Top các CVE được khai thác nhiều nhất và cách khai thác (2017-2022 updated)

Sau đây là top các lỗ hổng được hacker ưa chuộng nhất mọi thời đại (mọi thời đại là từ năm 2017 nhé ae :v). Có thể nói các bug hunter, hacker mà vớ được host có các lỗi này thì lại rất sướng, xiên không ngừng. Một phần các lỗi này ngày xưa cũngContinue reading “Top các CVE được khai thác nhiều nhất và cách khai thác (2017-2022 updated)”

[CVE-2021-25055] FeedWordPress < 2022.0123- Cross-Site Scripting (Authenticated)

# Referrer: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25055https://wpscan.com/vulnerability/7ed050a4-27eb-4ecb-9182-1d8fa1e71571# Version: 1.0# Tested on: Windows 10 + XAMPP v3.2.4POC:

[CVE-2020-11511] WordPress Plugin LearnPress < 3.2.6.9 – User Registration Privilege Escalation

# Exploit Title: WordPress Plugin LearnPress < 3.2.6.9 – User Registration Privilege Escalation# https://www.exploit-db.com/exploits/50138# https://packetstormsecurity.com/files/163538/WordPress-LearnPress-Privilege-Escalation.html# Date: 07-17-2021# Exploit Author: nhattruong or nhattruong.blog# Vendor Homepage: https://thimpress.com/learnpress/# Software Link: https://wordpress.org/plugins/learnpress/# Version: < 3.2.6.9# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd# CVE: CVE-2020-11511 The function learn_press_accept_become_a_teacher can be used to boot a registered user to a trainer position, resulting in a privilege escalation. The reason is that the code doesn’t check the permissions of the requesting person, consequently letting any pupil name this feature.Continue reading “[CVE-2020-11511] WordPress Plugin LearnPress < 3.2.6.9 – User Registration Privilege Escalation”

[CVE-2020-6010] WordPress Plugin LearnPress < 3.2.6.8 – Time-Based Blind SQL Injection (Authenticated)

DB-Exploit: https://www.exploit-db.com/exploits/50137PacketStorm: https://packetstormsecurity.com/files/163536/WordPress-LearnPress-SQL-Injection.html Exploit Title: WordPress Plugin LearnPress < 3.2.6.8 – SQL Injection (Authenticated) Date: 07-17-2021 Exploit Author: nhattruong or nhattruong.blog Vendor Homepage: https://thimpress.com/learnpress/ Software Link: https://wordpress.org/plugins/learnpress/ Version: < 3.2.6.8 References link: https://wpscan.com/vulnerability/10208 CVE: CVE-2020-6010 POC: Go to url http:///wp-admin Login with a cred Execute the payload Modify current_items[] as you want

[CVE-2021-28424] Teachers Record Management System 1.0 – ‘email’ Stored Cross-site Scripting (XSS) vulnerability (Authenticated)

# Exploit Author: nhattruong.blog# Referrer: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28424https://www.exploit-db.com/exploits/50019https://packetstormsecurity.com/files/163171/Teachers-Record-Management-System-1.0-Cross-Site-Scripting.html# Version: 1.0# Tested on: Windows 10 + XAMPP v3.2.4POC: Go to url http://localhost/admin/index.php Do login Execute the payload Reload page to see the different The entry point in ’email’ POST parameter in admin/adminprofile.php Payload:

[CVE-2021-28423] Teachers Record Management System 1.0 – Multiple SQL Injection (Authenticated)

# Exploit Author: nhattruong.bloghttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28423https://www.exploit-db.com/exploits/50018https://packetstormsecurity.com/files/163172/Teachers-Record-Management-System-1.0-SQL-Injection.html# Version: 1.0# Tested on: Windows 10 + XAMPP v3.2.4 POC: Go to url http://localhost/admin/index.php Do login Execute the payload SQLi #1: The entry point in ‘editid’ GET parameter in edit-subjects-detail.php SQLi #2: The entry point in ‘searchdata’ POST parameter in /admin/search.php SQLi #3: The entry point in ‘editid’ GET parameter in edit-teacher-detail.php