bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/49136.txt
Offensive Security 4b9e53700f DB: 2020-12-02 
18 changes to exploits/shellcodes

10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)
EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path
Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path
Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path
Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path
TypeSetter 5.1 - CSRF (Change admin e-mail)
Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting
Online Shopping Alphaware 1.0 - Error Based SQL injection
Pharmacy/Medical Store & Sale Point 1.0  - 'email' SQL Injection
Setelsa Conacwin 3.7.1.2 - Local File Inclusion
Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS
Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution
LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting
Medical Center Portal Management System 1.0 - 'login' SQL Injection
Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020
Social Networking Site - Authentication Bypass (SQli)
Tendenci 12.3.1 - CSV/ Formula Injection
2020-12-02 05:01:55 +00:00

28 lines
No EOL
1.9 KiB
Text
Raw Blame History

# Exploit Title: Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-09-18
# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS
Step 1: Log in to the CMS with any valid user credentials.
Step 2: Select Measurement Settings and click on "Set Measurement Parts".
Step 3: Create any php payload on locally on your system. ( i used the default php webshell in /usr/share/webshells/php/php-reverse-shell.php)
Step 4: Fill the required details and upload the php payload you created using the image upload field.
Step 5: Select Measurement Settings and click on "View/Edit Measurement Parts".
Step 6: Start netcat listener.
Step 7: Use the search filter to find your measurement and click on "edit" to trigger the php payload.
========================== OR ==========================
Step 1: Embed an image with the code "exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg"
Step 2: Rename the malicious image to have include a ".php" extention. Example ( mv r0b0t.jpg r0b0t.jpg.php )
Step 3: Log in to the CMS with any valid user credentials.
Step 4: Select Measurement Settings and click on "Set Measurement Parts".
Step 5: Fill the required details and upload malicious image you created using the image upload field.
Step 6: Select Measurement Settings and click on "View/Edit Measurement Parts".
Step 7: Use the search filter to find your measurement and click on "edit" to edit details.
Step 8: Righ click on the broken image and copy image location.
Step 9: Paste image location in browser and you will have RCE. ( http://localhost/img/part/r0b0t.jpg.php?cmd=cat /etc/passwd )
Reference in a new issue View git blame Copy permalink